Tech + law policy to-read list – suggestions welcome!

Here’s some of the books I’m planning to read this year.

Dragnet Nation by Julia Angwin

It’s Complicated by danah boyd

Hacker, Hoaxer, Whistleblower, Spy by Biella Coleman

Here’s a review by Paul Bernal.

Information Doesn’t Want To Be Free by Cory Doctorow

I’m currently reading Australia under Surveillance by Frank Moorhouse (thanks @JuliaPowles for the recommendation.)

If you’ve got some suggestions to add, do let me know.


From @PaulBernalUK

Wikipedia and the Politics of Openness, by Nathaniel Tkacz  (and Bernal’s review)

From @JuliaPowles

The Glass Cage: Automation and Us, by Nicholas Carr

The Internet is not the Answer, by Andrew Keen

From @Gazzy_D

The End of Absence, by Michael Harris

This Machine Kills Secrets, by Andy Greenberg

What I’ve already read ….

I’ve read and recommend —>

Rebecca Mackinnon’s Consent of the Networked,

Glenn Greenwald’s No Place to Hide,

Rebecca Giblin’s Code Wars,

Mark Pearson’s Blogging and Tweeting without Getting Sued, which I’ve reviewed,

Nick Cohen’s You Can’t Read this Book

Tim Wu’s The Master Switch

Nate Anderson’s The Internet Police: How Crime Went Online, and the Cops Followed



Tech + law policy to-read list – suggestions welcome!

So what’s missing from the Australian government’s new website on data retention?

Last Friday, I stumbled across a new section of the Attorney-General Department’s  website “explaining” the government’s controversial data retention Bill.

And I found a few things missing …

Data retention does not provide new powers for agencies to access metadata. It simply obliges telecommunications companies to retain a limited set of records for two years

What’s missing?

  • There is little “simple” or “limited” about this proposal for mass surveillance of all Australians.  Just a few weeks ago, the Parliamentary Human Rights Committee was scathing in its criticism of the Bill.
  • It is not helpful to say the Bill proposes a “limited” set of data when the data is yet to be defined and will only be defined in Regulations.  Indeed, the Scrutiny of Bills Committee recommended the data set be defined in primary legislation itself and not left to Regulations.
  • The obligation is not simple or limited  when there is an express requirement in the Bill to create data when the service provider does not already capture data that falls within the (yet to be defined) data set. (See proposed section 187A(6) of the Bill).

More than 25 countries around the world have implemented data retention laws similar to those proposed by the Australian government

What’s missing?

  • Any mention of the fact that the EU Court of Justice ruled in April this year that the EU Data Retention Directive was invalid and …

entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary

  • As Stilgherrian reported last week Australia’s data retention plans are looking increasingly out of touch.   “To say that the West is going the way of data retention is a serious misrepresentation.” (As I set out in a recent blog post)
  • Silicon Valley has been damaged by the Snowden revelations. Senator Wyden has made the case that the spying has hurt the American economy.
  • United Nations human rights expert concluded in a recent report that mandatory data retention “amounts to a systematic interference with the right to respect for the privacy of communications”, and therefore “it is incompatible with existing concepts of privacy for states to collect all communications or metadata all the time indiscriminately”.

International experience indicates that the cost of mandatory data retention schemes is small

What’s missing?

  • Well, any evidence …  In the UK, an impact assessment estimated that the cost of retaining IP addresses (not the whole data set) at nearly $50 million (AUD)
  • In 2010, Digital Rights Ireland reported:

    Several network operators said the need to invest in retention infrastructure had caused them to delay or abandon improvements to national networks.
    Deutsche Telekom claimed it had spent €5.2 million on implementation of retention infrastructure and €3.7 million a year to facilitate about 13,000 call data requests and 6,500 internet data requests. Other operators said they had spent in excess of €4 million setting up systems for providing access to stored data.

Warrants are typically reserved for the most intrusive powers, such as the power to use force to enter a home, to intercept phone calls, or to arrest a person. Many powers, including access to metadata, simply do not rise to that level.

What’s missing?

  • If “metadata” is not intrusive, why, as Josh Taylor has reported, won’t Senator Brandis provide access to his own communications data?
  • 11 countries in the EU require some form of judicial authorisation before access to “metadata” is provided.
  • Earlier this month, the Human Rights Committee recommended that a warrant should be required for “metadata” access.

