Commentary from some sections of the IT community on the recent killings in Norway reminds us national security is still haunted by two visions:
1) With enough data it will be possible to comprehensively identify would-be terrorists or other offenders to prevent their destruction of lives and property.
2) Privacy law, in its current form, is fundamentally impeding, if not preventing, action by officials to save lives and prosecute criminals.
Neither of these views is realistic, although cold hard facts haven't prevented the waste of billions of dollars and millions of words.
An omniscient national security scheme, with tireless programs seamlessly parsing public and private sources of information to discern terrorist needles in digital haystacks, is an attractive idea.
The desire for such a scheme reflects the ambitions of IT researchers, the commercial interests of technology vendors, popular faith in the wonders of technology and the need for policymakers to be seen to be doing something.
Unsurprisingly, the US Government hyped a Total Information Awareness initiative, which would gather extensive digital data on every single person in the States in the name of security.
Other governments have embraced less ambitious, but still expensive, programs.
Given the opacity of these security programs, it’s difficult to say for sure whether watching everyone all the time would, or could, produce consistently useful results.
But one oft-heard lament in the intelligence community over the last 50 years is this: adding more data often just adds more noise, not more useful information.
Terrorist outrages often can’t be addressed in advance precisely because analysts have too much, not too little, information: the data is there, but its significance is only discernable in retrospect.
Effective anti-terrorism activity is often distinctly low-tech (for example neighbours reporting suspicious activity, guards challenging fake identity documents, people keeping doors locked and passwording databases) and will remain so in a world where humans are still central to data analysis.
Privacy law
So given the amount of data is not an issue, it might seem fair to assume, as mentioned above, that privacy law is preventing effective policing – and that therefore privacy (indeed law) is something that can and must be sacrificed.
One distinguished academic claimed this week on The Conversation that privacy law in Europe doesn't allow law enforcement bodies access to anything.
That claim is demonstrably incorrect.
It would greatly surprise officials whose access to electronic information isn’t prevented by privacy law, or any other law.
It would also surprise those criminals currently in prison or being prosecuted in Europe.
Privacy, data protection and other laws in Europe quite explicitly allow law enforcement access to electronic information.
Such laws represent a balance between the rights of individuals and the community. This is not something that should be abandoned lightly.
Australia’s national Parliament is currently considering the Cybercrime Legislation Amendment Bill 2011.
That legislation strengthens Australian data protection law (useful in dealing with unauthorised access to, and use of, financial databases or attacks on the NBN).
It also enables Australia to join the Council of Europe Cybercrime Convention, an international agreement that facilitates sharing by law enforcement agencies of information about the voice, email and other electronic communications of Australian consumers.
Contrary to claims made in the previous Conversation article that privacy law stops policing in the EU and elsewhere, police continue to use traditional and new tools.
The Cybercrime Convention will see Australian police legally access information on a targeted basis. (No-one should want them to access information illegally, given memories of past abuses by state police forces, the CIA, the FBI, the UK Metroplitan Police and other agencies).
In contrast to early proposals, the Cybercrime Legislation Amendment Bill doesn't involve phone companies and ISPs having to retain the traffic data of all customers for several years, and doesn't give police carte blanch to listen to all calls or read all emails before passing that information to a foreign partner.
As with traditional wiretapping law, it involves independent supervision and authorisation by judges and magistrates.
Officials who can demonstrate a reasonable cause for requesting access to private communications will be able to do so, and will be authorised to convey information to foreign governments.
Privacy law will otherwise protect personal communications.
So where does that leave us? Should we be concerned about our online behaviour and exposure.
Let’s put it like this. Intelligence and IT enthusiasts are free to place all of their data health records, tax files, financial records, bedroom videos in the public domain.
Very few have yet to do so – and that should tell you all you need to know.