Australia begins mass data retention under new law

  • Published
A page of code on a computer screenImage source, Reuters

Large amounts of telecommunications metadata must now be kept for two years by Australian telecommunications companies, under a new law which came into effect on Tuesday.

It covers data on who called or texted whom and for how long, as well as location, volume of data exchanged, device information and email IP data.

It also makes it much easier for authorities to access the records.

The new law has caused heated debate among Australians.

Some have said the laws - an expansion of existing rules on what data can be retained - are justified, but others have raised concerns about civil liberties or potential flaws in the scheme.

Why was it implemented?

The bill was introduced to the Australian parliament when current Prime Minister Malcolm Turnbull was communications minister.

Image source, EPA
Image caption,
The prime minister, who introduced the bill when he was communications minister, admitted he uses encrypted messaging apps

He said then it was "critical" for security agencies and law enforcement, citing investigations into domestic terrorism.

"No responsible government can sit by while those who protect us lose access to vital information, particularly in the current high threat environment," he said, in a joint statement with Attorney-General George Brandis.

What does it cover?

The government has stressed that the data retained is only "metadata" and does not include the content of calls and messages themselves.

The law also does not require firms hold on to a web users' browsing history.

The authorities also point out that some of this data was already being retained by telecommunications companies, albeit on an ad hoc basis.

Also, while Australian internet services are required to keep detailed records of almost everything about an email or chat conversation apart from their content, foreign platforms, like Gmail, Hotmail, Facebook and Skype are exempt.

Internal email and telephone networks, such as those operated within companies and universities, are also exempt.

What are the concerns?

Opponents point out that, considered in entirety, such metadata paints a detailed picture of what people are doing, even if the content of messages is not included.

Image source, @snowden
Image caption,
NSA leaker Edward Snowden weighed in on the new rules

They also point out that while terrorism and child abuse investigations are often cited to justify the laws, they also allow for data to be requested for much more minor crimes.

The process of request has also become much easier. Typically it will not now require a warrant.

It will still take a warrant to access a journalist's data to identify their sources, but that hearing will take place in private. And no warrant is needed for government agencies to search the data of its own ranks.

The multi-million dollar scheme has also come under fire for its cost, which will be partially borne by the government.

Australian Green Party Senator Scott Ludlam tweeted that it was "absurdly expensive and complex for ISPs to implement, trivially easy for anyone to defeat" - a reference to the prime minister's admission that he uses encrypted messaging apps himself.

The Green Party voted against the bill, along with six independent senators, but was overwhelmingly defeated.

The security of the servers used to hold the data has also been a question, with mass data breaches becoming increasingly common around the world.

Not ready?

Australian lobby group the Communications Alliance has said most internet service providers (ISP) are not yet storing metadata as the law requires.

Some online services are also unsure about whether the law covers them and precisely what data they need to keep, the body said. Cost was also cited as a concern, with ambiguity about how government money set aside to help, will be spent.

ISP's who are not yet ready to collect all the data can be granted 18-month extensions by the Australian government, as long as they submit plans to start doing so. But the survey found that most of those who had applied for extensions had yet to hear whether they had been approved.

Is anyone else doing this?

Telecommunications providers in the UK retain metadata for a minimum of one year, although the UK's High Court ruled in July that aspects of the Data Retention and Investigatory Powers Act, were unlawful.

Image source, Reuters
Image caption,
The geographic location of servers - these in Iceland - is an increasingly important data security concern

Despite this, the order to nullify that part of the legislation has been suspended until March. Meanwhile the UK is pushing ahead with even tougher legislation.

In the US, a court ruled in August that the National Security Agency (NSA) could continue to collect phone metadata, although Congress changed the law earlier in the year to allow phone companies to keep their own databases, which the government can query.

In China, few protections exist against any form of state surveillance, and in Russia a law came into force in September requiring technology companies to store any data on Russian users on servers within the country - readily accessible to local authorities.