The Parliamentary Joint Committee on Intelligence and Security is currently conducting an inquiry into reforms to Australia's interception and security legislation.
The inquiry relates to the Telecommunications (Interception and Access) Act 1979; Telecommunications Act 1997; Australian Security Intelligence Organisation Act 1979; and Intelligence Services Act 2001 and began in July this year.
One of the most contentious aspects of the terms of reference include "tailored data retention periods for up to two years for parts of a data set, with specific timeframes taking into account agency priorities and privacy and cost impacts".
Below, Computerworld Australia presents a selection of concerns about the proposals raised during the inquiry.
Australian Mobile Telecommunications Association (AMTA); Communications Alliance
John Stanton, CEO, Communications Alliance: "We certainly believe that carriers should not be required to create or hold data that they would not otherwise be creating or holding for commercial purposes. And, so far as data retention is concerned, we believe that any move down the track of additional data retention requirements should be based on full cost-recovery from government, just as is occurring today in the UK."
Chris Althaus, CEO, AMTA: "This discussion on data retention has been going on for some time. To the department's credit and the agency's credit it has taken a range of twists and turns and we have always had a full and frank discussion about it. However, it has tended to be a discussion on the agency's terms."
Althaus: "Just blindly following Europe, where there have been substantial critiques of this approach, is not something we support."
Electronic Frontiers Australia
Andrew Pam, board member: "...similar data retention requirements in Europe are now being challenged on constitutional grounds and a number of countries because they are really very difficult to effectively address. We just do not see any adequate justification in the proposal as it is put before us now. It is not that it may not be possible to justify, but no evidence of any serious justification has as yet been put forward."
Pam: "The longer the system exists, if it exists for a period of decades, then over that time it is a near certainty that there will be some abuses of the system. And then you have to weigh up the consequences of those abuses against the potential good that has come out of having the system in place. It is sometimes a difficult judgement to make, but history has shown that there are known negative consequences of introducing these systems."
Pam: "It can be corrosive to a democracy when the view of the public is that they are living in a surveillance state."
Steve Dalby, chief regulatory officer: "The estimated cost for us would be about $20 million for the IT equipment and about $10 million for the building itself to meet the current traffic levels operating over our network ... If we take that cost and determine what it will cost our customers when we pass it through, we are assuming an increase in the cost of a service -- any one of our services -- of about $5 per month."
Dalby: "I could not imagine that only one portion of telecommunications services would be covered by such proposed data retention leaving the rest empty, because that would leave an open house for anybody who wants to bypass those things that are being retained."
Dalby: "To suggest that we want the IP addresses but not the content is not true because you cannot have that cake and eat it too."
John Lindsay, chief technology officer: "I would also note that that data is a very tasty prize and that the approaches from commercial organisations to gain access to that data stream are very lucrative."
Matthew Healy, national executive, industry and policy: "The easiest example [of what data we keep] would be a mobile phone record where we keep the details of the number that was called, who was called and [what] the duration of the call [was]. That is billing information. That is how we bill. We would keep that for more than two years and, in some circumstances, over seven years."
Christopher Zull, senior manager, industry and policy: "The government has had a convergence review. We are still looking at the blurring lines between telecommunications and broadcasting and other forms of digital interaction. We think it is just an arbitrary way of carving that out."
Zull: "It seemed to us to be a bit unusual that there was no draft legislation at this point. We asked whether we would expect to have that. The answer was, 'Yes, we would expect that in due course'."
Office of the Victorian Privacy Commissioner
Anthony Bendall, acting privacy commissioner: "I am not expressing that it is impossible that that might happen, but at this point of the discussion paper there has not been enough evidence given that either of these types of proposals are necessary for the purposes that have been set out or that the way they are proposed is the least intrusive and most protective that it could be."
Bendall: "...my impression is that it turns on its head the premise that underlies privacy legislation and the whole concept of privacy that you only collect and retain information that is necessary and that you only do that in the least intrusive way."
Bendall: "It assumes that everybody's privacy should be invaded to the extent that that retention happens, on the off-chance, and even if it turns out that it is useful, it would be useful in a tiny proportion of cases."
James Shaw, director, government relations: "What we know is it would cost several million dollars just to scope out the cost of preparing the data sets for the agencies under a data retention proposal."
Shaw: "...agencies themselves will face significant costs in that they will have costs of accessing that data and then manipulating and investigating it in a way that makes it usable for them and also their own destruction costs at the end of the process."
Shaw: "In terms of putting a firm proposal -- and that would involve looking at the costs as well as the technology side -- we think that it would take at least a year, and then the implementation of the scheme would be rolled out over the years from that point in time when there was a decision about what the final form would be."
Darren Kane, director, corporate security and investigations: "The issue with this is that it is such a moving feast that there could not be agreement from the departments around the datasets. Each time a dataset was agreed upon [in Attorney-General's Department talks], the complexity and the evolution of the network meant that that was expanded upon or contracted. The issue over many years has been exactly what datasets the departments and the agencies require from the industry."
Kane: "...there are organised criminal gangs that are not using our services. I have made a note here that Telstra is probably a victim of our own success in relation to this. As I said, we have a long history of support for law-enforcement and national security agencies and as a result they know the quality of the reporting we are able to deliver and expert testimony in court. Common sense says they probably would not use our services."
Kane: "The simple evolution of technology would mean that we could not capture or provide any metadata or any content around something like Gmail, because it is Google-owned, it is offshore and it is over the top on our network. The real value of what we might have in our data retention scheme would be greatly diminished as soon as the good, organised criminals and potential terrorist cells knew that we were not capturing that data."
Shaw: "Regrettably, not all the intelligence rests on the good side of the equation. There are some smart people out there who want to do bad things and they will, invariably, find ways to utilise technology for their benefit."
Matthew Lobb, general manager, industry strategy and public policy: "First, it would be very expensive to set it up and, second, it would start to become quite problematic information for us to be able to protect and store. So, from a principles point of view, what we would suggest is that we look at what is the minimum useful new storage requirement that emulates the current call storage arrangement. That might simplify resolving this issue."
Follow Stephanie McDonald on Twitter: @stephmcdonald0
Follow Computerworld Australia on Twitter: @ComputerworldAU