Telcos warn of criminal advantage in data retention

Criminals could take to smaller telcos or internet service providers to escape the Federal Government's proposed data retention regime, Telstra and iiNet have warned.

The telcos fronted a parliamentary committee inquiring into the retention proposal, which aims to keep telecommunications metadata for two years.

Representatives for Australia's largest carriers warned that criminals could simply move to smaller internet service providers and telcos to escape the purview of spy agencies hoping to use captured metadata to make associations or connections between suspects.

Telstra representatives said the proposal, which suggests establishing a tiered model to separate the obligations of larger carriers from smaller ones based on the size of their customer base, would simply make it easier for criminals and suspects to choose which telco to use for communications.

"At the moment, there's organised criminal gangs that aren't using our services," said Darren Kane, director of Telstra's corporate security and investigations group.

"Telstra is probably a victim of our own success in relation to this. We have a long history of support for law enforcement and national security agencies and as a result, they know that the quality of the reporting and information we're able to deliver an expert testimony in court.

"Common sense says they probably won't use our services."

Those in the industry have also suggested to iTnews that some organisations could almost completely bypass internet service providers or telcos to escape investigation.

The discussion paper (pdf) upon which much of the committee hearings are predicated suggested that while large carriers would continue to provide "comprehensive interception and delivery capability" under proposed amendments, medium and smaller carriers would be obliged to provide significantly less data and interception capability to authorities and spy agencies.

Smaller carriers, the paper stated, "have less potential to be required to execute an interception warrant and less capacity to store and retain information about communications and customers".

But smaller carriers, telcos warned, could also be more susceptible to breaches of the central data repositories they would be required to establish to meet any future data retention obligations.

When questioned by Labor MP Michael Danby on whether data breach notification legislation would be a sufficient pre-requisite to the scheme, iiNet chief technology officer John Lindsay said that it would likely ignore the "250 other little" telcos which did not have the size or capacity to capture and retain data like larger companies.

Industry have continued to argue that the cost of establishing such a system on a per-telco basis, with no financial input from the agencies expecting to use the data, would be beyond their capability.

Though some industry bodies have placed a $500-700 million figure on such a system, Telstra would not provide an estimate on its requirements. Representatives for the telco said it would take millions to scope out a purpose-built system collecting and retaining data from at least 14 separate legacy IT systems and "thousands of IT units" within the company.

The cost would also include the ability to secure and block inappropriate access to such a system, they said, while allowing access to the system at terminals within authorities' offices.

iiNet's chief regulatory officer, on the other hand, estimated a startup cost of $60 million for the IT systems and build requirements to establish a system for its users, with a potential exponential increase in ongoing operational costs to deal with doubling data volumes every two years.

Without government incentives, it would have to introduce a $5 a month levy on customer bills in order to recoup those costs, he said.

But all telecommunications representatives before the committee hearing on Thursday said the "moving feast" of requirements from authorities meant confusion continued to rein on what the retention regime would require from companies.

ASIC requests all data

Despite constant assurances from law enforcement authorities that a data retention regime would only require metadata, the financial services regulator surprisingly asked for all data to be kept by telcos and ISPs to facilitate investigations into fraud and insider trading.

Greg Tanzer, commissioner for the Australian Securities and Investment Commission, told the committee hearing that while market fraud investigations could be solved within a relatively short time frame, those involving corporate fraud often took years to resolve and required historical information to determine.

When asked by Liberal MP and former Attorney-General Philip Ruddock whether ASIC agreed only to receive metadata, like other authorities, or content as well, Tanzer said, "We want both".

"ASIC does not want to lose the current access that we have to metadata," he said.

"But in terms of data retention we are interested in stored communications as well."

Liberal senator George Brandis accused ASIC of attempting to achieve "function creep" through the committee hearings, while seeking access to powers that would technically be more powerful than those associated with murder investigations by law enforcement authorities.

"I can't eliminate from my thinking the possibility that a mandatory requirement to retain metadata might involve also incidentally to that, the retention of content as well, which some agencies would not be able to obtain but you can," he said, in the clearest opposition from the coalition against the Government's data retention proposal so far.

iiNet's Dalby warned that an expansion to include actual content would significantly increase the onus on telcos.

"The picture that comes in my head is of a primary school student ringing mum to say, 'Soccer training is finished. Can you pick me up?'" he said.

"That just seems to me to be not justified. There has been no identified, or advised, massive failure that warrants gathering all data on all people, all the time.

"There is no conclusion that gathering this data would stop 9/11, there is no connection between gathering massive amounts of data improving the halting of terrorist activity that I'm aware of."