The Attorney-General's Department's mandatory data-retention proposal still has major privacy and security issues to be addressed, according to Australia's third-largest telecommunications company iiNet.
Since the government's initialof plans to introduce legislation to force telecommunications companies to store an for up to two years for access without a warrant by government agencies, it has been in discussion with the telcos over the exact formation of the scheme.
So far, it has issued two discussion papers to the industry, but has refused to release either to the public. The first was leaked to Fairfax Media, stating that ISPs would be required to retain customer details including name, address, registered devices, identification used on the account, billing details, and even the "available bandwidth" and "upload and/or download volumes" on a user's broadband service.
The second discussion paper has not yet been provided to the public; however, iiNet made its response to the paper public on Thursday (PDF). It outlines the company's ongoing objections to mandatory data retention, stating that the case has not been made for law enforcement to need the laws, and asking why ISPs should be "agents of the state" in spying on their customers.
Attorney-General George Brandis has said on numerous occasions that the laws will not "involve anything beyond what telcos do at the moment", but iiNet said that the data set defined in the paper is beyond what the company already retains today. For example, the company claimed that it does not keep IP logs.
"iiNet has no business need to retain IP logs after routing. We do not use them for billing purposes. This specific category of data would also require us to start retaining Wi-Fi access logs," iiNet said.
"The apparent requirement to capture the location when a communication or session starts and when a communication or session ends is of concern. iiNet should not be required to create and retain records about our customers' use of our services that would not otherwise be created for our business needs."
iiNet also indicated that the proposal could place internet service providers in violation of the Australian Privacy Principles, which state that an organisation must not keep personal information unless it is necessary for the organisation's functions.
"So, on the one hand, we have one government agency highlighting the need for businesses like iiNet to respect and protect our customers' personal information, and on the other, government and law enforcement agencies calling for mandatory data retention of all our customers," iiNet said.
The company has issued the Attorney-General's Department with a series of questions that remain unanswered by the discussion paper, including:
- How the system will be reconciled with the Privacy Act
- The limits on agency access to customer data
- Ensuring the data is only used for national security or the enforcement of serious criminal laws
- What data disposal requirements there will be
- What oversight there will be over the ISPs and the agencies as part of the scheme
- How often the data sets required to be retained will be reviewed.
iiNet's submission comes as, John Stanton, CEO of industry lobby group Communications Alliance,on Wednesday that Brandis may introduce the legislation as early as the end of this month, in the next sitting period.
"It scared the hell out of me, because when I look at where it appears to me to be at, at the moment, the notion that they could bring forward legislation in two weeks from now ... it appears to me unlikely, but if they do, I am scared about the process by which they get to that point," Stanton said, indicating that there is still "a long way to go" in discussions with industry about the scheme.
Greens communications spokesperson Scott Ludlam has called for Labor in opposition tothe mandatory data-retention legislation when it is brought before the parliament.