
Optus gained exemption to store metadata unencrypted

The use of legacy applications allowed Optus to seek an exemption from the rules.


Optus has confessed it received an exemption to keep its legacy systems free from encryption when complying with Australia's data retention scheme.

"The legislative provisions which allow for certain exemptions to be granted were an important factor in Optus achieving compliance in an efficient and timely manner," Optus said in a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review of the mandatory data retention regime.

"Because part of its overall data retention architecture involved storing some data in legacy systems, Optus applied for and received limited exemption from the encryption obligation."

The telco said there had been no reported "security incident or breaches" related to the retained data.

Section 187BA of the data retention legislation requires a service provider to encrypt the information it stores.

Under Australia's data retention obligations, telcos must store customer call records, location information, IP addresses, billing information, and other data for two years, and make it accessible without a warrant by law-enforcement agencies.

To improve the "quality of service" it offers to agencies seeking what Optus's own website acknowledges is personal information, the company said it has automated its responses for certain categories of data that are frequently requested.

"This system provides 24x7 automated and timely responses to authorised requests received in a pre-defined format," it said.

In earlier submissions, a number of Australia's enforcement agencies had pushed for a standardised format and costs for data retrieved from telcos.

Optus said cost differences should be expected, however, since carriers operate with different underlying cost drivers and systems.

"There will be a mix of automated and human intervention applied depending on the data and request type," it said.

Optus said that after shutting down Vividwireless, which it purchased for AU$230 million in 2012, retiring its systems and migrating the retained data so it remained accessible took "considerable effort".

"In the context of a [carriage service provider] ceasing to trade this can be [a] challenge as its business and IT systems are typically retired, its staff move on, and special arrangements are needed to maintain continuity of access to data and expertise to interpret it," it said.

Overall, Optus said it did not want changes to the retained metadata data set, but did question whether the government wanted the large amount of data expected to be generated by machine-to-machine communications and Internet of Things devices stored.

"Optus recommends that the PJCIS commission a report from Departmental officials on whether data retention obligations should be modified as they apply to low latency 5G machine to machine services and applications, and the emerging range of IoT use cases and devices," the company said.

"It may be appropriate, for example, for across the board rulings or exemptions to be made for these classes of services and it should not be left to individual providers to seek such exemptions."

A spokesperson for Optus told ZDNet the exemptions for its legacy systems were "very limited in scope and conditional on other significant compensating controls being in place to protect the security of the data".

"These controls have been independently assessed by the Office of the Australian Information Commissioner and found to be satisfactory," the spokesperson said. "The Office of the Australian Information Commissioner has a role under the legislation to review the security of personal information kept for data retention."

Updated at 10:07am AEST, 17 July 2019: Optus comments added.  
