Watchdogs and metadata: Brandis' data retention rush foments dissent

The mandatory data retention regime fight is about to be joined in earnest this week and Attorney-General George Brandis best be prepared for a tussle.

The mandatory data retention regime fight is about to be joined in earnest and Attorney-General George Brandis best be prepared for a tussle, if the submissions made to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) are anything to go by.

The proposed regime has been controversial from the start and the government has so far managed to antagonise all and sundry, with the telecommunications industry, consumer groups and industry bodies up in arms about the implications of the laws.

The privacy watchdog isn't impressed either, with Australia's Privacy Commissioner Timothy Pilgrim warning that the scheme creates "undefined and uncontrolled security vulnerabilities."

Pilgrim's greatest concern is that the reservoir of data collected and stored by the telcos becomes a target for hackers and malicious actors, and without a mandatory data breach mechanism in place the public is left exposed.

Pilgrim has been a passionate advocate of mandatory data breach notification laws and while the telecommunications industry may not appreciate his imputation that telcos are not good at protecting customer data, the privacy commissioner backs it up with evidence.

"I note that Australian service providers have experienced significant issues in handling and keeping personal information secure. Major telecommunications services providers that will be covered by the scheme are amongst the 20 entities most complained about to our office," Pilgrim says. 

"Further, since 2010, major telecommunications companies have been the subject of 13 Commissioner’s own motion investigations, including: a 2011 incident in which the personal information of 734,000 customers was inadvertently made available online, and a 2013 incident in which the subscriber information of 15,775 customers, including over 100 silent line customers, was inadvertently made available online."

Both incidents pertain to Telstra, the nation's most powerful telco, and if that's the track record of the big end of town, one can only imagine the challenge posed by the proposed scheme to mid-tier telcos and service providers.

Undeterred by the criticism, the Attorney-General’s office is forging ahead with its plans and has reiterated its position in a lengthy submission to the committee.

The data retention rationale

It traverses a rather well-worn path. According to the attorney-general's department, the use of telecommunications data is one of the least privacy intrusive investigative tools available to agencies, who are apparently left out in the cold.

“Australia’s law enforcement and national security agencies are facing several challenges which have increased their need to reliably access telecommunications data,” the department says.

According to the department, these include:

  • A long-term decline in, and significant industry inconsistency in, the retention of relevant telecommunications data.
  • A long-term decline in agencies’ ability to lawfully access the content of communications under warrant, driven by technological change and the globalisation of telecommunications, which requires them to rely increasingly on alternative investigative techniques, including access to telecommunications data, and
  • An increasingly high-risk operational environment, caused in part by the increased risk of a terrorist attack.

The submission goes on to articulate why the data is useful, citing examples of how and when it has been of use to the agencies.

As for the alternatives, the department doesn’t see merit in a voluntary code of practice for data retention, citing the inconsistent application of the existing data retention obligations under the TCP Code.

“‘Billing information’ is limited to information required to bill a subscriber. For ‘traditional’ telephony services that are billed on a per-call basis, the TCP Code requires providers to keep many types of telecommunications data that are critical to law enforcement and security investigations, including call charge records. However, these obligations do not apply in relation to many new and emerging services, such as untariffed, unlimited or ‘infinite’ plans that are commonly offered by providers of Voice over IP (VoIP) services, and that are increasingly being released by fixed-line and mobile service providers,” the department says.

“Media reporting suggests that Australia’s mobile providers are currently migrating to entirely IP-based networks that would largely remove the need for per-call billing, creating a substantial risk that the proportion of services covered by the obligation under the TCP Code to retain billing records will decline dramatically in the next 24 months.”

With regard to expanding the existing preservation notice regime to apply to telecommunications data, the department is unconvinced that the measure will adequately address the “capability challenges” faced by agencies.

The same applies to the need for warrants to access the data, with the department saying that the independent oversight of an agency’s access to data is preferable to agencies obtaining warrants.

Dollars and cents for telcos 

The one thing missing from the submission is the issue of cost and that’s the one issue that has got the telecom service providers worried.

The Communications Alliance and the Australian Mobile Telecommunications Association have criticised the rushed process put in place by the government to ascertain the cost impost of the proposed regime.

It’s a key consideration as far as the telcos are concerned, with Telstra saying that the upfront capital cost associated with building the necessary infrastructure to comply with the bill will be significant.

“The capital costs will be incurred in building a centralised mediation platform to extract, store, retrieve and process the required telecommunications data for the agencies. In addition, we will need new systems and interfaces between this platform and our existing network elements to extract data we do not currently collect today. Such a platform would be similar to the systems deployed by telecommunications companies in European countries (such as the United Kingdom) that have at one time mandated data retention obligations in recent years,” Telstra says in its submission.

Apart from the upfront spend, there will be ongoing costs related to maintenance and securing the data.

It really does boil down to dollars and cents for the telcos, and unless the Coalition government, with the help of PricewaterhouseCoopers, can come up with a palatable number and sufficiently convince the industry that they won’t be left carrying the load, there’s a potential for long-running acrimony.

Lethal fallout?

As the holders of the metadata, the telcos find themselves in an invidious position but that’s only one avenue of opposition that the government has to tackle.

Submissions ranging from AIMIA, the digital policy group representing tech giants including Google, Twitter, Facebook, Microsoft, and eBay, to the Victorian Commissioner for Privacy and Data Protection and The Internet Society of Australia have all unequivocally voiced their discontent.

Their concerns revolve around familiar anxieties -- the proposed regime is intrusive, poorly defined and an ineffective tool designed to give our law enforcement agencies more power.

The Parliamentary Joint Committee getting ready to deliberate on the issue should by now be fully cognisant of the two opposing rationales. The submissions delivered to it don’t add any new nuance but rather reinforce the polarised state of affairs.

George Brandis, his fervour further galvanised by the recent tragic events in Sydney and France, seems unwilling to concede an inch on the issue. Just how foolhardy that stance turns out to be remains to be seen but the data retention fallout could be potentially lethal for an increasingly unpopular Coalition government.
