Thursday, 26 March 2015
Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015; Third Reading
I will be brief because this debate has been running for some time. We are here tonight because the Abbott government has chosen to ignore the very clear warnings sent by tens of thousands of people and pressed ahead with a bill that entrenches a form of passive surveillance over 23 million Australians.
Senator Jacinta Collins interjecting—
I will get to that—believe me, I will. It has been a long time coming. Mandatory data retention first came to light—at least to my knowledge—in 2010, when it became evident that the Attorney-General's Department had forced telecommunications companies into secret meetings to establish how a two-year mandatory data retention scheme could work. That was when the ALP's Robert McClelland was Attorney-General. With the support of the then chair of the environment and communications committee, Senator Mary Jo Fisher—who I think many people in here still remember quite fondly—we conducted an inquiry into what the Attorney-General's Department was up to, which generated a significant degree of opposition. And then the proposal went underground for a time.
In 2012, with the ALP's Ms Nicola Roxon as Attorney-General, mandatory data retention was referred as a single throwaway paragraph to the Parliamentary Joint Committee on Intelligence and Security. Under a hail of condemnation, that committee was unable to come to a consensus recommendation on mandatory data retention. The proposal dropped under the radar again until it was put firmly back there last August by Senator George Brandis. I have sketched this recent history because this bill contains the DNA of both of the major parties. I am getting a little tired of people reinventing history, as began to happen after the unwelcome passage of the ASIO reforms last year. In her opening contribution, the Labor Party's Senator Collins put it better than I could. She said:
The Australian people must be satisfied that in seeking to defend ourselves from crime and terrorism we do not trample upon the very rights and freedoms that characterise Australia as a free and open democracy. The Abbott government has failed this test.
I strongly agree with this statement by Senator Collins. The Abbott government has failed this test, and the majority of the Australian people are not satisfied with this government's lunge for power.
The only people who did end up satisfied were in the Australian Labor Party. The ALP has caved in to Tony Abbott's self-interested fear campaign and supported the bill. Together, with some of the more critically minded crossbench senators, we had the numbers to defeat this bill, but you failed to turn up. You will be judged for that, and we will ensure that people never forget who made this possible. In 2016, you will answer for it. Surveillance in a democracy should be targeted, proportionate and levelled at serious criminals, organised crime and national security threats. This bill entrenches the opposite. The government will not disclose the costs of the scheme, is silent on the risks of unauthorised disclosure and has at no stage been able to point to evidence that collecting the private records of 23 million nonsuspects will keep people safe or reduce the crime rate.
We will be encouraging people to follow the advice of Mr Malcolm Turnbull, who introduced the bill and, in recent days, has been outlining techniques for avoiding the surveillance scheme that he has just forced on the rest of us. Mr Turnbull told Sky's David Speers yesterday:
…of course you now have the ability by using over-the-top applications. It might just be something straightforward like Whatsapp. It might be a more encrypted over-the-top application to avoid leaving a trail.
He goes on to say:
If you have a device, you know, a phone or a smartphone, and if I call you through the mobile phone network there will be a record. Say my phone’s with Telstra, there’ll be a record with Telstra that I’ve called your number. If on the other hand—
our helpful communications minister informs us—
I communicate with you via Skype for a voice call or Viber, send you a message on WhatsApp or Wickr or Threema or Signal or Telegrammer—there’s a gazillion of them—or, indeed, if you make a FaceTime call, then all that the telco can see, insofar as it can see anything, is that my device has had a connection with the Skype server or the WhatsApp server; it doesn’t see anything happening with you.
Amazing! Tips on how to avoid mandatory data retention by the guy who introduced the bill.
There is a lot of bad information, however, circulating about the use of cryptography and anonymisation tools in protecting privacy and identity online. In particular, there is real confusion about whether merely circumventing the government's expensive new data retention regime guarantees any kind of absolute privacy or anonymity. I admit that I am guilty of some pretty loose language on this issue myself. So I want to be completely clear: if you do not want your email records captured by data retention, all you need to do is use a platform that is hosted overseas like Gmail or Facebook. If you do not want metadata from your chat sessions hanging around forever, use one of the services that Mr Turnbull recommends. If configured properly, these services erase their tracks as fast as they are created. So as far as email records are concerned, defeating this $400 million data retention scheme really is that simple.
