Tuesday, July 31, 2012

Who watches the Watchmen?

If all that Americans want is security, they can go to prison.
- President Dwight D. Eisenhower

The government recently announced an inquiry into national security legislation, which would involve updating the various Acts that govern how ASIO, ASIS and other such clandestine organisations can spy on Australian citizens, to reflect the changes in technology since the Acts were first written.

They have put forward a discussion paper that outlines the various options they’re considering, in which they cite the 2005 Blunn report, which states that the 1979 version of the Telecommunications (Interceptions and Access) Act relies on obsolete assumptions - this is misleading at best, since Australia has passed 54 pieces of anti-terrorism legislation in the decade following September 11 - and the most recent update of the TIA Act was in 2006, directly in response to the Blunn report’s recommendations.

Still, there is no denying that legislation must keep pace with technological change, and there are definitely some things being suggested that are both necessary and non-threatening. For example, given that one person may have multiple computers (especially since a person’s phone is effectively a computer now), they wish to change the warrants to being based around a given person, rather than a given computer or premises. This makes technological sense, and assuming warrants are acquired with proper oversight, is not burdensome on everyday citizens’ privacy.

But then there's the more outlandish stuff - the ASIO wish list. Things the government is putting out for discussion but isn’t ready to commit very strongly to. They are proposing that ISPs and other service providers be forced to retain data on absolutely everyone for up to two years on the off-chance that they might be doing something wrong. They want to make it a jailable offense to refuse to hand over your passwords and decrypt your information. And they want to be allowed to hack into computers and delete, add or alter data, even if the computer in question is not directly associated with the person they have a warrant for.

The first of these is the modern-day equivalent of steaming open everyone’s mail, photocopying the contents, and keeping it in a warehouse in case they turn out to be criminals. It is the real-world equivalent of the telescreen from Nineteen Eighty-Four - which, as our lives become increasingly inextricable from the internet, makes it a veritable panopticon. A society in which every conversation is recorded, every transaction is noted, and every connection is mapped, can only be described as a police state.

The second is an unconscionable imposition as well. Not only does it run against a person’s (human, if not legal) right not to incriminate themselves, in practice it is extremely fraught with difficulties. The most basic of these is this - what happens if you forget the passwords or lose the decryption key? To get more complicated, you can hide encrypted data by making it look like something innocuous, like a photo or an mp3. In a world where anything that looks encrypted could get you thrown into jail, hiding it like this would become standard practice for those who really want to hide their data - so what happens when ASIO tells you to decrypt the (nonexistent) data in your holiday photos?

The third is an attempt to get around various technical problems and install things like keylogging software, and is basically being considered because sometimes the easiest way to get to the target computer is to go via an innocent one. The technical problem is real, but this is a massively disproportionate response given the potential for abuse and the high likelihood of collateral damage.

The justification for all this is to combat the paedophile terrorist mafia, that shadowy cabal used to justify every erosion of civil liberties. But let’s assume for a second that we don’t care about being constantly spied on, so long as it keeps us safe - would such laws actually prevent serious offenses?

Well, similar laws were trialled in Germany recently - where they were compared to the surveillance performed by the Stasi - and a study of police statistics revealed that they did not help with the prevention or the prosecution of serious crimes, and in fact may have hindered them.

It seems as though, when universal data retention is in place, career criminals know this and avoid using services they believe will be compromised - however if police forces use only targeted surveillance (like a traditional wiretap) criminals may become complacent and not realise they’re under surveillance. In this way, blanket surveillance actually reduces the chances of catching serious criminals.

But, with changing technology, is it going to be possible to continue with more traditional methods? Neil Gaughan, head of the AFP’s High Tech Crime Centre, is concerned that if we don’t pass these laws, they won’t be able to conduct even basic investigations any more. I can understand why he says that, because the places they need to do their job aren’t restricted to telephones any more, so some change needs to be made - but targeted wiretaps are still the way to go. They may require ISPs to retain the data of specific individuals suspected of criminal activity - as long as they have a warrant and sufficient oversight, I’m fine with that.

This would not be any more technologically difficult than surveilling everyone (if you have the means to retain everyone’s data and know which individual is associated with which data, you clearly have the means to discern which traffic belongs to your target) and would be considerably less burdensome for ISPs - even without privacy concerns, the amount of data produced by the entire country over a period of years is unfathomable, and storing it properly would not be cheap. This would drive up prices, eliminate smaller providers, and generally deter IT companies from doing business in Australia.

The other threat they invoke is that of cybercrime - of people hacking in with nefarious intentions, not least of which is identity theft. They cite identity theft as a major problem for the security of Australian citizens in the discussion paper…and yet, look at what they’re proposing to do. They want to effectively create huge databases of information on every citizen, thus providing what amounts to the crown jewels of identity theft.

Any such database would be a hugely attractive target - and is there any doubt that eventually some would be compromised? Anonymous has demonstrated this to great effect by hacking into AAPT’s servers and retrieving confidential information, as their own protest of the proposals. And if you think the government can be trusted more than corporations to keep their data safe, well, just look at Wikileaks. Or bungles like this one.

This is without even considering the possibility of unauthorised access by public servants. Let’s not forget that the incidence of ATO and Centrelink staff improperly accessing confidential data is unacceptably high, and that the vast majority of Australian law enforcement agencies have had systemic corruption at some point or other - we can’t exactly give them the benefit of the doubt in the long term.

These measures would seriously erode our right to privacy, and as Twitter extraordinaire @JLLLOW pointed out, effectively get rid of the presumption of innocence. They would do little to curb serious crime, and in many ways would enable it. They absolutely cannot be allowed to get through the parliament.

Fortunately, there is still time to stop them. This has only gotten as far as a discussion paper so far - there hasn’t even been legislation drawn up, so we’re in the best possible position to act. The inquiry’s call for submissions ends on the 20th of August - GetUp are doing a petition, as is their wont, but making a direct submission to the inquiry here would be much more effective. I’ll be putting together a fairly comprehensive submission but they can be as long or short as you like - the important thing is to say something, anything. Just make sure your voice is heard.


  1. Great article. Some beautifully and succinctly expressed points. Mind if I use a few quotes on posters on this issue? You can check out the freebie design work I do at http://somersetbean.blogspot.com.au/

    1. Go right ahead. Just try to attribute me, where possible.

  2. No worries. Cheers. Will send a link when done.

  3. This article has seen a spike in hits lately, so if anyone's interested the posters SomersetBean made are here: http://somersetbean.blogspot.com.au/2012/08/total-surveillance-coming-soon-to.html