AFP, ASIO asked to clarify metadata mess

Two executives from Australia’s Federal Police and intelligence services were wheeled in front of the press today to clarify the specific data they want ISPs to store under the Government’s proposed data retention scheme.

David Irvine, director general of ASIO, and Andrew Colvin, deputy commissioner for national security at the AFP, fronted the media after the government bungled its attempt to explain the technical details behind its proposed legislation to force internet service providers to store non-content data for two years to aid law enforcement.

The plan has been met with strong criticism after both Prime Minister Tony Abbott and Attorney-General George Brandis separately said an individual’s website browsing history would be included under the proposal. Neither were able to offer a clear definition of the data to be retained under the scheme.

Communications Minister Malcolm Turnbull - who had originally been left out of the policy development - was forced to intervene to clarify that website addresses were not included and attempted to clarify how the Government defined metadata.

Irvine and Colvin today said the agencies were not pushing for browsing history to be retained, and would not be allowed by law to access such data without a warrant, regardless of whether it was included in the proposal or not.

They confirmed they were after source IP addresses - the identifier of a user's connection to the internet - as opposed to destination IP addresses - the web pages and services they are connecting to - alongside non-content call data. 

Both said their organisations were seeking access to data that was already being held by telecommunications companies, but wanted laws in place to ensure it is retained for a longer period of time.

“We have been accessing that data for many years legally, and all that we are changing actually, or seeking to change, is that the data - which is held by the companies for a commercial purpose for billing or other reasons - be held in such a way that we can continue to have access to it in an environment where that access has begun to diminish a little bit,” Irvine said.

Both clarified that law enforcement and security intelligence agencies were only legally allowed to access source IP addresses under non-warranted metadata requests. Any instance of an IP address pointing to a URL is classified as ‘content’ and would require a warrant to access.

“Under metadata authorisation, law enforcement and security cannot access that data. If that was provided by ISPs it would not be permissible for us to use. That is content material,” Colvin said.

“Metadata is an investigative tool that informs law enforcement of where an investigation should or may go. That may open the door for further investigative techniques, including warrants, but it is an initial investigative technique.”

Irvine said the way in which ASIO accesses data for law enforcement investigations was “closely monitored” by the Inspector-General of Intelligence and Security.

The agency’s activities were “very targeted against those people who give us good reason to suspect they may be engaged in activities that are a threat to national security” as opposed to “mass surveillance”.

“We don’t get out a rake and go trawling over bundles of metadata held in wherever. We seek access to metadata on various specific cases where, in my case, there is a very specific security intelligence purpose to do so. If there is a mere criminal purpose, I would not do that. We can only access the metadata when we have a clear need to do so,” Irvine said.

“Not only do we not have the capacity to do that, it is also not permissible by law,” Colvin added.

The Office of the Australian Information Commissioner released a statement today expressing concerns that the storage of large amounts of personal information could increase the risk of a data breach or other invasions of a citizen’s privacy.

"Key to this debate will be ensuring the ongoing privacy interests of Australians,” the Office said in a statement.

“It will also be important to consider whether a data retention scheme is effective, proportional, the least privacy invasive option and consistent with community expectations. Any scheme should also be transparent, accountable and have appropriate independent oversight.”

Turnbull and Brandis met with Telstra last night and have flagged further industry consultations on the proposed scheme.