Tony Zappia (Makin, Australian Labor Party, Shadow Parliamentary Secretary for Manufacturing) Share this | Hansard source

I am pleased to follow the member for Hotham in this debate on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014. I well understand the many legitimate concerns that people have about this legislation. The Labor Party understands those concerns. Many of the concerns raised do not arise as a result of this legislation, but equally apply with respect to the current process we have for the management of metadata.

Were it not for this legislation and the processes the parliament has gone through in recent months, the existing flawed, insecure and unaccountable practices would continue. They would continue without any discussion whatsoever. The public debate leading to this legislation and the work of the Parliamentary Joint Committee on Intelligence and Security have exposed the existing flaws in the data retention system that we have, allowed the community to have input into the changes and created a much greater community awareness about the realities of the cyberworld we live in.

The protection of rights and liberties is at the core of our national values. It is inscribed in the Australian citizenship pledge, and those rights and liberties should indeed be defended. But rights and liberties can take many forms. Each of us places different values on different rights, and there are times when one right has to be given up in order to protect another. That is why there is no absolute right or wrong view about protection of our freedoms, why there is a diversity of views about this issue and why our laws must strike the right balance. Striking the right balance implies that some people will not be satisfied with the outcome.

We live in a cyberworld with limited knowledge as to who has access to data, how it is being stored, where it is being stored, how that data is being used and how secure it is. We simply do not know. What has been made clear by the inquiry and through the public contribution is that, as reported in the Australian Communications and Media Authority's 2013-14 annual report, there were over 582,000 requests for access to metadata. There were some 80-plus agencies that were being granted access to data, and for much of that data there were no warrants being issued at all. Much of the data is already held for two years or more. The very concerns that are being raised about this legislation are occurring right now, even without it.

Simultaneously, we live in a rapidly changing cyberworld where criminal activities are flourishing because of cybertechnology, globalisation and growing populations. Financial fraud, identity theft, drug trafficking, human trafficking, illegal pornography, paedophilia and terrorism have all heavily relied on cyberuse. Whilst this legislation may have been triggered by growing concerns about terrorism, and is being talked up as a national security issue, the reality is that it has a much wider application in law enforcement than simply being about national security.

The objections to this legislation come down to this very simple proposition: as a result of this legislation, in future all metadata, not just some, will be retained for at least two years. Currently the length of time that metadata is held varies between each carrier. Each carrier chooses how long they keep that data. Data is already being held for two years—what we do not know is how much of it—and in some cases it is being held for longer. This legislation, in simple terms, means that all data will be retained for at least two years.

The first question that then arises is: what is an acceptable period of time that data should be retained for? Should it be one month, three months, a year, five years? At some point we have to make a judgement about that very question. In exchange for all data being retained for two years this legislation provides limitations and oversights that are currently not in place and are badly needed. Let me outline what some of those oversights are, albeit that my colleagues and others who have contributed to this debate have already done so.

Firstly the Commonwealth Ombudsman will have oversight of the data retention scheme and will, for the first time, have the power to inspect the records of enforcement agencies to ensure that they are complying with their obligations under the Telecommunications (Interception and Access) Act. Right now the truth of the matter is that very few people would know what is really going on, who is accessing the data or for what purposes.

Requiring warrants for access to the telecommunications data of journalists is an issue that I know has also been the subject of extensive community debate. If you are going to access the data of journalists, ensuring that there is a warrant required makes reasonable sense. There is good reason for it. Whilst some people have said that if we can apply the warrant process for journalists we should do so for all others, my response to that is simply this: there is a difference between journalists and others. More importantly, if we were to apply a warrant process for all data access that is required—and looking at last year's figures there were over half a million requests—the system and the process would simply be unworkable, not to mention the cost to society of having to process half a million warrants or more each year.

Thirdly, the Parliamentary Joint Committee on Intelligence and Security will have oversight of the data retention scheme. Again, this is the first time ever that the parliamentary joint committee—or any parliamentary committee—has had this power and this authority. It is consistent with the work that parliaments in both the USA and the UK are already doing; their committees have similar oversight provisions. They may not be identical, but they are similar, and this is the first time that the Australian parliament has given that committee the authority to have oversight over any government operation.

