Is there any way that the government’s mass surveillance bill currently before parliament, which aims to impose a data retention regime on the country’s telecommunications companies and internet service providers, can be made safe?

It’s a near-impossible task, partly because the government’s entire rationale for the bill keeps changing. On the one hand, Communications Minister Malcolm Turnbull and Attorney-General George Brandis insist this is merely about retaining the status quo to prevent future loss of access to data; on the other hand, Brandis warns that agencies are already losing access to data, and there’s an urgent need for it. And in a quite astonishing remark on Monday on the ABC, Brandis claimed that there were no existing metadata laws, when a metadata preservation regime has been available to agencies like the Australian Federal Police and ASIO for two years — and isn’t used by ASIO. Whether Brandis was simply mistaken — the Attorney-General has a history of getting basic facts wrong — or lying isn’t clear, but it further confuses the rationale for the regime.

But if, for argument’s sake, we accept there is some justification for mass surveillance of this kind by security agencies, there could be ways in which the proposed bill could be amended to reduce, if not remove, its problems.

Access

The first is something the government has already gone part way to doing itself. Correctly responding to concerns about the wide range of agencies, including non-government agencies, that can access metadata, the government has limited access to retained metadata to a list of law enforcement bodies in the bill. But further assurance could be provided by removing the power of the Attorney-General to add agencies to that list and instead giving Parliament that power — that is, if local councils and the RSPCA want to access stored data, access must be legislated, not made at the whim of someone like Brandis. Better yet, access to all metadata, stored under a data retention regime or not, should be limited to law enforcement agencies.

Warrants

If, as Brandis insists, “the mandatory metadata retention regime applies only to the most serious crime — to terrorism, to international and transnational organised crime, to paedophilia,” then there should be no problem with imposing a requirement that agencies get a warrant in order to access stored data, rather than merely going on fishing expeditions. Security agencies object to a warrant requirement, saying it would impose an impossible burden on them. Given the total number of requests for metadata is now over 300,000 individual instances each year — and that number doesn’t include intelligence agencies — that argument looks credible. But that number says more about the rampant overuse of metadata requests — which currently don’t require a warrant — than about the warrant requirement itself. The argument against warrants also relies on the claim that metadata is more innocuous than content data, which, for reasons we’ve repeatedly explained before, is simply false.

If getting a warrant really is too onerous for security agencies, how about a graduated scale: ordinary call data — who, to whom, duration — doesn’t need a warrant, but information on a mobile phone’s location, and ISP data, does?

Whistleblowers

The biggest threat contained in the bill is to people who want to expose wrongdoing within government or corporations, who will now find it far more difficult to distribute information without risking their anonymity either through a phone call or a record of their online address. It will also make it more difficult for the traditional recipients of whistleblowing material, journalists and politicians, to safeguard the identities of people confiding in them. Under data retention, security agencies will have far more material with which to track down a whistleblower, starting with the journalist who has written an embarrassing story, or a politician who has used parliament to reveal information. The AFP has already admitted that it obtains the metadata of journalists and politicians, and data retention will establish a huge resource for them to access for up to two years after a leak; indeed, police accessing of journalists’ metadata is rife in the UK. And large companies, knowing their employees’, journalists’ and politicians’ phone records are retained for two years, will be able to use court orders to secure access to metadata not currently retained in order to hunt down whistleblowers who have exposed them.

The solutions are straightforward: the Brits are going to change their data access laws to require police to obtain a warrant if they want to obtain a journalist’s metadata, with a presumption that access would not be granted if the journalist was acting in the public interest. Such a protection should also be extended to politicians — which risks criticism that politicians are unwilling to subject themselves to surveillance like everyone else, but is worth it to minimise the threat to whistleblowers.

And access to retained metadata should be placed beyond the reach of court orders and private litigation, limited strictly to security agencies. This will both reduce the threat to whistleblowers, and give effect to the government’s insistence that, contrary to the claims of the AFP Commissioner Andrew Colvin, data retention isn’t about allowing the copyright industry to pursue downloaders.

Codifying data

Finally, a proposal that no security agency, if their rhetoric is to be believed, should have the slightest problem with: the data retention scheme should outlaw companies retaining information other than what is specified in legislation. No other forms of metadata, no content, nothing: ISPs and telcos would henceforth only retain a specified set of metadata and it would be illegal to retain any other data on consumers, unless as required under normal warrant processes or for data preservation purposes. Intelligence and law enforcement agencies insist that they do not obtain any other data from communications companies without a warrant. In which case, let’s legislate that, and lay to rest the oft-repeated concerns, expressed by people with detailed knowledge of the sector, that companies are keeping and passing on both metadata and content data freely to security agencies without any accountability or oversight.