Australia's telecommunications providers will from today be required to store the non-content data of all customers for up to two years, but many claim to be unsure whether they have been granted an exemption.
The legislation passed in March after the Labor and Liberal parties united to wave the bill through the Senate and knock back 104 amendments put forward by the Greens, independent MPs Nick Xenophon and David Leyonhjelm, and the Palmer United Party.
The scheme has been forecast to cost between $188.8 million and $319.1 million to set up, and around $4 per customer per year to maintain. The government has said it will allocate $128.4 million to telcos to assist with compliance.
From today, Australia's four biggest carriers as well as around 400 service providers will be forced to comply with the requirements, unless they have been granted an exemption or extension for compliance by the Attorney-General's Department.
The AGD has refused to detail how many providers are compliant at the scheme's first day of operation.
It similarly refused to detail how many have been granted extensions or exemptions, despite no requirement for confidentiality of such details in the legislation.
However, according to a survey of the membership base of telco representative body the Communications Alliance, around 84 percent of respondents said they would not have been compliant if they hadn't submitted an implementation plan.
Carriers can apply to the Attorney-General's Department to request more time to meet their obligations, as part of the so-called data retention implementation plan (DRIP). The maximum amount of time for a DRIP is 18 months, until April 12 2017.
Around 58 percent of Comms Alliance survey respondents said they had submitted a DRIP to the AGD, while 23 percent more said they would soon. Just 19 percent said they had not.
However, a staggering 76 percent of those that had submitted a DRIP claimed they had not yet heard back from the AGD as to whether it had been approved.
A total of 9 percent had received approved DRIPs, and around 14 percent said final approval was still pending.
ISPs and telcos can also request an exemption or variation on their obligations, in cases where their services aren't of much interest to law enforcement agencies, or where the cost of compliance would be too high.
The AGD has warned those approved for exemptions to keep quiet or risk having it overturned. It claimed the release of such details would "reveal gaps in data retention coverage that could be exploited by criminals".
Thirty-nine percent of Comms Alliance members said they had lodged an application for exemption or variation on their requirements.
Again, 90 percent of those claimed the AGD had not yet gotten back to them on whether their request had been approved.
Costs to the industry
Most of the ISPs surveyed put the cost of setup to comply with the scheme at between $10,000 and $50,000 for the business.
A quarter said it would cost between $50,000 and $250,000.
Most ISPs weren't "at all" confident they correctly understood what data they needed to retain and encrypt under the scheme. Just 11 percent said they were very confident with their obligations.
Communications Alliance CEO John Stanton said the results highlighted how challenging compliance was for the industry.
"It is no surprise that many service providers won't be compliant when the legislation comes into force - many of these because they are still waiting to hear from government as to whether their implementation place have been approved," Stanton said.
"The onus remains on government to work constructively with industry - and not rush to enforcement - over coming months to help providers come into line with what is proving to be a very challenging and somewhat confusing impost on the industry."
A scramble for industry
Carriers were only given a few short months to submit implementation plans to the AGD for approval, a move which recently prompted the Comms Alliance to call on the government to roll back its deadline for compliance.
“Our industry intelligence tells us that the implementation process is way behind schedule – with many ISPs affected by the legislation still struggling to understand their obligations and therefore still compiling their implementation plans," CEO of Internet Australia Laurie Patton said yesterday.
The AGD is also yet to detail how the $128.4 million the government will provide to the scheme - which is aimed at taking some of the pain from the massive systems changes telcos were forced to undertake - will be allocated.
"The government has indicated it will consult with industry in coming weeks on how to apportion the subsidy and this remains an urgent task, as service providers are now having to commit to investment decisions without know how much of that spending will remain unfunded," Stanton said.
"There is a risk that some, perhaps many, of the smaller ISPs will simply go out of business as a result of this new law," Patton said.
"This is especially unfortunate for regional and remote internet consumers who rely on local ISPs because they offer a specialised and personalised services."
How does it work?
The metadata list that telcos and ISPs are required to store includes, among other things:
- names, addresses, birthdates, financial and billing information of internet and phone account holders;
- traffic data such as numbers called and texted, as well as times and dates of communications;
- when and where online communications services start and end;
- a user’s IP address;
- type and location of communication equipment; and
- upload and download volumes.
The companies are not restricted in where they can store the data. There is a requirement that the data be "encrypted", but no detail surrounding how.
Companies that fail to comply with the scheme face a $2 million penalty.
Local email service providers will also be required to store details about emails sent and received by subscribers, and service providers supplying wi-fi to cafes, restaurants, transport bodies and hotels are also obligated under the scheme to retain data.
The data can be accessed by around 21 government agencies.
The list currently includes the AFP, state police forces and anti-corruption commissions; Border Force; the Australian Crime Commission; the Australian Commission for Law Enforcement Integrity (ACLEI); the Australian Competition and Consumer Commission (ACCC); and the Australian Securities and Investments Commission (ASIC).
The approval of new agencies to the list is at the discretion of the Attorney-General. A parliamentary committee recently recommended the Australian Tax Office be added.
Services providers are required to keep confidential the agencies that seek access and those customers being targeted. The Attorney-General’s Department is required to publicly report on the operation each year.
