The Department of Home Affairs has raised the prospect of forcing Australian telcos to capture an expanded range of user data including MAC addresses, IP addresses and port numbers under mandatory data retention laws.
In a submission [pdf] to a parliamentary inquiry, the department said that the expansion of information captured - as well as increased retention beyond the current two years - could “address emerging trends in technology”, and assist agencies with “prolonged investigations”.
“For example, including media access control (MAC) addresses and devices which identify serials would provide better information as to which device was being used at the time of an offence,” Home Affairs said.
“MAC data is not currently retained under the Data Retention Act, but is a form of data that will become increasingly important to law enforcement and intelligence agencies.
“Similarly, including IP addresses and port numbers to attribute data accessed on mobile phones, would allow agencies to make better use of mobile phone data.”
The department said that Victoria Police had recently used MAC addresses to track a stolen mobile phone and “obtain surveillance footage of [the] possible offenders”.
Home Affairs also raised the prospect of mandatory retention of data beyond the current two years.
It suggested pressure for this was coming from agencies ensconced in “prolonged investigations”, though Home Affairs noted the case for longer retention was far from clear-cut.
“The Home Affairs Portfolio notes that an increased retention period would further assist agencies with managing investigations,” it said.
“... Any expansion of the retention period would require greater consideration, including an examination of privacy implications, and that there have been no changes in the investigative environment to warrant such consideration at this time.
“When these considerations are weighed against changes in public attitudes towards privacy and the need for strong privacy protections, the most appropriate way forward would be to retain the existing scope of the legislation.”
Telcos are arguing for data to be mandatorily retained for less than two years, given most requests are for newer data.
Communications Alliance - which represents telcos - said the two-year retention period had been proven to be “unnecessarily wide”.
In a submission of its own, the Communications Alliance argued for closing off a “loophole” in Section 280 of the Telecommunications Act that allows dozens of non-law-enforcement agencies to access retained data.
The Alliance said there are now 87 different bodies nationwide that have made requests for telecommunications metadata, of which 27 have tried to use the laws since November last year.
These include councils, “illegal dumping” authorities, and overseers of industries such as construction and fisheries.
“The general public (to the extent it is informed about these matters) and also experts, often mistakenly believe that the telecommunications data of ordinary Australian people can be accessed, without a warrant, by only a very limited number of 22 law enforcement and security agencies,” the Alliance stated.
“The website of the Department of Home Affairs lists 14 agencies (police forces of states are listed as one agency) as the only agencies that have access to telecommunications data on a warrantless basis.”
Home Affairs implored the government not to close off Section 280 access.
“A range of government agencies not designated as ‘enforcement agencies’ for the purpose of the Data Retention Act investigate criminal activity or protect public revenue,” it said.
“Examples of this include coroners’ courts, state justice departments, state revenue offices, Australia Post and the Australian Taxation Office.
“It is important to note that Section 280 itself does not authorise the disclosure of data. Rather, the section works in connection with existing laws, passed by Commonwealth or State and Territory legislative bodies, which set out their own thresholds and safeguards for access to personal information by relevant authorities.
“Section 280 enables these underlying laws to function as intended by relaxing the prohibition against disclosing telecommunications data if it is in response to a lawful request.
“Removing this exception would have serious implications to a range of entities across Australia.”