Telecommunications (Interception
and Access) Amendment (Data
Retention) Bill 2014
AIIA response to Bill and
Explanatory Memorandum
January 2015
T 61 2 6281 9400 E [email protected]
About AIIA
The Australian Information Industry Association (AIIA) is the peak national body representing Australia’s information technology and communications (ICT) industry. Since establishing 36 years ago, the AIIA has pursued activities aimed to stimulate and grow the ICT industry, to create a favourable business environment for our members and to contribute to the economic imperatives of our nation. Our goal is to “create a world class information, communications and technology industry
delivering productivity, innovation and leadership for Australia”.
We represent over 400 member organisations nationally including hardware, software, telecommunications, ICT service and professional services companies. Our membership includes global brands such as Apple, Avanade, EMC, Google, HP, IBM, Intel, Lenovo, Microsoft, PWC, Deloitte, and Oracle; international companies including Telstra and Optus; national companies including Data#3, SMS Management and Technology, Hills Limited, Technology One and Oakton Limited; and a large number of ICT SME’s.
Overview comments
The AIIA appreciates the opportunity to provide this response to the Telecommunications
(Interception and Access) Amendment (Data Retention) Bill 2014, and accompanying Explanatory
Memorandum. While we support the objective of public safety and security proposed by this initiative, we have concerns that the draft legislation may not be the most effective means to achieve this objective. AIIA’s key concerns relate specifically to:
the non-specific, all-encompassing nature of the draft Data Set and the ambiguity this will create for service providers;
clarity regarding ‘exempt’ services;
the unquantified nature of the financial impact on service providers and ultimately consumers and how these costs will be accommodated; and
inadequate substantiation for the proposed two year data retention period.
With these in mind, AIIA does not believe that sufficient case has been made that the Regulations would result in a net benefit to society.
Given these concerns, detailed more thoroughly in this submission, AIIA recommends:
that the passage of the Bill be delayed to allow sufficient consultation with parties that may be affected to ensure understanding whether they will be subject to the regulations; reduction of the two year retention period – to better align with the practices of overseas
jurisdictions;
changes to ensure affected parties have time to implement the necessary changes to their infrastructure – should it proceed;
a cost-benefit analysis to better understand the financial impact of the changes and who is responsible for the cost of the infrastructure required; and
changes to ensure that only information related to national security is obtained and sensitive data is adequately protected.
The need to manage potential unintended security risks associated with the proposed requirements
Specific comments
Scope of regulations
Our understanding is that proposed legislation will apply to all entities providing communications services such as telecommunications services, and providers of over-the-top services such as web-based mail services, VOIP services and cloud services. There is an exception for services provided to those within the service provider's immediate circle or where the connectivity is provided to people in the same place. These exceptions exempt communication services within a corporate group and services such as the provision of WiFi services by a café.
The Bill requires that service providers keep certain information for two years from the date when the account of the relevant customer is closed and broader categories of information for not less than two years from creation. Service providers that are not able to comply immediately can seek approval to implement a "data retention implementation plan" while taking steps to fully comply. Service providers can seek an exemption from the requirements. This is at the discretion of the Communications Access Co-Ordinator and combined with the ambiguous nature of the scope of legislation raises concerns regarding potential scope creep. Cloud providers and VoIP operators for example, are unclear the extent to which they will be subject to the new legislation. Regulations will be made specifying details of information to be kept, including information about subscribers, accounts, telecommunications devices, other services, the source of a communication, the destination of a communication, the date, time and duration of a communication, the type of communication, service used and the location of equipment or line used.
'Data' excludes content and Internet browsing but, in the case of 'criminal law enforcement agencies' includes stored communications (texts and emails). The proposed law provides that regulations cannot require a service provider to keep the contents or substance of a
communication, nor an address to which a communication was sent from a telecommunications device. This exception is intended to make clear that browsing histories are not required to be retained. However, the breadth of the information that may be retained may be sufficient to enable such a history to be reconstructed.
Notwithstanding articulation of these general elements, the exact scope of data to be collected remains ambiguous. The description of information that may be encompassed by the legislation (described in the Explanatory Memorandum Schedule 1, Part 1, paragraph 26), creates more rather than less ambiguity. Frequent reference to ‘any information’ and ‘any identifier’ relating to the data elements (i.e. contracts, plans, agreements, data etc.) will create compliance challenges and without specific guidance, service providers will be compelled to over engineer their systems and compliance regimes.
