Although he was happy to follow the UK in bringing in mandatory data retention, Attorney-General George Brandis has no plans for keeping Australians’ website browsing history, as the UK does.
When Brandis first announced the government would introduce legislation to require telecommunications companies to retain call records, assigned IP addresses, email and text message history and other so-called metadata for two years, he said it was the “way the West” was going on these things, citing the UK and other parts of Europe as implementing their own schemes (despite the fact that a number of schemes had been ruled unconstitutional or had been repealed).
As the Attorney-General’s Department in Australia struggles to grapple with implementing our scheme, the United Kingdom has now gone one step further than Australia’s data retention, this week announcing the Investigatory Powers Bill. It is designed to replace existing data retention legislation that was due to expire at the end of next year (Australia’s legislation has no such sunset clause) but in addition to retaining the same sorts of communications, the UK government wants telcos to retain what is called an “Internet connection record”, which specifies when a device connects to a website or instant messaging app.
Home Secretary Theresa May said in the House of Commons when introducing the draft legislation that keeping data on websites a person visited was “the modern equivalent of an itemised phone bill:
“Some have characterised this power as law enforcement having access to people’s full web browsing histories. Let me be clear — this is simply wrong. An Internet Connection Record is a record of the communications service that a person has used, not a record of every web page they have accessed.
“So, if someone has visited a social media website, an Internet Connection Record will only show that they accessed that site, not the particular pages they looked at, who they communicated with, or what they said. It is simply the modern equivalent of an itemised phone bill.”
While much can be determined simply by the websites a person visits, the UK government argues the legislation isn’t overly intrusive because it includes just the websites, not the specific pages. A person watching a YouTube video would just have a record of visiting YouTube.com against their account, rather than the individual video. The log of visited websites will be held for 12 months.
Under the UK scheme, which is similar to Australia’s, when a government agency wants to access telecommunications data without a warrant, it will need internal authorisation, but unlike in Australia the authorisation will need to set out why the data is needed and whether the intrusion is proportionate to what is trying to be achieved. The authorisation can only be signed off by someone who is not working on the investigation. Law enforcement agencies would only be granted access to the log when neeeding to determine whether someone had “accessed a communications website, an illegal website or to resolve an IP address where it is necessary and proportionate to do so in the course of a specific investigation”, May said.
When Australia announced its own data retention scheme, the government’s plans indicated that there would be a record of the “destination IP address” a person was attempting to access. This led to speculation that the Australian government wanted the list of websites Australians were visiting. In a Walkley Award-winning interview on Sky News, Brandis struggled to explain whether websites would be recorded:
HOST: You’ll be able to see whether I’ve been to that website, or that website or that website?
BRANDIS: What we’ll be able, what the security agencies want to know, to be retained is the electronic address of the website that the web user is using.
HOST: It does tell you the website.
BRANDIS: It tells you will the address of the website.
HOST: That’s the website, isn’t it. It tells you what website you’ve been to.
BRANDIS: Well, when you visit a website people browse from one thing to the next. That browsing history won’t be retained or there won’t be any capacity to access that.
HOST: Excuse my confusion here, but if you are retaining the web address, you are retaining the website, aren’t you?
BRANDIS: Well, every website has an electronic address, right?
HOST: Yep, and that’s recorded.
BRANDIS: When a connection is made between a one commuter terminal and a web address that fact and the time of the connection and the duration of the connection is what we mean by metadata in that context.
The government subsequently explicitly ruled out retaining web browsing history in the explanatory memorandum. Despite the United Kingdom now explicitly chasing web browsing history, a spokesperson for the Attorney-General said there were no plans to amend the data retention legislation.
“The government is not considering making any amendments to the data retention legislation,” a spokesperson for the Attorney-General told Crikey.
While most telcos will have until April 2017 to get their data retention systems fully compliant, the Attorney-General’s Department has received a number of requests from agencies that were left off the list of government agencies that could access the data when the legislation passed earlier this year. The list of agencies that could access the data was limited to 22 in order to give the appearance that only the agencies that really needed access to the data could still get it, unlike, for example, city councils or the RSPCA.
Parliament needs to approve access, thanks to last-minute amendments to the legislation, but Border Force has already been granted access. The Australian Taxation Office is also seeking access, and this week Victorian Racing Integrity Commissioner Sal Perna has sought to be added to the list after being removed when the legislation came into effect on October 13.
The Attorney-General’s Department has not said how many other agencies have since requested to be added back in since the legislation passed, but a freedom of information request has now been filed seeking to reveal any requests.
Crikey is committed to hosting lively discussions. Help us keep the conversation useful, interesting and welcoming. We aim to publish comments quickly in the interest of promoting robust conversation, but we’re a small team and we deploy filters to protect against legal risk. Occasionally your comment may be held up while we review, but we’re working as fast as we can to keep the conversation rolling.
The Crikey comment section is members-only content. Please subscribe to leave a comment.
The Crikey comment section is members-only content. Please login to leave a comment.