Nigel Waters, Pacific Privacy & Australian Privacy Charter Council
Introduction
This seminar provides a rare opportunity to consider the overall law enforcement context of a number of interrelated developments and issues in the electronic environment. We also need to see the bigger picture in relation to privacy. Too many privacy battles are fought, and too often lost, on the narrow ground of specific initiatives and proposals, where the immediate arguments for access to personal information appear compelling, and the loss of privacy only marginal and inconsequential.

But for those concerned about the bigger picture, the incremental loss of privacy, and with it of other freedoms, is a major issue. It is timely to look at the overall effect of the various law enforcement driven initiatives to regulate cyberspace and the way we transact within it, and ask if we are not in danger of giving up too much in exchange for an uncertain dividend in crime prevention and detection.
In his stimulating 1999 book Code, and other Laws of Cyberspace [1], US academic Lawrence Lessig cautions against the naïve assumption that there is something inherently unregulable about cyberspace. He shows how the regulability of the electronic environment is determined by its architecture, including the characteristics of software, and that this architecture is in turn influenced by political and commercial choices and interests.

For example, whether to allow anonymity, unfettered speech, or unlimited access to gambling or sexual material are initially political decisions, but can then be hard-wired into operating systems, Internet protocols or telecommunications systems specifications. Cyberspace can either be a zone of freedom (a nightmare for some) or a zone of surveillance (equally alarming for others). Which it becomes should be within our control through democratic institutions, but whether the choices that are made follow an informed public debate, or are determined by particular vested interests, is a key issue. And there is also a globalisation factor at work. Because so much software and hardware is of foreign origin, and because the architecture of the Internet and of telecommunications is largely determined by unelected and arguably unaccountable international bodies, the balance between privacy and other public interests for Australians is increasingly out of our control. As in so many other areas of public policy, new forms of trans-national governance are required if we are to have any say on the balance in the future.
Security and Privacy
Sometimes privacy, security and law enforcement interests coincide. Audit trails and logs of access to computer systems are a powerful tool for the investigation of unauthorized access or other abuse, both of personal information and of commercial or administrative information.
But security and law enforcement interests make no distinction between information about living individuals (personal information) and information about dead people, legal entities or inanimate objects - a distinction which is fundamental to privacy rights.
When dealing with personal information, there is a clear tension between the security principle in privacy laws (IPP and NPP 4 (Cwth), IPP 4 (Vic), IPP 5 (NSW)) and some of the other principles, notably collection, use and disclosure; access and correction, where these are allowed on-line; and also the new anonymity and identifiers principles in the Cwth and Victorian Acts. This tension arises mainly in relation to the privacy of employees, but increasingly also in relation to the privacy of customers or clients. On the one hand, the other principles are saying only collect, retain and use the minimum of details, and give individuals access to their own information (and often allow them to edit it). On the other hand, the security principle is saying keep detailed records of access and transactions to be used, and often disclosed, in the event of abuse, or even just as a deterrent against any abuse. It also prompts organizations to limit access and control the ability to change information - having to verify individuals' identity and authority to make changes to their own records is a major security challenge.

Because of the focus on privacy as an individual right, no-one has cared much about the privacy of information as a value independent of the subject, when perhaps a greater focus on the powers of authorities (and governments) to invade privacy - both of businesses and individuals - would have been justified.
Powers to invade privacy
We have perhaps too readily accepted the argument that legal entities should have no privacy rights - that accountability requires absolute transparency. This has led to increased powers of intrusion into the affairs of legal entities (companies, associations) which have not been seriously challenged. But as more and more individuals are pushed or pulled by government policies into incorporation, or at least into being treated as a business (ABN required), the distinction is blurring, and we find that rights that we still expect in our capacity as individuals are suddenly removed simply because of an arbitrary change of status. While there may once have been an argument that loss of privacy rights was a trade-off for the benefits of incorporation (eg tax advantages), this is not a convincing argument if people are being forced into incorporation or business status rather than choosing it.
The experience of the Tax Office last year with the proposed sale of personal details of ABN holders is salutary [2]. The Tax Office obviously approached the issue on the basis that such details were about businesses, which are assumed to be familiar with a degree of transparency through business name and company registration. There was apparently no recognition that tens of thousands of ABN holders were simply individual contractors and freelance workers for whom this was a first, involuntary and reluctant exposure to the world of business registration. Faced with the outrage of these people (already aggravated by the introduction of the GST), the government backed off, to the unprecedented extent of quickly amending the ABN legislation to avoid the necessity to make individual ABN holders' details public.
