Australia's data retention scheme is still a mess

Australia’s telecommunications providers are continuing to push the federal government for changes to the nation’s data retention scheme to address what they say are concerning issues with the legislation.

The contentious scheme went live in October 2015. It requires carriage service providers to store the non-content data, or metadata, of all customers for up to two years to aid law enforcement.

Carriers have been able to apply for a so-called data retention implementation plan, which gives them a maximum 18 months - until April 13 this year - to comply with their new obligations. Most took up this option.

The scheme has been highly criticised by telcos, who say it is an expensive burden; and by privacy advocates, who say it represents an unjustified intrusion into the lives of citizens.

Previously raised issues include the ability to store the metadata offshore, the lack of direction around how the data should be encrypted, the lack of requirement for it to be destroyed, as well as wider concerns about the potential "honeypot" the data troves create for hackers.

But a year-and-a-half on from the introduction of the scheme - and just weeks out from the deadline for full compliance - carriers are still fighting with the Attorney-General’s Department to fix holes in the governing legislation.

The Communications Alliance, the industry representative body, wrote to the AGD late last year highlighting its ongoing concerns with the legislation.

It revealed at an update on the regime last week that it was hoping to start consultation with the department on some of its issues in the coming weeks.

Ongoing problems

One of its concerns is what constitutes a ‘communication’ under the legislation.

The definition of 'communication' in the data retention act is broad and includes its ordinary meaning, which is the exchange of information.

The obligation for telcos is to retain any metadata for 'services that carry communications or enable communications to be carried'.

The Communications Alliance believes the current definition brings machine-to-machine (M2M) communications into scope for retention.

“We all know that most of machine-to-machine communications might not be very useful. It’s not very interesting to know whether a parking meter has communicated with the council,” director of program management Christiane Gillespie-Jones told last week’s event.

“Having said that we are at the advent of the internet of things. With a predicted 30 to 75 billion devices connected in 2020, this is something that should be fixed up. It should be clear that communications from these devices are not included in the legislation.”

She said the AGD had advised that it was not the intent of the legislation to include M2M communications, and the agency had indicated it was “open to discussion” about how to better clarify this.

Encryption of the retained data continues to be a concern to telcos, the representative body said.

While the legislation requires telcos to encrypt the data that is stored, it does not direct them on how to do so.

The Communications Alliance argues this obligation should be changed to ‘securing’ the data, rather than ‘encrypting’ it.

“It is the security of the data that matters. Encryption can be secure or insecure, depending on whether the key to encryption, for example, is available easily. So it should be a requirement to keep the data secure, to protect it, as opposed to encrypt it,” Gillespie-Jones said.

The AGD’s response to this call was “as we expected it”, she said - the department advised that if a provider can demonstrate they are keeping the data securely without encryption, they may apply for an exemption or variation to the obligation.

Circumventing the law for data access

The Communications Alliance also raised concerns about agencies that had been excluded from accessing the retained data finding other avenues to get access to it.

Access under the scheme is limited to 21 law enforcement agencies.

Prior to the introduction of the scheme the government cut the amount of agencies able to ask telcos for data down from 80, after privacy and civil rights advocates questioned why the likes of local councils and environmental bodies needed access to the data.

But the Communications Alliance told the AGD that those agencies that had been excluded were using other legislation to get access to the data.

They are able to do so because the data retention law forces telcos to respond to any lawful requests for information.

Local councils are asking for the data to manage minor traffic offences and unlawful removal of trees, the Communications Alliance said.

The RSPCA, state coroners, and the Environment Protection Authority are also using powers in their own statutes to circumvent their exclusion from the data retention scheme.

Such organisations were among those lobbying the AGD to be designated a criminal enforcement agency under the TIA Act, a classification that is required to access the data.

“The access to the data is not always in the context of criminal law or national security as it was intended, and it would be desirable to create a threshold of seriousness as to when an agency can actually request that data and get access to it,” Gillespie-Jones said.

“And when that threshold has been met, define a common process as to how these agencies get access so providers aren’t left figuring out which agency is using which legislation and whether they have the right to access that data or not.

“It should not be up to providers to make that judgement call.”

She said the department had indicated it was open to discussion on addressing the issue.