Mandatory data retention is a rort
Federal Attorney-General George Brandis is actively considering a mandatory data retention scheme under which ISPs and telcos would be forced to keep information (metadata) about customers’ phone and online activities for up to two years, for access by law enforcement agencies.
Apparently, the government wants this data to be held by the telcos -- imposing massive costs on the industry which will ultimately be passed on to their customers.
It's bad enough that ISPs and telcos may be forced to keep records on their customers’ online activities, but making consumers and businesses pay for it adds insult to injury.
But it’s only metadata! What’s all the fuss about?
In simple terms, the ‘metadata’ being proposed for retention pertains to information contained in the signalling used to connect phone calls, resolve web queries, send email, and engage in other online activities. It would include items like date and time stamps, location, phone numbers, IP addresses and email addresses.
The government argues that warrants aren’t required because metadata doesn't include content, and David Irvine, the head of ASIO, compares call metadata to a street CCTV camera: “It’s akin to a CCTV looking at you in the street -- it doesn’t matter.”
Actually, it does. A recent Stanford University study found that you can ascertain very personal info from metadata. Jonathan Mayer, one of the study's authors, wrote in a blog post: "We found that phone metadata is unambiguously sensitive, even in a small population and over a short time window. We were able to infer medical conditions, firearm ownership, and more, using solely phone metadata."
Add online activities, email and facial recognition from CCTV cameras to the mix, and an extremely detailed picture of an individual’s activities can emerge.
Indeed, in a recent blog post iiNet described telecommunications data collected as often containing personal and content-specific details such as transactional information about the user, the device and activities taking place, location, content of posts, content associated with web pages, people and organisations whom users associate with, internet activity, user data, possibly user login details from auto-fill features, and much more.
This debate isn’t about what you have to hide, but about what you want to keep private. And it's not just individuals who will lose their privacy -- business metadata will also fall into the data-retention trap. Businesses have many legitimate reasons for needing to keep their data away from prying eyes, including the need to protect the privacy of client information.
Who will be liable for data breaches?
The reality is that data breaches happen -- even in companies that can afford top-notch technologists and security experts. We hear of privacy breaches on a weekly basis: two weeks ago it was Cupid Media; last week it was Catch of the Day. And in the telco space, one of the latest investigations involved Telstra.
So the question then arises: who will be liable if this data is hacked, or if there’s a privacy breach? Will the onus also fall on the ISPs and telcos that are fighting against doing this in the first place?
Recent changes to the Privacy Act give the Privacy Commissioner new enforcement powers, and the ability to issue fines of up to $1.7 million to companies found to have breached sensitive customer data.
The issue also raises the question of who would be liable if business metadata pertaining to a consumer was compromised at the data retention site. Would the telco or ISP be liable? Would the business be responsible? Who would notify the consumer?
The only winners out of this will be the spooks and storage vendors, as well as the insurance companies, which will no doubt raise premiums to account for increased risks.
Ultimately, it will be consumers and businesses that pay for this. And the costs will keep rising along with internet traffic.
The Internet of Things
The emerging ‘Internet of Things’ will massively boost the amount of data that will fall into this dragnet. It is estimated that by 2020 there will be at least 50 billion devices connected to the internet that require two-way communication. If we add sensors and other unidirectional transmission devices, this number will increase exponentially. We’re talking about tracking metadata from hundreds of objects per person!
Does the government really need to capture traffic from our fridges, our wearable fitness devices, our smart TVs, our webcams, our air conditioners, our smart clothing, or our driverless cars as they ‘chat’ among themselves? Or capture all the metadata from sensors deployed to monitor water levels, salinity, moisture, pollutants, stock levels, manufacturing status or any of the millions of objects that will in the very near future form part of the IoT?
If companies like iiNet are raising the flag about costs, what will happen to smaller ISPs? Many of these companies already survive on threadbare margins.
The proposed data-retention regime is poorly thought out on so many levels. It’s time to say "no" to the idea of data retention outside of suspected criminal activity, and even then only with lawful warrants.
Shara Evans is internationally acknowledged as a cutting-edge technology futurist, commentator, strategy advisor, keynote speaker and thought leader, as well as the Founder and chief executive of Market Clarity, an award-winning telecom analyst firm.