Inside Australia's data retention proposal

Telecommunications industry sources have called the claims by Attorney-General media relations that web browsing history would not be recorded in a controversial data retention proposal "a bit cute" and a question of terminology and semantics.

ZDNet Australia broke the news on Friday that the Federal Government Attorney-General's Department was considering how it could best implement a data retention regime in Australia.

"The Attorney-General's Department has been looking at the European directive on data retention, to consider whether such a regime is appropriate within Australia's law enforcement and security context," the Attorney-General's Department had said. "It has consulted broadly with the telecommunications industry."

Data retention requires telecommunications providers, including internet service providers (ISPs), to log and retain certain information on subscribers for local enforcement agencies to access when they require it.

The regime sees certain data logged before any suspect is identified, meaning that every internet user's online activities are logged by default.

Europe has one

Such a system currently exists in Europe, and has been adopted by select states. The call for the European directive on data retention came after the 2004 Madrid train bombings in Spain.

Importantly, the EU directive requires ISPs to retain data necessary to trace and identify the source, destination, date, type, time and duration of communications — and even what communication equipment is being used by customers and the location of mobile transmissions.

According to the EU directive, where internet access is concerned, ISPs must retain the user ID of users, email addresses of senders and recipients, the date and time that users logged on and off from a service, and the IP address (whether dynamic or static) applied to their user ID.

For telephone conversations, this means the number from which calls are placed and the number that received the call, the owner of the telephone service and similar data such as the time and date of a call's commencement and completion.

For mobile phone numbers, geographic location data is also included. The data is retained for periods of not less than six months and not more than two years from the date of the communication.

The proposed Australian regime

The information that the Australian system, if implemented, would get ISPs to log and retain is yet to be set in stone by the Attorney-General's Department. ZDNet Australia reported various ISP sources' claims that it could extend as far as each individual web page an internet user had visited. This was echoed by an industry source that was quoted in the Sydney Morning Herald newspaper on Saturday.

Attorney-General Robert McClelland's media advisor on Monday denied "web browser history" would be logged. "This is not about web browser history," said McClelland's media liaison Adam Siddique. "It's purely about being able to identify and verify identities online," he added, linking the initiative to the ability for law enforcement to track criminals online.

Yesterday, the Attorney-General's Department said that the Australian Government was "still considering and consulting on this subject and as such it would be inappropriate to comment at this stage", and did not rule out logs of URLs being retained.

Industry sources remain adamant that draft documents they have been given show the proposal could stretch as far as web browsing history, and argue the government was denying it would require ISPs to log "web browsing history" in the media as a way of quashing privacy fears.

"The major problem here, and as it was explained, [is] that all information in the handouts [suggested] that any information which is logged must be retained," said an industry source close to the consultations with the Attorney-General's Department. "Therefore any ... proxy logs would fall under this category."

A "proxy" is often used by ISPs to cache internet traffic to save on bandwidth. Proxy logs are relevant because they record each individual URL an internet user visits. The source said that if the logs were turned on and the Australian proposal, as explained and shown in draft documents to the source, was implemented, ISPs would need to retain the data contained in the logs.

"This becomes even more of a problem should a [mandatory internet filter] system be put in place as it is capable of logging all users' normal HTTP activity," the source said, pointing to the Federal Government's proposed mandatory internet filter that intends to block access to refused classification material. "Providers may be able to turn off the log feature; however, if they do not — or require this user data for other billing or service requirements — then they will be required to retain the data under the proposal as explained," the source said. "So to say URL history will not be retained is not accurate."

Another industry source told ZDNet Australia it was "a little bit cute" for the Attorney-General's media advisor to say that the Federal Government wasn't looking at a proposal to require ISPs retain "web browsing history".

"I think they're being a little bit cute when they say they want the source and the destination IP addresses for internet sessions [while] saying 'we're not really asking for web browsing history'," the source said.

"Now sure, if you go into Internet Explorer you can go into internet options and you can get your 'history', but you know, carriers don't really use URLs, they use IP addresses, and it's the IP address that translates to a URL and vice versa. They're one and the same."

There was more material in a data set the Attorney-General's Department gave telecommunications companies that the source found a "bit frightening". "They want allied personal information with that account, including, [the department] said, passport numbers."

"Why the hell an ISP would ask anybody for a passport number is beyond me," the source said. "And I am not aware of any telephony requirements that ask for passport details.

"So they're asking for all details of the customer that we would hold on record, which includes anything, like multiple email addresses."

Industry consultations

A consultation in March this year, just three months ago, was held with industry to discuss the data retention proposal. It's understood that this was the first formal consultation with the telecommunications industry, with a number of telcos in attendance.

Representatives from telecommunications companies Telstra, Optus, iiNet, Internode, Nextgen and the Comms Alliance were in attendance, among others, according to an industry source.

The briefing in March saw industry members involved given hand-outs discussing the proposal. Each document handed to industry members was marked in red with a message stating: "This document is provided in-confidence to telecommunications industry participants for consultation purposes and is not for further distribution outside your organisation," according to one source.

ZDNet Australia yesterday requested the release of those documents to allow greater transparency and a public debate on the matter. However, the department refused access, stating documents provided "in-confidence" were not able to be released.

