Metadata collection "loophole" costs telcos millions

Telecommunications Act lets councils, others get around TIA restrictions.

Telcos have spent millions processing requests for metadata from organisations such as councils, which, unlike law enforcement agencies, don't have to reimburse them.

Telcos have spent $72.8 million on retaining metadata and responding to access requests since the 2014-15 financial year, after accounting for the total $275.5 million spent and the $202.6 million reimbursed by the government.

The 2015 amendments to the Telecommunications (Interception and Access) Act (TIA) granted 22 law enforcement agencies warrantless access to metadata, but at least 80 non-law-enforcement agencies have accessed the data through Section 280 of the Telecommunications Act.

Industry can only recover the costs of responding to metadata access requests from law enforcement agencies listed in the TIA, and not organisations like local councils requesting data using the older Section 280(1)(b) of the Telecommunications Act.

Last month, Telstra raised the industry costs and privacy risks of scope-creep in its submission to the current review of the Electronic Surveillance framework.

Telstra recommended “requiring all agencies requesting access to telecommunications data to follow the process set out for enforcement agencies in Division 4 of Chapter 4 of the TIA Act rather than relying on section 280 of the Telecommunications Act.”

“A number of Government agencies who are not enforcement agencies under the Telecommunications (Interception and Access) Act 1979 (TIA Act) are able to access telecommunications data using other Commonwealth or State legislation.”

“Most of these laws have no requirement for the requesting agency or officer to consider privacy when exercising these powers and contain no specific cost recovery provisions.”

“Any agency able to access telecommunications data or content should… (2) be required to reimburse service providers on a cost recovery basis.”

The Parliamentary Joint Committee on Intelligence and Security (PJCIS) recommended the repeal of section 280(1)(b) in its 2020 review of the mandatory data retention regime.

The Communications Alliance, which represents telcos, said in its submission to the review of the Electronic Surveillance framework last month that it was “disappointed and bewildered by the fact that Government has not responded to this important report [PJCIS’s 2020 review], more than one and a half years after its release.”

The Alliance said failure to repeal section 280 of the Telecommunications Act had “led to more than 80 agencies making requests for metadata, over and above the 22 Criminal Law Enforcement Agencies that were originally intended to be the only agencies vested with such powers.”

In its submission to a 2019 parliamentary inquiry, the Alliance said these organisations included councils, “illegal dumping” authorities, and overseers of industries such as construction and fisheries.

The Communications Alliance, Telstra, and Vodafone either declined to comment or did not respond to requests to know which non-law-enforcement bodies made requests during the last reporting period and what information was requested.

The reimbursement from law enforcement agencies no longer seems to cover the cost of keeping data and responding to TIA requests. According to the 2020-21 TIA Act Annual Report released last month, the industry was reimbursed just $13.3 million of the $25.2 million cost of complying with the metadata regime.

Additionally, industry received $131.5 million through the single-round data retention industry grants programme in 2016, Home Affairs told iTnews.

Copyright © iTnews.com.au. All rights reserved.