Australia's cops and spooks want to increase the time for which telcos must retain customer communications data from the current minimum of two years to as much as seven years. But should they get what they want?

In last Friday's hearing of the Parliamentary Joint Committee on Intelligence and Security (PJCIS), agencies were hit with this question of social license.

Will citizens continue to accept that the powers being granted are appropriate given the trade-offs and risks involved?

As noted when PJCIS savaged the Department of Home Affairs, mandatory data retention was sold on the basis of a strictly limited number of agencies fighting the worst crimes of all -- terrorism, child abuse, and transnational organised criminals.

But as we now know, metadata is still being made available to agencies such as local governments, even non-government organisations like the RSPCA and the Victorian Institute of Education, and for much tamer offences.

Labor's Anthony Byrne wondered whether, say, the Australian Security and Intelligence Organisation (ASIO) was concerned that extending the powers so widely, and so questionably, undermined ASIO's social license to access that information.

"I do share that concern," said ASIO director-general Mike Burgess.

"It's really a matter for those agencies who are seeking the lawful access to justify. But without that, yes, it would undermine the public trust in why the parliament gives laws like this and why we need them. Totally agree with that point."

Law enforcement and intelligence agencies need to justify their powers too, but sometimes it feels like there's a bit too much hand-waving.

They point to specific case studies where more powers such as longer data retention would have been useful, or even more than useful, but is "useful" sufficient?

There's also the oft-repeated claim that what they're asking for is simply the digital equivalent of what they've had before.

Australian Federal Police (AFP) deputy commissioner Karl Kent told PJCIS that mandatory data retention represented "the maintenance of our long-standing investigative capabilities". But isn't it more than that?

As for the lingering powers under section 280 and section 313 of the Telecommunications Act 1997, apparently they're OK just because they're there.

"These are quite long-standing provisions, and ... they pre-dated the data retention arrangements," said Jennifer McNeil, first assistant secretary of the Communications Infrastructure Division of the Department of Infrastructure, Transport, Regional Development and Communications.

"There's nothing new in this, and it's entirely appropriate for there to be a mechanism by which the cooperation of carriers and carriage service providers can be secured."

Having a mechanism is certainly appropriate, but as Shadow Minister for Home Affairs, Senator Kristina Keneally said, things have changed.

"We've essentially made it a lot easier for the long-standing provisions for those types of bodies to access quite a significant set of data," Keneally said.

"So we're seeking to understand why organisations, or what types of offences, or what types of activities are they investigating."

Exactly, dear government departments, this is a review. That means looking at whether the laws need changing, even the old ones. Powers shouldn't always get to be ratcheted up without some others getting ratcheted down.

It's worth mentioning again that last month we saw a key watchdog, the Independent National Security Legislation Monitor (INSLM), propose closer oversight of the much-discussed encryption laws.

Like clockwork, Home Affairs pushed back.

And then there's the matter of Clearview AI

Last week, it was revealed that controversial facial recognition company Clearview AI had suffered a data breach. Among all the personal data was its entire client list.

It turns out that AFP plus police forces in Queensland, Victoria, and South Australia have dozens of registered accounts with Clearview AI. Between them they've run more than 1,000 searches.

Now PJCIS has only just completed a review of a proposal for a national facial recognition system. They sent the draft legislation back for further work. That reworked legislation has yet to be presented to Parliament.

Given that, Shadow Attorney-General Mark Dreyfus had a simple question.

Dreyfus: Does the AFP use this technology?

Kent: I'm aware, I've asked that question today off the back of media reporting myself, and to give you a fulsome answer I'd like to take that on notice until I've clarified the information.

Dreyfus: The media report says that the AFP has rejected several Freedom of Information requests in relation to Clearview AI. Do you know why those requests have been rejected?

Kent: I have had advice from my legal team who have advised me that they need to do some further digging, given the media reporting and the matters raised in that article, or those articles.

Dreyfus: You'll appreciate the concern in this committee that in the absence of an existing legal framework in Australia, the thought that such facial recognition technology was being used by the Australian Federal Police would be a concern. So we would like to take that on notice.

Kent: Yes, I'd like to take that on notice.

One wonders why a police service would need to consult its legal team before answering such a simple yes or no question.

This caginess is yet another reason to wonder whether the agencies still have their social license. At the very least, the question needs to be asked.
