Govt mulls cloud, social intercepts

Cloud providers and social networks could be obliged to capture and store customer information for lawful interception under a new proposal by the federal Attorney-General's department.

The proposal is part of a wide-ranging review of telecommunications interception and intelligence community legislation Attorney-General Nicola Roxon referred to a parliamentary committee in May for further consideration.

In a 61-page discussion paper released on Tuesday (pdf), the department said it was considering whether to expand the interception regime beyond its existing scope of telcos and internet service providers.

The department looked to include the "broad range of current telecommunications industry participants" that had grown since the law's inception in 1979.

It highlighted social networks and cloud computing providers, whose exclusion under current legislation created "potential vulnerabilities in the interception regime that are capable of being manipulated by criminals".

"Consideration should be given to extending the interception regime to such providers to remove uncertainty about the application of industry obligations in relation to agency requests and to better position Australia to meet domestic and international demands," the discussion paper notes.

Cloud providers and social networks would likely fall alongside telcos, under a three-tiered system the Government is simultaneously considering.

The system would look to reduce the onerous requirements on smaller telcos and ISPs to capture and store customer data, while ensuring those that were able to do so effectively would continue.

It was unclear whether the tiered model would be based simply on business size and cost of implementation, or also look to separate telcos and ISPs — which largely have an Australian presence — from cloud, social media and other application players that are often based in the US and may or may not host data locally.

The move to include cloud operators in particular could provide authorities with the ability to more easily decrypt data stored on infrastructure-, software- or storage-as-a-service solutions.

Consultant Rob Livingstone said subjecting cloud operators to interception obligations would likely work for Australia-based companies, while those with data based overseas would require multi-lateral agreements.

"If you have a cloud service provider, carrier and cloud consumers all in one legal jurisdiction ... it becomes a lot simpler," he told iTnews.

"But when you have a multi-national which operates across seven or eight international jurisdictions, not all jurisdictions have got equivalent back-to-back agreements as to who can do what in each other's jurisdictions, requesting information from a cross-jurisdictions point of view.

"It's not only a technical issue but it's also a governance issue of who can you go to, which jurisdiction are you able to go to seek that information then enforce the availability of that information."

Livingstone said the proposal's effect on Australian regulation was unlikely to deter multi-national cloud vendors such as Amazon and Google to host data onshore.

International governments have often requested data, or the removal of such data, from major websites and social networks including Twitter and Google, even when held in the US.

But these powers largely fall outside of existing interception laws.

A transparency report released recently by Twitter showed Australian authorities had requested data from the microblogging network less than ten times in the first six months of 2012, with the actual data being provided to government powers a third of the time.

The US, by comparison, had made 679 queries during the same time period, receiving the actual data three-quarters of the time.

The ability to request data from social media pales in comparison to the amount of data captured locally by telcos and ISPs, where authorities have spent $50 million and requested both stored and live data intercepts more than 250,000 times over the past 12 months.

But the inability to intercept and capture all data relating to a communication through the the ISP or telco — with many application services hosted overseas — made "the provision of assistance to Australian agencies challenging".

Data retention

The potential for further amendments to existing interception and intelligence gathering legislation has attracted criticism as an expansion to what Greens senator Scott Ludlam said was already a "phenomenal amount of government surveillance".

The proposal's referral to a committee in May was also the first time that the contentious data retention proposal was brought back into the spotlight since Roxon assumed office as Attorney-General.

The inquiry is the first public discussion of such a proposal, which would see ISPs collect and store customer data for up to two years, up from current requirements to store only transactional data for 180 days.

Unlike some other, more concrete proposals, the data retention aspect is currently only marked as the Attorney-General "seeking views" but Senator Ludlam said the inquiry failed to provide for stronger privacy safeguards on timing and rights around communication interceptions.

"This extreme proposal is based on the notion that all our personal data should be stored by service providers so that every move we make can be surveilled or recalled for later data mining," he said in a statement.

"It comes from a mindset that imagines all Australians as potential criminal suspects, or mindless consumer drones whose every transaction should be recorded and mapped."