Vodafone reveals plans to store users' online activity

Vodafone has revealed it is working on a methods to store details of its customers' internet usage for 90 days as a service to users, but warned the facility would not be in place in time for the potential introduction of the Government’s proposed mandatory data retention regime

Vodafone general manager of industry strategy and public policy Matthew Lobb today fronted a parliamentary inquiry into a revision of the existing Telecommunications (Interception and Access Act), of which mandatory data retention has been a major theme.

Lobb contradicted comments by Attorney-General George Brandis - who claims telecommunications companies are already storing the types of data the Government is proposing be covered under its retention scheme - stating Vodafone only currently stores traditional call data, and not troves of information related to its user’s online communications.

Lobb said linking session IP addresses to individual customers was only an emerging capability for the telecommunications sector. The infant scheme is aimed at providing more information for customers, specifically those who contest bills, he said.

“It has not been a traditional capability as part of the way we store data, but it is something that is evolving, because certainly at the moment, the billing of data has been about how much you are using, not what you are doing and where you went,” Lobb told the committee.

“Customers are now wanting to know what we claim they used their data for, so that’s in it's infancy, but it’s going to be a number of years before that gets firmly established.”

Lobb said Vodafone was starting to move to a situation where there would be a clear IP identifier to link its customers to each session in which they accessed the internet.

“The capability that’s emerging means we will be able to track the [IP identifier] linked to the appropriate customer, and we will begin to store that for a period of time,” he said.

“Customers want to know how much data they use on Facebook and Twitter, so for billing purposes we will develop that capability.”

The current plan was to store such data for 90 days for the purpose of bill disputes, Lobb said. He put the cost of such a capability at a tentative $10 million.

Mandatory data retention will cost “tens of millions”

The Government's plan would to require telcos to store traditional billing details of internet and phone account holders alongside numbers called and texted and their times and dates, when and where online communications services start and end, a user’s IP address, type and location of communications equipment, and download and upload volumes, among other things.

Lobb said the Government’s proposal would cost telcos in the tens of millions of dollars to implement and run.

“There are three components - [first], the capability of having an IP identifier that you link to a customer is an emerging capability, at the moment it’s a ‘best endeavour capability’,” he said.

“Another component is the storage of the data, which is another cost - our estimate is several petabytes of data per year, and usage is doubling annually on mobiles.

"And the other component, which is the biggest cost, is the actual ability to access and analyse the data," he said.

Internet service provider iiNet has previously put the cost of the Government scheme at $100 million.

While Vodafone already stores call data for more than two years for “tax and audit purposes”, Lobb revealed, the data covered under the Government proposal would require the significant expansion of standard telco business practices.

He said more discussion was needed around the two-year storage period proposed by the Government, which he described as being at the “upper bounds” of similar international schemes, specifically Europe, in which he said most inquiries for metadata were made for a six month window.

Similarly, the current number of agencies able to access non-content data without warrant needs to be revisited, and additionally the potential for a central authorisation agency should be studied, Lobb said.

“At the moment there is a set of authorised agents who can access the information - that ranges from national security agents ... to local councils and the RSPA,” he said.

"We think there needs to be discussion around whether there needs to be a new regime where agencies need to go through a centralised agency to access information.

"Or there needs to be a threshhold for the type of offence as a prerequisite to access the data.”

Lobb’s proposed threshold for the type of offences that would justify access by law enforcement agencies was seconded by former AFP officer and director of the Centre of Internet Safety, Alastair MacGibbon.

While arguing that the information as “extremely important to assist law enforcement to go about lawful duties,” he suggested the regime should limit the number of agencies able to access the data, narrowly define the type of offence for which such data can be sought, and introduce appropriate oversight and auditing.