Telstra questions whether metadata restrictions are working as intended

Freeloading agencies skirting Australia's metadata restrictions often do not understand, or adequately protect, requested metadata, the telco says.


Australia's incumbent telco has questioned whether the legislative restrictions on the nation's metadata regime are "operating as effective as intended".

The scheme, which has cost telcos AU$210 million so far to set up and operate, forces carriers to store customer call records, location information, IP addresses, billing information, and other data for two years, and make this information accessible without a warrant by law-enforcement agencies.

However, despite the legislation spelling out that only 21 enforcement agencies have the ability to access the retained data, many other agencies are also able to request metadata under different legal provisions.

Telstra said in a submission to the Parliamentary Joint Committee on Intelligence and Security review of the mandatory data retention regime that some of those agencies skirting the metadata laws are not paying for access.

"There is a risk this type of access to telecommunications data could erode public trust in the regime and undermine the relationship we have with our customers in relation to protection of their privacy," Telstra wrote.

"In some cases, these agencies and bodies are also not contributing to the cost recovery of the regime."


In an earlier submission, the Law Council of Australia said the agencies that are able to access metadata should be spelled out in legislation. Telstra, however, was not so brave, instead saying non-enforcement agencies should be forced to go through the same process as enforcement agencies.

"It would provide clarity that all entities seeking telecommunications data are captured under the standard cost recovery system of the regime, which may also encourage them to carefully consider the amount and scope of data required," the telco said.

Generally agreeing with the submission by the Communications Alliance, Telstra echoed that non-enforcement agencies often request large amounts of data and are unable to interpret it.

Telstra added that non-enforcement agencies might not be encrypting data received from telcos.

"We believe there is a need for the introduction of appropriate oversight mechanisms to ensure measures are in place to securely protect disclosed data and to control who can/can't access the data," Telstra said.

The telco joined calls that Internet of Things (IoT) data should be exempted from the metadata regime.


"It seems unlikely that the timing and length of data sessions from a smart meter which provides throughput or output measures at regular intervals would provide useful information to the listed law-enforcement agencies," Telstra said.

Last week, Home Affairs Minister Peter Dutton defended the checks and protections within Australia's data retention regime.

"There are mechanisms in place, safe checks, and they should be adhered to, and if not, there are consequences for that," he said.

"Take the protections very seriously. But in the end, the vast majority of cases, 99% of the use of these laws will be appropriate, and they'll be used in a way that will result in protecting Australians -- and that's the reality."

Later in the week, ACT Policing confessed to accessing metadata without authorisation 3,249 more times in 2015 than previously disclosed.

"Once the issue was discovered, ACT Policing notified the Ombudsman's Office to seek advice on how to remedy this administrative oversight," it said.

"ACT Policing has sought legal advice regarding the management of two matters relating to a missing persons case and a criminal matter where the data in question may have been used in a prosecution."

The only consequence identified by ACT Policing on Friday was "refresher training" for officers.
