Australia’s data retention regime started today

From today, telco and internet service providers are obliged to capture and store your metadata for two years for access by authorised government agencies under the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth), which amends the Telecommunications (Interception and Access) Act 1979 (Cth).

By the time you finish reading this sentence, your service provider may have recorded your access to the internet, the time of your access and your approximate location.

Unless your service provider is struggling with implementation, in which case they would have submitted an implementation plan to the Commonwealth Attorney-General’s Department, detailing how they plan to implement full compliance by April 2017. In the meantime, Internet Australia, the peak body representing Australian internet users, called for a review of the data retention regime yet again, less than a week before its implementation, highlighting remaining areas of concern, such as:

  • the length of the proposed retention;
  • the level of oversight within agencies able to access the data;
  • government funding for the implementation; and
  • the location and methods of storage of the collected metadata from a security perspective.

John Stanton, the Chief Executive Officer of Communications Alliance, the peak Australian body representing the telecommunications industry, reportedly noted many service providers are still waiting to hear from the government about whether their implementation plans have been approved, and when government subsidies toward the upfront capital costs of the implementation will be distributed.

The data retention law does not require that your browser history be recorded, so the web address of the site(s) you are visiting is not required to be captured. This makes me question how useful such data would be from a national security agency perspective – after all, you could be looking at, or searching for, fluffy cats … or something very sinister – but the data collected under the new law need not capture that information.

Having said that, service providers may record destination IP addresses regardless, and many of them are likely to do so, as removing that information from the data set captured may be difficult and costly. This means that destination IP addresses, bundled up with data collected under the retention regime, will also most likely become available to those government agencies authorised to access the data captured.

Part 5‑1A—Data retention

Division 1—Obligation to keep information and documents

187A Service providers must keep certain information and documents

(1) A person (a service provider) who operates a service to which this Part applies (a relevant service) must keep, or cause to be kept, for the period specified in section 187C:

(a) information of a kind prescribed by the regulations; or
(b) documents containing information of that kind;

relating to any communication carried by means of the service.

(2) The kinds of information prescribed for the purposes of paragraph (1)(a) must relate to one or more of the following matters:

(a) characteristics of any of the following:

(i) the subscriber of a relevant service;
(ii) an account relating to a relevant service;
(iii) a telecommunications device relating to a relevant service;
(iv) another relevant service relating to a relevant service;

(b) the source of a communication;
(c) the destination of a communication;
(d) the date, time and duration of a communication, or of its connection to a relevant service;
(e) the type of a communication, or a type of relevant service used in connection with a communication;
(f) the location of equipment, or a line, used in connection with a communication.

(4) This section does not require a service provider to keep, or cause to be kept:

(a) information that is the contents or substance of a communication; or
Note: This paragraph puts beyond doubt that service providers are not required to keep information about telecommunications content.
(b) information that:

(i) states an address to which a communication was sent on the internet, from a telecommunications device, using an internet access service provided by the service provider; and
(ii) was obtained by the service provider only as a result of providing the service; or

Note: This paragraph puts beyond doubt that service providers are not required to keep information about subscribers’ web browsing history.

If you are driving to work, it’s probably best not to Google anything while at the wheel, because that will create another entry in your personal metadata file. Should you be involved in an accident, that data could be matched to show you were likely distracted by accessing the internet at the time.

If you catch public transport, Google away, just be aware that your access to the internet will be captured again, together with the time and the approximate location of the device you are using. However, what you Googled won’t be captured.

If you send an email, the message won’t be recorded, but the time it is sent, and the address of the sender and the recipient(s) are captured. If an authorised government agency requires access to the content of an email they will still need to get a warrant.

When he was the Director-General of Security, the head of the Australian Security Intelligence Organisation, David Irvine said he was ‘not quite sure why’ there was such a fuss about the then proposed data retention legislation. In the meantime, General Michael Hayden, the former director of the NSA and the CIA, noted ‘we kill people based on metadata.’

Yet research available indicates that ‘mass untargeted surveillance of internet-based communications is an excessive tool with respect to its potential for abuse against both society and individuals, and that its ability to prevent crime or terrorism are limited.’

However, many law enforcement agencies, including the Australian Federal Police, insist that in practice metadata supports their criminal investigations and prosecutions.

It’s unclear how much the data retention regime will cost customers, but someone will have to pay for capturing, storing, securing, managing and accessing the data.

The Commonwealth Attorney-General’s Department engaged PricewaterhouseCoopers to cost the implementation of the proposed data retention regime and, according to the government, PwC arrived at the upfront overall capital cost of between $188.8 and $319.1 million. We have to rely on the Attorney-General for these figures as the government refused to release the PwC report.

That estimate was intended to ‘inform the Australian Government in delivering on its commitment to make a reasonable contribution to the capital costs of implementation of the data retention regime.’ It remains to be seen what that ‘reasonable contribution’ might be and how it will be made. It must also be noted that this estimate related only to the ‘upfront capital cost’ of data retention, and does not address the cost of ongoing maintenance, management, security or access.

The databases maintained by telecommunications and internet service providers as a result of our data retention law will be to hackers what candy is to children, so security of that data will be a significant ongoing issue. Some hackers will see the hacking of these databases as a mere challenge or a game. Other hackers could create a map of your movements based on your metadata and pinpoint your home and work locations, and that’s just scratching the surface when it comes to the potential misuse of metadata.

At least we will be able to exist in blissful ignorance about any breach of that data, because Australia still doesn’t have compulsory data breach disclosure laws in place that would oblige companies to tell us if our data is hacked.

While the data retention amendments were rushed through Parliament in record time, the mandatory data breach disclosure provisions are certainly not getting the same priority.

All in all, the process, from debating and passing the law to the implementation of the data retention regime, does not fill one with immense confidence …