Even without any change in the numbers of people in each category (individuals and businesses), our lack of vigilance on loss of corporate privacy allows authorities to refine privacy intrusive techniques that can then be brought to bear on individuals.
As a consumer advocate I feel uncomfortable defending the rights of legal entities to privacy - large businesses are at least potentially as great a threat to consumers as government, and should be held accountable. But by turning a blind eye to greater and greater powers of intrusion, initially aimed at businesses, we have allowed the authorities to acquire, and exercise, enormous powers that can and, if we are not vigilant, will be used against individuals.
Privacy laws have no limiting function in the face of other legislation that authorizes privacy intrusion. It is important that the public are not misled by false re-assurances that privacy is safeguarded because agencies are subject to privacy laws. Firstly, many law enforcement and investigatory agencies are exempted (the NSW Act is particularly generous), and secondly all privacy laws necessarily include exceptions for actions 'required or authorised by law'. This means that the most that the privacy law does is regulate the way in which the intrusion takes place and the way information is handled - it cannot and does not limit the extent of the intrusion, which is determined by another law.
Search and Communications Interception powers
Why have we allowed a double standard to prevail in relation to search and seizure powers between the off-line and electronic environments? We still by and large vigorously defend the privacy of our property - warrants are generally still required for access to premises without consent, and this initially carried over into communications privacy, with warrant regimes for postal items and the content of telephone calls.
But in relation to access to information, we have blithely allowed agencies such as the Tax Office and Social Security (now Centrelink) to invade our lives not only without a warrant but even in many cases without a formal notice. Even in the front line of negotiations over the privacy principles, advocates reluctantly bowed to the pressure of administrative interests in allowing exceptions to the disclosure principles (IPP 10 & 11 & NPP 2) which allow disclosure of personal information for a range of public interests even where it is not required by law.
The contrast between these two extremes is most obvious in telecommunications, where the regulatory regime contains the full spectrum of controls: from the TI Act warrant regime for the substance and content of calls, through a certificate based regime (Telecommunications Act s.282(3)-(5)), to the wholly discretionary basis for release of personal information contained in s.282(1) & (2) and the ACIF CPI Code of Practice [3] (reflecting the NPP 2 exceptions). The much looser Telecommunications Act basis for disclosure applies to subscriber details, call charge records, reverse call records, IMEI checks and cell dumps, and call tracing, as well as the affairs or personal particulars of individuals. Information such as call charge records reveals a considerable amount about a person's communications, even without access to the content of the call. It seems odd that we have allowed information of this sensitivity to be routinely accessed without a warrant or even the need to show prior cause - one of a wide range of agencies simply has to declare it 'reasonably necessary' (the Postal legislation has been amended to similar effect). The revelation at the end of last year that there were nearly 1 million separate disclosures by telcos in 1999-2000 (a more than 12% increase on the previous year), while not news to anyone who has followed the issue more closely, attracted some media attention.
Unfortunately, there is some uncertainty about the safeguards that apply to the content and substance of telecommunications. Because of a flaw in the drafting of the Telecommunications Act, it is not absolutely clear that content and substance cannot be released under the loose s.282(1) and (2) provisions (no warrant, no certificate). The ACIF Code on Assistance to Agencies, recently finalized, hedges its bets on this [4].
The other ambiguity about the scope of the content or substance exception concerns whether it applies to stored communications, such as email, pager or SMS messages, or calls recorded in an answering service or messagebank. At what point are such messages or calls deemed to have been 'delivered' for the purposes of the exception? When they have been posted to a user's mailbox or message bank, or only when read? It does seem clear that once a user has accessed or read such a stored message it loses the protection of the content or substance exception, even if the user chooses to leave it temporarily in the carrier/CSP's storage device. Even without resolving the other ambiguity, this means that there is at least one category of content - stored messages after they have been read - which is subject to the looser Telecommunications Act regime rather than the stricter Telecommunications (Interception) Act.
Even within the area of communications still subject to warrant based access, the barriers have been crumbling. Among recent amendments to the TI Act have been:
- A weakening of the warrant regime: AAT members replacing judges, named person warrants, longer periods.
- Extension of the range of offences for which warrants can be obtained.
- An increased number of agencies able to apply for warrants.
