Scott Ludlam exposes raft of ways to circumvent data retention

While the Government wants Australian telcos and ISPs to store metadata, Senator Scott Ludlam has pointed out the vast array of common services Australians could use to skirt around data retention laws.

Claire Reilly Former Principal Video Producer
Claire Reilly was a video host, journalist and producer covering all things space, futurism, science and culture. Whether she's covering breaking news, explaining complex science topics or exploring the weirder sides of tech culture, Claire gets to the heart of why technology matters to everyone. She's been a regular commentator on broadcast news, and in her spare time, she's a cabaret enthusiast, Simpsons aficionado and closet country music lover. She originally hails from Sydney but now calls San Francisco home.
Expertise Space | Futurism | Robotics | Tech Culture | Science and Sci-Tech Credentials
  • Webby Award Winner (Best Video Host, 2021), Webby Nominee (Podcasts, 2021), Gold Telly (Documentary Series, 2021), Silver Telly (Video Writing, 2021), W3 Award (Best Host, 2020), Australian IT Journalism Awards (Best Journalist, Best News Journalist 2017)
Claire Reilly
4 min read

Senator Scott Ludlam has questioned the Government on the effectiveness of data retention. Image by CeBIT Australia, CC BY 2.0

Greens Senator Scott Ludlam has grilled the Government on its proposed Data Retention Bill, exposing the vast number of services that Australians would be able to use to prevent their online metadata from being stored.

While questioning the Attorney-General's Department during a Senate Hearing on the Bill, Senator Ludlam effectively compiled a list of ways Australians could circumvent data retention laws, including using public or library Wi-Fi, messaging via Twitter and Facebook, and even using Gmail to protect their privacy.

A representative of the Attorney-General's Department, Anna Harmer, said the Government's proposed data retention laws included exemptions for services that are provided in a "same place" or for an "immediate circle". These could include public Wi-Fi on a train or in a cafe or public library, or internal networks set up at offices and universities.

Harmer said that while the ISP offering the service to the public place would retain some information (such as details on the cafe or the period that a library had a service) "there is no obligation on behalf of the hypothetical university, coffee shop, public institution that may be providing its Wi-Fi services...to record the individual use of that service by the individual people who come into their premises".

In response, Senator Ludlam grilled the Attorney-General's Department on just how effective a data retention scheme could be if certain services were excluded.

"What that tells to me is that if you want to avoid the national data retention regime that you're seeking to impose, you use the internet at a library or come to parliament house or go to a free council hotspot or use public transport," he said.

In addition to Australians seeking out places where their traffic would not be monitored, Ludlam suggested that many Australians could inadvertently skirt data retention legislation by using so-called "over-the-top" services such as Twitter direct messages, the Facebook Messenger app or even web-based email services such as Gmail.

Pointing to the legislation, Ludlam noted that only Australian telcos and ISPs "operating in Australia" would be required to store metadata, while overseas carriage service providers would not be subject to the same data retention obligations.

The Attorney-General's Department conceded that these overseas operators, including Gmail, "would not fall within the obligation" of data retention. This reiterated the point made in the Department's 107-page submission to the Parliamentary inquiry into data retention, which stipulated only Australian service providers would need to retain data for their own web services.

Ludlam's response was swift.

So if my email account is an @iinet.net.au address, it will be within scope. And if my email address is an @gmail.com, it'll be out of scope. So all I need to do to avoid mandatory data retention is just to take a webmail service...

Why is it more complex than that? If I use a cloud hosting provider or G Chat [Google's web-based chat], or something like that, I won't be caught. If I use an iiNet or an Internode address, I will be caught...

Are you trying to drive people away from Australian service providers?

Beyond those using legitimate webmail clients and social media services, Ludlam also suggested there would emerge a "whole separate category of people" attempting to skirt data retention legislation, either "innocently or otherwise", by masking their online activity by using Tor or a VPN.

In response, the Deputy Secretary of National Security and Criminal Justice at the Attorney-General's Department, Katherine Jones, pointed to studies showing that some "offenders" are beginning to use encryption to skirt the law, adding that "the bill is focused on people engaging in criminal activity".

However, Ludlam rejected Jones' use of the term "offenders" and contested her assertion that data retention legislation would only affect criminals.

"It's rolled across the entire Australian population -- that's why people are so pissed off about it," he said. "It's not targeted or discriminate at all. It's engaged at everybody."

Ludlam's comments have been echoed by Law Institute of Victoria President Katie Miller, who said the Federal Government has "failed to demonstrate that mandatory data retention is in the public interest or necessary" and that the proposed scheme has many flaws.

"Rather than creating a scheme that targets offenders and would be terrorists, this scheme targets every user of a phone or the internet in Australia," she said.

"The result is a scheme that will unreasonably intrude on individual privacy with no guarantees that it will achieve the objectives of law enforcement agencies, because there are too many gaps in the scheme to be effective at preventing, detecting and prosecuting serious crime and terrorism."

Updated on February 4 at 11:30 a.m. AEDT to include comments from the Law Institute of Victoria.