Roxon Letter on Data Retention

From Pirate Party Australia Wiki

Introduction

This letter[1] was sent to the Parliamentary Joint Committee on Intelligence and Security (PJCIS)[2] by the Attorney-General, Nicola Roxon, to clarify questions regarding so-called "metadata" and which traffic or content data the government intended to include in the mandatory data retention proposals.

Below is a transcription of that letter with some analysis and commentary. The transcription may contain some errors.

Transcription of Letter

12/7195

Anthony Byrne MP
Chair
Parliamentary Joint Committee on Intelligence and Security
Parliament House
CANBERRA ACT 2600
AUSTRALIA

Dear Mr ByrneAnthony

I refer to our meeting of 13 September 2012 and to the data retention proposal contained in my Department's discussion paper entitled "Equipping Australia Against Emerging and Evolving Threats". The Terms of Reference of my referral to the Committee state that the Government is expressly seeking the views of the Committee on a "tailored data retention scheme for periods for up to 2 years for parts of a data set, with specific timeframes taking into account agency priorities, and privacy and cost impacts".

I appreciate the Committee's desire to receive further details on what this proposal may entail. I do not have a specific data retention model in mind but I can provide the following further information to clarify the parameters of this proposal.

"Telecommunications data" is information about the process of a communication, as distinct from its content. It includes information about the identity of the sending and receiving parties and related subscriber details, account identifying information collected by the telecommunications carrier or internet service provider to establish the account, and information such as the time and date of the communication, its duration, location and type of communication.

The Government does not propose that a data retention scheme would apply to the content of communications. The content of communications may include the text or substance of emails, SMS messages, phone calls or photos and documents sent over the internet.

Access to the content of communication is only ever carried out under warrants issued in accordance with the Telecommunications (Interception and Access) Act 1979. There is no intention to alter the requirement for warranted access to the contents of communications.

The need to consider a data retention scheme has come about because of changes in technology that have affected the behaviour of criminal and national security suspects.

Targets of interest now utilise the wide range of telecommunications services available to them to communicate, coordinate, manage and carry out their activities. The ability to lawfully access telecommunications data held by the telecommunications industry enables investigators to identify and build a picture of a suspect, provides vital leads of inquiry and creates evidence for alibis and prosecutions.

Two examples that have been provided to my Department by State agencies serve to illustrate the importance of maintaining access to telecommunications data:

a) During a recent murder investigation there were a number of open lines of inquiry. When a human source provided information implicating a particular, previously unknown, person as responsible for the murder, telephone billing records were used to link the person nominated by the human source to another key suspect. The billing records also ultimately resulted in other lines of enquiry being discounted. The link between two of the principal offenders could not have been easily made without access to reliable telecommunications data. All the persons involved in that matter have been charged with the murder and associated offences and are currently before the courts.

b) A corruption investigation revealed evidence of SMS communications between a police member and a member of an organised criminal network. Despite knowledge of the communications occurring recently, no data relating to the communications was available. The inability to obtain relevant information about the communications led to the loss of evidence which could have supported the investigation into the corrupt links.

In the past the telecommunications industry retained most types of telecommunications data. However, due to rapid changes in the technology and business environment Australian agencies are finding that much of the information they seek is not being kept. The main drivers are the increased use of internet protocol technology and the trend to charge customers based on volume of data sent or received rather than by transaction (such as call by call or message by message).

Australia is not alone in being forced to consider answers to these challenges. In recognition of the impact the lack of access and retention of telecommunications data is having on investigations, the European Union adopted the EU Directive 2006/24/EC on data retention on 15 March 2006. The Directive has been implemented by the majority of the 25 Member States of the EU with the remaining Member states at various stages of implementation.

The EU Directive imposes an obligation for providers of publicly available electronic communications services and public communication networks to retain communications data for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in national law. The Directive only requires the retention of subscriber and traffic data. No data revealing the content of the communication may be retained under the Directive. The data set is at Attachment A.


The EU Data Retention Directive was declared unconstitutional in the Czech Republic. Sweden implemented it, but for only 6 months. Germany's Federal Constitutional Court declared it unconstitutional. Romania also declared it unconstitutional. Serbia implemented 6 month retention.


The Directive applies to fixed network telephony (landline), mobile telephony, internet access, internet email and internet telephony. The Directive specifies that certain categories of data must be retained, namely data necessary for identifying:

a) the source of a communication;

b) the destination of a communication;

c) the date, time and duration of a communication;

d) the type of a communication;

e) users' communication equipment or what purports to be their equipment; and

f) the location of mobile communication equipment.

