Privacy issues with tower dumps and unspecific collection of data

July 8, 2014 |

The New South Wales Police Commissioner recently raised the hoary old chestnut that we face a a stark and of course immutable dichotomy – privacy or security.  That is captured in the Sydney Morning Herald Article Time to trade privacy for safety, says NSW Police Commissioner. The context is the police and security services demands, if not obsession with expanded data retention laws.  The starting point is that it is not logical.  There can be both privacy and security.  It is not one or the other.  It would be wrong to only critisise the police for this utterly wrong headed nonsensical simplifying of what is a far more complex and important issue.  Prime Minister Gillard was equally foolish in November last year as reported in  Privacy or protection? You can’t have it both ways, says Julia Gillard.  Whatever her legacy may be, this was to use and abuse a Churchillian phrase, not her finest hour.  Silly really.

The issue of widespread data collection by law enforcement which has the effect of obtaining information from those who are not the subject of investigation is highlighted in the article Police scoop up data on thousands in mobile phone ‘tower dumps’ to track down criminals.  It is heavy handed hoovering up of metadata with a view of sifting through the chaff until a grain or more is found.  The problem is that the chaff is information belonging to innocent bystanders.  As the US Supreme Court has recently found data on or from a found can provide as much or more information about a person’s private life as a search warrant of their place would reveal. It is a worrying development, if not abuse, that should generate legislative concern.

The article provides:

Australian federal and state police are ordering phone providers to hand over personal information about thousands of mobile phone users, whether they are targets of an investigation or not.

Fairfax Media has confirmed Australian law-enforcement agencies are using a technique known as a “tower dump”, which gives police data about the identity, activity and location of any phone that connects to targeted cell towers over a set span of time, generally an hour or two.

A typical dump covers multiple towers, and mobile providers, and can net information about thousands of mobile phones.

The dumps are usually used in circumstances when police have few leads and can be a useful, powerful tool in tracking down criminals. But privacy advocates say that while they may be helpful to police, they also target thousands of innocent people and don’t have any judicial oversight.

In addition to no warrant being required to request a tower dump containing the mobile phone data of thousands of people to track down one or more criminals involved in a crime, privacy advocates also question what is being done to the data collected once an investigation is complete.

USA Today initially reported how US law-enforcement agencies were using the tower dump tactic earlier this year.

NSW Police, Victoria Police and the Australian Federal Police all declined to comment.

But Fairfax Media has been able to confirm that “tower dumps” were an investigation tool often used by NSW Police.

A NSW Police spokesman said it would “not comment” on its “operational capabilities”.

Victoria Police wouldn’t discuss tower dumps either, saying it did not comment on “police methodology”.

And the Australian Federal Police also said it would not comment on its “technical capabilities”.

Some phone companies receiving the requests, however, admitted that tower dumps occurred.

“On occasion mobile network operators receive requests from Australian law-enforcement agencies to provide communications information from a specific tower,” a Vodafone spokeswoman told Fairfax. “These requests usually cover short periods and the information provided is only metadata.”

Metadata is information about the time, duration and destination of calls but not their content. Metadata can also include location data about a mobile phone, even when it’s not on a call.

Telstra wouldn’t say whether it received tower dump requests but believed they were lawful.

“A request for non-content information on the use of a particular tower during a specified period of time may be lawful under certain circumstances,” a Telstra spokeswoman said.

Meanwhile, Optus would not comment on the tower dump practice at all, saying instead that it assisted “law-enforcement and national security agencies as required in the legislation…”

Greens Party spokesman for communications, Scott Ludlam, said this was the first time the practice of tower dumps had been confirmed to occur in Australia.

“It’s another example where [agencies] are collecting the entire haystack in order to find the needle,” Senator Ludlam said in an interview with Fairfax.

“What we’ve seen with other techniques like this is there is no requirement to destroy the material that is collected incidentally after an investigation is complete,” Senator Ludlam said.

He added that he would like to see more transparency around what type of crime needed to be committed in order for tower dumps to occur.

“What we need is transparency as to what’s being done and who is doing it,” he said. “Ultimately I think we need a lawful warranting process to start to apply to [requests for data] like this.”

