Amazon asks for clarification of data retention requirements under Australia's encryption laws

The technology giant is concerned the Act does not make it clear if it is subject to the data retention obligation under Australia's encryption laws.

Amazon has asked for clarification from the Australian government on who exactly is required to retain data under the Telecommunications and Other Legislation (Assistance and Access) Act 2018.

"The Act's Explanatory Memorandum states that interception and data retention obligations remain subject to 'existing legislative arrangements', which apply only to carriers or carriage service providers, who are only a subset of technology providers captured by the scope of the Act," the tech giant said in a submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security's (PJCIS) review into the laws.

Free PDF

Australia’s encryption laws: An insider’s guide

Australia now has world-first encryption laws. This guide explains what the laws can do, what they cannot do, and how Australia ended up here.

Read More

Amazon said the language used in the Act does not make it clear that only carriers or carriage providers are subject to such obligations, which it said potentially expands obligations to other entities.

"This anomaly needs to be corrected," it wrote.

While Amazon said it recognises the complex dilemma facing law enforcement and security agencies with "advances in information security and the widespread adoption of encryption technologies", it also used its submission to reiterate its position that the Act alters the balance between law enforcement needs to access readable data and the right of technology users to expect that the products and services they use are free from interference.

"The Act has the capacity to reduce consumer trust in technology," Amazon said.

Australia's Right to Know, a collection of local media entities, has meanwhile made a submission [PDF] to the PJCIS review in regards to another piece of Australian law -- the mandatory data retention regime of the Telecommunications (Interception and Access) Act) 1979 (TIA Act).

The data retention regime that came into being on March 2015 requires carriers, carriage service providers (CSPs), and internet service providers (ISPs) to retain a defined set of telecommunications data for two years, ensuring that such data remains available for law enforcement and national security investigations.

Under this framework, approved law enforcement agencies are able to access this data without a warrant and the coalition is specifically concerned in relation to freedom of the press and access to journalists' metadata.

"The [Journalist Information Warrant] Scheme is poorly drafted, cloaked in secrecy, and does nothing to address concerns relating to identification of journalists' sources," the coalition of media organisations submission read. 

"In our view the JIW Scheme and related legislation relating to access to journalists' records more broadly require fundamental reconsideration and immediate amendments."

Right to Know has asked for amendments to the legislation.

"Foremost, we recommend that accessing the metadata and/or content of journalists' communications for any reason or purpose associated with undertaking professional journalistic activity should not be the subject of any authorisation for disclosure, including any warrant issued, under the TIA Act," it said.

Pointing to the Australian Federal Police (AFP) raids on a News Corp journalist and ABC's Ultimo headquarters last month in its submission, the coalition said it believes that journalists who are reporting in the public interest should be exempt from the operation of the legislation.

Read more: Huge scope of Australia's new national security laws reveals itself

If its request is not accepted, Right to Know has listed how the JIW Scheme "must" be overhauled.

A Journalist Information Warrant (JIW) is required for all warrants sought under the TIA Act when the subject of the warrant is a journalist, media organisation or similar; an application for a JIW must be contestable and authorised only if the public interest in accessing the metadata and/or content of a journalist's communication outweighs the public interest in not granting access; the JIW Scheme must apply consistently to ASIO and enforcement agencies; and transparency across all elements of the JIW Scheme is required.

In its submission [PDF], the AFP provided figures on the total number of authorisations made each year since the introduction of the regime.

In the 2017-18 financial year, the total number of authorisations made under journalist information warrants was 58. The total number of journalist information warrants issued to the agency under that subdivision, during that year, was two.

A number of submissions made to the PJCIS review showed agencies were generally happy with the regime.

Some agencies however, like the Australian Commission for Law Enforcement Integrity, would in an ideal world like to see the two-year period for retention be stretched to a longer period.

"It will be many years before the telecommunications data which is presently still retained by telecommunications providers, outlives its usefulness to law enforcement," it said.

"The dangers of mandating a minimum retention period include the possibility that telecommunications providers, which presently retain more data than is required under the regime, will eventually, and perhaps sooner rather than later, reduce their holdings, and that all providers will treat the minimum as a maximum."

SEE ALSO