Internet Service Providers (ISPs) will only be required to retain data for targeted individuals who are being investigated for serious crimes under the European Convention on Cybercrime, the Attorney-General's department has told a joint committee tribunal.
When the Attorney-General's department flagged in May last year that it intended to accede to the convention, there were concerns that ISPs would be required to store information on all user emails and communications for later use by law enforcement agencies.
Catherine Smith, assistant secretary in the telecommunications and surveillance law branch of the Attorney-General's Department, told a joint standing committee on treaties this morning that the convention would only require ISPs to retain selective data on specific individuals who were being investigated for a serious crime.
"It is a targeted preservation of a person's data. We have talked to industry in the past about preserving data on a voluntary basis and they have done this in many cases where there are serious matters afoot," she said. "[But] more generally the retention of all of the communications on their network is a very different issue and having to retain those and retrieve those would be quite a different scenario. And we're not talking about that at this stage."
"As part of this [convention]," Angus McDonald, first assistant secretary in the national security law and policy division of the Attorney-General's department, interjected after Smith's comment. McDonald was possibly implying that the government could extend the collection of data beyond what was required for the convention.
However, for this convention data collection would be targeted, McDonald said.
"Some people think that what we're doing is requiring people to keep huge amounts of material when in fact all we're after, under this, is material they've already got and just ensuring it doesn't get destroyed before we get through the process of getting authorisation," McDonald added.
"In some cases that may be as small as one text message, in other cases it might be two months worth of emails. It'll differ depending on the case," Smith said.
Smith added that telcos are supportive of the targeted measures because they would provide them with "clarity" of what data they are required to retain. Smith pointed out that the cost burden of retaining data was getting cheaper as storage goes down in price.
Although legislation has not yet been developed, Smith said that, under the convention, law enforcement agencies would approach an ISP with a certificate, requiring information pertaining to an individual to be retained until the agency can get a court order or warrant.
"If, for some reason, a judge didn't wish to issue a warrant then the provider would then just destroy the information as they would in their normal course of business," she said.
Parliamentarians overseeing the hearing also flagged concerns raised by the West Australian government that the amendments to federal telecommunications and criminal laws, which are necessary to accede to the convention, may have an impact on existing state laws regarding computer crime. McDonald said that as most crime covered by the convention involved telecommunications, not computer crime specifically, it was unlikely that there would be any impact.
"We're of the view that incremental expansion [of legislation] will not have an impact on state and territory offences. It's about transnational crime as well and no issues have been raised in this area that concern us."
McDonald said the recent Operation Rescue that led to the arrest of nearly 200 suspected paedophiles and rescued 230 children highlighted the importance of countries signing up to cybercrime conventions. He said it had been an investigation undertaken by the AFP and then extended to the United Kingdom, Thailand, Canada, Italy and New Zealand.
"It's a question of being on the team. It's quite important for us to send the right signals in terms of our law enforcement cooperation," he said.