Although the Attorney-General’s Department releases a once-a-year report detailing how many requests are made to telecommunications companies for metadata in Australia, it’s unclear whether a tower dump is counted as one metadata request or otherwise.

Considering thousands of users are affected by tower dumps, Ludlam argues that they should count for the number of those who are affected.

Around 330,000 requests for metadata were made by law-enforcement agencies in 2012-13, according to the latest report published by the Attorney-General’s Department.

 This and other surveillance developments prompted an editorial in today’s Age titled Checks needed on all the data scooping.  It is timely.  The privacy implications are clear and the oversight is lacking.  Giving a range of bodies, starting with police but extending down to local councils power to demand phone companies’ metadata without proper scrutiny is setting the scene for abusive behaviour in the future.  Instead of reaching for such data as a last resort it becomes a first resort.  It is potentially appallingly privacy intrusive with no effective balancing act being put in place.  It is unfair on phone companies to respond to ever increasing demands.  It has reputational consequences.  In the United States companies such as Google are publicising the demands on data made by governmental agencies.  Co operating is one thing, being forced to respond to demands which cut across the trust factor that users have in a phone company, ISP, browser etc.. is another.  As with much of privacy related regulation in Australia the law is lagging far behind the technological developments.

The editorial provides:

While debate continues to rage in the United States about government surveillance of telecommunications data, matched in Britain, Germany and elsewhere, there is near-silence or complacency about the issue in Australia. Yet the incidence of data intercepts in this country, when measured on a per capita basis, far exceeds what is going on in most other countries. We are among the most surveilled people in the world.

Every day, telecommunications providers are handing law enforcement, security agencies and other regulators masses of data about our phone calls. Information about who we called, when we called and where we were at the time can be obtained on demand by an array of agencies without so much as a warrant. There is no judicial oversight and no transparency about which other agencies might use the information, or where it might end up.

Should we be worried? Or should we accept the assurances of law enforcement authorities and other agencies that they are scrupulous in how they handle this information? It is an important issue, because it is through increments that we lose important rights. Sometimes they disappear before we are fully cognisant of the inherent value of such rights.

While there may be excellent reasons for the authorities to want access to data about the phone records of criminals, there are legitimate concerns about those authorities scooping up information about other entirely innocent and unassociated people – and therein lies the tension between preserving personal rights and ceding them for the public good.

In examining potential changes to the Telecommunications Act, a Senate committee headed by Greens senator Scott Ludlam is trying to discover how much officially sanctioned data surveillance is being done, and to what extent it is being passed to agencies overseas.

It is not only police and crime investigation agencies that can request phone companies’ metadata. Customs, the Australian Securities and Investments Commission, Australian Competition and Consumer Commission, the Tax Office, Department of Human Services, Immigration Department and local councils can, without needing to provide a warrant, request personal information about millions of phone users. So, too, can Centrelink, the RSPCA, Medicare and the Civil Aviation Safety Authority.

Yet no single authority monitors the validity of such requests. Nor, for that matter, is there anyone (other than a state-based commissioner in Queensland) vested with looking after the interests of the public. Figures released in December by the Attorney-General’s Department show there were 330,640 data requests by government authorities in 2012-13, up 13 per cent from 2011-12.

Many questions arise. What safeguards are in place to ensure authorities do not abuse their power? How is the information stored? Who has access to it? How long is it retained? What are the thresholds for seeking such an authorisation? Are those thresholds proportionate to the potential threat posed by the person?

We believe the level of requests in Australia justifies a more stringent regime, including a public interest commissioner to monitor data surveillance requests. The UK Interception of Communications Commissioner has said that, in his view, as long as a person does not associate with potential terrorists or criminals then he or she ”can be assured that none of the interception agencies … has the slightest interest” in examining their phone or internet activities.

Assuming, as we do, that Australia is not a festering outpost of potential criminals, then it has to be asked if our authorities are too fast and loose with their requests to scoop up data. Unless we begin to understand what is happening in this area, we will not be able to recognise the point at which all this data collection has gone too far.

It is a prescient piece which should be heeded and acted upon.

One Response to “Privacy issues with tower dumps and unspecific collection of data”

  1. Privacy issues with tower dumps and unspecific collection of data | Australian Law Blogs

    […] Privacy issues with tower dumps and unspecific collection of data […]

Leave a Reply