Confusion reigns over whether Aussie VPNs must keep user metadata

Australian virtual private network providers are at odds over whether they are required to comply with the country's data retention laws and store user metadata due to a lack of clarity and guidance by the federal government.

The data retention scheme came into force in October 2015 and forces carriage service providers to store the non-content data, or metadata, of all customers for up to two years to aid law enforcement.

But providers of virtual private networks (VPNs) - used to securely communicate over the internet - don't agree on whether they fall under the obligations. VPNs have been touted as a way for users to avoid having their metadata retained under the scheme.

Perth-based Wangle recently claimed its VPN offering was Australia's first 'data retention and ACMA-compliant VPN'.

The Australian Communications and Media Authority (ACMA), declined to comment on Wangle's claims, and whether or not VPN providers are captured by Australia's data retention laws. 

It instead referred enquiries to the industry body for telecommunications operators, the Communications Alliance.

The Communications Alliance told iTnews its understanding was that carriers who offer VPNs were likely in scope, but said the position on sole VPN operators was unclear. It is seeking clarification from the department.

Enquiries to the Attorney-General's Department, which drafted the laws and is the main overseer of the scheme, were similarly unenlightening.

A spokesperson said a VPN provider would be captured under the legislation if it met the criteria for "relevant services".

The TIA Act defines a relevant service as one that:

• carries communications or enables communications to be carried by means of guided or unguided electromagnetic energy or both;
• is operated by a carrier or carriage service provider or an internet service provider; and
• is offered by a person who owns or operates infrastructure in Australia that enables the provision of any relevant service.

All three criteria have to be met for VPN provision to count as a relevant service under the Act.

The AGD spokesperson refused to further clarify how VPN providers could decide whether or not they are covered by the Act and therefore need to retain user metadata to be compliant with the data retention laws.

The department said VPN providers can contact the Office of the Communications Access Co-Ordinator (OCAC) for assistance 'understanding and complying' with data retention obligations.

Patrick Fair, partner at Sydney law firm Baker & McKenzie, told iTnews his reading of the law was VPN providers that only provide security over third-party networks are not considered carriage service providers.

“The easy test of this is: could I have used the service without buying connectivity from someone else?” he said.

“If you had to buy your connectivity from someone else, the someone else is a carrier or a carriage service provider, and the online service you accessed is OTT [over the top].

“The fact that many over the top service providers appear to be supplying services that do carrying of messages - for example, any number of mail services - is generally a matter that confuses people who don’t work in this area all the time."

Fair noted the matter was nominated as a “broken concept” in ACMA’s discussion paper on issues around the telco regulatory environment.

Butting heads

Wangle chief executive Sean Smith told iTnews he was "very sure" his business was subject to the scheme.

"We worked very closely with ACMA and the office of the CAC who were very clear on this position," Smith said.

Competing provider VPNSecure of Brisbane, however, believes it does not fall under the data retention law, founder and chief executive Shayne McCulloch told iTnews.

"When the metadata laws came out we registered a company outside of Australia ready to move everything. We then began to seek independent legal advice on if we would fall under the metadata retention scheme," he said.

"The conclusion drawn from our independent legal advice is that we are not an ISP or specifically a carriage service as outlined by the Telecommunications Act." 

The company also consulted with industry experts that agreed with the provided legal advice.

VPNSecure will move out of Australia if it becomes subject to the scheme, McCulloch said.