The passing of legislation through the Australian parliament that will require telecommunications and Internet service providers to store customer metadata on file for two years has received criticism from civil liberties groups, politicians and cyber security experts. The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015, which was ostensibly introduced to assist police and other agencies to address growing security concerns, including terrorism and other crime, has been criticised for the ‘dragnet’ way that all Australians’ metadata is collected, and the operational effectiveness of the techniques used to fight crime. Critics, such as Senator Scott Ludlam, have pointed out that applications and technology exist that allow criminals to mask their online presence and technological footprint to the extent that this legislation may prove ineffective against highly organised crime or tech-savvy terrorists.
Individuals ranging from the government's own Communications Minister Malcolm Turnbull, to Senator Ludlam and online activists have highlighted ways and means of circumventing this legislation using over-the-counter technology such as certain apps and email servers. The ease of accessibility to this technology calls into question the efficacy of these legislative reforms, and the considerable cost of implementing them, which has been estimated to be at least $300 million.
Attorney-General George Brandis has admitted that the legislation may not be enough to sufficiently target “smart criminals” but nevertheless remains an important source of investigative data. The possibility that this legislation may miss “smart” criminals and terrorist networks, the key targets of this legislation, is concerning as these groups are able to manoeuvre themselves out of the purview of the authorities and in turn go to greater lengths to conceal their identities, online presence and communications.
Under the new laws, overseas-based service such as Gmail, Hotmail, Facebook and Skype will not be included in the collection of metadata, though it is unclear if data from these services will be collected and shared through international agreements such as the Five Eyes Agreement. Corporate and academic networks, such as Wi-Fi hotspots or intranets will also be exempt. There are clear concerns that the legislation, flawed methodology aside, may undermine the competitive advantage of Australian service-providers as they are forced to comply with the laws and the associated costs of implementation and collection - that their overseas counterparts are not held to.
Under the radar; the Deep Net
As more conventional modes of communication and online commerce become increasingly surveilled, there is a fear that advanced criminal networks and terrorist organisations, with the technological capabilities and motivations, will withdraw from online arenas that can be reached by law enforcement agencies. The ‘deep net’ refers, in essence, to the side of the internet where websites cannot be reached by the average internet user. These websites cannot be accessed as they are unindexed, or invisible, and cannot be found on search engines. These anonymising capabilities are especially valuable to criminal syndicates and terrorist networks with tech know-how. These groups are able to access and utilise the deep web by using incognito networks that were originally created to distribute files, browse and set up off-the-grid websites. Deep web sites such as The Silk Road have shown that criminal enterprises have mastered this technology to buy and sell illicit goods in the black marketplace, circumventing all traditional frameworks. There is a real fear that the gaping holes in this legislation, combined with the proliferation of apps, service and non-traditional cyber networks, could mean that the targets of these legislative efforts will become more dangerous through a concerted effort to remain ‘off-the-books’. When using the deep net, the IP address of the user (which denotes location) is hidden. Cyber experts, such as Jacob Thankachen of Cyberoam North America, are concerned that this technology that was created for use by individuals who had genuine need for anonymous Internet usage has been irrevocably taken over by criminals. The difficulty for law enforcement to operate in deep net environments cannot be understated. Even when an IP address can be identified, no easy feat in itself, law enforcement would need to travel through an uncharted maze of communications of proxy servers spread across several countries requiring cooperation from different cyber law frameworks and legal systems. False IP addresses, aliases and powerful encryption are also included in the sophisticated tech basket of deep net criminals.
The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015, which was heralded as an essential tool in the cyber security arsenal of Australian law enforcement agencies, may be enough to deter minor criminals, but it remains to be seen whether this legislation will aid in the fight against major, tech-savvy criminals or terrorists, or to encourage them to use the anonymising technology that is available to persevere with their nefarious motives.
William Read is the Cyber Security Fellow for Young Australians in International Affairs.
Image credit: Perspecsys Photos (Flickr: Creative Commons)