What you need to know about Australia’s mandatory data retention scheme
Australia's controversial mandatory data retention scheme is now in effect, and it's a little confusing to say the least. Even the providers who are being forced to capture and retain information aren't confident they know what's going on. To try and help clarify the scheme, we've got answers to some of the most important data retention questions.
What is data retention?
The Australian Federal Government's mandatory data retention scheme is a new set of laws that require Australian telcos and internet service providers (ISPs) to capture and store certain information about their customers for a minimum of two years.
What is being retained?
Telcos and ISPs are required to store the following information, often referred to as "metadata":
The name, address, and billing information of the user
The sender and recipient's phone number or email
The time, date and duration of a communication
A user's IP address
The location of the communication equipment used
The type of communication
Bandwidth usage such as the amount of data uploaded and downloaded
The content of email, phone calls and text messages will not be stored, and neither will a user's web browsing history. The information is best described as the details surrounding a communication, rather than the communication itself – the envelope, rather than the letter.
Critics of the scheme say this can still provide a number of insights. A phone call made to the number of a divorce lawyer still provides meaning, even without knowing what was discussed, for example. The meaning one can derive from metadata increases when this information is available is bulk. For example, if a user receives a phone call from a doctor, then follows it up with a call to a psychologist.
Who has to retain this information?
All Australian telcos and ISPs are required to retain this data by law.
Certain providers may be granted an exemption from the scheme in cases where the services aren't of interest to law enforcement, or where the cost of the compliance would be too high. These providers are however required to keep their exemption private according to a report published by iTnews. A provider who discloses this exemption would risk having it revoked.
Who can access the collected data?
At least 21 government agencies have warrantless access to the data captured by the scheme. This includes Border Force, the Australian Security Intelligence Organisation, the Australian Federal Police, the Australian Crime Commission, state police forces, anti-corruption commissions, the Australian Securities and Investments Commission, and the Australian Competition and Consumer Commission.
The Attorney General is able to add additional agencies to this list at his discretion. A parliamentary committee has recommended that the Australian Tax Office be added to the list of agencies that can access data captured by the scheme.
Why is it being retained?
The Federal Government, who proposed the bill, believes it is essential in fighting terrorism, child abuse and other serious crimes.
"By passing this Bill, the Parliament has ensured that our security and law enforcement agencies will continue to have access to the information they need to do their jobs," wrote Attorney General George Brandis and former Communications Minister Malcom Turnbull in a joint media release following the passing of the data retention Bill.
"No responsible government can sit by while those who protect us lose access to vital information, particularly in the current high threat environment."
Why are people concerned about this?
There are three key factors as to why people are concerned about data retention: privacy, fear of a hack, and cost of implementation.
Greens Senator Scott Ludlam was a vocal opponent of the Bill, going as far as calling it "massive, passive surveillance", while it was under debate in Senate.
"It is corrosive of the very freedoms governments are meant to protect."
From a security perspective, data retention stores used by providers have been described as a honey pot for hackers. Ethical hacker and director of Whitehack Adrian Wood told CyberShack that even if an attacker didn't see a financial opportunity, they could be driven by ideology.
"We've seen a spate of hacks primarily motivated by ethics rather than money," said Wood. "Giving the government such a massive middle finger is probably a greater incentive than money ever could be to an even more dangerous and skilled group of hackers."
As with the Ashley Madison hack, Wood said information revealed through an attack on data stores could potentially be used to blackmail individuals.
"The main difference is, Ashley Madison was an opt-in service, and this is a mandatory invasion of privacy."
Wood also suggested that other governments could potentially be interested in stealing the data retained under the scheme.
"My main fear is another government stealing the information, this data could be very valuable to other governments who'd like to do harm to our corporations and our people. There certainly is plenty of precedent for it."
Australian businesses, including ISPs and telcos, are currently not required to notify customers of breaches.
Lastly, providers have raised concerns in regards to the cost of implementation. While the government will provide AUD$128.4 million towards the scheme, it has yet to detail how this will be distributed between providers.
"Industry is still seeking clarification from government about how the funding allocated to the significant cost of systems set up and on-going data retention will be distributed among the carriers," said a Vodafone spokesperson in a statement provided to CyberShack.
It is possible that any shortfalls in funding could be passed onto customers.
Are all providers retaining this information from today?
While providers are technically required to start retaining data from today, they were also given the option to submit an implementation plan. Providers who submitted such a plan (and had it approved) have an additional 18 months to implement the scheme, giving them until April 2017.
While the Attorney General's Department has refused to comment on how many providers are currently compliant, a survey of telecommunications body Communication Alliance members revealed that just 16% of providers are ready to retain the data required of them.
Don't providers already have this data?
Some of this data being stored under the scheme is already kept by providers for billing and administrative purposes, but not necessarily for as long a time frame as two years.
According to senior communications lawyer Leanne O'Donnell, the scheme will also require providers to create and capture new categories of data for information they do not currently retain. Data surrounding emails sent using ISP-provided addresses is one area where new categories would need to be created to comply with the scheme.
Where will this information be stored?
Currently, there are no restrictions as to where the data collected under the scheme can be stored, provided it is encrypted. Former iiNet chief regulatory office Steve Dalby previously suggested that internet service providers would try and find the cheapest option for storing data, which at the time of writing was China.
Can the data retention scheme be bypassed?
Data retention is surprisingly easy to bypass. Over-the-top services such as iMessage, Viber, Facebook Messenger, FaceTime, and Skype are all exempt from the scheme. If you're sending a text using iMessage to another iMessage user, the data surrounding that communication won't be stored.
International email service providers such as Google (Gmail) and Microsoft (Outlook.com) are not required to capture and store metadata either.
What's a VPN?
Simply put, a Virtual Private Network (VPN) allows users to access the internet through another computer's connection. Without a VPN, you're probably reading CyberShack from Australia. With a VPN, your connection to the website could be coming via the Netherlands, but relayed back to your computer at home.
As such, a user's provider sees a connection to the server the user is accessing through their VPN service, rather than the site the user is accessing.
Is a VPN a cure all?
Not really. The data retention scheme is more so focused about email, text messages and phone calls. The legislation explicitly states that providers do not have to record a user's web traffic and browser history. While it is possible a provider could still record internet history, iiNet has previously said this would require a petabyte of storage per day for its user base alone. This would dramatically increase an ISP’s hardware requirements.
Nonetheless, a VPN can be used to afford user additional privacy regardless of data retention. When searching for a VPN, ethical hacker Adrian Wood recommends users look for one outside of Australia and the United States, one that doesn't keep logs, and one that is properly encrypted.
Mullvad and Cryptostorm.is are his top picks.
If you've got any other questions about data retention, let us know and we'll do our best to answer