Govt shelves telco data retention scheme

The Federal Government will temporarily shelve its proposal for a mandatory data retention regime for telecommunications metadata after a parliamentary committee failed to reach a verdict on the controversial scheme.

The committee, which released its report today, alleged it had been unable to rule on the validity of the proposal due to crucial information being withheld by the Government, such as the proposed contents of any draft legislation.

Attorney General Mark Dreyfus said the Government would put the proposed scheme on hold pending further advice.

“The committee did not make a recommendation in relation to whether Australia should pursue a data retention regime, but the committee did make a number of recommendations in relation to the details of a potential data retention regime," he said.

“Accordingly, the Government will not pursue a mandatory data retention regime at this time and will await further advice from the departments and relevant agencies and comprehensive consultation."

Dreyfus' commitment falls short of demands by the Greens to "unequivocally reject mandatory telecommunications data retention in the wake of the release of [today's] report".

Today's National Security Inquiry report is the result of one of the most “complex and controversial inquiries ever undertaken" by the Parliamentary Joint Committee on Intelligence and Security.

The commitee examined:

• changes to interception of communications and access to data under the Telecommunication (Interception and Access) Act 1979;
• reform of telecommunications security in the Telecommunications Act 1997, and
• Australian Security Intelligence Organisation Act 1979 and the Intelligence Services Act 2001.

A-G withheld information

The Government’s proposed mandatory data retention scheme was one of the most contentious inclusions in the report, proposing to require telcos to store metadata on Australian citizens for up to two years. 

The committee slammed then-Attorney General Nicola Roxon and her department for not providing enough detail on the proposed reforms, hampering the inquiry and causing confusion on what data was to be retained under the regime. 

The committee commenced its inquiry in July last year, with only two lines of text on the data retention reforms to work off.

It claimed the Attorney-General's department had much more detailed information on the topic which it did not pass over until November last year.

“This lack of information from the Attorney-General and her Department had two major consequences. First, it meant that submitters to the inquiry could not be sure as to what they were being asked to comment on," the report stated.

"Second, as the committee was not sure of the exact nature of what the Attorney-General and her Department was proposing it was seriously hampered in the conduct of the inquiry and the process of obtaining evidence from witnesses.

“The Committee was very disconcerted to find, once it commenced its Inquiry, that the Attorney-General’s Department (AGD) had much more detailed information on the topic of data retention. Departmental work, including discussions with stakeholders, had been undertaken previously. Details of this work had to be drawn from witnesses representing the AGD.”

The committee also blamed the Government’s refusal to make draft data retention legislation publicly available for its inability to properly consider the proposed reforms, and therefore make concrete recommendations.

It called on the government to release draft data retention legislation which would ensure stored metadata could not be accessed by government security agencies without a warrant. It also recommended a ban on agencies accessing browsing data. 

Metadata access by law enforcement grew significantly over the last few years.

According to the Attorney-General's Telecommunications (Interception and Access) report, 293,501 authorisations for access to metadata were made in the 2011-12 financial year, compared to 243,631 metadata authorisations in the prior year.

Heavy cost for industry

The committee recommended the Government foot the bill for the introduction of any data retention regime, backing the position of the telecommunications sector.

Two telecommunications industry bodies pegged the maximum cost to industry at up to $700 million.

The Australian Mobile Telecommunications Association (AMTA) and the Communications Alliance said set up would cost around $100 million, while the inclusion of source and destination IP address would push costs to between $500 million and $700 million. 

“The inclusion of a single additional data element has the potential to increase the capture and retention cost by tens of millions of dollars,” they added.

Telstra’s submission to the inquiry said data retention would result in significant costs to telcos and would require "large scale and detailed technical feasibility studies in order to understand what network, IT, vendor changes would be necessary and the costs of implementation and compliance with any new data creation and retention regime.”

iiNet put its own costs at $20 million for equipment and $10 million for data centre building. 

“That is to meet current levels. If we amortise the hardware over two years and the data centre over ten years, we estimate a cost of about $1 million per month, plus power and overheads,” it said. 

It said taking into account the growth in traffic would mean the cost could grow to $60 million, which would force it to increase the cost of its services by $5 a month. 

The Australian Interactive Media Industry Association backed the recommendations of AMTA and the Communications Alliance for the Government to pay for the regime. 

“The costs of fulfilling law enforcement requests should be met by the law enforcement authorities that request the information, and not directly or indirectly on service users.”

Privacy unaddressed

The Committee found while a mandatory data retention regime would be of significant benefit to national security agencies, it also raised “fundamental privacy issues and is arguable a significant extension of the power of the state over the citizen.”

“No such regime should be enacted unless those privacy and civil liberties concerns are sufficiently addressed,” it said in its report.

“Ultimately, the choice between these two fundamental public values is a decision for Government to make.

"The Committee would have been in a better position to assess the merits of such a scheme, and the public better placed to comment, had draft legislation been provided to it.”

Inclusions for legislation

The committee made a range of recommendations on what should be included in any draft data retention legislation: 

• any mandatory data retention regime should apply only to meta-data and exclude content;
• the controls on access to communications data remain the same as under the current regime;
• internet browsing data should be explicitly excluded;
• where information includes content that cannot be separated from data, the information should be treated as content and therefore a warrant would be required for lawful access;
• the data should be stored securely by making encryption mandatory;
• save for existing provisions enabling agencies to retain data for a longer period of time, data retained under a new regime should be for no more than two years;
• the costs incurred by providers should be reimbursed by the Government;
• a robust, mandatory data breach notification scheme;
• an independent audit function be established within an appropriate agency to ensure that communications content is not stored by telecommunicationsservice providers; and
• oversight of agencies’ access to telecommunications data by the ombudsmen and the Inspector-General of Intelligence and Security.

It also recommended a mechanism be put in place allowing oversight of the scheme to the committee, as well as an annual report be provided to Parliament, and the regime be reviewed three years after it is implemented.

Greens back own bill

Greens Senator Scott Ludlam said the report "vindicates the Greens’ long standing call for the Telecommunications (Interception and Access) Act to be reformed, but does not tackle the key problem - the interception of communications without a warrant.”

The Greens’ Telecommunications Amendment (Get a Warrant) Bill 2013 is currently before the Senate.

It aims to restore warrant procedures back to how they were before changes were made in 2007 allowing law enforcement agencies to seek non-content telecommunications data, or metadata, without requiring a warrant.