Fears Coalition's encryption cracking laws could expand metadata retention


The Coalition’s encryption cracking legislation could expand the reach of metadata retention laws, the peak communications industry body has warned.

The Communications Alliance has told a parliamentary inquiry that the bill appears to give law enforcement agencies the power to require tech giants like Facebook and Google’s Gmail to retain users’ metadata, including browsing histories.

The Communications Alliance has revealed that at least 80 government agencies, including several local governments, have requested metadata from its members, using a backdoor in legislation despite an apparent limitation in Australia’s metadata laws nominating just 20 agencies with that power.

The parliamentary joint committee on intelligence and security is currently examining the telecommunications (assistance and access) bill, which contains powers to require tech companies to build new capabilities or provide technical assistance to law enforcement agencies’ surveillance activities, such as breaking encryption.

The bill contains a limitation that “technical capability notices” cannot require “designated communications providers” to retain metadata where Australia’s controversial metadata retention laws – which passed in 2015 – apply.

Christiane Gillespie-Jones, the director of program management at the Communications Alliance, told the hearing on Friday that this limitation did not prevent law enforcement agencies issuing a “technical assistance notice”, which is “wide enough” to require modification of software to retain metadata.

The shadow attorney general, Mark Dreyfus, asked whether the new bill would allow requests for forms of metadata currently excluded from the metadata retention law, such as browsing history.

“At the moment I don’t see anything that would stand in the way of agencies requesting that because it sits outside the data retention regime but inside the powers of what I think this law would potentially allow an agency to do,” Gillespie-Jones replied.

Dreyfus then asked if technical capability notices for metadata could be issued to companies which are not “designated communications providers” to which the metadata law applies, such as “over-the-top providers like Gmail or Facebook”.

“I would say so, yes,” Gillespie-Jones replied. She called for greater attention to the way the encryption cracking bill interacts with the existing metadata retention regime.

Australia’s metadata retention law contains a list of 20 agencies that are permitted to request metadata, but the Communications Alliance has warned that a separate section in the Telecommunications Act has allowed agencies to use their own powers to seek metadata.

That section permits “disclosure or use of information or a document if … the disclosure or use is required or authorised by or under law”.

In a supplementary submission the Communications Alliance has alerted the committee to 80 agencies that have requested metadata from its members.

The non-exhaustive list includes: city councils in Bankstown, Brisbane, Fairfield and Rockdale; Australian Border Force; Centrelink; various federal departments including industry and agriculture; the Fair Work Building and Construction Commission; New South Wales’s Family and Community Services; primary industries departments in four states; anti-corruption bodies; the Taxi Services Commission; and Racing Integrity Victoria.

The Communications Alliance chief executive, John Stanton, stressed that not all requests were necessarily complied with but warned small internet service providers and telcos may not have legal expertise to discern if the requests were within the agencies’ power.

Stanton had said that while the Coalition government had “[extolled] the virtue” of the reduction of agencies that could access metadata in the legislation, the “opposite had occurred” as the result of an “unintended consequence”.

“I hesitate to call the situation a backdoor but it’s certainly a way in that’s been used by many entities.”

Australia’s metadata law is due to be reviewed in 2019.

Following Melbourne’s Bourke Street terrorist attack, the home affairs minister, Peter Dutton, has called on Labor to pass the encryption bill. The opposition has committed to scrutinise the bill and maintain bipartisanship on national security.