The joint parliamentary committee on national intelligence and security has delivered its long-awaited report into wide-ranging proposed national security reforms, but has left a decision on whether internet service providers (ISPs) should be forced to retain telecommunications customer metadata for up to two years to the Australian government.
In the report, committee chair Labor MP Andrew Byrne slammed the Attorney-General's department for a "lack of information" provided to the committee on the data retention proposal until it was drawn out of witnesses at the inquiry over a number of months.
"The committee was very disconcerted to find, once it commenced its inquiry, that the Attorney-General's Department has much more detailed information on the topic of data retention," he said.
"Departmental work, including discussions with stakeholders, had been undertaken previously. Details of this work had to be drawn out from witnesses representing the [department]."
The report said that there was "a diversity of views" in the committee as to whether there should be a mandatory data retention scheme, and that it should be left to the government to decide whether to push ahead with such a scheme. If there is a scheme, the committee said there should be an exposure draft of the legislation published beforehand, and the legislation should only apply to metadata and not the content of communications.
Internet history should be excluded, and any metadata that has the chance of including content should also be excluded and require a warrant to access.
If ISPs are required to keep the data, it should be mandatory that the data is encrypted, and the data should not be kept for more than two years. The government should shoulder the costs for providers to keep this service, the committee said.
Should the government go ahead with the scheme, there should also be an oversight committee and annual reports on the scheme submitted to parliament, the committee has recommended.
The committee said that much more work has to be done before it reaches legislation.
"A mandatory data retention regime raises fundamental privacy issues, and is arguably a significant extension of the power of the state over the citizen. No such regime should be enacted unless those privacy and civil liberties concerns are sufficiently addressed."
The committee made 43 recommendations overall, with just two focused on the issue of data retention. Among its other suggestions, the committee recommended the inclusion of privacy protections in the Telecommunications (Interception and Access) Act, as well as recommending that the Attorney-General's department review the threshold for access to telecommunications data, with a view to reducing the number of agencies that access it. Currently, over 40 agencies have access to telecommunications data.
The committee also recommended that if the government decides to make it an offence to fail to assist with the decryption of communications, then it should be developed with the telecommunications industry and the Australian Communications and Media Authority (ACMA) to ensure that the ISPs know what their obligations are.
In the area that was viewed as a reaction to providers using Chinese vendors' technology in their physical infrastructure, the committee has recommended that there be a framework established for providers to protect their infrastructure from unauthorised interference. Industry should also provide government with assistance in assessing national security risks to telecommunications infrastructure.
As this is the last sitting week of the federal parliament prior to the September federal election, and with over 50 Bills needing to be voted on, legislation arising from this report will not be seen until after the election. Greens communications spokesperson Scott Ludlam, who is on the committee, told ZDNet last month that he predicted a slightly watered-down version of data retention would likely return under either a Labor or Coalition government after the election.