Australia's internet service provider industry has reacted angrily to tight timeframes and an ongoing lack of clarity from the Attorney-General's Department about the impending data retention regime.
Industry members fronted up to a briefing on the scheme, which comes into effect on October 13, held by the Communications Alliance in Sydney today.
The briefing was intended to provide ISPs and telcos some guidance and clarity on meeting their obligations under the new law.
But industry members reacted angrily to a presentation from AGD data retention lead Jamie Lowe over a perceived lack of clarity around the data to be stored as well as extremely tight compliance timeframes.
The compliance deadline is October 13, but Lowe today revealed carriers and service providers will need to have their implementation plans in by mid-August - just four months after the legislation was given royal assent.
Under the legislation, the telco industry will need to retain a defined set of non-content or metadata for two years to assist law enforcement - a dataset the industry is arguing is opaque in its precise parameters.
"We're being bullied and pushed down a specific path for timeframes," ISP advisor Skeeve Stevens said.
"We've got 60 days to be compliant - [it's such] a stupid timeframe.
"Most of the information [Lowe] gave was a complete obfuscation and the actual information - what we're supposed to keep - the real examples seems to just be fog. There are just so many questions.
"I actually have no problem complying, I just have no idea what to comply to. The biggest chasm we have is we actually don't know what to do, and that's the key problem here."
He warned that dozens of small ISPs are unlikely to be compliant because they have "no idea" what they are supposed to retain.
CEO at Real World Technology Solutions Andrew Yager said the majority of the industry is still confused.
"The team [at AGD] are saying talk to your lawyers, because they are the only people that can decipher this - which from an engineering and operating point of view is doing everybody's head in," Yager said.
"When will we get clarity, and when will we actually get a concrete definition from the vague one that is currently present?"
Lowe said her department was working on a rolling document with the Communications Alliance that provides advice to industry, which she said was constantly evolving.
Head of the communications security reference group inside the Comms Alliance, Patrick Fair, said a matrix for the dataset was currently being developed in consultation with the industry group and AGD.
The matrix will contain advice on data to be retained from the 13 most popular services.
"We need to have a chat with the AGD about what's in that matrix and see if it meets their expectations, and then look at some exemptions that eliminate the noise and doubt," he said.
Industry members also took issue with the lack of clarity on what penalties they could be liable for if they misinterpret their obligations and are unable to provide certain data upon request. They also asked about the repercussions of a third-party attack or a systems crash.
"What if the Amazon Glacier node I'm storing the data on fails, or something is hacked?" Stevens asked.
"Who is personally liable? Are you going to come after me? The third party? Who are you actually going to come after?"
"If I'm collecting those records, what if it turns out to be wrong? What if I thought I was doing it right, but then someone taps me on the shoulder and asks for the record, and it turns out I've misinterpreted my obligations?" director of government relations at AARNet Peter Elford queried.
Lowe said the best course of action was to submit an ISP's understanding of the obligations to the AGD so it could advise in writing.
AGD representative Anna Harmer confirmed there were no criminal penalties under the scheme, but ISPs could face civil penalties for non-compliance. She did not address the issues of third-party system crashes or cyber attacks.
"There is the potential for the provider to be the subject of inquiry from ACMA," she said.
Lowe said the department had created a specific team within the AGD - that she dubbed the A-Team - to liaise with industry on their obligations.
ISPs and telcos are also now able to access a ‘data retention hotline’ and dedicated email address to request information, ask for advice and discuss their data retention implementation plan.
Vendors pitch to struggling ISPs
Meanwhile, technology vendors are competing for a slice of the newly-created data retention market, pitching their wares as the solution to telco headaches when it comes to complying with the new law.
The Communications Alliance expects the hundreds of providers at the small end of town will struggle to meet their new obligations.
Today it invited three technology vendors - BAE Systems, HP and Yaana Technologies - to an industry briefing to pitch their solutions to ISPs still struggling with the scheme.
“Their motives are entirely philanthropic, as you would expect,” Stanton joked.
“We have hundreds of smaller providers subject to the data retention regime who may not be in a position to easily step up to these requirements.
“[The Comms Alliance] is not endorsing any solution but we thought it might make sense to bring together three of these potential providers to start a conversation [and allow] providers to get a sense of what’s out there.”
BAE Systems representative Rajiv Shah said Australia would benefit from other countries forging the way with data retention ahead of them.
“Data retention isn’t anything new globally. We’ve been providing solutions in the UK and European Union for ten years now,” Shah said.
HP’s Duncan Smith similarly said his company has been providing data retention solutions to a number of countries in the EU including Germany, the Netherlands and Switzerland, as well as Japan, for a number of years.
He pushed for the industry to standardise on one specific solution, and promised HP would store the data in its ASIO-certified facility in Sydney.
“If you all [implement] separate solutions it’s going to be a very difficult job. You’ll have risk of massive duplication of effort and long timeframes to get compliant.”
ISPs and telcos can call the data retention hotline on 026141 2884 or email the team at firstname.lastname@example.org