Labor's data retention plans are getting more convoluted with every attempted explanation. The government insists that it only needs metadata (not content), but is having a tough time explaining how this would work in practice, to the extent that the Parliamentary Joint Committee on Intelligence and Security was still seeking clarification last week of what the Government wants stored.
“Only metadata” is still a pretty big ask. In July the Economist reported, "Metadata (the records of who people call and email, and when, as distinct from the content of conversations) can now be amassed on a vast scale, and run through powerful software that can use it to create a fairly complete portrait of a person’s life and habits – often far more than just a few recorded conversations".
There are good grounds for suspecting that the Government is unclear about its own requirements because it is trying to match its legislation to the latest in “off-the-self” surveillance technology to process these mountains of metadata, instead of working out what it needs to counter real criminal or terrorist threats.
The multi-billion “off-the-shelf” surveillance industry has been busy marketing and selling privacy-invading technology to governments around the world following the September 11 attacks. Attendance sheets from the Intelligence Support Systems World conferences (aka Wiretapper’s Ball) - which are closed to the media and include training sessions - confirmed the attendance of the Australian Federal Police in Washington DC in 2006, the Attorney-General's Department in Dubai in 2008 and Prague of that same year, the Communications Authority in Prague in 2008, the Department of Foreign Affairs and the Australian Embassy in Dubai in 2008, the Australian Federal Police in Prague in 2008 and the Australian Government in Dubai in 2008.
This doesn’t mean surveillance software was acquired by Australia’s representatives then, but it does demonstrate a clear awareness of and interest in this technology.
And who could we expect our representatives to tango with at the Wiretapper’s Ball? Gamma Group, marketing its FinFisher IT Intrusion Portfolio range? SS8, proudly showing off its next generation monitoring and analysis platform Intellego? Or perhaps the Hacking Team , whose less than subtle title is self-explanatory. You can just imagine our intrepid secret agents coming back bedazzled from roadshows like that, or after sales pitches from spy software vendors, and insisting that they must have these latest technologies if they’re to have any chance of staying ahead of the ever-expanding security threats. And who is there to look critically at demands like these?
It is clear from numerous reports that together this sort of software can covertly extract data from a computer system; bypass logon screens without changing passwords; remotely monitor mobile phones; infect computers for physical access; secretly monitor computers; intercept Skype calls; turn on web cameras and record every keystroke; provide high capacity access, data storage, retention, and extraction of metadata at speeds necessary for the analysis of mass metadata and more.
In August this year, Boston-based security risk-assessment company Rapid7 conducted a global scan of computers on the Internet. They found a match in Canberra to FinFisher Spyware, which can secretly monitor computers. But they qualified their finding: "Locations are not proof that governments of these countries use Gamma’s FinFisher. It’s possible that Gamma clients use computers based in other nations to run their FinFisher systems."
Even though the Department of Foreign Affairs & Trade confirmed in an email statement that they do not use FinFisher it remains to be seen whether other government agencies, like ASIO, would provide a similar assurance.
If the Australian Government is attempting to equip Australia against emerging and evolving threats it’s easy to see how “off the shelf” surveillance technology might play a part. There’s a disturbing relationship between the available technology and its vendors and the global push for increased official surveillance.
As Nigel Brew noted in a recent paper on data retention and national security:
[The unclassified ASIO submission to the inquiry] does not offer any real evidence to suggest that it has experienced any problems accessing communications data when it has needed to. Similarly, there does not appear to be any publicly available source in which the AFP outlines what proportion of its large number of requests for communications data was unsuccessful due to the data no longer being available from carriers and carriage service providers.
Our government has vastly expanded official “policing” capabilities and is still on the bandwagon with the current proposals to amend the ASIO Act to remove doubt that ASIO is able to cooperate with the private sector. It also wants ASIO officers and human sources protected from criminal and civil liability for certain conduct in the course of authorised intelligence operations; third party computers and communications in transit able to be used to access a target computer under a computer access warrant; computer access warrants able to be issued in relation to a computer, computers on a particular premises, and computers connected to a particular person or computer network; and to remove restrictions that hinder ASIO from doing anything under a computer access warrant that adds, deletes or alters data or interferes with, interrupts, or obstructs the lawful use of the target computer by other persons.
The difficulty for the Parliamentary Joint Committee on Intelligence and Security, and for any inquiry looking at questions like these, is that for the real players it’s all a game of prevarication. The emotional power of the “terrorist threat” (with little if any hard evidence of its nature and extent) enables our security agencies to push their own interests with the government. They are shrouded in secrecy and unaccountable in any real sense, which permits them to dribble out only what may be necessary in terms of information, explanations and justifications.
Surely it doesn’t jeopardise their activities for the government to tell us – paying heed to any genuine security concerns - what they want to do, how they intend to go about it, how much it’s likely to cost us and what it is likely to mean for people who may be affected.