Are you surprised? We are not. The cracks showing up in the new law mandating data retention by ISPs demonstrate how it can be used for corporate interests.
As we foreshadowed, a new law requiring mandatory data retention by ISPs was introduced into the Australian federal parliament at the beginning of this month. In the few days since then, there have been claims and counter-claims about whether data obtained under the new law would be limited to use in fighting major crimes (such as terrorism, as the government originally claimed), or if it could be used to target citizens who download and share files online.
The current party line, from flip-flopping Attorney-General George Brandis (whom some may remember from this train-wreck interview in which he attempted to define “metadata”), is that the new laws “can't be and they won't be” used to prosecute file sharers, because copyright infringement is only a civil offense.
But the cracks in the line appeared quicker than expected. First, in August, Tony Abbott admitted in a television interview that requiring internet service providers to retain data on their customers' activity was not just about anti-terrorism and national security but could be used to fight "general crime". Then came the second warning. When Australian Federal Police commissioner Andrew Colvin was asked whether data retention could be used to police copyright infringement, he responded:
“Absolutely, I mean any interface, any connection somebody has over the internet, we need to be able to identify the parties to that connection ... So illegal downloads, piracy ... cyber-crimes, cyber-security, all these matters and our ability to investigate them is absolutely pinned to our ability to retrieve and use metadata”.
History tends to repeat itself
It seems that down under there is a wide range of criminal offenses defined under Australia's copyright law, including penalties for sharing copyright works on (what is loosely defined as) a commercial scale, and penalties for breaking DRM—both of which result from Australia's 2005 free trade agreement with the United States, and are likely to be replicated and perhaps toughened in the Trans-Pacific Partnership.
Moreover, as Minister for Communications, Malcolm Turnbull, has admitted, once the data has been collected and is being retained by an ISP, there is nothing to prevent a civil court from allowing access to that data to other parties, for purposes other than those the government intended. This might, for example, include a movie studio suing an ISP for release of retained customer data to support lawsuits or shakedown claims against those customers. (By no coincidence, exactly such a lawsuit is currently underway.)
The only solution is the obvious one—not to require the collection and retention of the data in the first place.
If data stored under a compulsory mandate can be misused for extraneous purposes, history tells us that it will be. This lesson lies behind the adoption of data minimization as a key principle of modern data protection law—a lesson that Australia's lawmakers seem to have forgotten. If even the government itself can't give a clear account of what metadata will be collected and whether or not it will be used in enforcing copyright laws, why should ordinary Internet users have any faith that their collected data won't be misused in practice? Better yet, don’t wait for your government to do this and that; just protect yourself here.