The Australian Security Intelligence Organisation (ASIO) has renewed its call for Australia to implement a data retention regime, with director-general David Irvine telling a Senate committee that it's asking for nothing that doesn't already happen, and promising that it will treat Web browsing differently to e-mail communications.
Irvine also said that it was not up to ASIO to try and work out the likely costs of such a regime, telling the Senate committee looking at changes to Australia's Telecommunications Interception Act that it would be up to the government to consult with the telecommunications industry if it were to create a data retention regime.
Noting that agencies have to pay telcos to access retained data, Irvine said a too-broad retention regime would be ruinous: “If ASIO had to pay for mass surveillance, we'd be broke in a week”, he said.
Some of the remarks Irvine made to the committee will be uncontroversial and in some quarters perhaps even welcomed. For example, a key aspect of the changes that have been brought to parliament are designed, he said, to reduce the number of warrants needed because at the moment, if an individual has a number of mobile phones, the aim is to eliminate the need to secure one warrant for each device by applying the warrant to the person instead of the device.
Irvine also explained ASIO's view of the ability to snoop on third-party computers, saying that it's necessary to prevent attacks against critical infrastructure.
“Hacker attacks on our national infrastructure [or] espionage attempts to obtain our secrets – these use innocent third-party computers,” he said. “If we can watch traffic going through that third-party computer, discarding anything we don't need, simply looking at the malicious signatures and where they come from, we have taken a great stride forward,” Irvine told the committee.
Irvine, under questioning from Senators on the committee (including Scott Ludlam [Greens], Susan Reynolds [Liberal] and Jacinta Collins [ALP]), said “ASIO is not asking for any change to the principles, definitions or rules under which we seek access to call data. What we are asking for is that the call data be retained.”
That led to an extended discussion about the distinction between metadata and content, particularly with respect to Internet browsing (for example, is the IP address of a Web server content or metadata?).
Irvine put ASIO's view that the agency considers e-mails and Web browsing as different creatures: e-mails, he said, involve an individual at each end of the communication, and therefore their associated metadata should be retained; Web browsing, he said, is considered content and could not be included in a data retention regime.
However, he said, where an individual is accessing e-mail using a Web browser: “Under the current definitions if it's an e-mail – whether you're using a browser or not, it's using a communication.
“The principle is that web surfing … or, indeed, Googling 'Al-Qaeda atrocities' … is not picked up by us, not regarded by us as metadata,” he said.
Irvine repeated a complaint that he has made in the past, that people allow commercial enterprises to invade their privacy “in order to sell you a new BMW … I cannot understand why it is correct for all your privacy to be invaded for a commercial purpose, but not by me to save your life.”
Regarding the struck-down European Data Directive, Irvine considers the court case under which it was struck down to be concerned with implementation detail rather than fundamental principles.
“The court said it didn't contain sufficient safeguards for implementation across EU member states, and the way it was framed it violated the principle of proportionality under EU law,” he said.
However, he said the court's judgement acknowledged there is a legitimate purpose to be served by data retention. “The legal processes are not yet completed, and it would be wrong of us … to rule out [data retention] as a gross violation of human rights across the board.” ®