- An increased number of agencies allowed to execute warrants independently, rather than through the AFP.
Amendments to the ASIO Act have introduced a computer data warrant which allows not only access to data but also alteration of data and computer operations to disguise the access. This raises fundamental questions about whether it is any longer possible to rely on the integrity of data, and must have an effect on the evidentiary value of electronic data, if it could have been changed 'officially' [5].
While I have not yet had the opportunity to study the Cybercrime Bill 2001 in detail, it appears to extend the concept of a computer data warrant to all investigatory agencies operating under the Crimes Act 1914 and the Customs Act 1901. The concerns raised by the Charter Council in relation to the ASIO warrants have never been satisfactorily addressed and we will be raising them again in this wider context.
The New Zealand Privacy Commissioner has recently commented on the equivalent Crimes Amendment Bill No 6 2001 (NZ) [6]. Amongst a range of concerns he expressed is the view that allowing remote hacking into computer systems by government agencies for ordinary law enforcement is unacceptable, even if it is subject to a warrant process.
While on the subject of powers, there is also of course the unknown extent of communications monitoring wholly outside the known legislative framework, particularly as part of the ECHELON system, exposed by NZ journalist Nicky Hager in 1996, and currently a point of major irritation between European Union member states and the US and its UKUSA allies, including Australia [7]. Attempts to establish the extent of Australian involvement, and the legal basis of any interception of the communications of Australians, have so far met with the usual 'neither confirm nor deny' response that the government uses for national security matters. But this is unacceptable in relation to such significant allegations. In recent years the federal government has been forced to put the intelligence agencies on a clearer statutory basis and increase their accountability, and it will hopefully see the need to satisfy the community at least on the legal basis of any ECHELON interception.
How are the powers being used?
As if the increase in powers to invade privacy was not bad enough, there are also alarming trends towards the use of those powers for intelligence gathering and routine mass surveillance, rather than for specific investigations. There is growing pressure from law enforcement and revenue authorities to require commercial organizations to maintain records beyond the length of time they would be kept for commercial/administrative purposes, purely as an investigative resource. The danger here is that if records exist, it becomes very difficult to resist arguments for access - privacy advocates are forced into a rearguard action about ease of access and safeguards while the principle is lost. The best privacy protection is destruction, in line with the disposal principle in privacy laws (IPP and NPP 4).

The controversy over the retention of Census returns - now to be given as an opt-in choice in next month's Census - is a good example of the issues involved.
Another current example of this pressure is the suggestion that Internet Service Providers (ISPs) should be required to retain logs of user activity for much longer than they need to for their own purposes [8]. The proposed inclusion of such a requirement in the draft Council of Europe Convention on Cyber-crime attracted strong criticism from European Data Protection Authorities [9], and as a result the requirement has been substantially reduced to a 60 day retention on request from law enforcement agencies, to allow time for a case to be made for lawful access. But there is still a requirement for ISPs to record traffic data in real time even where they have no commercial need to do so.
Another pressure being brought to bear by a broad coalition of government and business interests is for more demanding standards of identification for many transactions. It is argued that this is desirable for many reasons, including easier law enforcement and revenue collection, and reduction in identity fraud - allegedly a major problem in the US, although Australian evidence appears limited.
From a privacy perspective, any proposal to require identification must be justified, and there is now the anonymity principle in the Federal private sector and Victorian public sector privacy laws to back this up. Close examination of many proposals for identification shows that in many cases it is authentication that is required, rather than identification of any particular individual.
Issues of identification come to a head in the vexed area of public key cryptography and digital signatures. The impression that privacy advocates have of government policy on PKI is that it is a combination of confusion and a system in search of users, with some hidden agendas in relation to indirect movement towards unique identifiers. Simple objections to the Gatekeeper model on the basis of established privacy principles have been consistently either ignored or misunderstood over the last two years. It is hoped that the PKI Privacy Guidelines recently issued for comment by the Privacy Commissioner will belatedly bring some sense to this important area of policy, although I have yet to assess whether they adequately address the privacy concerns.
Even where identification can be justified (including in the context of digital certificates), privacy advocates resist pressure for unique ID and argue for retaining the option of multiple identities/personas as a barrier against whole of life profiling/matching.
Data-matching
Profiling/matching invariably leads to a reversal of the onus of proof - 'hits' are assumed to be an irregularity and the individual is asked to justify/explain. Even if they are investigated and cleared without contact, this is still an invasion of privacy - a key point that many government officials have failed to grasp over the years [10].
