Essay / by Gabby Shailer
These essays are original pieces written in the lead-up to The Privacy Workshop.
In August 2014, the National Security Commission agreed to expand the mandatory data retention scheme (the scheme) to two years. The reason cited for the expansion was the continued need to protect the Australian Commonwealth from the threat of “cyber-terrorism” ((Simon Benson, Federal government to keep your mobile and internet data for two years in war on homegrown extremists (5 August 2014) The Daily Telegraph http://www.dailytelegraph.com.au/news/nsw/federal-government-to-keep-your-mobile-and-internet-data-for-two-years-in-war-on-homegrown-extremists/story-fni0cx12-1227013435230)). In the aftermath of the policy change many have questioned if the scheme will provide a greater level of security for the Commonwealth and, if not, is the curtailment of the right to privacy justified.
As it stands, Security and Liberty (Right to Privacy) are politically positioned as two opposing ideas. The Federal Government is continually asking the citizen to accept limitations to privacy on the promise of a stronger sense of security. Ian Hunter from the University of Queensland articulates this idea by conceptualising a “security state” as a reasonable default setting of any liberal democracy. He defines a security state as a kind of temporary uneasiness that is necessary to allow the Executive to control threats to the Commonwealth ((Ian Hunter, The default setting of the liberal state (7 November 2005) Australian Policy Online http://apo.org.au/commentary/default-setting-liberal-state)). The Executive is empowered under the Constitution to take all means necessary to protect the Commonwealth from reasonable threats, even if it means temporarily suspending the enjoyment of rights ((Australian Constitution [Cth], S61)). The question is, is the Australian Executive legitimately exercising its power by establishing the cyber-security state?
There is a popularly accepted idea that an act of terrorism goes beyond the mere criminality of the act. It is the conceptual attack on the way of life of a nation that elevates the action to a threat on the body politic. For example in the aftermath of the September 11 attack, George Bush stated:
“Freedom itself was attacked this morning… and freedom will be defended” ((September 11th – A Memorial Tribute (2011) Founders of America http://www.foundersofamerica.com/sept11_.htm))
It was the attack on the freedom of America that would go on to justify many deaths and extensive destruction.
The High Court of Australia relied on the conceptual notion that terrorism was an attack on the fabric of a nation when it upheld the expansive powers of the anti-terror laws in 2007 ((Thomas v Mowbray  HCA 33)). However, theorists question if the act of “cyber-terrorism” as currently defined by the Criminal Code 1995 (Cth) (the Code) should be distinguished from an act of terrorism based on the same rationale ((SM Furnell and MJ Warren, ‘ Computer Hacking and Cyber Terrorism: The Real Threats in the New Millennium?’  18 Computers & Security, 28.)). Not to say that unauthorised actions within a computer system are not criminal; the question is does the current legislative definition describe an act that is a threat to the Australian Commonwealth. If not why does the Federal Government need my metadata?
By way of example, Section 100.1 (2) f (v) of the Code states that a disruption to essential Government services would constitute a terrorist attack. In 2003, there were several international instances of disruptions to essential power services, none of which made international news. In one example, 50 million households lost power in the United States. The outage was caused by computer faults that could have easily been created by a deliberate action. Despite the scale there was no noted cause of mass panic ((Andrew Jones, ‘Cyber Terrorism: Fact or Fiction’  June Computer Fraud and Security, 4, 4.)). It is difficult to argue that an action would meet the intention requirement to terrorise ((Criminal Code Act 1995  Part 5.3 S100.1 2 (c) )) if there is no panic caused by the act.
At the very least, the example above illustrates the act of terrorism cannot be converted into its computer-based equivalent by jamming the word cyber in anywhere that is deemed plausible. This is an important distinction because Federal Agencies are only empowered to act on cybercrimes that would meet the heightened threshold of a threat towards the Government. We may end up in a situation where the law is so confused by catching provisions (( ‘Cybercrime Legislation Amendment Bill 2011 Explanatory Memorandum’  http://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r4575)) and High Court Precedents ((Momcilovic v The Queen  HCA 34)) that laws are invalidated by each other and acts will go unpunished for administrative reasons.
I would argue that the legislature has erred by not considering the way a disruption to a computer system would be perceived by the population. There are definitely instances where the disruption to a computer system would create an event that would threaten the security of the Commonwealth. But these instances would constitute a small percentage of the possible actions that could fall under the definition of terrorist act in the Code ((Criminal Code Act 1995  Part 5.3 S100.1)).
The scope of the scheme as a policing policy suffers from a lack of foundations provided by the Code. The citizen is constantly assured that expansive intelligence schemes will protect the Commonwealth from the cyber-threat, where our Federal Government is either unable or unwilling to define what that cyber-threat is. The question of proportionality must be considered given the highly intrusive nature of metadata ((Alan Rusbridger and Ewen MacAskill, I, spy: Edward Snowden in exile (19 July 2014) The Guardian http://www.theguardian.com/world/2014/jul/18/-sp-edward-snowden-interview-rusbridger-macaskill)). General Michael Hayden, retired head of the National Security Association went as far as saying “We kill people based on metadata” (( Alex Newman. “We Kill People Based on Metadata,: Admits Former CIA/NSA Boss (13 May 2014) The New American http://www.thenewamerican.com/usnews/crime/item/18244-we-kill-people-based-on-metadata-admits-former-cia-nsa-boss)).
Also of concern is how often metadata is accessed. For example, in 2012-2013 metadata was accessed by the Australian government a total of 319,874 times. This number equates to one access for roughly 67 Australians ((Gillian Lord, Privacy fears as Australian surveillance laws are dragged into the digital era (25 July 2014) The Guardian http://www.theguardian.com/world/2014/jul/26/privacy-fears-australian-surveillance-laws-digital-era)) and is more votes than the Australian Labor Party were able to win at the recent Western Australian Senate Election ((Western Australian Senate Election Results (2014) Australian Electoral Commission http://results.aec.gov.au/17875/Website/External/SenateStateDop-17875-WA.pdf)). The opportunity for abuse is clear.
There are clearly some flaws in cybersecurity policy at a Federal Level. The scheme appears to not be targeted at gaining intelligence related to a realistic notion of what may constitute a computer based threat to the Commonwealth. This is possibly due to the fact that the act of cyber-terrorism is not adequately articulated in the Code. With this in mind questions must be asked: namely, why does the Government need my metadata?
Gabriella Shailer is currently completing her Master of Philosophy in the area of political theory and cyber-security law. Her research is focused on questioning if the current direction of the Cyber-Security policy (specifically the Mandatory Electronic Data Scheme) is consistent with the existing theoretical principles of Social Contract Theory as situated in an Australian Setting.
She has previously completed research papers in Security Law as it relates to the Australian Constitution and the protections afforded to human rights.