'

Telcos not ready, don't understand data retention: Comms Alliance

Almost 40 percent of telcos don't understand data retention, while 84 percent will not be compliant by the implementation date, according to a survey by Comms Alliance.

Australian telco industry group Communications Alliance has published a survey revealing "a low state of readiness" among telecommunications providers for the new data-retention laws, with only 16 percent expecting to be compliant in time.

The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015, passed by the Australian government in March, came into effect at midnight on Tuesday. It will see customers' call records, location information, IP addresses, billing information, and other data stored for two years, accessible without a warrant by law-enforcement agencies.

Comms Alliance's survey was completed by 63 telcos by October 9, with 36.51 percent of respondents revealing that they were "not confident at all" on understanding what data the law requires them to retain and for how long, with only 11.11 percent "very confident" -- and 83.87 percent admitting that they would not be fully compliant with the obligations once they came into effect.

A Data Retention Implementation Plan was submitted by 57.69 percent of respondents with the Communications Access Coordinator; however, 75.86 percent have still not heard back from the coordinator on whether their plan had been approved.

"It is no surprise that many service providers won't be compliant when the legislation comes into force -- many of these because they are still waiting to hear from government as to whether their implementation plans have been approved," said Communications Alliance CEO John Stanton.

In relation to the costs associated with the scheme, telcos were split almost 50-50 on whether they requested from the government partial or full reimbursement of expenses incurred as a result of fulfilling data-retention obligations.

Less than a week out from the start date of the regime, telcos remained uncertain on what the costs imposed by setting up a system would amount to: 10.17 percent said less than AU$1,000; 8.47 percent pointed toward between AU$1,000 and AU$10,000; 32.20 percent suggested AU$10,000 to AU$50,000; 25.42 percent said AU$50,000 to AU$250,000; 11.86 percent said AU$250,000 to AU$1 million; 6.78 percent suggested between AU$1 million and AU$10 million; and 5.08 percent said it would cost them more than AU$10 million.

The government announced in its 2015 Budget in May that it would allocate AU$131.3 million to the scheme, with Stanton saying at the time that this amount was predicted to cover between only one-third and half of the estimated cost to ISPs.

"All providers are still waiting to hear from government as to how it will apportion the AU$131.3 million that has been pledged in assistance to partially meet the set-up costs that service providers -- and, ultimately, their customers -- are facing as a result of the regime," Stanton added on Tuesday.

"The government has indicated it will consult with industry in coming weeks on how to apportion the subsidy and this remains an urgent task, as service providers are now having to commit to investment decisions without knowing how much of that spending will remain unfunded.

"In light of the survey results, the onus remains on government to work constructively with industry -- and not rush to enforcement -- over coming months to help providers come into line with what is proving to be a very challenging and somewhat confusing impost on the industry."

Of the telcos responding to the survey, 61.41 percent had also requested, or intended to request, an exemption for any or all of the data-retention or encryption requirements -- with 90.91 percent not yet hearing back, and 4.55 percent having their applications declined.

In July, the Labor opposition party called for a review of the data-retention legislation despite helping to pass the law, saying the retention period, cost, and provision of warrantless access all need to be revisited.

At the 2015 ALP National Conference, the party passed an amendment to its Draft National Platform to include a review of the law, saying it creates "a culture of fear" and invades the privacy of Australian citizens.

"These laws help create a culture of fear, a culture where we are all under suspicion and subject to heightened mass surveillance," New South Wales Labor MP Jo Haylen said.

"The challenge for lawmakers is to strike the right balance ... between privacy and security, between transparency and strength, and between the power of government and the rights of citizens. The government's data-retention laws do not strike the right balance, and neither does Labor's support of these laws."

Electronic Frontiers Australia (EFA) has also previously called for amendments to the legislation to shorten the "unjustifiably long" two-year retention period.

Internet Australia, meanwhile, has pointed to the high cost of implementing the scheme and storing the data, saying that it will likely be passed on to consumers.

"The amount of funding allocated by the government to reimburse service providers is simply inadequate. What's more, we still have no information about how it will be allocated among the hundreds of ISPs," CEO Laurie Patton said in June.

Other critics have argued that the data retained under the legislation will be a "honey pot" for would-be hackers.

Prior to the law's passing, Australian Privacy Commissioner Timothy Pilgrim attempted to argue that the two-year retention period should be assessed against the risk to privacy of storing such a large amount of personal data. He pointed out that 90 percent of investigations relying on retained data only use data that is less than one year old.

"If a decision is made to implement a scheme such as this which is going to require, as I said, the holding or the collection and retaining of huge volumes of data and personal information about people for a long period of time, we need to look at what else we can put in place to do our best to secure that information," Pilgrim said.

Such a risk would be compounded by the fact that national security agencies will be accessing and sharing the customer data -- despite these organisations having a long history of privacy breaches through carelessness.

In February last year, the Immigration Department published the details of almost 10,000 asylum seekers, including their full names, dates of birth, genders, nationalities, periods of immigration detention, locations, boat arrival information, and the reasons why an entrant was classified as having travelled into Australia "unlawfully".

In a similar gaffe, the same department accidentally emailed the passport numbers, dates of birth, and visa information of world leaders attending last year's G20 summit in Brisbane -- including those of US President Barack Obama and Russian President Vladimir Putin -- to a member of the Asian Cup Local Organising Committee.

The effectiveness of such a regime is also under question, with newly minted Prime Minister Malcolm Turnbull having previously admitted that VPNs would circumvent the measures.

"You've all got VPNs [virtual private networks] anyway, so all of you appear to be somewhere in Iowa when you go online, I know that," Turnbull said at the GovHack awards in August last year.