ASIO never forgets... or deletes
There are some very interesting points made by authorities in submissions ahead of the Federal Government’s proposed metadata retention bill.
One of the most stunning was the report that the Australian Security and Intelligence Organisation (ASIO) appears never to have destroyed any digital data.
A joint parliamentary inquiry is looking at the plan to store Australians’ phone and web data for two years.
It is still unclear specifically what data will be retained, because the Government intends to make that decision after the bill is passed.
Feelings of concern and discontent have emerged in the near 200 separate submissions to the inquiry, particularly from the inspector general of intelligence and security, Vivienne Thom.
The director general of ASIO has the power to destroy telecommunications data that require warrants, if it is no longer required “for the performance of its functions”.
But this power has never been exercised.
Thom said in her submission: “I have recently been advised by Asio that the power had not been delegated and that the director-general does not currently make any decisions under these provisions. Therefore currently no records are destroyed under these provisions.”
This is despite the attorney general’s guidelines to ASIO stating: “Where an inquiry or investigation concludes that a subject’s activities are not, or are no longer, relevant to security, the records of that inquiry or investigation shall be destroyed under schedules agreed to between ASIO and the National Archives of Australia.”
Thom said ASIO has shown a “consistently high level of compliance” in its authorisations for access to metadata, but also called for changes to be made to the rules on the destruction of data.
There were more issues raised by privacy commissioner, Timothy Pilgrim, in his submission to the inquiry.
Pilgrim says the data retention scheme risks some major privacy breaches of Australians’ personal information in its current form.
He called for a notification scheme to highlight the breach of mandatorily collected data.
“The proposed data retention scheme increases the risk and possible consequences of a data breach. This is because the challenge of effectively securing that information from misuse, interference and loss, and from unauthorised access, modification or disclosure will become more difficult as technology evolves,” Pilgrim’s submission states.
He also questioned the proposed two-year retention period, asking for proof that the necessary intrusion on personal privacy needed to last so long.
The privacy commissioner has become the most recent figure to raise concerns about the fact that there is no definition for the actual data to be retained. Nor does the bill state which agencies can access the pile of personal information.
Pilgrim said both issues should be addressed in the Act itself,
If the definitions are left up to regulations - as Attorney-General George Brandis plans for them to be - they will be subject to less scrutiny and could only be wound back by a majority vote in the Senate.
Parliamentary hearings into the mandatory data retention bill are scheduled for today and Friday.
It is worth noting that international law enforcement agencies struggle to point to crimes that were prevented by metadata.
In Australia, authorities can barely decide how many times they have accessed the data, let alone how useful it actually was.