In light of recent reports that the Australian National Security Committee (NSC) is about to sign off on mandatory data retention laws for telecommunications and internet service providers, debates around data privacy are heating up.
While ASIO cites the practice as a necessity, some internet service providers argue that data collection is simply too costly to maintain or enforce. Egged on by revelations such as the Australian Federal Police’s (AFP) recent mishandling of sensitive telecommunications data, civil libertarians and some information security experts are also vocal on the issue, claiming that the mandatory collection of metadata is an outright invasion of privacy.
For the average Australian, understanding what this scheme means to organisations and individuals alike is complex, especially as there’s minimal transparency around what constitutes metadata in the first place. But this isn’t the only issue - many are still in the dark about how much data retention is already taking place and, consequently, why a mandate on an existing practice should come with the financial burden that affected organisations say it would.
The data on metadata
Despite edging closer to passing this legislation (a decision which does not require endorsement from the larger Cabinet), the NSC has offered several, sometimes contradictory, definitions of what is classified as “metadata.” There have been suggestions that the metadata proposed for retention pertains only to information contained in signalling processes for phone calls, emails and any other online activity - i.e. the transactional “footprint” of a communication. Other reports have said that it may also include information around locations, phone numbers, IP addresses and email addresses; however, the exact level of detail is unclear.
Critics of the scheme have suggested that telecommunications metadata reveals a lot more than what the security agencies would have us believe, particularly when it comes to external IP addresses. If this information were also to be classified as ‘metadata,’ agencies would then be able to track (without a warrant) the internet destinations frequented by targets - offering a much more intricate picture of their life and habits.
Under the new scheme, metadata will be held for two years. Yet even today, if a customer requests a detailed billing record from a telco or ISP for a previous payment, that data is more often than not available. Why? Because many providers are already voluntarily holding onto at least a year’s worth of data to support their billing, accounting and auditing needs - a practice limited only by storage capacity.
In the land of mandatory data retention
If the National Broadband Network (NBN) increases available bandwidth to the extent it is designed to, one can expect that the volume of traffic flowing across it will expand to fill the available capacity. More traffic means more metadata to store, which means an even greater cost to providers retaining that metadata - a cost that will ultimately be passed on to the end-user. Representatives from the Australian Mobile Telecommunications Association (AMTA) and the Communications Alliance estimate that the scheme could cost as much as half a billion dollars. But why should transparency around a practice that’s already occurring be justification enough to hit consumers with higher fees? I would argue that it’s not.
And the impact isn’t only a financial one - if laws around mandatory data retention are to be passed in this country, we can expect to see data increasingly become the target of subpoenas as litigators seek information that they know exists. Some law enforcement agencies have stressed that this sort of accessibility is fundamental to their practice - even though they’ve managed for so long to function without it. Others such as the Australian Lawyers Alliance are critical of the practice, warning that criminal trials may be jeopardised as juries become aware that information was accessible online.
Despite these objections, communications data retention policies exist in some form or another in many countries throughout the world. For most Australians, a mandatory data retention scheme will only mean a higher monthly bill; for others (organisations included), the issue shifts to debates around security and privacy. Either way, it’s certainly interesting that, despite the uproar we’ve witnessed after the National Security Agency (NSA) was discovered retaining domestic metadata, Australians would pass a law that sends us down the same garden path.