Telstra has warned the government that the centralised system it will need to create in order to store data for two years as required under mandatory data-retention legislation would be an attractive target for would-be hackers.
Under the legislation currently before the Australian parliament, telecommunications companies such as Telstra would be required to store an as-yet-undefined set of customer data for at least two years for warrantless access by government agencies for law-enforcement investigations.
Telstra indicated that the vast majority of requests come from government agencies via fax. The company currently fields hundreds of thousands of requests for metadata, and attempts to find the data across 13 different systems.
The company told the parliamentary committee investigating the legislation on Thursday that the proposed legislation would, however, force the company to centralise its storage of the data it would be required to retain.
Telstra would then associate all of the retained data for particular customers in the one place, the company indicated.
Telstra's chief information security officer Mike Burgess told the committee that this would make it a much more lucrative target for hackers.
"You would go for that system because it would give you the pot of gold, rather than working through our multitude of systems today to find that data," he said.
"What the Bill would require us to do is have that data in a location or a system where it can be accessed, and it would be associated with a particular customer, as opposed to transient data," Telstra's executive director of regulatory affairs Jane Van Beelen added.
"This would require us to keep a prescribed data set in a form that would be made available to agencies."
Burgess said it would be much simpler for a hacker to target one system than the 13 Telstra has today.
"Across our network, we have 13 core systems; it would be complicated for a hacker to move across our network and put the pieces together to track where a person has been," he said.
Telstra has provided PricewaterhouseCoopers with an estimate of the costs to establish the system. PricewaterhouseCoopers will advise the government on how much it will have to contribute to pay for mandatory data retention. The company on Thursday declined to reveal the figure, citing commercial confidentiality.
Part of the cost will come from Telstra having to create and store data it doesn't already use. The company indicated that it currently doesn't store assigned IP addresses on its mobile network, or missed call information.
Earlier in the hearing, the Australian Securities and Investments Commission (ASIC) pleaded with the committee to amend the legislation to include ASIC in the list of government agencies that have access to the data. ASIC currently has access to metadata, but did not find out it would be removed from the list until Communications Minister Malcolm Turnbull introduced the legislation at the end of October.
ASIC commissioner Greg Tanzer said ASIC had not been consulted during the process of developing the legislation, and that the organisation needs to keep the ability to access metadata for the investigation of white collar crime such as financial fraud and insider trading.
According to Tanzer, metadata has been used in approximately 81 percent of cases that ASIC has prosecuted in the last four years.