Mandatory data retention rears its head again

The Australian Attorney-General's department has backed calls by state and federal law enforcement agencies to pass legislation that would force ISPs to retain user data for a minimum of two years.

In submissions made to the Senate committee investigating a review of the country’s Telecommunications (Interception and Access) Act 1979, Australia's police forces, intelligence agency ASIO and the Australian Crime Commission claim mandatory data retention would allow them to better achieve success in their criminal investigations.

The committee was formed last December following a push from Greens Senator Scott Ludlam to review the “deeply flawed” Act in light of ongoing revelations about international governmental spying. The committee will report back in June. 

The committee is studying the issue with reference to a May 2013 report into potential TIA Act reform by the Parliamentary Joint Committee on Intelligence and Security, which examined changes to interception of communications and access data under three key pieces of legislation.

One of the most controversial inclusions in the May 2013 report into TIA Act reform was that of a mandatory data retention scheme, a regime proposed by the former Labor Government.

The Labor proposal was shelved after the parliamentary committee investigating the plan claimed it was unable to make a recommendation due to the Government's failure to provide enough detail on draft legislation.

The Greens at the time called on the Government to "unequivocally reject mandatory telecommunications data retention".

The proposal looks to have been given a breath of new life under the Coalition Government.

State law enforcement agencies want to legislate carriers to retain user data for two years to maximise the success of criminal investigations.

In a submission to the current inquiry, the Northern Territory Police joined calls for the implementation of a mandatory two-year data retention regime for internet service providers.

It recommended ISPs be forced to retain the web-browsing history of customers so law enforcement agencies such as itself can access the data without a warrant.

"The NT Police are supportive of a data retention regime of two years. Such a regime would assist law enforcement agencies in investigating serious crimes. The NT Police are not in favour of excluding browser history," it said in its submission.

Victoria Police similarly backed the introduction of a data retention regime “given the changes in the patterns of community usage of mobile phones”. It more widely called for “urgent holistic reform” of the TIA Act to keep pace with the modern era of telecommunications.

Victoria Police recommended carriers be required to retain subscriber information; numbers of parties involved in communication; date, time and duration of communication; IP addresses and URLs; and location-based data.

Colleagues in West Australia’s police force also “fully support” a mandatory data retention regime, as such a regime would “provide consistency across all telecommunication providers when accessing stored data to assist during investigation of serious offences,” it said in its submission.

The WA Police suggested a minimum retention period of two years would be appropriate.

“Telecommunications interception and associated data is an often utilised investigative tool, and it is important that a reasonable retention regime is put in place to ensure service providers do not delete their data,” the submission noted.

“Currently, the only retention regime in existence is what the service providers have voluntarily implemented. There is no formal period of compulsory retention, which suggests access to data is unreliable, and may impede serious investigations.”

Two years was also the minimum threshold recommended by the Australian Crime Commission and ASIO for the mandatory retention of data.

The ACC said it was currently being hindered in its investigations of serious and organised crime due to restrictions on its ability to collect and share material obtained under the TIA Act.

“The loss of data due to the absence of a standard mandatory data retention scheme also has a detrimental impact on ACC investigations, in terms of availability of data and certainty as to the period it will be retained,” the ACC stated in its submission.

“These issues will increasingly impact the ability of the ACC to fulfil its functions without reform.”

It recommended such a regime be limited to apply only to metadata and exclude internet browsing data. 

ASIO said in some cases it would be beneficial to its operations for data to be stored for longer than two years - specifically in activities involving foreign states operating against Australian interests.

“Foreign states take a long-term, strategic approach to conducting espionage. The approachis slow and considered in order to hide activities. There is often no known or specific incident or starting point with espionage investigations,” ASIO's submission said.

“ASIO must baseline the activities and threat posed by adversaries over an extended period to identify indicators of activity and then review historical data to understand the extent and scope of the activity and harm. We note in the case of the European Union, their directive mandates data retention for up to two years."

While the Attorney-General's Department signalled its support for such a regime, it noted at the time of its submission that it had not yet undertaken necessary consultation with key stakeholders, including the telco sector and privacy advocates, and would seek to do so before advising the Government on the subject.

"The Department agrees ... that a mandatory telecommunications data retention regime would be of significant utility for intelligence, counter-terrorism and law enforcement investigations, that such a regime would raise fundamental privacy issues, and that those issues should be sufficiently addressed before any such regime is progressed."