But there are two hugely important caveats. Firstly, it is well documented that signals intelligence agencies like the NSA and its Five Eyes partners, of which Australia is one, are engaged in massive full-take surveillance of nearly all data traffic globally and that these entities are alleged to have unprecedented visibility of the networks of these very same international providers—some of them mentioned by Mr Turnbull. The second caveat is that using Facebook chat or Twitter direct messages in no way actually guarantees anonymity or privacy. There are whole bodies of practice and technique out there on how to do this well. But the fact is: doing crypto well is actually pretty hard.
We have recently taken the lead of data journalist and transparency activist Asher Wolf, who founded the global CryptoParty movement, and we have held a few events of our own to up-skill on basic crypto skills. The fact is: if you are a whistleblower who fears what will happen if your identity is disclosed, assume that there is no politician in this building—and I include myself—with the technical skills to help you properly protect your identity. You will need to look after yourself. I came across an article yesterday by a certain Dan Nolan who debunked some of the confusion surrounding the distinction between defeating data retention, which in some regards is fairly easy, and defeating some of the more elaborate systems deployed against journalists, whistleblowers, activists and campaigners. The article is titled 'Leaking Securely', and it reads in part:
How To Leak
1. This might seem obvious, but think about it, don’t leak information only you have access to. If you’re the only one that has the information then it’s pretty bloody easy to figure out who leaked the info. Find or create a situation in which you can have plausible deniability that someone else accessed the data.
2. Don’t leak data from your home computer, from your personal devices or anywhere at home or at work. You will get caught, and if there are legal ramifications of the leak they will rain down on you like fire.
3. Don’t leak data from personal accounts or accounts linked to family or friends or that can in any way be traced back to you. Create a hushmail or a gmail account, don’t put in your phone number and create this account on a computer you do not normally use, say an internet cafe.
4. Don’t provide any personal information in the stuff you leak. Redact as you need to.
5. Don’t store copies of leaked information on personal devices or home devices.
6. If you use a USB device or something similar to access or copy data, be aware of corporate policies or monitoring. If you’re copying from your office computer, logged in under your account to a device, corporate IT systems can easily track you down and figure out who copied what and when.
7. Destroy any items or devices you use to transit the information to be leaked to a third party area. Dispose of them, again, somewhere you wouldn’t normally dispose of items so someone going through your rubbish can’t find them.
8. Only leak to places that have SecureDrop, like the Guardian.
9. DON’T TELL ANYONE WHAT YOU DID. DO NOT TELL A SINGLE SOUL WHAT YOU DID.
He carries on, but I am not sure that I want to read the rest of it into Hansard. The point being, I guess, the old saying 'three may keep a secret as long as two are dead' applies very much to whistleblowing. Now some, like Mr Edward Snowden, whom the Attorney-General has said on any number of occasions he believes to be a traitor—who I believe to be one of the most important whistleblowers in modern history—or publishers like Julian Assange, who has just spent more than 1,000 days in the Ecuadorian Embassy in London, actually do go public and do lend their name to these acts of quite radical transparency. But, for others, if your welfare or your job depends on anonymity or privacy, do your research and make sure you are using these tools properly. And, by the way, we are looking to auspice such a session for the Canberra Press Gallery, because, with the installation of this regime, things just got even more serious.
Before we commit this thing to a vote, I want to thank all of those who built a spirited community campaign against this measure—publishers, journalists, the Law Council of Australia, the technology sector, digital rights organisations like EFA and advocates from right across the political spectrum joined tens of thousands of concerned Australians to voice their anger—and the major parties shut them out. Some of these people do this advocacy for a living and I thank them for their expertise and their determination. But above all, I want to thank and acknowledge those who bothered to come to events, made calls, wrote emails, signed petitions and organised to try to bring about a different outcome tonight. I would also like to thank my staff, particularly Felicity Ruby who, with me, fought round 1 and round 2 data retention, and Renai LeMay for throwing his heart and soul into round 3. I also acknowledge the significant dissent within the Liberal-National-Labor parties, but the inflexible party discipline that prevails in Australia means that not a single member crossed the floor either to oppose the bill or to support the dozens of amendments proposed by the crossbench. I thank those members of the crossbench in the House and in the Senate, who, together with the Australian Greens, performed the job of opposition that the Labor Party abandoned. We will remember this come 2016, and we will not let others forget.
Our work now turns to documenting this regime and working for its repeal. But to all those listening to this debate, and I know that there are many of you out there, I apologise to you. To all of those who will face the consequences of what is done tonight, I am deeply sorry that we were not able to prevent this from passing into law.