The Data Retention Bill
What it is:
Reading the entire Bill is a lot to cover, however the summary as explained on Australian Parliament website, explains that the Data Retention Bill seeks to:
- Amend the ‘Telecommunications (Interception and Access) Act 1979’ to require Internet Service Providers to retain ‘Telecommunications Data’ (Not Content) for two years.
- Provide a review by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) of the Mandatory Data Retention Scheme no more than 3 years after the end of its implementation phase.
- Limit the range of Agencies that are able to access the ‘Telecommunications Data’ and ‘Stored Communications’.
- Provide for record-keeping and reporting the use of, and access to, ‘Telecommunications Data’.
- Require the Ombudsman to inspect and overs these records for compliance and ‘Telecommunications Act 1979’ to make consequential amendments.
Telecommunications Data (aka metadata)
The Second reading of the Bill explains in further detail the definition of what ‘Telecommunications Data’ is quoted below:
“The type of data referred to in the bill as telecommunications data, more often described as metadata, is information about a communication but not its content. So, in the telephone world, it reveals that one number belonging to a particular account was connected to another number at a time and for a duration, but does not reveal what they discussed. In the IP world it reveals that a particular IP address, which may have been observed to have been engaged in some unlawful activity, had been at the relevant time allocated to a particular account. In the context of messaging—email, for example—it reveals the sender, recipient, time and date, but again not the content. Access to content, I stress, requires a warrant.” – Malcom Turnbull, Minister for Communications
As Mr Turnbull states in his presentation, ‘Telecommunications Data’ would only be the source and destination endpoints that are tracked, not the data that is exchanged and any access to the exchange data would require a warrant. Mr Turnbull goes on to provide a brief case point about a child exploitation case who has been unable to identify 156 out of 463 potential suspects due to not being able to access their IP Address history from the ISP, who was not retaining that particular information.
Data Retention
The data retention component of the bill seeks to “allow regulations to prescribe a consistent, minimum set of records that service providers (aka ISPs) who provide services in Australia must keep for two years”
Mr Turnbull goes on to explain that the two year retention period is provided under the advice of law enforcement and security agencies, he also explains that the Australian Government recognizes the concerns that would be raised from the public regarding privacy and has committed to addressing the concerns by allowing the PJCIS to review the draft dataset and allow public inquiry.
Cost
The Bill has raised some concerns about the cost of storing the metadata and Mr Turnbull has responded to this concern by indicating that the Australian Government will make a “Substantial Contribution” to the cost of implementation and operation of the proposed scheme.
Who can access the data (Access Arrangements?)
Turnbull has indicated that the bill does not provide any of the agencies any new access or powers to data, the bill ensures that the data will continue to be available to agencies as part of legitimate investigations, subject to the same limits that currently apply. Turnbull has stated that the bill will strictly limit the range of enforcement agencies that are permitted to access the telecommunications data without a warrant.
Concluding remarks
In his conclusion Turnbull has stipulated that the bill is critical to prevent the capabilities of Australian Law Enforcement and National Security Agencies being further degraded and that it does not expand on telecommunications data (metadata) that is already being accessed by these said agencies.
He states that the bill simply ensures that the telecommunications data is mandatory retained for a period of 2 years so that the data can be resolved to an account holder.
Finally, Mr Turnbull states that the bill specifically precludes any obligations to retain information related to web browsing activities and that the bill only allows access to the customer IP Addresses and not the website IP Addresses.
So what does this mean?
History unfortunately shows us that even the most securely protected data is subject to vulnerabilities from interception by malicious sources and data leaks are very common in today’s technology fueled planet. Retaining the telecommunications data and having the safeguards in place to prevent enforcement agencies being able to access the contents is a great idea on paper, but the reality is that the contents will also need to be retained to provide these agencies with access to it in the event that they can obtain a warrant and storing the data means that it is available for the potential to be exploited.
How does this affect me?
Generally speaking, it won’t affect the average law-abiding internet user. I use the term law abiding as there simply would be no reason to investigate the data captured for an individual that doesn’t show up on the radar, this process would take time and require human resources which cost money.
Torrent users may feel a slight squeeze, however most IT savvy users will simply connect to a VPN to do their downloading which means that the Telecommunications data is unreadable.
My Final Thought
Whilst personally, I do agree in principal with the reasons for keeping telecommunications data (metadata) I also am torn on the idea, as there is absolutely no guarantee that the metadata will be completely secure from outside exploitation or more importantly from inside exploitation.
Having policies in place to prevent enforcement agencies from accessing data doesn’t actually prevent them from doing so, it only provides a harsh consequence to the individuals that potentially would think of doing so and as we have seen in the past, the information that has been exploited has already been leaked by the time a prosecution takes place, if at all. The RSA ‘breach’ which occurred in March 2011 is a perfect example of Data Leaking due to exploitation and the attackers remaining at large and this firm is a major security company.
One thing is for certain, the introduction of this bill will change the shape and way that users who have things to hide operate and this in time may make the idea of retaining telecommunications data redundant as there will be ways around it.