Fitbit metadata not required for data-retention scheme

Health devices that track a person's every movement will likely be left out of the Australian government's proposed mandatory data-retention regime.
Written by Josh Taylor, Contributor

The Australian government has been advised to leave out metadata created by "life-logging" devices, IPTV, and a range of other irrelevant devices that might be caught up in the mandatory data-retention scheme.

Legislation before the parliament will require telecommunications providers to retain customer data, such as call logs, assigned IP addresses, and other so-called metadata for two years for law-enforcement agencies to access without a warrant for the investigation of crimes.

The legislation leaves out the actual data that the companies will be required to retain, however, as this will be set by the attorney-general of the day through regulation.

The Attorney-General's Department, the Australian Federal Police, the Australian Security Intelligence Organisation (ASIO), the Australian Crime Commission, Communications Alliance, Telstra, and Optus have formed a working group designed to work out the exact data that will need to be kept by telcos based on the draft data set released by the government in October.

In the group's first report, it has recommended that a number of services including IPTV, video on demand, internet radio, music streaming, dark fibre, telehealth services, and so-called life-logging services such as Fitbit be all or partially exempt from the mandatory data-retention regime.

These exemptions would all be determined on a case-by-case basis, the group said. It wouldn't be public knowledge about which services were exempt, because the group said it may lead to people seeking to avoid the data-retention scheme by moving to those services.

"The [group] considers that it would be appropriate that data-retention exemptions be confidential, noting that disclosure of an exemption could make that attractive to users seeking to evade detection, making the exemption inappropriate," the group stated.

The actual data set to be retained will not be known until after the Joint Standing Committee on Intelligence and Security has handed its report to the parliament in February. At the committee's first hearing on Wednesday, Shadow Attorney-General Mark Dreyfus noted that the committee was being asked to give recommendations on a data set it knew nothing about.

"Perhaps this is a rhetorical question, but how is this intelligence committee to scrutinise the scheme unless the government has a settled idea, a settled definition, of the dataset that it wants to force companies to keep?" Dreyfus asked.

Attorney-General's Department first assistant secretary Anna Harmer said that the draft data set is "a fairly advanced document".

"While it is a draft data set, it is certainly one that is advanced and has been informed by extensive consultation, and we would consider it to be an advanced document for the committee's consideration," Harmer said.

The group has recommended that changes to the data set only come into effect once parliament has had a chance to review the changes.

Costs still unknown

The other major factor that has yet to be determined is how much the scheme will cost telecommunications companies to build and operate systems to retain data, and how much of that cost taxpayers will bear.

PricewaterhouseCoopers was commissioned to determine the cost for the government, and although Attorney-General George Brandis rejected a Senate motion calling for the release of the report, the working group's report shows that PwC had not managed to determine the cost for mandatory data retention in its report to the government.

Instead, the firm will now consult with telcos about their costs and report back to the government in a month.

Communications Alliance CEO John Stanton told the committee on Wednesday that the costs estimated by the industry three years ago were "very large", and Telstra general manager Peter Froelich said that it will take half a year before full costs are known.

"From a larger industry perspective, it will take us a further six months' worth of work to develop those really detailed costings. Everything we are doing at the moment is a very rough order of magnitude costing, and over a two-year build period. So it is very rough stuff at the moment," he said.

As the committee is due to report at the end of February, with the parliament to debate the legislation after that date, Stanton said he is concerned that legislation might be passed before the industry has a complete view on the cost of setting up and running the mandatory data-retention scheme.

Editorial standards