Perhaps the best (worst?) example of routine surveillance that has been imposed on Australians almost unnoticed is the financial transactions reporting regime operated by AUSTRAC [11]. Introduced in the same year as the federal Privacy Act, and therefore spared the scrutiny that might have been brought to bear on it under an established privacy law, the Financial Transaction Reports Act 1988 authorises a draconian regime of routine reporting by financial institutions - ironically the sector which most fiercely defends its traditional duty of confidence. The records of transactions are routinely matched against other data by a wide range of law enforcement, revenue and intelligence agencies.
A case can probably be made for significant transaction reporting, although the relatively low threshold of $10,000 and the lack of any indexing means that this is arguably now capturing much smaller transactions than is warranted by the official targets of major and organized crime. Of more particular concern are the unavoidably subjective nature of suspect transaction reporting, and the clearly disproportionate capture of all international currency transfers, however small. AUSTRAC has a good record on data security and integrity and maintains strict controls on use of the data it collects, within the framework of the legislation, but the fact remains that the regime it administers is an extraordinary intrusion into the financial privacy of all Australians. Once individuals are made aware of the extent of this monitoring - as they will have to be under the Privacy Act - it will be interesting to see if there is a public outcry.
Once bulk records are being matched, there is a tendency for subjective social norms to prevail over objective offence criteria - for example, evidence of sexual orientation or reading or viewing preferences can all too easily become the basis of negative assumptions. The interest of authorities is no longer triggered just by unlawful actions but also by supposedly predictive traits/characteristics. Even if there are statistically valid correlations to back up this 'intelligence based policing', there will inevitably be some individuals who are exceptions but who are 'caught in the net'.
Conclusion
This paper has used examples from several different areas of electronic- or cyber-space to illustrate a common issue - the constant tension between government's desire to control and the freedom and privacy of individuals. In the end, the balance between privacy and the powers of the state comes down to one admittedly difficult and complex question: how much risk do we need to eliminate, and at what cost?
That there should be a balance is generally accepted at an abstract level, but officials charged with specific public interest objectives can understandably lose sight of the principle when considering the limits that privacy protection places on their ability to meet those objectives. It is easy to get agreement that some limits on surveillance are desirable - otherwise we would all by now be wearing electronic bracelets routinely reporting our every move. It is more difficult at a practical level to ask a policeman or welfare worker to accept one more mugging or abused child because we deny them surveillance tools they could be using. Privacy advocates should perhaps more often acknowledge this difficulty and very real 'cost'.
But we have to resist technological determinism. Just because we can know things and do things doesn't mean we should. We must resist both the magpie tendency to keep records 'just in case', and the constant extension of powers to access records - otherwise we will end up in a world of universal surveillance which diminishes our humanity and leaves us prey to the venal and corrupt who will always be found in positions of power.
In the US, constitutional protections act as a partial barrier to these trends. A Bill of Rights would help us to challenge the insidious march of state power and the associated erosion of privacy. In the absence of such institutionalised safeguards, we can only draw attention to each new initiative that threatens privacy, set it in the wider context and demand that it be publicly justified. That will not stop the trend, but may slow it and ensure that we don't unnecessarily or too carelessly surrender precious freedoms.
End
[1] Basic Books 1999, ISBN 0-465-03913-8
[2] See http://www.privacy.gov.au/news/00_11.html
[3] Australian Communications Industry Forum Code of Practice on Customer Personal Information (C523). See www.acif.org.au
[4] C 537 - also at www.acif.org.au
[5] Submission by the Australian Privacy Charter Council to the Parliamentary Joint Committee on ASIO on the Australian Security Intelligence Organization Legislation Amendment Bill 1999
[6] Supplementary Report by the Privacy Commissioner to the Parliamentary Law & Order Committee
[7] See www.echelonwatch.org
[8] The New Zealand Privacy Commissioner refers to this in his recent report on the Crimes Amendment Bill (ibid)
[9] Article 29 Data Protection Working Party, Opinion 4/2001, 22 March 2001.
[10] For resources on privacy and data-matching, see Roger Clarke's web site http://www.anu.edu.au/people/Roger.Clarke/DV/
[11] The author declares an interest as a privacy representative, since late 2000, on AUSTRAC's Privacy Advisory Committee - a useful monitor though with limited influence.