Law enforcement and national security agencies suggest that a data retention period of two years is necessary to maintain our agencies’ investigative capabilities

What’s missing?

  • Retention periods typically are between 6 months and 12 months in the EU.
  • In the UK, for example, a 2011 report revealed that, over a 4 year period, 74%+ of disclosures to law enforcement agencies, where the age of data being sought was known, related to data that was less than 3 months old.

The government will reduce the number of agencies permitted to access metadata. Only agencies that have a clear need for such access and well-developed internal systems for protecting privacy, such as law enforcement and intelligence agencies will be able to access the data. Data must be reasonably necessary for the purposes of investigating criminal offences and other permitted purposes.

 What’s missing?

  • The Bill only limits the agencies that can automatically access metadata. It does not significantly limit the very broad range of agencies that can apply to access metadata (see proposed new clause s 176A). Proposed section 176A will allow a broad range of agencies ranging from ASIC to local councils and the RSPCA to apply for access to data.
  • There is no definition in the legislation about “well-developed internal systems for protecting privacy”.  The Minister is simply  to have regard to whether the agency who wants access to metadata is required to comply with the Australian Privacy Principles or a comparable scheme.  Just this week, the Attorney-General Department itself asked for return of improperly redacted submissions which revealed individual’s personal information.

Will data retention be used for copyright enforcement? The Telecommunications (Interception and Access) Act 1979 only allows access for limited purposes, such as criminal law enforcement matters. Breach of copyright is generally a civil law wrong. The proposed data retention regime does not change this in any way.

What’s missing?

  • If data is in the possession of a party it can be compelled to provide it to a litigant by coercive court processes such as discovery or subpoenas. As Ben Grubb has reported, data retention would be a “boon for private investigators” and lawyers acting for clients in a range of disputes.
  • The Australian Federal Police admitted that legislation for new mandatory data retention obligations on Australian telecommunications companies could be used to fight online copyright infringement.
  • The government will need ISPs to retain (source) IP addresses if it wants to introduce a notice scheme where ISPs are forced to police online copyright infringement.  Josh Taylor has reported on how film studios want to use data retention to crack down on piracy.

many member states have implemented the EU data retention directive by widening its scope and retaining data that was not retained in the past, often allowing it to be used for more purposes than outlined in the directive, such as for civil litigation on copyright in the UK. Such expansion is referred to as “mission creep” by privacy advocates.


Note: the above italicised extracts from the government’s new “explainer” on data retention can be found on the following pages:

Further resources:  commentary and analysis on Australia’s controversial data retention bill:





So what’s missing from the Australian government’s new website on data retention?

Update on the status of data retention laws in Europe

The Australian Government has looked to the European experience as a model for its data retention scheme. In July 2014,  Attorney-General Brandis saId that data retention ‘is very much the way in which western nations are going.

