Data retention not a month's work: Telstra

Telstra has called on the Australian Federal Government to give it more time to implement a proposed mandatory data preservation system, also stating that it shouldn't have to foot the bill for such a system.

What are you looking at? image by nolifebeforecoffee, CC2.0

Keeping data on certain persons of interest is a requirement under the proposed Cybercrime Legislation Amendment Bill 2011, which a joint select committee examined today. Under the proposed amendment, which is being made primarily to ensure that Australia meets the requirements to accede to the Council of Europe's Convention on Cybercrime, internet service providers (ISPs) would be legally required to be able to preserve and store data for up to 180 days when served a notice by participating foreign nations. This data would be released later, once a warrant is issued.

Telstra already has in place the necessary systems to preserve data when necessary local warrants are sought, but not for the longer 180-day period specified in the Bill.

The draft Bill specifies that ISPs should have their systems compliant 28 days after the Act receives Royal Assent. However, representatives for Telstra have said that it and other ISPs would not be able to make arrangements to comply within the timeframe, calling instead for an implementation study period.

"Telstra suggests there be an implementation study period of 90 days following the Royal Assent of the Bill to enable [ISPs] to undertake the necessary feasibility and impact studies on our networks, and that there should then be an exemption process for [ISPs] of up to 18 months following that implementation study period, to enable [ISPs] to physically design, build, integrate and test the new systems and network upgrades, to ensure the data the law enforcement has requested can be delivered in a secure and safe method according to the lead agency's standards," said Telstra director, government relations, James Shaw.

In addition, Shaw said that ISPs are currently experiencing a large number of changes, such as altering their business processes and systems for the National Broadband Network (NBN) and IPv6. These changes would make implementing a preservation system more complex, he said.

"The activities required to comply with these arrangements are likely to require [ISPs] to divert a significant amount of time and financial resources, and are likely to involve significant amendments to our network and IT systems, which, in a company as complex as ours, are not straightforward and we suspect will also involve a reconsideration of capital programs and business planning programs within the business," Shaw said.

However, assistant secretary, telecommunications and surveillance law branch, Catherine Smith, of the Attorney-General's Department, said that she was surprised to hear that the changes to accommodate the legislative amendment would be so onerous. She said that she had thought the changes that ISPs would have to make would be minimal.

"I didn't understand from my discussions that there would be any need to build delivery standards, or have any specifications or anything like that. We're not going to tell them how to do it; we want them to tell us how it's best to be done," Smith said, pointing out that the requirements of the Act and Convention allowed ISPs to implement the system in any manner that they preferred.

"The Act and the Convention doesn't require stored information to be stored in a specific way. It doesn't require any capability. The convention already talks about not requiring industry to go outside their particular practices," she said.

"It may be in the case for a small ISP, for example, that they copy some emails on to a CD-ROM, they lock it in a protective filing cabinet and then, when the warrant comes in, that's what they hand in. There's no perfect science in how this will actually be done."

Telstra also said that it should not be responsible for the whole cost of having to implement the preservation system, since it wasn't a core part of its business.

"[These obligations] should be subject to further discussion with government as the proposed amendments we believe will place a significant resource burden on [ISPs] in the form of cost and manpower," Shaw said.

Smith said that the government is already making the necessary arrangements to compensate ISPs.

"The Telecommunications Act is being amended to ensure that [ISPs] will be able to recover costs for foreign preservation notices, and the domestic ones as well, for giving that information, storing that information and passing it over," she said.

Other organisations at the inquiry, such as the Australian Privacy Foundation and the Cyberspace Law and Policy Centre, kept privacy as a key focus of their submissions. However, when Telstra was asked if the company had any privacy concerns over the secondary use of preserved data, the company admitted that privacy had not been a focus area with regards to its submission.

"I don't think that's really an issue we've turned our mind to, to be quite honest. Our focus in dealing with this legislation has been around our obligation to preserve and then provide that [data], and how we can do that in the most cost-efficient way, but bearing in mind the need for utmost security around the preservation and transfer of that data."