Protecting Online Privacy: An Interview with Digital Rights Watch’s Tim Singleton Norton

The Australian government has been steadily tightening laws regarding the digital environment over the last few decades, frequently in the name of counterterrorism. However, many of these laws have been impacting the civil liberties of all individuals – none more so than the right to privacy.

The right to privacy is enshrined in article 17 of the International Covenant on Civil and Political Rights (ICCPR). Australia is a signatory to the agreement, which means we have committed to uphold the rights contained in the document at the international level.

But at a national level, there’s no bill guaranteeing citizens’ rights under the law. In fact, Australia is the only democratic western country not to have a national bill of rights.

So, as successive governments continue to enact laws providing authorities with greater access to individuals’ private information in the digital realm, it’s difficult for citizens challenge these measures, as there are no legal mechanisms upholding their rights within Australian laws.

The war on encryption

This has been going on for quite a while now. In October 2001, the Cybercrime Act (Cth) inserted section 3LA into the Crimes Act 1914 (Cth).

This enables both federal and state police to apply to a magistrate for an assistance order that requires the owner or user of a computer or smartphone to provide officers with passwords or encryption keys to their device.

Police must establish a reasonable suspicion the device contains or can enable access to evidence relating to a crime. The subject of the order, who’s not required to be suspected of any crime, has to provide any decryption information in order to make data accessible to police.

And the Turnbull government is aiming to undermine the privacy value of encryption even further. Back in July, the prime minister announced proposed new laws that would allow Australian security agencies access to the encrypted data stored by social media and technology companies.

These measures would allow security agents access to personal messages that citizens have been sending via digital communications platforms, like Facebook, WhatsApp and Gmail.

Mass surveillance

On October 5, at the Council of Australian Governments (COAG) meeting, all state and territory leaders agreed to establish the federal government’s proposed National Facial Biometric Matching Capability: another counterterrorism initiative.

The system will provide police with real-time access to a huge database of all citizens driver’s license, passport, citizenship and visa images. It’s claimed the technology will enable officers to match images of a person with those on the database, and thereby instantly identify them.

Mr Turnbull clarified that this technology will not be used on live CCTV footage. But, the COAG agreement outlines that the system will already be used for a wider range of purposes other than the original justification for its use: identifying terrorists.

The facial recognition technology will also be used in the investigation of crimes that have a maximum sentence of three years or more, prevention of identity crime, and community safety, including identification of missing persons.

Upholding digital rights

So, it’s not hard to imagine that the government could enact another law in the future broadening the reach of this mass surveillance system even further.

And that’s where Digital Rights Watch steps in. Established last year, the group aims to maintain Australian citizens’ rights in the digital environment.

Sydney Criminal Lawyers® spoke with Tim Singleton Norton, chair of Digital Rights Watch, about the government’s further encroach upon encryption, the dangers of biometric face matching, and the need to establish a digital bill of rights.

Firstly, Tim, the right to privacy is enshrined in the ICCPR, and this right extends to the digital environment.

Just how far are Australians’ rights to privacy being infringed upon, when it comes to this environment?

The privacy situation here is not good. And it’s actually getting worse. Part of that is because we have the lack of an enforceable human right to privacy.

In Australian domestic law, we don’t actually have those rights. So, when we try and push back on them, there’s nothing to really push back. We have Australia as a signatory to the ICCPR, but it’s never been enshrined in law here.

You have examples within the European Union, where they can actually push back on a rights-based approach. The government doesn’t have to show that here.

Part of the problem that we have seen in the last couple of years, the invasion of privacy has not been pushed by a government that wants necessarily to push a pro-invasion policy. But, they’re doing it under the guise of other things: counterterrorism or to combat crime.

All of those are chipping away at the right to privacy. And it’s very hard to push back without that bill of rights, or that enshrined right for a private citizen.

What do you think the government’s main objectives are as they continue to tighten freedoms in the digital realm?

Look, it is done with the right idea in mind. They are attempting to increase the strength of law enforcement. And we’re not necessarily against that. We want law enforcement to have the tools that they need to combat terrorism and crime, and all of the things they are supposed to do. And increasingly that’s happening in the digital realm.

The problem is: where is the oversight, the accountability and the transparency? That’s being used as an argument. And we’re actually supposed to say, there’s some civil liberties and some freedoms that we will give over, and in return we will get increased security and safety. That has to come with a civic understanding of how that will happen. And who is actually ordering it.

We are seeing time and time again, the legislation just gets pushed through. And it doesn’t have the parliamentary oversight. It barely has judicial oversight. And that’s one of the real worries.

It’s not so much about what they are trying to do. It’s actually the process by which it is rammed through parliament, and then we’re expected to say, “The ends justify the means. Don’t worry about that process. And you don’t need to have civic or judicial input into the process.”

In July, Turnbull announced that in the name of counterterrorism the government is proposing new laws requiring social media and technology companies to allow security agencies access to people’s encrypted messages.

What sort of consequences would these measures have for your average citizen online?

To start with, it is incredibly naive. I would expect better from a prime minister that has a background in technology himself. If it’s not impossible, it would actually break the systems.

Encryption is a part of coding. Encryption is part of how you build these systems. To then say, “Well, we’re going to create back doors. We’re going to give those to government. And they won’t be penetrable by other forces.” It’s ludicrous. There’s a real technological problem there about the stupidity of actually saying that’s what we want.

But, then there’s the moral imperative around the idea that people have a right to use the communication techniques they choose in order to communicate with other people. And they have a right to that privacy.

We have these ideas around our ability to talk to people on the street, or in private, or in our own homes. And then, we’re starting to give over control of those technological means to other people.

That’s the slippery slope. When you start talking about it as encryption, people go, “Oh, that seems reasonable.” But then, when you start actually explaining, “Well, if you give over that encryption, then you give over the privacy of your communications.” And that’s where people go, “Oh, hang on. Why would I need to do that?”

That’s the big problem. And that’s the impact on users that I see. If you start giving over access to encryption as a whole, then of course, why would you need to be encryptioning?

In your capacity as the chair of Digital Rights Watch, you sent a letter to the Australian attorney general’s office in June, outlining your concerns about the federal government’s position on encryption.

What are your main concerns? And how did the attorney general’s office respond?

It was interesting actually. We saw some comments from the Ambassador for Cyber Affairs. He was making some rather worrying comments about how they would like to have access to encryption, and they’d been talking to people about it. And so, we thought we’d just clarify it.

Now, whether or not that actually sparked them to decide to come out, isn’t very clear. But, very soon after we got our response the prime minister was out there pushing the idea that they want to have access to encryption.

The response was that they needed to come out and say it. Rather than just assuming that people weren’t noticing.

We got a very standard response: it’s all in the guise of counterterrorism, it’s protecting the individual, it’s a necessary part of cyber counterterrorism.

The offence provisions of the Defence Trade Control Act 2012, and the Amendment Act 2015 came into effect on April 1 2016. The initial act established the Defence Trade and Goods List, which is a list of technologies and goods that Australians are not allowed to publish or supply to anyone outside of the country. This list includes encryption technologies.

Why would the government want to restrict the sharing of digital technologies, like encryption?

It’s about protectionism. And it’s about trying to build more of a technological industry here in Australia, and then protect that IP. Maybe it’s about getting those contracts so we can have strong defence. And then contract strong encryption research to Australian-led companies. That’s my assumption though.

We looked at what that Act would do, and that’s the reading we had. It is about restricting access to those organisations or companies that were not already on a white list.

Last week, at the COAG meeting it was decided that the National Facial Biometric Matching Capability will be established. Digital Rights Watch has strongly condemned this measure.

What are your main concerns about this system? And what dangers does it pose?

On the whole, the main thing we’ve got a problem with is that it’s a massive overreach. There’s been no proof as to why it’s necessary, and nor why it is proportionate to the risks that they’re talking about. It’s a huge invasion on everyday citizens.

It was quite scary to actually see COAG very quickly adopt it. And the premiers. In particular my own premier in Victoria, Daniel Andrews, who came out and said, “No, no, it’s a justifiable measure.” Like we need to invade the privacy of everyday citizens in order to protect them. That’s a really worrying step from the government.

When it was originally muted, we were hopeful that some of the premiers might actually push back a bit. But, as many predicted, when you put the spectre of national security over something, state premiers don’t feel they have the validity to push back on a prime minister.

It’s just creeping. We’ve had the capability for the facial biometric recognition database for quite a while. For about two years now. But, as it expands, and as it sucks up more of these data sources, that’s where you’ll see the false positives pop up. And that’s where you’ll see racial or socioeconomic profiling happening within the algorithms themselves.

Up until now, it’s been within the counterterrorism and cybercrime division. And then, it’s been popped out to airports. And you’re like, “OK. That makes sense.” Airports are a primary input and output of people, which is where there’s worry about terrorism. So, giving access to that database makes a bit of sense.

But, now we’re going to everyday citizens and their driver’s licences. And where does it stop from there? How much data does the government actually need to suck up?

It will expand. And it will keep on having this excuse of it’s just in the security and safety of the everyday public.

One of our concerns is that it’s not proportionate to the need. And the other one to throw in is that there’s a great risk of data breaching as well. The government has had countless examples, where they’ve shown they are incapable of managing that scale of data: huge data breaches from Centrelink, from the ABS, the Department of Immigration.

Whether the database is stored within a government agency or it is outsourced to a contractor, why would we trust these massive troves of data? It’s very personal information, particularly when they are cross referenced, and we start building up profiles of individual citizens.

