A representative of the Attorney General's Department has acknowledged the potential for expansion of the subscriber data kept by telecommunications providers under the government's proposed data retention scheme.
The categories of data that are covered by the proposed scheme are outlined Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014.
However, bill itself only sets out the data covered by the scheme in broad brushstrokes. The detail of the data covered by the new regime will be set out in regulations.
"The use of regulations to prescribe the details of data to be retained facilitates the prescription of the necessary technical detail to provide clarity to telecommunications service providers about their data retention obligations while remaining sufficiently flexible to adapt to rapid and significant future changes in communications technology," states the bill's explanatory memorandum.
"Do you recognise that might be precisely what raises alarm bells — that the definition of obligations that you ... lay on service providers and therefore wash through the entire Australian population could be changed without recourse to parliament?" Greens Senator Scott Ludlam asked representatives of the department at a hearing yesterday of an inquiry into potential reform of the Telecommunications (Interception and Access) Act 1979.
The hearing of the Senate's Standing Committees on Legal and Constitutional Affairs turned into a de facto inquiry into data retention.
The formal inquiry into the government's data retention bill — the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 — has been held under the auspices of the Parliamentary Joint Committee on Intelligence and Security.
The PJCIS held on Friday its third public hearing into the bill. The committee has not indicated if there will be additional public hearings scheduled, and the inquiry is expected to table its report on 27 February.
"What we recognise is that it is appropriate there be limitations on the extent to which delegated legislation [the regulations outlining what data must be retained] can be used to define the scope of a primary obligation," Anna Harmer, acting first assistant secretary for the department’s national security law and policy division, said in response to Ludlam's questioning.
"The bill that's before the parliament circumscribes the range of data that can be prescribed by regulation by setting out six categories and so the information must fall into one of those six categories in order for it to be prescribed."
"We certainly recognise that it's possible through regulation to expand and that's why there is a — I think one might describe it as a hybrid approach in which key delimiters are included in the primary legislation, the detail of the data set is in the regulation," Harmer said.
The bill specifically excludes from the scheme some data, including web browsing history and "information that is the contents or substance of a communication".
Harmer said the broad categories of data listed in the bill as subject to the scheme would act as a fetter on scope creep.
The categories covered by the bill are "Characteristics of a subscriber of a relevant service", "Characteristics of an account, telecommunications device or other relevant service relating to a relevant service", "The source of a communication", "The destination of a communication", "The date, time and duration of a communication, or of its connection to a carriage service", " The type of a communication and relevant service used in connection with a communication", and "the location of equipment or a line used in connection with a communication".
Ludlam said that one effect of using regulations to set out the detail of the data set is that it renders parliamentarians unable to amend the bill if they object to specific types of data being included in the data set. Instead they would have to vote against the bill as a whole.
The government has made public (PDF) a proposed data set for the regime. A working group that brings together government and industry representatives has recommended some tweaks (PDF) to the proposal.
The Attorney-General's Department also came under fire at yesterday's hearing for the ease with which people could evade certain types of metadata being captured by using so-called over-the-top (OTT) communications services, some encrypted communications channels such as Tor, and overseas cloud-hosted services.Read more:Some Aussies prepared to risk security and privacy for free apps: report
The department has also been criticised for refusing to reveal details of the cost of implementing the scheme. The government has promised it will offer some level of financial to telcos for the cost of setting up the scheme. The cost to the telecommunications industry and how much the government will contribute are still unknown.
The government has engaged PricewaterhouseCoopers to assess the cost of implementing the scheme. However, the PJCIS and the Standing Committees on Legal and Constitutional Affairs have not been provided with any of PwC's initial findings.
The Attorney-General's department told the PJCIS last week that there were as yet no plans to provide the committee with any of the material produced by PwC.
Follow Rohan on Twitter: @rohan_pRead more:How will data retention laws cope with the Internet of Things?