Data retention – EU experience*

Country Retention Period Authorisation required to access “metadata” Status of Telecommunications Data Retention Regime
Australia 2 years No judicial oversight. Data retention bill has been introduced into Parliament.
Austria Ruled Unconstitutional
Belgium Between 1 year and 36 months for ‘publically available’ telephone services.No provision for internet-related data. Access must be authorised by a magistrate or prosecutor. Under challenge
Bulgaria 1 year.Data which has been accessed may be retained for a further 6months on request. Access only possible on the order of the Chairperson of a Regional Court Ruled Unconstitutional in 2008 & again on 12 March 2015: Bulgaria’s Constitutional Court scraps data retention provisions
Cyprus 6 months Access must be approved by a prosecutor if he considers it may provide evidence of committing a serious crime. A judge may issue such an order if there is a reasonable suspicion of a serious criminal offence and if the data are likely to be associated with it. Ruled Unconstitutional – violated right to privacy
Czech Republic Ruled Unconstitutional
Denmark 1 year Access requires judicial authorisation; court orders are granted if application meets strict criteria on suspicion, necessity and proportionality Session logging ceased 2014
Estonia Access requires permission of a preliminary investigation judge in force
Finland 1 year Subscriber data may be accessed by all competent authorities without judicialAuthorisation. Other data requires a court order. Under review after the CJEU judgment in April 2104. Finland must revise its data retention laws:
Germany 1 year Ruled Unconstitutional.No mandatory data retention. In the new Telecommunication Act enacted in 2012 the provisions on data retention were simply deleted and not replaced by a new data retention concept.
Greece 1 year Access requires judicial decision declaring that investigation by other means isimpossible or extremely difficult. Still in force
France 1 year Police must provide justification for each request for access to retained data and must seek authorisation from person in the Ministry of the Interior designated by the Commission nationale de contrôle des interceptions de sécurité. In force
Spain 1 year Access to the data by the competent national authorities requires prior judicialauthorisation. In force but under review
Hungary 6 months for unsuccessful calls and 1 year for all other data Police and the National Tax and Customs Office require prosecutor’s authorisation. Prosecutor and national security agencies may access such data without a court order Further constitutional challenge is being prepared as of April 2014
Italy 2 years for fixed telephony and mobile telephony data,1 year for internetaccess, internet email and internet telephony data Access requires ‘reasoned order’ issued by the public prosecutor. In force
Lithuania 6 months Authorised public authorities must request retained data in writing.For access for pre-trial investigations a judicial warrant is necessary In force
Latvia 18 months Authorised officers, public prosecutor’s office and courts are required to assess ‘adequacy and relevance’ of request, to record the request and ensure protection of data obtained In force
Luxembourg 6 months Access requires judicial authorisation. Under review. Luxembourgish Justice Minister on the day of the CJEU judgment announced that a detailed analysis of possible consequences for the national law will be undertaken.
Malta 1 year for fixed, mobile and internet telephony data,6 months for internet access and internet email data Requests must be in writing – Malta Police Force; Security Service In force
Netherlands 1 year – telephony, 6 months internet-related data Access must be by order of a prosecutor or an investigating judge 11 March 2015,  national law suspended -(decision is a preliminary injunction rendering the obligation ineffective) Google Translate version of judgment.  Dutch court suspends metadata surveillance law over privacy – report from
Romania (6 months under the earlier annulled transposing law) Ruled Unconstitutional
Poland 2 years Requests must be in writing and in case of police, border guards, tax inspectors, authorised by the senior official in the organisation. Under challenge
Portugal 1 year Transmission of data requires judicial authorisation on grounds that access is crucial to uncover the truth or that evidence would be, in any other manner, impossible or very difficult to obtain. The judicial authorisation is subject to necessity and proportional requirements. in force
Slovenia 8 months for internet related and 14 months for telephony related data Access requires judicial authorisation. Ruled Unconstitutional. Ordered that data collected under the data retention law be deleted
Slovakia 12 months, 6 months for Internet services Requests must be in writing. Ceased following judgment of European Court of Justice. Records deleted.
Sweden 6 months Under Challenge by ISPUp to 2013 CJEU challenged Swedish govt for their delay in implementing the Directive due to domestic controversy.Swedish data retention laws being considered by national courts March 2015. (See report)
UK 1 year Access permitted, subject to authorisation by a ‘designated person’ and necessity and proportionality test, in specific cases and in circumstances in which disclosure of the data is permitted or required by law. Under Challenge.  A list of current legal challenges to UK’s surveillance regime, via Bureau of Investigative Journalism
Ireland 2 years for fixed telephony and mobile telephony data, 1 year for internet access, internet email and internet telephony data No. Requests to be in writing from police officer/military over specified rank & tax/customs official over specific grade. Under Challenge
Switzerland[i] Under Challenge
Norway N/A N/A No mandatory data retention regime

* Updated: March 2015

  • EU: 11 Member States require judicial authorisation for each request for access to retained data.
  • EU: In 3 Member States judicial authorisation is required in most cases.

Further reading

European Commission on data retention:

Resources relating to communications data retention in the EU

Evaluation Report on the Data Retention Directive (2011)

Boehm & Cole study on data retention after the judgment of the Court of European Justice:

Australian Privacy Foundation’s submission to PJCIS page 31 – 33

Update on the status of data retention laws in Europe

“Mummy is in hospital and daddy is sick …” An afternoon’s visit to MITA detention centre in Melbourne

Visit to MITA (Melbourne Immigration Transit Accommodation) detention centre Broadmeadows (24 July)

I’ve just now properly digested my mother’s account of one of her regular visits to detention centre located in suburban Melbourne after some travel this past week. It seemed timely to publish this given today’s evidence at the national inquiry into children in immigration detention.

This is a lightly edited version of her letter, published with her permission:

When normal visiting hours started at 2pm there was great sadness, as a stateless Rohingya family from Burma, mother, father and three children, who have not long started school, had that morning been sent back to Christmas Island. They had only recently been reunited with their teenage son after 2 years separation. On Wednesday they had to say goodbye to him as he was sent back to Brisbane.

