Why data retention laws won’t work

Business Spectator 12 September 2012

Attorney-General Nicola Roxon took an unusual step yesterday, launching a video on YouTube to put a new position on the proposed cyber-security and cyber-crime laws.

In the past week Roxon made statements that appeared to pre-empt the report being prepared by the Parliamentary Joint Committee on Intelligence and Security on proposed reforms to Australia’s data retention laws.

The proposed reform would see telcos store their customers’ internet usage data for up to two years. Over the course of the video, Roxon put forward the case that these laws would help catch cyber-criminals and paedophiles. She also clarified that the government would wait for the Joint Committee’s report before making any final decision on the reforms.

Yet, despite these clarifications, it is little wonder that advocacy groups such as GetUp! and Electronic Frontiers Australia are concerned about the government's position.

Roxon has again failed to address one key concern: the fact that her comments seem to hint at a pre-ordained outcome to the Parliamentary Joint Committee on Intelligence and Security’s review and an inevitable change in our cyber-security legislation.

Aside from the ethical debate relating to this reform, there are two questions that are pivotal to these cyber-security changes:

Do we need the proposed data collection and retention regime? And should the government's proposed data collection and retention regime be implemented now?

To answer the first question: there is clear justification that an improved data collection and retention regime is needed to combat crime, terrorism and cyber warfare.

But as for the second, in my opinion there is no reason why the government needs to introduce such legislation. Let me explain why.

It’s about the systems, not the legislation

The digital network is being used in ways for which it was not designed. Privacy and security are almost non-existent in the digital world and this should be a concern for all Australians. Small steps have been taken to improve the underlying infrastructure, systems and protocols, however, much larger steps are needed before the digital network is ready for the proposed data collection and retention regime and changes to cyber-crime laws.

Failing to update the infrastructure, systems and protocols being used on the digital network will negate the effectiveness of any changes to Australian law. The criminals and terrorists will still be able to act with impunity by using secure VPNs, TOR and the darknet. Cyber-warfare and criminal hacking with the intent to steal national secrets and intellectual property will continue unabated. Foreign efforts to discover weaknesses in national digital infrastructure and carry out preparatory attacks on business, government and infrastructure will occur more frequently.

In Europe an extended data retention policy has been adopted, and a recent report has highlighted the lessons learnt there during the implementation of the new laws. In Sweden, carriers and ISPs were given two months to comply with the new laws. In response, Nils Weidstam, a public policy expert for the Swedish firm IT&Telekomforetagen, said, "Telia, the operator [Swedish telecommunications company], will likely need up to two years to implement these systems".

In the same article, Mark Newton, a network engineer from a large Australian ISP, hinted at a similar scenario:

"The Australian government similarly does not appear to grasp the complexity of storing data in a manner suitable for evidence. There seems to be a view within government that retaining data can be accomplished by simply telling telcos to stop deleting it. There needs to be an auditable chain of evidence, security requirements to mitigate the risk of tampering, high reliability requirements so that evidence doesn't simply disappear due to hardware failure, requirements for staff to have security clearances to process law-enforcement access requests; expensive storage in expensive data centres with expensive backup strategies maintained by expensive staff."

Australia shouldn’t follow America’s lead

In the USA it was reported earlier this week that Debora Plunkett of the secretive National Security Agency, whose responsibilities include protecting US government computer networks, predicted that Congress would pass long-stalled cyber-security legislation within the next year. Ms Plunkett's comments reflect a growing concern among US officials, lawmakers and security agency heads about the country's cyber security.

The push in the US to get cyber security laws through Congress has also failed to address the technical requirements of implementing the new laws and to address the underlying problems with privacy and security in the digital network.

In Europe, Australia and the US, lawmakers are attempting to paint a lemon (the digital network) as an orange. And they appear keen on convincing everyone that because it is an orange now, it’s all OK. But a lemon is still a lemon, no matter what.

Australia should not follow the US and Europe without first carrying out a study on how to improve privacy and security on the digital network, and the first step along this path is to make substantial changes to the network itself. A committee of technical experts should review the digital network, prioritise technical changes and report on when the network will be capable of providing adequate privacy and security for all Australians. Only at that point should the proposed changes to cyber-crime and cyber-security laws be revisited.

Mark Gregory is a Senior Lecturer in Electrical and Computer Engineering at RMIT University.