Tuesday, March 10, 2015

Retention v creation? Turnbull is wrong on metadata



Government ministers have had trouble convincing voters they know what they’re talking about when they spruik ‘metadata’ retention.

From Attorney-General George Brandis’ embarrassing inability to complete a sentence when asked to define metadata, to Prime Minister Tony Abbott’s incomprehensible postal analogy, the topic has appeared beyond the grasp of the pre-Internet-generation front bench.

Even Communications Minister Malcolm Turnbull, with his capacity to smooth-talk a path through political thickets, hasn’t managed to convince technically savvy voters that he’s on top of metadata.

If he hasn’t personally waded through the Parliamentary Joint Committee’s 350-page report into the Data Retention Bill, he should at least avoid making comments that are wrong – like the assurance the bill retains a degree of status quo.

Mr Turnbull has repeatedly insisted the legislation is not requiring “telcos to record or retain information they are not currently recording”.

“That is information that is already being kept and it’s clearly, it’s, it’s an essential part of the [Internet Service Provider’s] business,” he said on ABC radio in August last year.

He went on to say that “obviously, if you were asking them to capture a whole additional set of data – you know, log sessions and so forth – which they are not currently recording or retaining” costs would increase.

He has given the same assurances on the Today show (“data that they are currently recording”) and most recently on ABC’s 7.30 (“do what they are currently doing”).

The importance of the assurance that service providers will only be required to retain data they are currently recording is reflected in the number of times it has been given.

If there were requirements on service providers to collect additional data, concerns about costs and intrusions into people’s privacy would increase.

But Mr Turnbull is wrong.

The data retention bill, if passed in its current state, or with the amendments recommended by the joint committee, will include an element of data creation.

Section 187A(6) of the bill covers this scenario by requiring that service providers retain certain data even if they are not currently doing so.

The government’s explanatory notes for the bill make it clear that if service providers are not creating the required metadata in their current business practices, then they are “required to use other means to create this information”.  

In its submission to the committee, the Communications Alliance criticised the metadata retention proposals as “a data creation regime as well as a data retention regime for all those providers who do not presently retain” all of the proposed types of data.

ASIO and the Attorney-General’s Department concurred that some data, while available to service providers, exists only fleetingly and is not currently retained.

ASIO provided an indication of the current retention times showing that some Internet service providers don’t retain data that will be required:

Inline image 1



Due to the way some services are purchased, and changing technologies, not all service providers keep data about individual Internet connections – shown above as “0 days”.

Under the new bill, all service providers will be required to keep information about source, destination, date, time and duration of an Internet connection.

This may not apply to a sixth category of data not listed in the above table: the most sensitive data being proposed under the committee’s recommended amendments to the bill – location data. 

The committee recommended that the government mandate the collection and retention of data that provides information about “the location of equipment, or a line, used in connection with a communication”.

This is the most controversial metadata proposed for retention. The committee’s intention is that this be confined to the location of a device at the beginning and end of a “session” – such as the cell-tower to which a phone connects at the beginning and the end of a call.

The definition excludes “continuous” location records: GPS data, geo-tracking and what Senator Scott Ludlum describes as “your precise location everywhere you’re carrying your mobile phone”.  However, the nebulous definition of a ‘session’ renders it contentious.

The Australian Privacy Commissioner submitted that even the limited scope of location data could become the equivalent of location tracking in some instances.

In any case, not all service providers currently collect and retain data about the location of devices at the beginning and end of communication sessions.

The Communications Alliance spokesperson said told the committee “on the mobile side, any information about mobile location may not be being stored in systems at all because there is simply no business reason to keep track of where your customers are”.

He added that providers “may keep that for a very short period of time to deal with customer complaints or technical complaints about the operation of your network”.

A small and convoluted section of the bill appears to limit the collection of location data to only that which service providers actually use – although the wording is laden with double negatives and vague terminology making it difficult to comprehend.  The government’s explanation is no clearer:

“[A] service provider is not required to keep information about the location of a telecommunications device that is not information used by the service provider in relation to the relevant service to which the device is connected.  This could include, for example, a record of which cell tower, base station or other network access point a device was connected to.”

So it appears that service providers don’t need to retain location data if they don’t ‘use’ it.  Lawyers, good luck with that.

The question of whether location information should be retained by service providers and accessed by law enforcement agencies at all is worthy of an entirely separate discussion. 

What’s important here is that the data retention scheme does contain an element of data creation – and the responsible minister should at the very least be aware of, and preferably up front, about this.

No comments: