Data retention: It's really, really important (but we still can't give you any details)

The inquiry into the data retention bill has started holding hearings but neither the cost nor the final data set are known

As the Parliamentary Joint Committee on Intelligence and Security held its first hearing of an inquiry into the government's data retention bill, key details of the proposed regime are still yet to be revealed.

Chief among those is the exact dataset that will be covered by the regime. The bill sets out in relatively broad brushstrokes the type of data that telcos and Internet service providers will be required to collect, store for two years and make available to authorised government agencies.

However, the detail of what exactly will need to be retained has been left to regulation (a move that has drawn criticism from both the Senate Standing Committee for the Scrutiny of Bills and the Parliamentary Joint Committee on Human Rights).

And, despite the inquiry into the bill beginning, not even the government is certain what will be included in the final dataset. Nor, judging from evidence today, what it will cost.

The first part of today's public hearing included appearances from the Attorney-General's Department, ASIO, the Australian Federal Police and the Australian Crime Commission.

The law enforcement and security organisations were united in support of the legislation, though both ASIO deputy director-general Kerri Hartland and AFP commissioner Andrew Colvin indicated they felt two years represented the bare minimum period data should be retained for.

"A two year retention period is a compromise from ASIO's perspective," Hartland said. "We've said repeatedly that we would prefer a longer period to match the long term strategic nature of serious national security threats we face.

"We've provided the committee with a breakdown of the age of ASIO's communication requests using 12 months as a benchmark but I can say in this hearing that 12 months is not a sufficient period of time. Around 10 per cent of the requests are for 12 months or more and leading into up to two years and even beyond that. "

That 10 per cent "relate to our most serious and complex cases" such as espionage. "It absolutely needs to be two years from our perspective".

"From a law enforcement perspective ... the longer the data is kept the better because there will be investigations that we would ordinarily have sought information that goes back beyond the two years," Colvin said.

"This is about trying to create a minimum standard that is level across the industry... there are Internet service providers now who routinely hold this information for up to seven years and perhaps longer depending on how their systems are configured, and from a policing perspective that would be beneficial to us, but this is about creating a minimum standard..."

The two-year period in the bill is a "time frame that law enforcement and security agencies have accepted that is appropriate in the circumstances," Colvin said.

"But I can see instances where we will still claw back further than two years if the data is held. If it's not held under this regime then that data is not available to us."

Read more: ASIC unhappy with exclusion from data retention regime

In his opening statement Colvin said telecommunications data "is a critical component of investigations".

The bill will stem a "continuing loss of capability" as telecommunications providers change their retention practices and newer players enter the telco market.

Colvin said that in AFP investigations commenced between July and September of 2014, telecommunications data was used in 92 per cent of counterterrorism investigations, 100 per cent of cyber crime investigations, 87 per cent of child protection investigations and 79 per cent of serious organised crime investigations.

Although the data retention bill has been endorsed by Australia's top cops, the exact data that will be retained has not been finalised, Anna Harmer from the Attoney-General's Department confirmed.

The government has revealed a draft data set, but the first report of the Data Retention Implementation Working Group (IWG), which includes representatives from the Attoney-General's Department, ASIO, AFP, the Department of Communictaions, the Australian Crime Commission, Telstra and Optus executives and the CEO of the Communications Alliance, has recommended a number of tweaks to it.

The cost to industry of implementing the regime is also not yet known, Harmer said.

"As the government has indicated there is a range of work being done and engagement with industry to examine the implementation of data retention and to assess the costs of implementing the data retention regime so industry ... have presented a number of views and a number of cost estimates have been circulated," Harmer said.

Because of different business models between telcos "any form of accurate costing of the implications of the provisions in the bill do require quite detailed consultation with industry which is what we're doing at the moment," Katherine Jones from the Attoney-General's Department told the hearing.

The IWG's first report, which was posted online by the PJCIS today, notes that the government has twice engaged PricewaterhouseCoopers (PwC) in an attempt to establish the cost of the regime.

"In September 2014, the AGD engaged PricewaterhouseCoopers (PwC) to develop a cost analysis for the introduction of the Government’s proposed data retention obligations," the report states.

"PwC consulted selected telecommunications industry participants regarding their current data retention practices, as well as their estimated costs of compliance with the proposed obligations. Notwithstanding consultation on the draft data set, consulted providers observed that they did not consider they could provide accurate costings without draft legislation articulating and evidencing the data retention obligations."

"In December 2014 AGD again engaged PwC to provide high level costs for the initial implementation of the data retention scheme," the report states.

PwC provided "additional information regarding data retention costings" to the AGD on 11 December but the report states that "Further costings work is required and will be undertaken by PwC over the next month."

"Costings work is ongoing and the government is engaging closely with industry and we are seeking relevant information and collaborating with industry on what the impact is," Harmer said.

Follow Rohan on Twitter: @rohan_p

Join the Computerworld newsletter!

Error: Please check your email address.

Tags civil libertiesdata retentionprivacy

More about ASIOAttorney-GeneralAustralian Crime CommissionAustralian Federal PoliceCommunications AllianceFederal PoliceOptusPricewaterhouseCoopers

Show Comments