I will also note that the data retention cannot be used for ordinary civil litigation. This was another concern raised in the public discussion. For example, you cannot use data access for the purpose of copyright enforcement. I also note that the data stored will be encrypted to ensure that it too has better security. There will also be a mandatory data breach scheme to notify consumers if security of their metadata is being breached, and individual consumers will have access to their own data. Again, these are all measures that are simply not available at the moment. Importantly, the number of agencies that can access the metadata will be reduced from around 80 at the moment to just over 20, I understand. And, importantly, no additional agencies can be added to the list by the Attorney-General, other than in emergency situations, without the agency and the relative legislation going to parliament and being approved by parliament.

Most importantly, this whole process, this scheme, will be reviewed, I understand, after two years by the Parliamentary Joint Committee on Intelligence and Security—again, enabling the parliament and the people of Australia to have oversight of it, which means we have a review process in place to ensure that it is working well and working in the national interest. None of these measures are currently available with respect to the current data retention process. It should be acknowledged that the retention of data can also be used to clear innocent people of false accusations, and I understand from my discussions with law enforcement agencies that defence lawyers frequently access the data for that purpose, as do our law enforcement officers themselves. So, the retention of data is not all bad. There are many occasions when it is actually used for good reason and good purposes.

It is true that many crimes would not be prevented by the retention of more data for longer periods, as some speakers have said. Conversely, though, it is also true that the retention of data has been invaluable to security agencies in their pursuit of criminals and has been used for good public purposes. Again, it is a matter of weighing one issue up against the next. The real issue, in my view, is not that data is being stored but that communication and cyber use now control our life in a way that it has never done before. It exposes everything we do. We are tied to a system that indeed does monitor and track us in every aspect of life. I note an article about serious computer hacking late last year, which detailed an attack in which 13,000 passwords and credit card details relating to gaming consoles and online stores were released. I would be much more worried about the security of the systems we have than about the storage of data, and it is those kinds of concerns—the hacking of data, the hacking of the systems we currently use—that I believe should be of greater concern to the broader public.

In the few minutes I have left I just want to turn to some matters that I do have some reservations and concerns about, and they have been raised by other speakers in this debate. The first is with respect to the storage of the data. As I said earlier in my remarks, we do not know how much is being stored, where it is being stored or how safe it is. My view supports other speakers who have made this point, and that is that the data should all be stored in Australia. We should know where it is being stored and by whom, and I believe people of this country would feel much more secure if it was stored in Australia. I understand that that may come at a cost, and I understand that ultimately the consumer pays for it. But I suspect that the retention of data, wherever it is, comes at some cost, and until I have seen the final figures on that I reserve my own views about whether it ought to be done or not, because I do not know what the costs are and the government is not releasing the costs that they have. Yes, it may come at a cost, but my view is that ultimately it should be stored here in Australia.

The second point I make is with respect to the Ombudsman, and indeed the Inspector-General of Intelligence and Security and their offices and their roles in securing the rights, liberties and freedoms of the people of this country. They can carry out their roles and do their work only if they are properly resourced and funded. I would like to think that complementary to this legislation the government will provide assurances that both of those offices will be properly resourced, properly funded into the future, to enable them to carry out the oversight role they have been tasked to do.

The third point is one I mentioned earlier, and I want to touch very briefly on the issue of warrants again. My understanding is that currently there is no requirement for warrants to be sought in order to access metadata in most cases, and I have heard the argument time and time again about the fact that if it is good enough for journalists then it ought to be applied to every other application. I have also heard the argument—and I believe there is some truth to it—that if that were the case we probably would not have 500,000 requests and more each year and that it would in fact reduce the numbers. That may well be true. But nevertheless, to argue that we should ensure that everyone who accesses data needs a warrant would simply bring the system to a grinding halt and make it unworkable.

In summing up, I believe we have a choice. We have the choice to do nothing and leave the system as it currently stands, or we can support this legislation. If we do nothing and leave the system as it currently stands, it is a system with no limits on who can access the data, no understanding of who keeps the data or where it is kept, no oversight over it, no knowledge about what is being kept, no certainty that it is secure, no accountability by those agencies that have access to it, and no parliamentary oversight whatsoever. That is the choice. In my view, the choice is quite clear: we support this legislation and we improve an already badly flawed system.

See this speech in context