If we’re OK with the idea of a government having it, then are we OK with the idea of someone hacking in and taking it away. And I think the answer has to be no for most people.

Digital Rights Watch has pointed out that Australian copyright laws need to be updated to reflect advancements in digital technologies.

How do you propose these laws be amended?

One thing would be to incorporate an element of fair use in Australian copyright law. The way that our copyright law is drafted it is ridiculously outdated for a digital age. And putting in place a fair use principle, and actually having a bit more flexibility in how that could be used would enable us to have more flexibility and the protections of copyright.

There are mechanisms like Creative Commons that will actually enable us to do that.

You’ve also raised concerns about preserving freedom of speech on the internet. Marginalised groups have been able to gain a greater voice through their use of the internet and social media.

The 1994 Zapatista uprising in Chiapas, Mexico is said to have been so successful in its initial stages as the group was able to gain the support of international non-government organisations due to its presence on the internet.

But, governments continue to tighten controls over what can be expressed and accessed online citing terrorism and paedophilia as reasons.

Do you think governments focus on these reasons, while they actually have the dual purpose of shutting down dissenting voices?

Shutting down voices and actually having freedom of speech on the internet is a core part of what we stand for. So last year, we joined the Keep It On campaign, which is a global campaign against internet shutdowns. Part of the recognition there is government or telco-led shutdowns harm human rights and economic activities. Most of them are done for political or social reasons.

At the same, we can see governments using more targeted mechanisms to remove internet content, not just the mass scale up of China’s Firewall, but other countries that are pressuring internet companies and social media platforms to remove content usually for political purposes. Like in Turkey, which is pretty renowned for censoring speech critical of the president, or in relation to Kurdish independence.

It’s an issue we’ve tried to lend support to at the global level, because it’s not actually coming up in Australia. We have pretty good freedom of speech, even at a cultural level. That said, there are still some loopholes and problems within laws.

We recently saw the Australian Securities and Investments Commission accidently order a whole bunch of Australian ISPs to block access to hundreds of thousands of websites. It was addressed and fixed. But, from our point of view, we were sitting there going, “We support the idea of no internet shutdowns. It doesn’t happen in Australia.” And then we saw this. It was clearly some little cog hit another cog and they shutdown hundreds of thousands of websites.

We’ve also got our own website blocking regime, under copyright specifically. Pirate Bay is blocked in Australia. Now, is there a freedom of speech element there, or is there a protection of IP? That does raise a fuzzy question.

But, for us, we are worried about having a government stepping in and say, “This is what a citizen can see. And this is what they can’t see.” That’s not freedom of speech at its core.

We do worry about the safeguard. On how the measures are taken to censor speech online, and how they comply with human rights standards. And again, it goes back to these ideas: Are they necessary? Are the proportionate? Do they have oversight? And are they transparent?

And lastly, what needs to happen to protect citizen’s rights in the digital environment? What sort of measures need to be put in place to bring an end to the ever-increasing encroachment of people’s rights online?

Part of the reason we founded Digital Rights Watch was to educate and empower citizens on their digital rights. That has to be the first step. People have to be aware of what’s happening. And aware of what rights are being violated, if any. Or even just to question them, and to push back.

We had a huge uptake when we launched our Get a VPN Day earlier this year, which was to mark the day of the introduction of mandatory metadata retention. And I think a big part of that is that we identified the people. There is an issue. We think it’s not right. And here’s what you can do about it.

And it was really popular. It went global in terms of how many people were engaging with it.

But, that’s not really enough, because it’s still a very niche issue. There are still people who will buy the argument: if you’ve got nothing to hide, you have nothing to fear. And also, the idea that I want to be protected from the nasty, evil terrorists that is clearly chucked out by a government whenever they want to scare a populace. That message works.

So, part of what we try to do is push questioning those rights. And question the idea of what a government should and should not be able to do.

Ultimately, we need to move towards a bill of rights. I know there has been a lot of talk in various jurisdictions about a digital bill of rights. That could take a number of forms. We could just have the Australian Human Rights Charter, and that would have digital elements. Because if it is written now it will take into account the digital environment.

We could have a digital bill of rights specifically looking at how we use and democratise online space. And there are other people who have actually said that we can use existing instruments.

I’ve been working with Amanda Third from the University of Western Sydney, who’s been talking about whether or not the Convention on the Rights of the Child needs to be amended and updated to a digital age.

So, there’s a number of different ways it could end up. The Greens have also proposed a Digital Rights Commissioner to sit with the Human Rights Commission, which wouldn’t have the powers of implementing. But, it would be a watchdog, and would able to be an arbiter of back and forths on how these things work.

There’s a few mechanisms we could land on. But, ultimately, our first step is can we just raise the public’s consciousness to be more aware of these ideas.

Tim thanks very much for taking the time out to have this chat with us today.

No problem.