nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Australia's media regulator to oversee new data retention regime

Bill pitched as essential anti-terror and crime measure

By Simon Sharwood, 30 Oct 2014

Australia's government has tabled its data retention Bill and outlined a willingness to assist carriers and internet service providers (ISPs) pay for their retention rigs.

The Bill also explains a little about how retention rigs will need to be constructed and anoints the Australian Communications and Media Authority (ACMA) as the arbiter of whether carriers and ISPs' proposed schemes are appropriate.

The draft law also offers, for the first time, a definition of “metadata”. Here it is:

(a) characteristics of any of the following:
(i) the subscriber of a relevant service;
(ii) an account relating to a relevant service;
(iii) a telecommunications device relating to a relevant service;
(iv) another relevant service relating to a relevant service;
(b) the source of a communication;
(c) the destination of a communication;
(d) the date, time and duration of a communication, or of its connection to a relevant service;
(e) the type of a communication, or a type of relevant service used in connection with a communication;
(f) the location of equipment, or a line, used in connection with a communication.

The bill excludes a requirement to retain the content of any communication: both communications minister Malcolm Turnbull and attorney-general George Brandis have been at pains to point out the law will not require service providers to retain “the content or substance of any communication, including subject lines of emails or posts on social media sites”. The Act will also “expressly exclude a person's web-browsing history”.

Both ministers also said the new law does not, and is not intended to, give Australian law enforcement agencies any new powers. Both instead pitched it as a measure that will ensure ISPs and carriers retain data that law enforcement agencies feel is an essential investigative tool.

Turnbull's speech introducing the bill included comments to the effect that a “major child exploitation investigation” has been hampered because the Australian Federal Police “has been unable to identify 156 out of 463 potential suspects, because certain providers do not retain the necessary address allocation records”

“These records are critical to link criminal activity online back to a real-world person,” he added.

In a later press conference, ASIO and the AFP credited metadata as having played a role in detecting and preventing terror attacks on Australian soil.

On the question of the costs imposed on service providers, Turnbull said the government is willing to make a “substantial” contribution, as it is aware “we are asking companies to do things that are not core business.” Turnbull said but is awaiting a consultation process before even contemplating a figure. Current speculation about the costs of data retention, Turnbull says, are not accurate.

One detail that has been revealed is that carriers will be responsible for their own security arrangements for retained data, and Turnbull also floated “reforms to strengthen the security and integrity of Australia's telecommunication infrastructure by establishing a security framework for the telecommunications sector” that will “ provide better protection for information held by industry in accordance with the data retention regime.”

There's also some new oversight for retained data. The Commonwealth Ombudsman will, for the first time, scrutinise metadata access requests.

To prove their ability to comply with the law, Carriers will be required to create a “data retention implementation plan”. The ACMA has been chosen to vet those plans because it “ … has substantial expertise relating to the technical and commercial operation of the industry” and “As such... is the appropriate body to review any dispute over a request to amend a data retention implementation plan.”

It's not clear that the ACMA has the expertise to assess the many pieces of infrastructure required to retain data: the agency's strategic intent is “promoting self-regulation and competition in the communications industry, while protecting consumers and other users”. The agency's main technical role appears to be regulating spectrum use, not assessing the complex stack of technologies required to siphon data from networking kit, into databases, onto storage devices and then made available to law enforcement authorities.

The bill's been referred straight to the Parliamentary Joint Committee on Intelligence and Security. Turnbull says the data set carriers will be compelled to retain is not final. His speech also makes numerous references to ongoing consultation with industry to hammer out the details of the retention mechanisms.

Community opposition to the bill has been considerable, not least because no definition of metadata had previously been offered. ISPs, led by iiNet, have also positioned metadata retention as tantamount to a tax as it will increase their costs and therefore their prices.

Turnbull looks to have gone some way towards countering the second objection and the bill at least advances debate on the first.

But there's doubtless plenty of life left in debate over this proposal. We'll report it as it unfolds. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing