Published on the 20/11/2018 | Written by Pat Pilcher
80 organisations make metadata requests, but is that a concern?
In October 2015, data retention laws saw Australian telcos being legally obliged to monitor and record customer activity, storing metadata for two years. ISPs and carriers had to log who got called, texted or emailed, their location and the volume of data moved, the device used, plus email and IP addresses. Privacy advocates wrung their hands, fretting that data retention laws could be a slippery slope eroding personal privacy.
Now similar concerns are being aired about the Australian government’s proposed Access and Assistance legislation. The Communications Alliance, who represent Australian telcos, dropped petrol onto the data privacy bonfire by listing 80 organisations that they say have asked Communications Alliance members to supply subscriber metadata, warning that something similar could eventually take place with the Access and Assistance legislation, which requires Australian telcos/ISPs to give federal authorities access to encrypted data.
“What could Australia Post, local councils, and the Taxi Services Commission possibly want with metadata?”
The Communications Alliance argue that when data retention laws got passed in 2015, only 20 law enforcement agencies could ask for metadata. A later amendment (which they’ve labelled as scope creep) now allows other organisations access to metadata – provided they have a court order. Further driving the point home, the Alliance asked their members to list metadata requests, supplying these to the Parliamentary Joint Committee into Intelligence and Security who are currently reviewing the Access and Assistance bill.
While the Australian Federal Police or Australian Tax Office asking for access to metadata is not a surprise given the role it plays in legal investigations, the 78 other Australian organisations asking for metadata make little, if any, sense at all. What could the Corporate Security Group of Australia Post, local councils, the Department of Agriculture and the Taxi Services Commission possibly want with metadata?
Of equal concern, the alliance stated in their submission that they couldn’t identify all the organisations asking for metadata, nor could they tell the committee how much data had been supplied.
“It is not possible at this stage to provide an accurate composite picture of the volume of requests and disclosures processed in respect of each of the listed entities…Determining volumes is further complicated by the fact that while responses to some requests are derived from the mandatory data retention store, some requests can also be met by interrogating business systems or databases that hold similar or identical information for commercial use.”
Herein lies the rub. While it is hard to fault the Communications Alliance’s argument that the scope and extent of the data retention bill has undergone significant change since its inception, the reality is all requests are reviewed by a judge who issues court orders for applications deemed legitimate.
Of more concern are the issues that could get lost in the ensuing witch hunt over the list of 80+ requests submitted by the Alliance.
The ensuing political sideshow could obscure several important issues. These include a need for oversight into data requests to accurately track what data has been accessed and by whom.
The importance of this is underscored by the Alliance, which in their submission to the committee notes that “The notice processes created under the draft Bill are vulnerable to the exercise of bias and lack an independent assessment mechanism. Very concerning is the lack of judicial oversight of a piece of legislation that has the potential to significantly impact on society’s overall security and the privacy of individuals.”
The Alliance also raises compliance costs as an issue, stating that “In the past three years alone, the telecommunications industry has seen (or is about to see) three key legislative changes with the introduction of the Data Retention Regime, the TSSR and now the Encryption Bill. This has resulted in a piecemeal approach to various pieces of legislation and resulted in a complex environment that is increasingly difficult and costly to navigate for both large and small to medium private sector organisations.”
These costs are not likely to be insignificant, and the reality is that they get passed on to customers. Costs aside, the Alliance also argues that the Australian Government’s piecemeal approach to cybersecurity will soon be outdated and limited in its usefulness. They are instead calling for a more holistic approach that will be less risky and more efficient.
“…the Bill, as currently drafted, bears the real risk that the potential gains to be made from improved intelligence gathering may come at the expense of significantly diminishing existing user trust and cybersecurity structures. Our industry stands at the cusp of even more dramatic changes than those that have characterised the past 20 years, with 5G, the Internet of Things, artificial intelligence and blockchain becoming a reality now or in the near future. Consequently, it appears that it may be time to consider a cybersecurity, privacy and law enforcement framework from a more holistic perspective to minimise the number of future ‘add-on’ pieces of legislation that add further to the already existing cost of compliance, complexity and risks of unintended consequences and circumvention.”