The Australian Competition and Consumer Commission (ACCC) has welcomed the Australian government's proposal to force telecommunications carriers to retain customer data for up to two years, stating that it will assist in the investigation of petrol price collusion and other scams.
As part of a broad review of Australia's national security and telecommunications legislation, the government has flagged that it is interested in requiring internet service providers (ISPs) to store an as yet undefined set of customer data for up to two years, and that access to that data should be provided when investigating crimes that carry a jail term of three or more years.
The proposal has been met with outrage from privacy advocates, as well as the Greens and even some people within the Coalition. Attorney-General Nicola Roxon has moved to pour a "cold shower" over some of the criticism, however, stating that the government is only looking at keeping metadata — such as the data from when a call is made or an email is sent. But as was pointed out by iiNet, the government is also looking at obtaining destination IP addresses, which would provide a list of every website visited by a user.
While there has been a lot of criticism of the proposal, many government agencies are in favour of it, and not just the Australian Federal Police (AFP) and the Australian Security Intelligence Organisation (ASIO). In a newly published submission, the ACCC said that in order to bring relief at the petrol pump, data retention is vital for obtaining evidence on whether petrol retailers are colluding on price rises, as well as for stopping cartel conduct and scams.
"Communications information is often crucial to the ACCC's investigation of breaches of competition and consumer law. In cartel cases, it can provide the evidence of when calls were made, their origin, destination, and duration," the ACCC said. "This information is often the only irrefutable evidence of contact between cartelists, and is critical to successful investigations and prosecutions. In the investigation and prosecution of scam conduct, it provides the name and address of the person behind the telephone, IP number on a web page, or an email address."
Speaking before the committee investigating these proposals in Canberra today, Communications Alliance CEO John Stanton said that two years to retain the data is too long, and the committee should look to the European data-retention model, where most information required for investigation is less than three months old, and, at most, six months old. The ACCC disagreed in its submission, however, saying that the majority of the data it required is older.
"The ability to guarantee the availability of communications data some time into the future is particularly important to the ACCC in its investigation of cartel conduct. This is because cartel conduct is secretive in nature, and often does not come to light until years after the cartel was originally put into effect by the cartel participants," the ACCC said.
In 2011 and 2012, the ACCC estimated that two-thirds of the requests for communication information were for data that was over two years old. While the watchdog isn't pushing for the data to be held for longer, the ACCC said that there should be no obligation to force carriers to delete the data after two years.
Holding on to the data for any length of time is a serious privacy concern, however, according to Australian Information Commissioner Timothy Pilgrim. In his recently published submission to the inquiry, Pilgrim warned that a data-retention scheme could create a "honey pot" of personal information that could be the target of hackers.
"The need for government involvement in establishing an appropriate security regime, including through regulation, is evidenced by the number of large-scale data and security breaches that have occurred in recent times," he said.
"The Australian Privacy Commissioner's own motion investigations into these breaches have noted the failure of a number of organisations to adequately protect the personal information," he said.
In some cases, telecommunications companies were breached even when complying with their requirements.
"The commissioner [also] found that the data breach in question occurred despite the organisations having taken reasonable steps to protect the personal information," he said. "Data breaches may occur, for example, due to a malicious attack, even though all reasonable steps have been taken to secure the data."
The information commissioner has called for clarification on what information should be retained, and suggested that further analysis be undertaken on what government agencies require.
The lack of clarity around the government's data-retention proposal was the theme of the day at today's committee hearing. Law Council of Australia spokesman Philip Bolton told the committee that the government hasn't explained why it needs data retention.
"We don't understand fully what is proposed. We don't fully understand why it is necessary. That's why we are unconvinced that the proposal is proportionate, but we do understand there is a potential for every single person who uses a mobile telephone or a computer to have everything they say or do on it subject to scrutiny by law-enforcement and intelligence agencies," he said.
"All of my data is going to be up there, all of my data is going to be accessed and will be vulnerable to hacking," he added. "It will be vulnerable to unlawful access from corrupt people in law enforcement, [and] we need to be satisfied that the utility overcomes those problems.
"For people who make a living out of weighing evidence, we just don't see that the evidence trumps the privacy [impact]."
Labor Senator John Faulkner also expressed his reservations about the proposal, probing the Communications Alliance on discussions that the industry conducted with the government in 2010. According to Stanton, while the government has not detailed what specific data it is seeking today, two years ago the government was seeking metadata.