iiNet has lashed out at proposals by government agencies to force internet service providers to retain user data for law enforcement purposes, and outlined its concerns about federal use of section 313 of the Telco Act to force ISPs to block websites.
In a submission to the Senate committee investigating a review of the country’s Telecommunications (Interception and Access) Act 1979, iiNet raised concerns over proposals by state police forces to implement a federal mandatory data retention regime, which it said would result in an increased risk to the privacy of Australians and offer an incentive to hackers and criminals.
“Data retention is at odds with the prevailing policy to maximise and protect privacy and minimise the data held by organisations,” iiNet said in its submission.
“Industry believes it is generally preferable for consumers that telecommunications service providers retain the least amount of data necessary to provision, maintain and bill for services.”
iiNet said such proposals were at odds with the new Australian Privacy Principles, which state that APP organisations must not collect personal information for any longer than is absolutely necessary, and only to deliver services.
“So on one hand, we have one government agency highlighting the need for businesses like iiNet to respect and protect our customer’s personal information and on the other, government agencies again calling for mandatory data retention with too little evidence about the necessity, or efficacy, of such a regime,” iiNet said.
It said in the age of the internet of things, and considering the influx of varied mobile devices, it was an “impractical idea” to store such data.
“And it is even more impractical to suggest that a law enforcement agency can simply call up a service provider and say ‘give me all Joe Blow’s URLs for 15 June 2012’.”
Complying with a mandatory data retention scheme would not only force iiNet to spend around $60 million on a large data centre holding up to 20,000 terabytes of data - costs which would have to be passed on to consumers - but would also heighten the risk of security breaches, it said.
iiNet also criticised the ‘misleading’ attitude of both the Coalition and Labor that the community should not feel invaded or threatened by the collection of metadata.
“Contrary to the Attorney-General Department’s submission to this Committee, access to telecommunications data is not necessarily less privately intrusive than access to the content of a communication,” it said in its submission.
“Telecommunications data when accessed and analysed may create a profile of a person’s life including medical conditions, political and religious views and associations.”
It said there was no solid evidence that the benefits of increased surveillance would justify “surveilling minors and citizens on the chance that two years later some evidence might help an investigation”.
“iiNet is uncomfortable with the notion that commercial businesses may be forced into a role as unwilling agents of the state to collect, store and safeguard very large databases for which the companies themselves have no use – a role very different from that which those companies were originally established.”
Mandatory data retention was first proposed by the former Labor Government, but was shelved after the parliamentary committee investigating the scheme said the Government had not provided it enough detail on the draft legislation for it to make any recommendations.
The proposal has reared its head again in recent days after the Attorney-General’s Department, a number of state police forces, and the Labor Opposition signalled their support for such a proposal.
iiNet backed recent criticisms by Google directed at the use of controversial powers in the Telecommunications Act by law enforcement agencies to block websites, calling on other service providers to follow in its footsteps and create a site blocking policy to limit abuses of power.
iiNet highlighted the use of section 313 by corporate regulator ASIC - which recently revealed it accidentally blocked over 1000 websites last year in an attempt to take down just one - as an example of how the exercise of the power can “contravene the principles of necessity and proportionality”.
“iiNet is also very concerned about the lack of appropriate due process, accountability and oversight. The scope of this law enforcement obligation is vague and uncertain and unfairly puts the onus on testing the validity of the request on the service provider,” it said.
“It is critical that any exercise of section 313 powers to block websites must be accompanied by sufficient information to confirm that it is appropriately authorised by a senior representative of the relevant agency.”
To combat such abuses of power, iiNet said it had developed an internal site blocking policy which it encourages other service providers to consider adopting.
The policy states iiNet will only block sites where “external requests for compliance with legal obligations are supported by legitimate authorisation, appropriate legislation and due process.”
It will decline any requests that do not meet the criteria, and will require any request to be approved by an iiNet executive before a block is implemented.