Meeting notes taken by one industry source at the March briefing, and seen by ZDNet Australia, show questions asked by industry in attendance. The notes show industry representatives raising issue with the proposal, arguing for the government to say what was wrong with current arrangements, where local enforcement agencies are required to get a court order to begin tapping a connection.

"People pointed out numerous flaws with the proposal at a conceptual and technical level, which [the Attorney-General's Department] didn't seem to care about," the meeting notes said.

The notes said industry could not be provided with any statistics on the number of information requests that had failed due to telcos not retaining their logs for long enough.

"Several industry participants said that the government hasn't made a case that such a system is needed," the notes said. "It was suggested that they collect such statistics via the existing reporting obligations of [Carriage Service Providers] and [local enforcement agencies], which got a smirk out of the guy from the [Attorney-General's Department], but he rejected out of hand."

The notes also showed the Attorney-General's Department pointing out that the law enforcement agencies were asking for data to be retained for five or 10 years. According to the notes, the industry was told it "should be grateful" that the government was only going to require a retention period of two years "at this stage".

As for who would wear costs for logging and retaining data, it appeared clear from the notes that industry would. "Industry must wear the cost of capturing and storing the data," the notes said. "Agencies who make requests for data will pay the incremental cost of answering those requests only".

An industry source close to the consultations said they would rather not do this, as it would be costly, and said that there were many ISPs out there that may have "lax" security, meaning that the data held had the potential to leak.

"It will be expensive," the source said. "Today we can pretty much count on the fingers of one hand simultaneous taps that are in place. There's not massive amounts of it going on. And the leap from that to all customers continuously is two orders of magnitude, probably.

"If we're going to have all that data on you, me and my mum stored somewhere, well maybe you can trust us, maybe you can trust [other telcos], but what about the 300 other odd ISPs? And that's why I think that if this goes through and the Parliament decides it's what Australia wants, which I doubt, then I think it should be stored somewhere centrally by the Federal Police or the Attorney-General's Department, or someone else. Not a bunch of private enterprise operators that are all focused on keeping their costs down."

Conclusive evidential certificates were also proposed by the Attorney-General's Department, which are used to prevent any challenge to the accuracy of data provided to law enforcement, according to the meeting notes. Such a certificate requires a carrier to sign off on data handed over, pledging it is accurate.

Asked to clarify whether the Attorney-General's Department expected a telecommunications provider to perform deep packet inspection (DPI) to collect all the data that is in the proposed data set — which includes email addresses of sender and recipient, session initiation protocol identifiers and instant message screen names — or whether those only applied to the actual providers of email services, Voice over IP (VoIP) services and instant messenger services, the department's response, according to the notes, was to the effect of "if you don't like the data set you'll be able to ask for an exemption from the parts you don't like".

Erosion of privacy

Another source close to the consultations told ZDNet Australia that telecommunications providers currently only retained data necessary for operational and financial purposes, which is often stored for years. The current proposal, even forgetting whether web browsing history would be recorded, went much further than that, the source said.

"[They're] asking us to retain data for law enforcement purposes that, under existing privacy laws, we would be breaking the law if we retained for any longer than for operational purposes," the source said.

The industry, according to sources, has tried to draw a distinction between retaining data that they already put on their operational systems versus retaining data that might exist on network infrastructure, but to no avail.

"The Attorney-General's Department doesn't get it," the source said. "They don't get it that ... a proxy log isn't just a [network] switch. They think [that], because it is a computer, to say 'retain the data' is a minor step."

The source said the privacy commissioner had already "given the tick" to the proposal.

"Representation that the [Attorney-General] has made to industry is that it has consulted the Privacy Commissioner, and the Privacy Commissioner has advised that [the proposal] doesn't breach the privacy act. Not that there is not an erosion of privacy, but that it merely doesn't breach the privacy act."

ZDNet Australia asked the Privacy Commissioner if it had given a "tick of approval" to the proposal, and received this statement:

"My office was consulted by the Attorney-General's Department on this proposal last year as part of initial consultations including with industry. At this stage, we understand the government is still considering the matter and we look forward to providing further comment as the proposal is developed. In general, limiting the amount of information collected and the length of time it is retained is good privacy practice; however, under our legislation it is important to balance other community interests such as public safety and national security with privacy considerations. My office would also expect that any proposed legislation would have the appropriate privacy safeguards built-in."

The status quo

According to the meeting notes, one law enforcement agency in attendance at the briefing raised concerns with the increasing use of encryption, off-shore service providers for email, VoIP and uptake of IP-based services that have less logging than telephony services. Also raised by that agency was that some telecommunications companies didn't log the data they wanted.

Details of how many requests the Australian Federal Police (AFP) made for telecommunications data — without interception warrants — between 2008-2009 were also revealed at the briefing.

The AFP, according to the meeting notes, made more than 16,000 requests to over 50 telecommunications companies for data during that period. According to the notes, the AFP told the briefing that it wanted to automate the process of requesting and obtaining access to telecommunications data.

If you have any information please don't hesitate to contact us, your identity will remain anonymous.