The Bill requires that service providers keep data for two years. Service providers that are not able to comply immediately can seek approval to implement a "data retention implementation plan" while taking steps to fully comply. To be approved, a data retention implementation plan must contain an explanation of current practices for keeping information, interim arrangements that the service provider proposes to be implemented while the plan is in force and the day by which the service provider will be able to retain the information as required by the legislation. Given the infrastructure required to comply with the requirements, it is questionable if
the proposed 18 month implementation plan period is sufficient.
these requirements to be designed into the infrastructure in the most efficient manner. In many, if not all instances, the requirements of the Bill will impose significant additional costs on service providers.
AIIA does not support the proposed two year data retention period. Any data required to be retained should be for the shortest duration necessary to support the operational requirements of the respective agencies. A review of similar initiatives overseas shows that in the European Union for example, retention periods are typically between 6 and 12 months. In our view, Australian security agencies have not to date provided any substantive justification for the extended two year period.
Further, while the statutory right of access is limited to enforcement agencies, there is nothing in the current draft legislation to prevent civil litigants seeking access to the data. It can be anticipated that telecommunications companies will need to accommodate an increase in legal demand for stored information and manage the procedures required for deleting information that is older than the required retention period.
Compliance costs to industry
The extent to which any of the required data is already collected by service providers varies greatly between service providers. Regardless, in all cases there will be a substantially increased
requirement to capture, store, identify and segregate and send sensitive data in ways that currently do not exist in service providers’ systems today. Both complex technical solutions and security arrangements will be required to accommodate the vast amount of data to be retained. This will necessarily impose significant additional cost on service providers.
While the Telecommunications (Interception and Access) Act 1979 (Cth) provides that interception agencies are to bear the costs incurred by a carrier in developing, installing and maintaining a delivery capability required by the Communications Access Co-Ordinator, no similar provision is made to assist service providers meet the costs of new obligations. Although there are reports that the Government is considering compensation to companies subject to the new requirements, whether these extend beyond implementation costs to the ongoing costs of maintaining,
administering and protecting retained data is also unclear.
Potential security risks from the proposed requirements
Information security is an international concern. The Bill, specifically its requirement to store a substantially larger repository of potentially highly sensitive data, fails to acknowledge
additional security requirements to protect this data. With the value of highly sensitive
information well recognised, there is concern that mandating the retention of data will increase the risks of cyber-hacking. For this reason, the legislation must include a full assessment of increased security risks and how these can be managed. AIIA recommends that this must include at a minimum:
assessment of the increased personal and national security risks of asking service providers to collect the required highly sensitive data;
the development of a mandatory security standard and reporting and auditing requirements particularly in regard to any security breaches;
ensuring data is protected from being accessed in civil and criminal cases by subpoena; restricting the collection and use of the data only to issues of national
security or serious domestic offences, i.e. it should not be used by third parties as a back-door to obtain for example, information about online copyright infringement etc.; and
appropriate sanctions/penalty, or exclusion from sanction/penalty, in the event of a data breach where the risk was increased by the new legislation.
Conclusion
In summary, the lack of clarity regarding the Bill’s scope and proposed application: will increase the cost of providing services where service providers anticipate the
requirements but the requirements are not used;
be detrimental to consumers through increased prices and (potentially) reduce services to consumers as the cost of data retention requirements make some services uneconomic; disadvantage the conscientious and proactive service providers as their services will
(likely) be provided at a greater cost;
is not consistent with similar approaches overseas that have significantly shorter retention period obligations.
Notwithstanding our support for the Government’s national security objectives AIIA is strongly of the view that the model captured by the current legislation is costly both to establish and maintain (especially for a broad range of non-telecommunications specific service providers) and unjustifiably onerous in its requirement to retain substantial volumes of data for such a long period. The fact that the legislation lacks clarity and precision, creates increased ambiguity for a broad range of service providers. AIIA therefore recommends:
that the passage of the Bill be delayed to allow sufficient consultation with parties that may be affected to ensure understanding whether they will be subject to the regulations; a cost-benefit analysis to better understand the financial impact of the changes and who
is responsible for the cost of the infrastructure required; and
reduction of the two year retention period – to better align with the practices of overseas jurisdictions;
changes to ensure affected parties have time to implement the necessary changes to their infrastructure – should it proceed;
changes to ensure that only information related to national security is obtained and sensitive data is adequately protected.
The need to manage potential unintended security risks associated with the proposed requirements.
