Agencies trying to access metadata when not specifically listed as an enforcement agency for the purposes of Australia's data retention regime has been labelled as a "serious and persistent phenomenon" by the Communications Alliance industry group.
Writing in a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review of the mandatory data retention regime, Comms Alliance said it was a "problem that continues to grow in magnitude".
Australian Communications and Media Authority (ACMA)
Australian Building & Construction Commission
Australian Sports Anti-Doping Authority
Australian Transport Safety Bureau
Clean Energy Regulator
Coroners via NT Police
Coroners via Tas Police
State Coroner's Court
WA Department of Mines, Industry Regulation & Safety
SA Department of Consumer and Business Services
Health Support Queensland
Hunter Region Illegal Dumping Squad
Legal Services Commission
Liverpool City Council
Local Government Investigations and Compliance Inspectorate (Vic.)
National Disability Insurance Agency
NT Office of Information and Public Interest Disclosures
Office of the Health Ombudsman (Qld)
Queensland Office of Industrial Relations
Report Illegal Dumping (NSW)
State Penalties Enforcement Registry (Qld)
Veterinary Surgeons Board of WA
Victorian Building Authority
The submission added that even some of the agencies that are not enforcement agencies are able to gain data, but they are not able to interpret the metadata.
"They then take up more of the CSPs' time to explain the data, then sometimes also call on CSPs [carriage service provider] to appear in court on relatively minor issues as expert technical witnesses," the submission said.
"These additional impositions on the time and resources of CSPs also, of course, go unreimbursed."
The industry group is calling for the closure of the loophole that allows agencies to use existing powers outside of the data retention act to access metadata.
When the metadata laws were passed, access was reduced to 21 enforcement agencies. However, 61 agencies that previously had access to metadata subsequently looked to be declared as enforcement agencies.
"On advice from the Attorney-General's Department, the department has considered other methods of obtaining metadata using statutory coercive powers under portfolio legislation, and by engaging the Australian Federal Police (AFP) to obtain metadata," the Department of Agriculture and Water Resources wrote in a letter dated June 10, 2016, and published on RightToKnow.
"The department has received preliminary legal advice as to the merits of using coercive powers, which suggests that the approach is problematic due to the construction of portfolio legislation.
"Advice received from the AFP indicates that it does not have the resourcing, compliance, or risk considerations to obtain metadata on behalf of other agencies, including the department."
The Comms Alliance said 94% of all metadata requests were made for data less than a year old, with 79% for data less than 3 months old.
"This demonstrates that the approach taken by the Australian government when drafting (and passing into law) the DR [data retention] regime was unnecessarily wide," it said.
"While significant investments into storage capabilities have already been made, Industry considers that a shorter retention period would be more appropriate, also with view to a potential increase in telecommunications data that may be generated as technologies evolve."
The industry group said due to the "very wide" definitions in the legislation, it is possible that machine-to-machine communication would be included, and this would lead to "exorbitant costs" for carriers due to the "explosion" in data with Internet of Things devices.
"The legislation ought to put beyond doubt that such communications are excluded from the DR Regime," it said.
In earlier submissions, enforcement agencies said they were happy with the two-year period, but in an ideal world, they would like to see it extended to a longer period.
"It will be many years before the telecommunications data which is presently still retained by telecommunications providers, outlives its usefulness to law enforcement," the Australian Commission for Law Enforcement Integrity said.
"The dangers of mandating a minimum retention period include the possibility that telecommunications providers, which presently retain more data than is required under the regime, will eventually, and perhaps sooner rather than later, reduce their holdings, and that all providers will treat the minimum as a maximum."
"The legislative provisions which allow for certain exemptions to be granted were an important factor in Optus achieving compliance in an efficient and timely manner," Optus said.
"Because part of its overall data retention architecture involved storing some data in legacy systems, Optus applied for and received limited exemption from the encryption obligation."
The telco said there had been no reported "security incident or breaches" related to the retained data.
Home Affairs also ran the line that everything was fine with the data retention regime because no breaches had been reported.
"The evidence to date supports that the existing data security arrangements have been effective," the department overseen by Peter Dutton said.
Home Affairs, meanwhile, also floated the idea of extending the retained data set to include MAC addresses and even port numbers.
"Including media access control (MAC) addresses and devices which identify serials would provide better information as to which device was being used at the time of an offence," the department said.
"MAC data is not currently retained under the Data Retention Act, but is a form of data that will become increasingly important to law enforcement and intelligence agencies. Where providers do retain this information, it is a significant investigative tool."
The department at the same time put forward the idea of tracking port numbers used by mobile devices.