Australia’s mandatory data retention scheme begins tomorrow

The Australian Federal Government's mandatory data retention scheme comes into effect tomorrow, forcing Australian carrier service providers to store certain information about their customers' usage for a period of two years. Certain providers will, however, have until April 2017 to be fully compliant with the scheme.

Somewhat erroneously referred to as metadata, the information local telcos and internet service providers (ISPs) will need to retain is as follows:

The sender and recipient's phone number or email
The time, date and duration of a communication
A user's IP address
The location of the communication equipment used
The type of communication
Bandwidth usage such as the amount of data uploaded and downloaded

The content of messages, phone calls and text messages will not be stored, and neither will a user's web browsing history. The information is best described as the details surrounding a communication, rather than the communication itself. Critics of the scheme say this can still provide a number of insights. For example, a phone call made to a divorce lawyer's number still conveys meaning, even without knowing what was discussed.

ISPs and telcos that have not been able to comply with the scheme by tomorrow's deadline have had the opportunity to submit an implementation plan and ask for an extension. Providers that have successfully applied for an extension will have until April 13, 2017 to begin capturing and storing their customers' information.

When providing an implementation plan, providers were asked to list existing services already compliant with the scheme, services that generate data that will need to be captured by the scheme, and a date by which the service will be fully compliant with new obligations. Providers have also been asked to supply "interim" milestones leading up to April 2017, such as increasing the retention period for data not currently being kept for two years.

Telstra chief information security officer Mike Burgess previously said that the telco is aware of the risks of data retention, and will make use of the entire extended implementation period to make sure it has "the right protections in place".

"We are still developing our implementation plans but we have already decided to store our customer metadata encrypted at facilities located here in Australia," said Burgess in a post on the Telstra blog earlier this year. "While geography alone is not a good measure of security, storing the data in Australia should help allay the concerns of some customers."

"We understand that customer metadata has enormous value not just to our customers and law enforcement agencies but also to a range of malicious actors who may seek to gain access to our systems."

"We understand the implementation of the data retention laws is a work in progress and we are working with the Federal Government to fulfil our obligations by April 2017," said a Vodafone spokesperson in a statement. "Industry is still seeking clarification from government about how the funding allocated to the significant cost of systems set up and on-going data retention will be distributed among the carriers."

While much of this information is already captured by telcos and ISPs for billing, administrative and taxation purposes, concerns have been raised regarding the two-year storage period. In addition to the cost of storing what could amount to petabytes upon petabytes of information per year, experts have suggested that these data stores would be highly attractive targets for cyber-criminals.

"If I know I can get to someone's data through these data retention data centres, that's definitely going to be a target rich environment," said renowned hacker Kevin Mitnick, during a question and answer session at CeBIT 2015.  

"In my experience, everything has been hackable. Can they be defended? You can raise the bar extremely high and make it extremely difficult, but at the end of the day, everything that I've seen out there has been broken. It just depends on time, money and resources."

The scheme does not require providers to keep data in Australia.

The Federal Government, which proposed the Bill, believes it is essential in fighting terrorism, child abuse and other serious crimes.

"By passing this Bill, the Parliament has ensured that our security and law enforcement agencies will continue to have access to the information they need to do their jobs," wrote Attorney General George Brandis and former Communications Minister Malcolm Turnbull in a joint media release. "No responsible government can sit by while those who protect us lose access to vital information, particularly in the current high threat environment."

At least 21 agencies will have warrantless access to the data captured by the scheme.

Greens Senator Scott Ludlam was a vocal opponent of the Bill, going as far as calling it "massive, passive surveillance" while it was under debate in the Senate. He has repeatedly encouraged Australians to find ways to bypass the scheme, such as the use of a Virtual Private Network (VPN), both in the Senate and via his social media presence.

Turnbull, now sitting in the Prime Minister's chair, previously explained the ways in which Australians could circumvent the scheme during a live interview on Sky News.

"There are always ways for people to get around things, but of course a lot of people don’t," said Turnbull. "That’s why I’ve always said the metadata, the data retention laws, the use of metadata is not a silver bullet, it’s not a 100% guarantee, it is one tool in many tools."

Turnbull told Sky News that the use of an over-the-top application such as WhatsApp, Wickr, Skype or FaceTime effectively masks a user's communication.

"All that the telco can see is that my device has had a connection with, say, the Skype server or the WhatsApp server, but it doesn’t see anything happening with you," said Turnbull on the use of such apps.

Turnbull has recently come under criticism for his use of Wickr and a non-government email service. Crikey journalist Josh Taylor suggested the use of these technologies could hinder the Freedom of Information Act, legislation under which "any document, post-it note, SMS, or any other form of communication" can theoretically be accessed by the public.