Privacy, security, and no breach reporting
The legislation made it through the senate despite a number of concerns being raised by various parties, covering privacy, security, cost and the necessity of two-year mass retention.
Specific issues include the ability to store the metadata offshore, the lack of specifics on how the data should be encrypted, lack of requirement for it to be destroyed, as well as wider concerns about the potential "honeypot" the data troves create for malicious actors.
ISPs are not restricted in where they can store the data, which presents a problem when jurisdictions have different privacy legislation to Australia.
“How can we be sure of the security of our private information if it leaves Australia?" Patton said.
Similarly, Australian businesses are not currently required to notify their customers in the event of a data breach.
The government has previously promised, as part of the data retention scheme, to introduce legislation for mandatory data breach notification by the end of the year.
But public consultation does not yet appear to have begun, and no draft legislation has been published.
The government only has 14 sitting days left in which to introduce the legislation, at which point the bill would go to committee for review, meaning a scheme is unlikely to be operational this year.
When contacted for comment, the AGD would only say the bill would be introduced before the end of the year.
Privacy Commissioner Timothy Pilgrim has long advocated for a mandatory data breach notification scheme, citing telcos' poor records when it comes to security data.
In March this year, Optus admitted to suffering three data breaches affecting more than 300,000 customers.
Telstra leaked 734,000 customer details in 2011 and a further 15,775 customer details in 2013, and its Pacnet subsidiary suffered a large-scale breach this year, just before Telstra took over ownership.
Pilgrim has argued the retained data troves would likely serve as a honeypot for hackers - a call similarly made by Telstra - meaning a mandated breach reporting scheme was required.
"You would go for that system because it would give you the pot of gold, rather than working through our multitude of systems today to find that data," Telstra CISO Mike Burgess said in January.
IBRS infosec analyst James Turner told iTnews the data would be of great interest to both organised crime gangs and nation states.
"There's a growing sentiment in the security industry that if you cannot protect the data, then you should not be asking for it," he said.
"I think most of the telcos actually do not want this legislative burden because, sadly, most will struggle to protect this data adequately, and a compromise means everyone loses, and loses badly."
Last week it was revealed Prime Minister Malcolm Turnbull was using a private email server to conduct government business and communicate with journalists.
He argued many members of parliament used private messaging systems - citing Wickr, a service Turnbull has previously admitted to using - for "non-sensitive material" because of their "superior functionality" and "convenience".
“All communications or records of a minister which relate to his or her duties are [subject to many exemptions] potentially subject to freedom of information whether it is on SMS, a private email server or a government email server," he said in a statement.
"The majority of government correspondence is routine and of a non-sensitive nature and is therefore not subject to sensitive security markings."
He was unapologetic about his email set-up, and said he would continue to use the private email and claimed to be "careful about security".
US presidential candidate Hillary Clinton was similarly recently found to be using a private server for email correspondence, but later apologised and admitted it should have been used for government business.
Hackers reportedly targeted Clinton's personal email server after she left the US State Department in February 2013.
Turnbull has also previously admitted the ease at which the data retention scheme can be circumvented by virtual private networks and over-the-top services, like his favoured Wickr messenger app.
He appeared on television in March advising whistleblowers to use over-the-top applications like WhatsApp or "more encrypted applications to avoid leaving a trail at Telstra or Optus".
"If ... I communicate with you via Skype for a voice call or Viber, send you a message on WhatsApp or Wickr ... then all that the telco can see is that my device has had a connection with the Skype server or the WhatsApp server…but it doesn’t see anything happening with you," Turnbull said at the time.
"There are always ways for people to get around things, but of course a lot of people don’t. That’s why I’ve always said the data retention laws, the metadata use is not a silver bullet, it’s not a 100 percent guarantee, it’s one tool in many tools."
Greens MP Scott Ludlam - a long-time vocal critic of the data retention scheme - at the time said the government was effectively "incentivising people to use offshore providers".
Today he said Turnbull's use of such technologies was indicative of the way the Prime Minister treated the security of his own information "as opposed to the rest of us".
"Between that and his helpful tips and tricks is a remarkably cavalier approach to everybody else's privacy, while making sure his own communications are secure," Ludlam said.
Is it worth it?
Critics of the data retention scheme question its necessity given the likes of ASIO has said almost all of the collected data will be useless.
ASIO director-general Duncan Lewis earlier this year said law enforcement agencies would never use most of the data that is retained.
"But unless the data set is complete, then it would be an incomplete exercise when we are going in on a lead. You wouldn't know what you had missed out on and what you hadn't," he said at the time.
"95 percent, 99 percent, whatever the figure is, will be of no particular relevance to the investigation."
Technology lawyer Leanne O'Donnell pointed to a 2011 study that found data retention had no effect on the crime rate or effectiveness of criminal investigations in Germany.
A 2014 Privacy and Civil Liberties Oversight Board report [pdf] similarly found data retention offered little value to US law enforcement.
"I believe telecommunications data can be a useful tool for law enforcement. But that is not the same as asserting that a mass data retention scheme is necessary, proportionate, or likely to be effective," O'Donnell wrote.