The Directive requires Member States to ensure that data is retained for periods of between six and 24 months. Because there is flexibility in the Directive's requirement the EU members have picked varying retention periods appropriate for their own local needs. There is also variability in the retention period for different types of information, for example, requiring telephony data to be held for 12 months but internet data for six months.

To protect the integrity of retained data, the Directive requires Member States to ensure that operators respect four data security principles, specifically, that the retained data shall be:

a) of the same quality and subject to the same security and protection as those data on the public communications network;

b) subject to appropriate technical and organisational measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful storage, processing, access or disclosure;

c) subject to appropriate technical and organisational measures to ensure that they can be accessed by specially authorised personnel only; and

d) destroyed at the end of the period of retention, except those that have been accessed and preserved for the purposes set down in the Directive.

The reasons for the implementation of the EU Directive are explained in the preamble to the Directive as a response to terrorist attacks in Europe (particularly, the Madrid and London bombings), the maintenance of ability to fight crime and terrorism and for the consistency and completeness of regulation across the EU.

For Australia, the principal argument in favour of a data retention scheme is to maintain our agencies' access to a critically important source of intelligence and evidence. Agencies have indicated that the need to access this information is immediate and that the eroding of such access is already seriously affecting agency investigations.

I understand that the AFP will be appearing before the Committee and they will be in a position to provide details of the operational requirements for a potential data retention scheme in Australia.

I thank the Committee for its work on this and the other matters that I have referred for your consideration and I look forward to obtaining your advice on what you would consider to be an appropriate data retention scheme in Australia.

Given the high level of public interest in this inquiry I intend to make this further correspondence to the committee, public.

Yours in friendship,


NICOLA ROXON

Encl: Attachment A - EU Directive on Data Retention data set

Attachment A


Article 5 of the EU Data Retention Directive


Categories of data to be retained

1. Member States shall ensure that the following categories of data are retained under this Directive:

(a) data necessary to trace and identify the source of a communication:

(1) concerning fixed network telephony and mobile telephony:

(i) the calling telephone number;

(ii) the name and address of the subscriber or registered user;

(2) concerning Internet access, Internet e-mail and Internet telephony:

(i) the user ID(s) allocated;

(ii) the user ID and telephone number allocated to any communication entering the public telephone network;

(iii) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication;

(b) data necessary to identify the destination of a communication:

(1) concerning fixed network telephony and mobile telephony:

(i) the number(s) dialled (the telephone number(s) called), and, in cases involving supplementary services such as call forwarding or call transfer, the number or numbers to which the call is routed;

(ii) the name(s) and address(es) of the subscriber(s) or registered user(s);

(2) concerning Internet e-mail and Internet telephony:

(i) the user ID or telephone number of the intended recipient(s) of an Internet telephony call;

(ii) the name(s) and address(es) of the subscriber(s) or registered user(s) and user ID of the intended recipient of the communication;

(c) data necessary to identify the date, time and duration of a communication:

(1) concerning fixed network telephony and mobile telephony, the date and time of the start and end of the communication;

(2) concerning Internet access, Internet e-mail and Internet telephony:

(i) the date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the Internet access service provider to a communication, and the user ID of the subscriber or registered user;

(ii) the date and time of the log-in and log-off of the Internet e-mail service or Internet telephony service, based on a certain time zone;

(d) data necessary to identify the type of communication:

(1) concerning fixed network telephony and mobile telephony: the telephone service used;

(2) concerning Internet e-mail and Internet telephony: the Internet service used;

(e) data necessary to identify users' communication equipment or what purports to be their equipment:

(1) concerning fixed network telephony, the calling and called telephone numbers;

(2) concerning mobile telephony:

(i) the calling and called telephone numbers;

(ii) the International Mobile Subscriber Identity (IMSI) of the calling party;

(iii) the International Mobile Equipment Identity (IMEI) of the calling party;

(iv) the IMSI of the called party;

(v) the IMEI of the called party;

(vi) in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the location label (Cell ID) from which the service was activated;

(3) concerning Internet access, Internet e-mail and Internet telephony:

(i) the calling telephone number for dial-up access;

(ii) the digital subscriber line (DSL) or other end point of the originator of the communication;

(f) data necessary to identify the location of mobile communication equipment:

(1) the location label (Cell ID) at the start of the communication;

(2) data identifying the geographic location of cells by reference to their location labels (Cell ID) during the period for which communications data are retained.

2. No data revealing the content of the communication may be retained pursuant to this Directive.

References