09 October 2012


From Malcolm Turnbull's 2012 Alfred Deakin Lecture -
this issue of privacy is central to any discussion of liberty. In our society attempts to introduce a general law of privacy, that would for example prevent the publication of material which relate to a person’s private life and which are unrelated to their fitness for a public office or position, have always foundered. We have preferred to set the balance in favour of free speech and a free press and there is little or no restraint on the publication of private material, be they nude pictures or salacious text messages, other than the restraint and decency of would be publishers.
But rather than re-opening that particular can of worms, let us consider whether there should be any limits to the ability of third parties to retain information about us.
For how long should there be a record of our web browsing? Or of our emails? If we choose to delete our browsing history or emails or tweets or Facebook entries – should they not be deleted everywhere and not just on our own computer?
As a matter of principle I believe the answer must be yes – if I am lawfully entitled to burn copies of the letters I have written to you and the letters you have sent me in return, why can I not do the same to my emails. If I can throw my diary and my photo album in the bin, why can I not delete my Facebook page?
Well I can, can’t I?
But is a deleted email really deleted? How do we know the web page we thought we had deleted has not been cached somewhere. How can we be sure the embarrassing photo has not been copied, the stupid blog post or tweet captured in a screen shot.
Put another way, if we have the right to record something, and it is of a private quality unlike company or financial records which must be retained, should we not have the right to delete it?
And how far should a right to delete go? Just like we cannot delete an email or a letter we have sent to someone else, how can we delete the photograph we posted on line which was then copied by another? How can we have a right to be digitally forgotten without impinging on others’ right of free speech?
This issue has been brought into sharp focus by the Attorney-General’s vague but at face value far-reaching plan to expand data interception, mandatory data retention, and government access to private digital information.
And the most striking proposed expansion of government power over private data is the least clearly explained. These are amendments which provide for what is described as: “tailored data retention periods for up to 2 years for parts of a data set, with specific timeframes taking into account agency priorities, and privacy and cost impacts.”&
Internet companies will apparently be required to store parts of everyone’s data, although there is no clarity as to which material will be kept or why.
In fact there is little clarity; period. A recent letter from Nicola Roxon to the Herald-Sun bemoaning its coverage of the data retention issue provided more information about this measure than a 61-page discussion paper released by her department.
While the purported intent is that only metadata – data about data – will be available to law enforcement, security and intelligence agencies, there is no explanation of how metadata will be distinguished from data (the two are often commingled, as in the ‘subject’ line of emails), why both would not be readily available once a message has been handed over and decrypted, and indeed how readily in an IP world it is possible to keep a record of the time, date, size, sender, receiver and possibly subject of an email without also retaining the contents.
Nor has there been an explanation of what costs and benefits have been estimated for this sweeping and intrusive new power, how these were arrived at, what (if any) cost was ascribed to its chilling effect on free speech, and whether any gains in national security or law enforcement asserted as justification for the changes will be monitored and verified should they be enacted.
ASIO’s submission to the parliamentary inquiry considering the discussion paper argues that the type of information it seeks is not very different from what it has hitherto been able to obtain from telcos who retain details of telephone calls (but not the content) for the purpose of billing. In an IP world where charging is done on the basis of total bandwidth utilization, ASIO argues these details are not required by the telcos or web companies and so they can be deleted.
The German Federal Constitutional Court has recently struck down a similar data retention law noting that “meta-data” may be used to draw conclusions about not simply the content of the messages, but the social and political affiliations, personal preferences, inclinations and weaknesses of the individual concerned.
Leaving aside the central issue of the right to privacy, there are formidable practical objections. The carriers, including Telstra, have argued that the cost of complying with a new data retention regime would be very considerable with the consequence of higher charges for their customers.
And what is to happen with data stored offshore? Google hosts much, if not most, of the relevant data for Australians. But none of it is hosted in Australia. Much of our voice and video calls occur now over IP services, like Skype or Google Chat. Is their customer metadata stored in Australia? Almost certainly not.
Google currently permanently deletes emails or Youtube videos from their server once the customer deletes it. Search logs are rendered anonymous after nine months. It would be utterly impractical, and possibly unlawful, for Google to discriminate against customers from Australia and treat them differently from any others.
And finally – why do we imagine that the criminals of the greatest concern to our security agencies will not be able to use any of numerous available means to anonymise their communications or indeed choose new services that are not captured by legislated data retention rules?
Without wanting to pre-empt the conclusions of the Parliamentary Committee, I must record my very grave misgivings about the proposal. It seems to be heading in precisely the wrong direction. Surely as we reflect on the consequences of the digital shift from a default of forgetting to one of perpetual memory we should be seeking to restore as far as possible the individual’s right not simply to their privacy but to having the right to delete that which they have created in the same way as can be done in the analogue world.