Data retention: who should pay for our national security?
3 Sep 2014|
Who should pay for national security?

The data-retention debate has been dominated by discussions over the extent to which metadata information retention is an essential tool for investigating terrorism and crime, what agencies should be able to access it, and the safeguards that should exist for privacy.

A neglected issue is who bears the costs of implementing the means to safeguard national security: do we ask telcos and internet service providers to find the money to retain metadata, or should government bear the full responsibility and foot what could be a significant bill? ISPs have been vocal about the costs that storing metadata will have on their businesses in what might be an open-ended commitment.

Generally speaking, the principle that has been adopted is that the users, providers and owners of the property or service pay for the costs of security: in other words, security is a cost of doing business in a risky world.

In that sense, ISPs and telcos are no different from other essential services and critical national infrastructure, like electricity and water companies, that have had to shoulder the responsibilities for the costs of securing their own assets.

One alternative is for the public to pay, through taxation.

The argument is one that involves issues of equity, efficiency and effectiveness. If the government subsidises data retention as part of its counter-terrorist measures, it may waste money and create a bidding contest amongst companies seeking counter-terrorism funding support. Self- reliance can provide incentives for companies to innovate in their counter-terrorism protection.

But we can’t leave all our counter–terrorism efforts to be managed solely by market forces. That approach won’t always offer adequate protection across the community. Certain threats such as chemical and biological attacks, for example, require a response with specialist equipment, which would be difficult to achieve without direct government intervention.

Lack of adequate information to price the risks associated with terrorism resulted in a market failure in insurance in this country, and prompted the government some years ago to establish the Australian Reinsurance Pool Corporation to provide reinsurance cover for losses arising from a declared terrorist incident.

When it comes to who pays for data storage, the benefits of any government intervention must be weighed against the downside of excessive cost.

Government intervention may do more harm than good in an innovative and rapidly-evolving market like data storage. If the government picked up the whole tab it could encourage gold-plating. In some cases, ISPs and telcos may well have undertaken the digital data storage required by government even in the absence of government covering the costs.

Government payment for data storage may provide a strong incentive for the telcos to classify changes to their data-storage practices as counter-terrorism measures to line up for the government payment. And as the Abbott government wrestles with budget deficit pressures, how fair would it be to ask all Australians to provide the telcos and ISPs with a large subsidy?

This argument was neatly and recently (paywalled) put by Henry Ergas in The Australian:

Retaining that data will, no doubt, force providers to incur some costs, but with data storage becoming ever cheaper, their extent is controversial. Unpopular as it may be, placing those costs on network operators gives operators strong incentives to use smart technologies to manage them efficiently. Yes, like any other regulation, the costs can be likened to a tax; but as virtually all Australians use communications networks, this tax would be levied on a broad and relatively efficient base, and one that largely matches the beneficiaries of better law enforcement.

For those reasons, I think the market has a critical role to play in data retention, but government intervention in some form shouldn’t be ruled out completely: the entire community will benefit from strengthened counter-terrorism and crime-investigative powers that a data-retention regime provides.

Maybe we need a hybrid model, where the government could pay let’s say a third of the costs, (at least for some of the smaller- and medium-sized providers). Such an allocation would need to be reviewed in a couple of years as the market for digital storage is changing quickly.

Since telocs and ISPs would pay the greater share of costs under such a model, it’s far less likely that we’ll get a gold-plated system: after all is said and done, it’s industry that’s best placed to minimise the costs for data retention.

Anthony Bergin is deputy director of ASPI. Image courtesy of Flickr user penguincakes.