ICT303 – Individual Assessment Briefing Document

In Confidence

Offices of the Minister X

Amendments to the 2015 Data Retention Bill.

Proposal

1. That the Minister considers amendments to the 2015 Data Retention Bill (the Bill) that will reduce the cost of its implementation and address some privacy concerns.

Executive Summary

2. The development of the “Internet of Things” (IoT)1 brings a new and rapidly changing scenario for metadata retention. This scenario has increased the cost of implementing the Bill and created serious new privacy issues. The proposed amendments will reduce the cost of the Bill and address some of these concerns. This will be achieved by reducing the time for which Telcos are required to store metadata to one year and by reviewing the scope and type of metadata to be collected. Scope for exceptions to these amendments is considered in the interest of National Security.

Background

3. The Data Retention legislation passed both houses on 26 March 2015.

4. The legislation:

4.1 Requires telecommunications companies to retain customers’ phone and computer metadata for two years.

4.2 Introduces an independent oversight mechanism.

4.3 Allocates $131 million over three years to help Telcos meet some of the cost of complying with the scheme.

5. The scenario for metadata collection has changed dramatically since 2015:

5.1 IoT brings a new, rapidly and constantly changing scenario for the enforcement of the Bill.

5.2 Currently, more than [xx] billion devices2 are connected to the Internet, ranging from private transport, clothes and kitchen appliances to devices inserted in the human body. This has a great impact on the cost of data collection and citizen privacy.

6. The costs and risks of storing metadata for two years outweigh the benefits. The costs to taxpayers increase but not the benefits. Some of the causes for this are:

6.1 With the development of IoT, new types and ever larger volumes of data are constantly generated. The situation is far more complex than when the law was passed in 2015 because of the great heterogeneity of the data. As a result, the cost of storing and analyzing data is increasing geometrically.

6.2 For the same reason, the costs of keeping data safe from cyber-attacks are systematically growing, and Telcos are requesting that the Government fund the added expenses.

6.3 Since its implementation in 2015, metadata collection has proved to be less effective than expected against its intended targets. Criminals, terrorists and other individuals of interest use easily available workaround methods to evade surveillance. For example, they use strongly encrypted communications, low-latency Internet anonymity networks like Tor, and Virtual Private Networks.

7. New types of data are being created on a regular basis, and it is difficult for Government to keep pace with the fast development of IoT. The massive number of types of metadata created makes it difficult to regulate its collection and analysis across different Telcos.

8. The intrusive nature of some new types of metadata generated by new devices is particularly problematic for privacy. A significant part of this data has limited value for Law Enforcement (and, if necessary, can be obtained by other means) and is very intrusive (e.g. data from health monitoring devices).

9. After the implementation of the Trans-Pacific Partnership (TPP)’s agreements on copyright, the metadata collected has been required in legal processes related to copyright infringements. This discredited the initial intention of the Data Collection Law when it was passed in 2015. The complexity of this scenario is greatly increased by the fact that Australians’ metadata could be stored overseas.

10. Australia has been criticized for its metadata collection laws by international Human Rights organizations. This negatively affected Australia’s bid for a seat on the United Nations Human Rights Council for 2018-20.

11. Issues related to Government funds have strained relations between the Government and Telcos. Cooperation between the Government and the private sector is a core element of the Cyber Security Strategy.

12. Currently, part of the cost of storing metadata is reflected in the price of Internet Services. Telcos attribute this to the Government legislation.

Comment

13. The reduction of the time required to one year will decrease the cost of storing metadata by 50 percent.

14. Identifying and limiting the types of metadata to be collected to those that represent a higher value source of information for Law Enforcement will:

14.1 further reduce the costs, as less useful metadata generated by IoT represents a large percentage of the metadata currently collected;

14.2 facilitate analysis of metadata by focusing on those of higher value for Intelligence purposes; and

14.3 address privacy concerns by stopping the collection of data that is highly intrusive and of less value to Intelligence Agencies and Law Enforcement.

15. The reduction of the scope and time of the collection of metadata will lessen the vulnerability to cyber-attacks by making it more feasible to develop effective technical solutions.

15.1 It is not possible to build systems that are invulnerable to cyber-attacks. However, a more homogeneous collection of data will create a more predictable scenario that will facilitate technical solutions.

16. The one-year period reduces by half the number of new and updated technologies and devices deployed in the IoT during a collection period. This will reduce the complexity of security and analysis, and facilitate the deployment of automated solutions.

17. Intelligence and Law Enforcement Agencies should still be able to seek authorization for prolonging the timeframe of data collection from individuals of interest, as long as the Agencies provide reasonable grounds for it.

18. Savings from this measure can be used for research and development of automated solutions, in collaboration with international partners like the United States of America.

18.1 Current technological developments make it possible to improve targeted collection of metadata for more than one year, using profiles of potential or identified targets. For example, a user’s online behaviours and/or connection to known targets could trigger a metadata collection routine for that user. Individuals identified as “high risk” could also be considered potential targets of metadata collection.

Recommendations

19. That the time for retention of metadata is reduced to one year. Intelligence and Law Enforcement Agencies will still be able to seek authorization for prolonging the timeframe.

20. That the types of metadata collected are reviewed to identify those that may represent the highest value for Law Enforcement and those that are more sensitive for privacy concerns. This will inform a decision on what data should be collected or not.

21. That savings from these measures are invested in the development of technologies that facilitate targeted metadata retention and analysis.