We also heard that there would be a mass and memorial service at 5pm for the brother of one of the Tamil ASIO rejected men who tragically lost his life in Sri Lanka after much suffering.

Another ASIO rejected Tamil man came to me very upset as the day before he had just received another rejection. I had been seeing him on the last few visits as he asked me if I could give him some clothes for his 9 year old daughter, who is having a birthday soon, and his seven year old son so he could send the clothes to them in Sri Lanka.

We meet two grandmothers. One was to be sent back to Christmas Island the next day.

We had parcels for 8 individuals or families. One was for another large extended family. The father is a very bad diabetic requiring 2 injections daily and is having a lot of problems with his eye sight.

Another parcel was for a family where the mother is extremely depressed. There is the husband and 2 young children.

One parcel was for a 19 year old young lady who was born in Afghanistan but grew up in Pakistan. This beautiful young women arrived in Australia by plane 18mths ago seeking asylum. She spent 6 months in Maribynong and has now been in MITA for 12 months. She has seen over a thousand people come and go in that time and is very depressed.

We also had a parcel for an Iranian family, mother, father and 5 year old son. The mother suffers from severe depression and has spent time in hospital. She told me last week that it was her birthday on the 26th and also asked for clothes for the family. They were given clothing and a cake to celebrate her birthday. The husband was very grateful, saying it made his wife happy. She didn’t feel well enough to come to the visitors centre.

An Iranian man that I have assisted with clothing came and said hello. He is still waiting to have surgery on his knee that was damaged in the February riots on Manus Island.

Two mothers, sisters, both with 2 young children were bought in to meet us. They came from Christmas Island at the end of last week. They are suffering from severe depression. It became very emotional when one of the mothers showed me her arms. Both arms showed the scars of over thirty burn marks. She said to me, “all we want is freedom.” “Christmas Island is very bad.” I told her that we do not like what our government is doing. They told us they had a brother on Christmas Island but they rarely saw him because he was in another compound.

Another mother who we have assisted a number of times came to me very concerned about her 4 years old daughter who suffers from epilepsy, and having fits almost every day. She is also concerned that her daughter is very underweight and doesn’t like the food. When I first met the mother about 6 months ago she told me that she and her daughter had been sent to Perth for her daughter’s treatment. They were there for 2 months. During this time her husband and older son where left back on Christmas Island. They were reunited in MITA shortly after the mother and daughter arrived.

An 8 year old girl came up to me and said to me, “mummy is in hospital and daddy is sick.” We have assisted and met with this family many times. The mother is in hospital on suicide watch. Her 8 months old son is with her at the hospital. It is not her first visit to hospital. When the mother was around 6 months pregnant she was sent to Darwin to wait for the birth of the baby. Her husband, son and daughter remained on Christmas Island, affecting everyone’s mental health.

Another mother came and proudly showed us her little 2 weeks old daughter. We had supplied clothing for the baby and the whole family.

At 5pm we went into memorial service for the young Tamil man. This was held in a class room next to the visitors centre. It was a very moving and emotional ceremony. A Tamil priest co-celebrated the mass with Fr Peter. The Tamil priest personal knew the young man. The gospel was read in English, Italian, Arabic and Tamil.

“Mummy is in hospital and daddy is sick …” An afternoon’s visit to MITA detention centre in Melbourne

MsLods’ news round-up: law + technology


Modernising (Irish) Copyright: fair use, Irish-style. | The IPKat |

Copyright reform is in the air. | Project DisCo | featuring The Creationistas:

The New York Times endorsed a secretive trade agreement that the public can’t read. | Washington Post |

Rights issue forces last minute change at the Malthouse. | Performing ArtsHub |

Defamation & media law

Today Tonight agrees not to show ambush footage of Simon Gittany. | SMH |

Privacy & security

Australian authorities clock 50% success rate in Apple data requests. | ZDNet |

Google is ordered to block images in privacy case. | New York Times |

Russian Internet Surveillance: meet the new boss, same as the old boss. | Global Voices Advocacy |

Yes, there actually is a huge difference between government and corporate surveillance. | The Washington Post |

