The government's new data retention bill has drawn mixed responses from industry with iiNet and Electronic Frontiers Australia opposing the legislation while Telstra is voicing its support.
Mandatory data retention laws require telecommunication companies and ISPs to retain records of people’s telephone and Internet communications for two years.
Communications Minister Malcolm Turnbull on Thursday morning introduced the <i>Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014</i> into the House of Representatives.
Turnbull said existing powers and laws are not adequate for law enforcement to carry out their ongoing investigations, pointing to the data preservation notices under the Interception Act.
Jon Lawrence from Electronic Frontiers Australia - a non-profit organisation that represents users concerned with online liberties and rights - said he does not believe the preservation notices have been tried and fully utilised yet.
“They obviously provide the opportunity for a targeted approach to this. We don’t object to targeted surveillance, we object to indiscriminate surveillance, which essentially is what a mandatory data retention program is,” he said.
He added that the Coalition government contradicted itself in saying it is not asking ISPs and telcos to retain anything they are not already retaining, and then made a statement that the preservations notices are inadequate.
“If they weren’t asking the ISP to retain any data they currently are not, then the legislation would be unnecessary.”
Steve Dalby, iiNet’s chief regulatory officer, said the government has failed to explain why mandatory data retention legislation urgently needs to be passed through the Senate.
“We maintain there is no urgency for this bill to be passed. There is still no explanation of why there is any need for urgency or why the existing law is insufficient.”
The definition of metadata in the bill is not totally clear, Lawrence and Dalby said.
According to the bill, metadata is:
- source of communication
- destination of communication
- date, time and duration of communication, or of its connection to a relevant service
- type of a communication, or a type of relevant service used in connection with a communication
- location of equipment, or a line, used in connection with a communication.
Lawrence said the last point about location of equipment is especially of concern.
“What you are talking about here is recording the location of everyone that has a mobile phone.
"Whether you are making a call or not, that information is being locked - as long as your phone is on and registered on a network, it’s talking to the towers. It’s really creating a map of where you go all the time,” he said.
“There’s a guy from Germany called Malte Spitz, who managed to extract six months of metadata from his mobile phone provider, which is T-Mobile, and he mapped it with Google maps. It’s really quite scary to watch.”
Turnbull said that “providers will not be required to keep detailed location records that would allow a person’s movements to be tracked akin to a surveillance device”.
Lawrence argued even with basic location metadata, a person’s movements could still be potentially mapped.
“A friend of mine who lives in inner city Melbourne walks his kid to day care every morning. There’s a strip joint pretty close to this day care, which is a peculiar planning decision. If you look in the logs of his iPad, it has him down for visiting the strip joint at 9:00am every weekday morning.
“So you have issues there with false positives and that’s what happens when you start collecting data,” he said.
iiNet's Dalby said there is a need for clear definition of terms, including what type of personal information may be captured by the proposed legislation
“This is now at least the fourth data set of a retention regime floated by the government, and given this type of confusion we need to take a deep breath, step back and have a good look at this new bill,” he said.
Turnbull also said the data retention bill does not require service providers to store contents of communication including subject lines of emails, posts on social media sites, Web browsing history and the IP addresses of the websites that people visit during their Internet activity.
But most people in this country use a Web-based email account, and "it’s not clear to me how you can track information about those emails without tracking the URLs, because it is Web-based", Lawrence argued.
When it comes to the government expecting to “make a substantial contribution both to the cost of implementation and operation” of a data retention scheme, Lawrence said tax payers will ultimately pay.
“Sounds like a big new surveillance tax to me. We are talking about hundreds of millions of dollars here, and it’s probably going to be a combination of both tax and increases to connectivity charges.”
He added that the ISP sector is not a homogeneous group of companies, and smaller companies will be hit the hardest with the cost of storing large volumes of data for long periods of time.
“There are some really potentially quite significant competitive issues here, which could potentially drive smaller players out of the market,” Lawrence said.
Meanwhile, Telstra has welcomed the legislation and is pleased the government wants to resolve outstanding issues.
“It continues the commitment they have shown in industry consultation in recent weeks to meet national security objectives, while minimising the impact on industry and consumers,” a Telstra spokesperson said.
“Complying with the legislation will go beyond Telstra’s current business practices, but we are encouraged by the government’s statements on costs, that the type and volume of data is limited and that web browsing history will not be part of the scheme.”
Telstra also pointed out how important service providers are in retrieving stored data for law enforcement agencies to do high level investigations.
“Lawful access to telco data is an important tool for law enforcement and national security agencies that has helped save lives and solved serious crimes. In a sector with rapid technological change, it makes sense to look at clarifying the obligations on industry.”
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.