As of yesterday (14 October 2015) all Australian communications providers (such as telephone companies and ISPs) are required by law to collect and store for two years large amounts of personal data about every phone call made, email and text message sent, and internet activity performed by everyone in Australia.
The Telecommunications (Interception and Access) Amendment (Data Retention) Bill was proposed last year and passed the Senate in March this year by 43 votes to 16, with the support of the opposition Labor party (it was Labor leader Julia Gillard who first suggested legislation of this kind back in 2012).
The information collected will be accessible without a warrant to a worryingly large range of government organizations, and the list of authorized authorities can be further expanded by the Attorney-General at his or her discretion.
The organizations currently permitted to access Australian citizens’ data under the law are: the Australian Federal Police, State Police forces, the Australian Commission for Law Enforcement Integrity, Australian Crime Commission, Australian Customs and Border Protection Service, the Australian Competition and Consumer Commission, the Crime Commission, the Police Integrity Commission, the Crime and Corruption Commission of Queensland, the Corruption and Crime Commission and the Independent Commissioner Against Corruption.
Following alarm in the media about the effect this legislation could have on the confidentiality of its sources, the Government secured Labor support for the Bill by agreeing to a warrant system, whereby requests for surveillance data about journalists must be approved by a “Public Interest Advocate.”
“This is still a process that’s going to be conducted in secret. The Public Interest Advocate as I understand it will be lawyers granted security access, so essentially, people approved by the Government to make decisions about the Government getting access to a journalist’s data.”
So what can be collected?
The new law covers the collection of metadata, rather than the actual content of messages, calls, and browsing history. The metadata collected includes:
- Incoming caller identification
- Outgoing caller identification
- The date, time and duration of a phone call
- The location of the device from which it was made
- The unique identifier number assigned to a particular mobile phone
- The email address from which an email is sent
- The time, date and recipients of emails
- The size of any attachment sent with emails and their file formats
- Account details held by the Internet Service Provider (ISP) such as whether or not the account has been activated or suspended
Governments and surveillance organizations are always keen to downplay the significance of collecting ‘only’ metadata, but if it is so harmless, then the question has to be asked: why are they so keen to obtain it by any means necessary?
“Metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.”
Given the huge invasion of our privacy that bulk collection of metadata represents, there is very little evidence that it is effective in protecting us, as is claimed by those trying to justify such an intrusion into our basic civil rights. A 2014 report by the New America Foundation think-tank found that,
“Surveillance of American phone metadata has had no discernible impact on preventing acts of terrorism and only the most marginal of impacts on preventing terrorist related activity.”
Even ex-NSA Gen. Keith B. Alexander has admitted that mass spying on citizens’ metadata has failed to produce any tangible results.
Thanks largely to the Australian Government’s inability to enforce the new laws on uncooperative international companies, users of services such as Skype, Gmail, and Facebook Messenger are effectively exempted from metadata collection.
How much will it cost?
In its initial assessment of how much the metadata retention scheme would cost, a cross-party committee set up by the government estimated an initial upfront cost of $188.8 million to $319.1 million AUD (approx. $137.5 million to $232.6 million USD).
Unsurprisingly, the Government is keen to emphasize the lower figure, and has pledged $131 million AUD “to assist the telecommunications industry to upgrade its systems to implement the Government’s metadata retention policy.”
Equally unsurprisingly (especially given the government committee’s own report), many fear that the costs will be much higher, and that this will inevitably be passed on to Australian consumers. As Laurie Patton, CEO of online rights group Internet Australia, notes,
“The Government’s budgeted amount of $128 million is clearly well below the likely total costs for the industry. This means that consumers will eventually pay more in Internet access fees. It is extraordinary that an Act of this complexity is due to come into effect before anyone knows how much they will receive to cover their costs of compliance.”
How can I protect myself?
As already noted, users of international services such as Gmail, Skype, and Facebook Messenger will not be spied on by the Australian Government (although Google, Facebook and the like do a great deal of their own spying for commercial purposes and, at least historically, have been quite cosy with the NSA).
Better tools include:
Phone and text
All conventional phone and SMS message metadata is now collected, so to avoid this you should instead communicate via encrypted chat and VoIP. For maximum security we favor TextSecure/RedPhone/Signal, but WhatsApp is much more popular, so your friends and family are much more likely to actually use it.
Despite being owned by Facebook, WhatsApp uses end-to-end encryption (based on, but not compatible with, the encryption used for TextSecure, in fact) and is therefore pretty secure.
You should always regard email as fundamentally insecure. Services such as ProtonMail and Tutanota are much more secure than something such as Gmail, and should help protect you against blanket surveillance (by any government), but are no protection against a targeted attack.
Internet providers (ISPs) are not required by the new law to collect browsing history (although they commonly do so anyway), but are required to collect a lot of data when you use the internet, such as what time you connect, how long for, etc.
By far the most effective way to prevent your web activity being spied upon is to use a good VPN service, as this encrypts all communications between your computer (or smart phone etc.) and the VPN provider’s servers.
This means that your ISP (and therefore the government, unless it targets you specifically) cannot know what you get up to on the internet. It also prevents anyone watching on the internet from knowing your true IP address, as they will simply see the IP address of your VPN server.
It is unclear at this time whether VPN providers and their servers are subject to the new Data Retention Bill, but to be on the safe side we strongly suggest choosing a provider that is not subject to Australian laws, and using a VPN server located outside Australia.
The VPN providers listed in our article on 5 Best VPNs for Australia are all good options for protecting against surveillance by the Australian government, but those also wanting to evade surveillance by the NSA might want to consider BolehVPN or IronSocket (both of which are located in non-Five Eyes countries and run servers out of Hong Kong).