Queensland Justice accidentally discloses sensitive data. | iTnews |


You can see a sunset from space. | The Atlantic |

Painting the big picture in cancer care. | Canberra Times | g49ES

From Walmart to Bitcoin: The CEO behind the Chinese exchange sending BTC to new highs. | Forbes |

I Loved You, Blockbuster: Alexis C. Madrigal. | The Atlantic |


What future for Australia’s National Broadband Network? | Computerworld |

NBN Co brings in another Telstra exec. | iTnews |

Trade marks & brand protection

A decades-long rivalry between ‘Patsy’s’ restaurants heats up. | NY Daily News |

Rock’n’roll and a hard place: Can Kelly Van Halen register her name as a trade mark?  | The IPKat |

Social media

Doge is an actually good internet meme. Wow. | Gawker |

Time to turn Twitter’s hashtags into cash bags. | AFR |

The hidden technology that makes Twitter huge. | Businessweek |


10 November 2013

MsLods’ news round-up: law + technology

MsLods’ news round-up: law + technology


Singapore Government to consult on role of website blocking in fighting online copyright infringement. | Out-Law |

We are all creators now: collections, creation and copyright. Free public event, Powerhouse Museum, Sydney:

Study shows that hip hop sampling boosts sales of the songs sampled. | Forbes |

Creative Commons endorses ‘ongoing efforts to reform copyright law’. | InfoJustice |

Defamation & media law

Lord McAlpine settles defamation action with Alan Davies over Twitter comment. | The Guardian |

Cathy Gellis wins pro bono victory against UK defamation subpoena. | Popehat |

Why journalists need the Open Government Partnership to help them. | The Guardian |

Privacy & security

Medical start-up invited millions of patients to write reviews they may not realise are public. | Forbes |

Keeping teens ‘private’ on Facebook won’t protect them. | TIME |

NSA monitored calls of 35 world leaders after US official handed over contacts. | The Guardian |

LinkedIn ‘Intro’duces insecurity. | Bishop Fox |


NASA shoots lasers at the moon to create insanely fast Internet. | Wired Science |

How Sony is turning into a ghost in Japan and around the world. | Kotaku |


Landline complaints surge, NBN nearly fault free:  TIO. | ZDNet |

iiNet sees domestic capacity as new ISP ‘choke point’. | IT News |

NBN Co picks ‘turnaround experts’ for company review. | ZDNet |

Trade marks & brand protection

What happened when Ryanair boss Michael O’Leary went on Twitter for live Q&A? He crash-landed spectacularly. | The Independent |

Thai coffee stall vows to fight Starbucks logo lawsuit. | The Guardian | 

Social media

White House national security staffer fired for Twitter postings under alias. | The Washington Post  |

Justice opens up to social media. | The Age |

Yes, Twitter is flawed during an event like the Boston bombings — and so is everything else. | Giga OM |

27 October 2013

MsLods’ news round-up: law + technology

MsLods’ news round-up > law and technology

MSLODS’ ROUND-UP  – Technology, Intellectual Property & Media Law


Harvard law professor, Lawrence Lessig sues Australian record company over Phoenix’s “Lisztomania”. | The Boston Globe |

No Coalition policy on data retention, copyright infringement. | ZDNet |

The CopyKat – your weekend copyright catchup. | The 1709 Blog |

New research by Ericsson showing reduction in file sharing, especially in the US. | Ericsson TV & Media Lab Report 2013 |

White House copyright czar jumps to industry anti-piracy group. | Wired |

Defamation & media law

Social media risks and rewards – @journlaw’s public lecture. | journlaw |

Privacy & security

Draft Australian Privacy Principles Guidelines released for consultation. Comment period closes 20 September 2013. | OAIC |

‘Baby Monitor Hack’ could happen to 40,000 other Foscam users. | Forbes |

Melbourne IT breach highlights need for security culture. | ZDNet |


Twitter and Facebook’s global impact as told through which governments want their data. |  Quartz |

A data broker offers a peak behind the curtain. | New York Times |


NBN Co reins in rollout transparency. | IT News |

Trade marks & brand protection

Apple hoping to trade mark the term ‘STARTUP’. | ™Watch |

Social media

Workplace clashes involving social media. | Law Report – ABC Radio National |

Australian government makes frequent requests for Facebook user data. | IT News |

Turning a “No Comment” company into a social media advocate. | MIT Sloan Management Review |

Twitter General Counsel steps down as company prepares to go public. | New York Times |

1 September 2013

MsLods’ news round-up > law and technology