news The Parliament’s Joint Committee on Law Enforcement has recommended the Australian Taxation Office be added to the list of agencies able to access data retention under Australia’s new data retention legislation, as part of a report that also recommended other technological measures to curb financial crime.

The data retention legislation restricted the type of departments and agencies which would be able to access the stored data to ‘criminal law enforcement agencies’. This included police and related agencies, but locked out a variety of other agencies such as the ATO who had previously been able to access data stored by telcos such as Telstra, Optus, Vodafone and so on.

However, the list of agencies who can access data stored by telcos under the new legislation has already started increasing. The Australian Border Force Bill passed in May added the new Australian Border Force agency to the list. And yesterday, the Joint Committee on Law Enforcement published a new report recommending the ATO also be given access to all Australians’ retained data.

The Committee is a long-standing one and is dominated by the Coalition and Labor, with Liberal Democrat Senator David Leyonhjelm being the only crossbench member.

Yesterday the Committee published its report of its inquiry into financial-related crime, which has been running over the past year. The report mainly deals with law enforcement arrangements to support tracking and dealing with financial crime. However, it contains several recommendations which will be of interest to the technology sector.

The Committee’s third recommendation, for example, is that “subject to appropriate safeguards including adequate privacy and oversight arrangements,” the Government designate the ATO as a ‘criminal law enforcement agency’ under the Telecommunications (Interception and Access) Act, which would give the ATO access to the data retention powers.

The Committee stated that the purpose of this move would be to protect public finances from serious criminal activities such as major tax fraud.

The Committee also recommended that the Australian Securities and Investments Commission consider and implement mechanisms to make its response to Internet-based financial-related crimes “far more expeditious”, and that the national audit office conduct a performance audit of ASIC’s technological capacity, and provide a report to Parliament on the issue.

Beefed-up powers for the Australian Transaction Reports and Analysis Centre — which tracks transactions in Australia — were also recommended.

Perhaps controversially, the report also recommended that financial institutions which issued debit and credit cards create an “opt-in” function that would require customers to consent to contactless payment technology features being activated on their cards.

The Greens have previously spoken out about the possibility for the data retention legislation to expand in scope.

“[Attorney-General] Senator Brandis made a great show of narrowing the range of agencies that would be able to access this collected material,” Greens Senator and Communications Spokesperson Scott Ludlam said in the Senate when the Australian Border Force was added to the scheme.

“And here we are in parliament, on the very next sitting week after that mandatory data retention bill passed, and the first example of scope creep lies on the table today. Of course, the Australian Border Force wants to be able to scrape people’s home and email records and find out who they have been talking to and where they were.”

“This is the first instance of scope creep. It gives me absolutely no pleasure to say ‘we told you so’, but we did; we said at the time of the data retention debate that the bill has scope creep written into it.”

opinion/analysis

There is a great deal that is sensible in the Joint Committee on Law Enforcement’s report on financial crime. The Committee took a greal deal of evidence from many parties, as is usual doing any parliamentary inquiry, and some very interesting aspects of this shadowy branch of the financial system were brought to light. I commend the Committee on its report, which makes for very interesting reading.

Some of the recommendations made by the Committee are very sensible — I don’t think anyone has a problem with the Reserve Bank or the Australian Federal Police being given extra powers to track counterfeiting, for example.

And the review of ASIC’s technological capability is also timely. The agency’s incompetence in this area — which resulted in the accidental blocking of hundreds of thousands of websites through the Section 313 power — is well known. I hope that review goes ahead.

However, I must note that I am disturbed by the bipartisan recommendations that the ATO be given data retention access, and that some kind of ‘opt-in’ mechanism be added to contactless credit and debit cards.

The ink on the Data Retention legislation is barely dry. This legislation went through a torturous process as it progressed through the Parliament, and the ATO and other agencies had a very ample chance to have their say about it. They did so — at length — and both major sides of politics largely rejected the agency’s arguments, constraining data retention access more tightly, to criminal law enforcement agencies.

Now it appears that the ATO has been a bit more convincing, and Labor and the Coalition have been persuaded by its case for access to the data retention powers.

To my mind, this is not good enough. The data retention legislation has not yet had time to start functioning — many telcos have not yet implemented their plans to meet the requirements of the legislation. We don’t know how well the bill will yet work. The Joint Committee on Law Enforcement should not be seeking to change the scope of the legislation at this point.

The opt-in recommendation on contactless cards (payWave and PayPass) is also a poor one. This technology has been a huge boon to Australians, cutting huge swathes of time and effort out of payments. It functions well and already has effective security restrictions around how it can be used. There is no momentum or need to modify Australia’s approach to contactless cards at this point, and few serious security risks.

I am disappointed that the Committee has caved into the demands of law enforcement agencies on this front, and is seeking to curtail the rapid expansion of an extremely useful and quite harmless technology in Australia’s banking sector.