Agencies trying to access metadata when not specifically listed as an enforcement agency for the purposes of Australia’s data retention regime has been labelled as a “serious and persistent phenomenon” by the Communications Alliance industry group.
Writing in a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review of the mandatory data retention regime, Comms Alliance said it was a “problem that continues to grow in magnitude”.
Comms Alliance provided a list of 27 agencies to be added to the list of agencies it disclosed in November.
Those agencies are:
- Australian Communications and Media Authority (ACMA)
- ASIC WA
- Australian Building & Construction Commission
- Australian Sports Anti-Doping Authority
- Australian Transport Safety Bureau
- Clean Energy Regulator
- Coroners via NT Police
- Coroners via Tas Police
- State Coroner’s Court
- WA Department of Mines, Industry Regulation & Safety
- SA Department of Consumer and Business Services
- Health Support Queensland
- Hunter Region Illegal Dumping Squad
- Legal Services Commission
- Liverpool City Council
- Local Government Investigations and Compliance Inspectorate (Vic.)
- National Disability Insurance Agency
- NT Office of Information and Public Interest Disclosures
- Office of the Health Ombudsman (Qld)
- Queensland Office of Industrial Relations
- Report Illegal Dumping (NSW)
- SafeWork NSW
- State Penalties Enforcement Registry (Qld)
- Veterinary Surgeons Board of WA
- Victorian Building Authority
- Victorian Fisheries
- Victorian Ombudsman
The submission added that even some of the agencies that are not enforcement agencies are able to gain data, but they are not able to interpret the metadata.
“They then take up more of the CSPs’ time to explain the data, then sometimes also call on CSPs [carriage service provider] to appear in court on relatively minor issues as expert technical witnesses,” the submission said.
“These additional impositions on the time and resources of CSPs also, of course, go unreimbursed.”
The industry group is calling for the closure of the loophole that allows agencies to use existing powers outside of the data retention act to access metadata.
When the metadata laws were passed, access was reduced to 21 enforcement agencies. However, subsequently, 61 agencies that previously had access to metadata were looked to be declared as enforcement agencies.
As reported previously by ZDNet, the Attorney-General’s Department had previously been advising agencies and departments to attempt to access metadata through other means.
“On advice from the Attorney-General’s Department, the department has considered other methods of obtaining metadata using statutory coercive powers under portfolio legislation, and by engaging the Australian Federal Police (AFP) to obtain metadata,” the Department of Agriculture and Water Resources wrote a letter dated June 10, 2016, and published on RightToKnow.
“The department has received preliminary legal advice as to the merits of using coercive powers, which suggests that the approach is problematic due to the construction of portfolio legislation.
“Advice received from the AFP indicates that it does not have the resourcing, compliance, or risk considerations to obtain metadata on behalf of other agencies, including the department.”
The Comms Alliance said 94% of all metadata requests were made for data less than a year old, with 79% for data less than 3 months old.
“This demonstrates that the approach taken by the Australian government when drafting (and passing into law) the DR [data retention] regime was unnecessarily wide,” it said.
“While significant investments into storage capabilities have already been made, Industry considers that a shorter retention period would be more appropriate, also with view to a potential increase in telecommunications data that may be generated as technologies evolve.”
The industry group said due to the “very wide” definitions in the legislation, it is possible that machine-to-machine communication would be included, and this would lead to “exorbitant costs” for carriers due to the “explosion” in data with Internet of Things devices.
“The legislation ought to put beyond doubt that such communications are excluded from the DR Regime,” it said.
In earlier submissions, enforcement agencies said they were happy with the two-year period, but in an ideal world like, they would like to see it be extended to a longer period.
“It will be many years before the telecommunications data which is presently still retained by telecommunications providers, outlives its usefulness to law enforcement,” the Australian Commission for Law Enforcement Integrity said.
“The dangers of mandating a minimum retention period include the possibility that telecommunications providers, which presently retain more data than is required under the regime, will eventually, and perhaps sooner rather than later, reduce their holdings, and that all providers will treat the minimum as a maximum.”
Meanwhile, Optus confessed it received an exemption to keep its legacy systems free from encryption when complying with its data retention obligations.
“The legislative provisions which allow for certain exemptions to be granted were an important factor in Optus achieving compliance in an efficient and timely manner,” Optus said.
“Because part of its overall data retention architecture involved storing some data in legacy systems, Optus applied for and received limited exemption from the encryption obligation.”
The telco said there had been no reported “security incident or breaches” related to the retained data.
Home Affairs also ran the line that everything was fine with the data retention regime because no breaches had been reported.
“The evidence to date supports that the existing data security arrangement have been effective,” the department overseen by Peter Dutton said.
Home Affairs, meanwhile, also floated the idea of extending the retained data set to include MAC addresses and even port numbers.
“Including media access control (MAC) addresses and devices which identify serials would provide better information as to which device was being used at the time of an offence,” the department said.
“MAC data is not currently retained under the Data Retention Act, but is a form of data that will become increasingly important to law enforcement and intelligence agencies. Where providers do retain this information, it is a significant investigative tool.”
The department at the same time put forward the idea of tracking port numbers used by mobile devices.
Soon it might just be easier for Australia’s telcos to keep a copy of every TCP or UDP header for the cops to poke through.
Use of legacy applications allow Optus to seek an exemption from the rules.
Agencies are very happy with Australia’s data retention scheme, with one using it in 90% of investigations.
The Communications Alliance has detailed a list of agencies that tried to access telco metadata following the introduction of Australia’s metadata retention regime.