Welcome to Brandistan, home of wobbly data retention

Thanks to George Brandis' multi-disciplinary expertise, Australia's digital surveillance future is shaping up more like Brazil than Nineteen Eighty-Four.

Australia's new telecommunications data retention regime was the politech topic du jour this week, for all the wrong reasons. We saw yet more evidence that the entire scheme -- regardless of whether you support this increased digital surveillance or not -- has been poorly thought through, and is being poorly implemented.

As telecommunications industry negotiator John Lindsay tweeted on Monday, the new world of mandatory data retention actually kicked off months ago. In April, telcos were required to retain customer data they might otherwise have deleted.

But this week saw two significant milestones. Service providers are now required to retain the full data set as specified in the legislation -- that is, they're required to create new data on their customers' activities that they otherwise would never have created. And they're required to store all this retained data securely. Or, at the barest minimum, have approved plans or exceptions.

It's fail on both counts, and the Ringmaster of Fail is of course Australia's favourite attorney-general, Senator George Brandis QC.

ZDNet reported on Monday that telcos aren't ready and don't understand what they're meant to be doing. More than a third of telcos say they're "not confident at all" that they understand what data the law requires them to retain and for how long.

Brandis' response? Blame the telcos for not understanding his vision.

"I think the obligation is expressed very clearly in the legislation. If there is confusion among some members of the industry then I suspect that's a question better directed to them," Brandis told ABC Radio's AM on Tuesday.

"That is set out with particularity in the legislation ... There is a detailed technical specification which is set out in the legislation."

Except that the government-supplied data definition [PDF], which expands upon the list in legislation, is not a technical specification at all. It's just some handout. Read it for yourself.

A technical specification would list the specific protocols and data fields to be recorded -- notice how the words "specific" and "specification" start with the same letters, George -- not vague descriptions that include phrases like "such as" and "may include".

The attorney-general is of course the Coalition's long-running trial of government by Dunning-Kruger effect, as a quiet straw poll over beers of members of parliament and lawyers alike would soon confirm. So he doesn't know the difference between a technical specification and some hand-wavey list of stuff he's put into law? That's all part of the plan.

As for securing this highly personal data, well...

On Thursday, an audience member at the national conference of the Australian Information Security Association (AISA) in Melbourne asked a panel on government infosec what's being done at a practical level to safeguard that information. Telstra's national security advisor Rachael Falk answered for her own organisation.

"We are securing that data. We recognise its importance. The law is the law, so it's in place now," Falk told the conference. "It's like anything else that's of significant value. It's protected. We apply our security standards to it, irrespective of what it's used for."

It's hardly surprising that Telstra could answer confidently. Australia's biggest telco has a hardcore infosec team, led by a former senior officer of the Australian Signals Directorate (ASD). But what about the rest?

"Who verifies that everybody's following rules? There's several hundred telcos having this information," the audience member asked. "Or is it squirrels guarding the nuthouse?"

Dr Suresh Hungenahally, chief information security officer for the Department of Economic Development, Jobs, Transport and Resources, said that an organisation is responsible for securing the data it creates. This is true, but of course it doesn't answer the question.

The actual answer is that there aren't any extra safeguards. As usual, there's just the overworked Privacy Commissioner and his team, dealing with data breaches after the event -- provided organisations even own up to them, in the absence of mandatory data breach notification laws.

So in summary, the government has outsourced surveillance to organisations that don't know what they're meant to be doing, with no proper oversight of how they're getting on.

Welcome to an Australia that's less like George Orwell's Nineteen Eighty-Four, more like Terry Gilliam's Brazil.

Welcome to Brandistan -- mind the squirrels.

Disclosure: Stilgherrian travelled to Melbourne as a guest of Tanium.

Updated 5:06pm AEDT 16 October 2015: Article previously stated that a data definition did not exist in the legislation.