Attorney-General George Brandis has reiterated the government's intention to introduce a mandatory data retention regime but failed to answer a query by Greens Senator Scott Ludlam on what the cost of such a scheme is likely to be.
Cost allocation is one of the issues that a confidential government discussion paper circulated to industry stakeholders is seeking input on. Telcos have previously expressed concern about the potential cost of establishing and maintaining data retention scheme and whether they would be able to engage in cost recovery.
"The nature of the mandatory data retention regime will not give the national security agencies any more powers than they currently have nor will it require the telecommunications providers to do anything more than they currently do but it will mandate the continuation of that practice," Brandis told Ludlam after the Greens senator asked about the cost of a data retention regime and whether it would reduce crime.
"At the moment ASIO and the national security agencies and the government are in communication with the telecommunications providers in the development of this proposal," Brandis told the Senate.
The attorney-general cited claims earlier this month by ASIO chief David Irvine that access to metadata is "absolutely crucial" for intelligence agencies.
Irvine reiterated those sentiments today, telling the National Press Club that "for law enforcement and for security intelligence, the ability to know when one of your targets is communicating and with whom is of crucial importance in establishing networks, in giving you the ground work to decide whether in fact you want to go to more intrusive methods like warranted interceptions."
The director-general of intelligence said that in cases where people can take steps to conceal their activities, such as using VPNs, "that will present challenges but they will still leave very, very useful points of metadata that will be significant analytical tools for law enforcement and for security intelligence agencies into the future."
Ludlam today also asked Brandis' to explain his understanding of the term metadata ("preferably without reference to envelopes").
Metadata "is a term that does not have a precise definition," Brandis said. "It is a description rather than a definition. But the essential concept ... is that metadata is information about a communication not the content or substance of the communication. That is the core concept. The specific definition, which will be statutory definition, the technical specifications will be included in the legislation."
In a final question Ludlam asked Brandis if the attorney-general would be happy to publicly publish his own metadata for a week. Brandis described the question as "flippant".
Ludlam later won Senate support to for a motion to order the government to table by 3 September the “definition of ‘metadata’ as defined by the Government’s proposal on mandatory data retention” as well as the government document circulated among telcos.
The sparring over metadata comes as Fairfax Media published a leaked copy of the document.
The discussion paper (PDF) says that the government's view is that a data retention regime "should apply to all entities that provide communications services available in Australia".
"The information provided by industry will assist Government to further develop policy on a range of issues, including future versions of the data set, retention periods for each element of the data set (to a maximum of 2 years), how to ensure requirements remain appropriate now and into the future, across different systems, services, networks and providers, exemption processes, information security arrangements, cost allocation, and implementation timelines and transitional arrangements," the paper states.
Data required to be retained would not include destination URLS or IP addresses but include information relating to the use of Internet and telecommunications services that could identify a telco subscriber such as name and address, "Information necessary to trace and identify the source of a communication", "Information necessary to identify the destination of a communication", the time and duration of a communication, type of communication, what equipment is being used, and the location of communications equipment.
The requirement to not retain destination IP addresses or URLs is described as an "exception". The document states that this "exception is intended to ensure that providers of retail and wholesale internet access services are not required to engage in session logging. However, operators of such services remain obliged to retain network address allocation records (including Network Address Translation records)..."
Follow Rohan on Twitter: @rohan_p