ISPs could pay millions to store web data

But one telco exec guffs at big brother claims

Online personal data will be placed at risk and Internet Service Providers (ISPs) may be forced to cough up millions if the Federal Government acts on plans to legislate data retention laws, industry insiders say.

A handful of industry sources present at a closed-door, high-level meeting with the Federal Attorney-General (AG) allege the proposed laws will force ISPs to capture, retain and secure the search engine results of Australians at their expense, which some say could run into millions of dollars.

But one top director of an ISP who wished to remain anonymous due to confidentiality agreements said the AG had discussed the feasibility of data retention laws for more than a decade.

The latest incarnation was intended, the director said, to codify law around the common existing practice of collecting “radial data” which contains IP addresses and download quantities used in billing verification and supplementary lawful evidence.

He claims the Attorney-General's Department is considering a proposal similar to the European Commission’s Directive on Data Retention which has seen Member States divided in their support: The German Constitutional Court asked telecommunications providers to remove collected data after it declared elements of the policy unconstitutional in March, while others have either fully or partially mandated the policy including France, the UK and Spain.

Read more on about opposition to Europe’s telecommunications data retention

Yet another executive for a large ISP present at the Melbourne meeting on 12 March rejected suggestions by the AG Department that it will not capture “web histories”, and said such data could be a risk in the hands of small service providers.

“The AG [Department] is indicating the data will need to be held at our cost, and at some time in the future they will pay for the retrieval of data on an individual.[It is] estimated that storage requirements of data could cost hundreds of millions of dollars,” the source said, a claim supported by two additional industry executives.

“The [large telcos] will provide very competent security for the stored data, but there are hundreds of ISPs in Australia and some at the tail-end will think it suffice to store data cheaply [in a manner] of great concern and risk.”

The source claimed the AG Department intends to tie captured web site data to individuals, and to do otherwise is “pointless”.

Computerworld Australia was told by a third executive who attended the meeting that a directive to store online communication data would fill the data centre of one of Australia’s largest ISPs, and such a move would be “outright rejected” by providers.

Optus government and corporate affairs chief, Maha Krishnapillai, and Communications Alliance chief executive officer, John Stanton, both cautioned the government to consider the proposal’s privacy and security ramifications on industry.

"Key factors for the [Federal Government] to consider include the breadth of the data-set to be retained, the duration for which it needs to be retained, and who will bear the cost of the retention exercise,” Stanton said.

“We have also raised the question of privacy concerns that may be attached to any move in this direction.”

Telcos have long supplied radial data on their subscribers to the AG office, which is one of the leading departments in cyber-security in the country. But industry sources claim pressure is mounting for ISPs to police and censor data traversing their networks, and point to the Federal Government’s data retention proposal and Internet content filter plan.

A spokesman for the Federal Attorney-General’s Department would not elaborate on the data retention proposal, nor verify claims that the government intends to wrap legislation around existing practice.

He said only that the proposal is designed to provide useful data to assist law enforcement.

Senator Penny Wong, representing the Attorney-General's Department, said in the Senate that the data would be used to identify "parties to a communication, when and where that communication was made and the communication's duration, [but understands] it would not extend to the content of the communication.

"My advice is the government would ensure that any proposal would be consistent with the privacy act and the government's privacy reforms," she answered in response to questions from Greens senator, Scott Ludlam.

Join the Computerworld newsletter!

Error: Please check your email address.

Tags data rententionstorageAttorney-General's Departmenteuropean unionsecurityCommunications Allianceoptusgovernmentprivacy

More about Attorney-GeneralEuropean CommissionFederal GovernmentOptus

Show Comments