iiNet has made public its response to the government's industry consultation paper on mandatory data retention, as proposed under new broad national security laws. The activist telco says that the majority of the customers it consulted are against the proposal, that the procedures would add significant cost to its bottom line that would be passed on to customers, and that there is no evidence the new regime will be more effective in law enforcement.
The response published by iiNet is clear in its attitude to the topic of data retention. The opening statement does not mince its words: "Blanket data retention is mass surveillance. It is not something that we currently do, and would add significant costs to the way we do business."
There are five pillars, explained in more detail throughout the paper, that iiNet objects to the data retention regime on. They are, in order —
The basis of our objection to mandatory data retention includes:
- a lack of evidence suggesting changes to the current laws will prove more effective than existing laws, where we already cooperate with law enforcement agencies;
- a lack of justification as to why we should be monitoring our customers for two years on the chance this data may help an investigation;
- no explanation why the existing (and less than two-year-old) preservation notice regime is insufficient;
- ISPs are not ‘agents of the state’ but if we are compelled to take this role, the government should be responsible for the storage and security of this data; and
- an international trend away from blanket data retention by progressive governments, particularly in Europe.
With almost two million customers across internet, telephone and IPTV services, iiNet is one of the largest telecommunications players in Australia and would therefore be strongly impacted by the government proposals to force ISPs to store data on their users' online activities, at their own cost. Contrary to government suggestions, iiNet says, it does not already store the data on customers that the government is looking to retain and later access: "In many instances we don’t store how a customer used to have their service and settings configured as we provide the service in response to how our customer has requested it that particular day."
A huge list of customer data is proposed to be mandated to be stored as part of the retention regime; iiNet's explanation of the requested info stretches to 20 dot points, including the level of bandwidth available to a customer, physical locations of devices and connections, communications logs including internet traffic destinations and upload/download volumes, and a swathe of personally identifiable information on customers themselves. iiNet says that the regime would require it to create entirely new categories of data to retain, including the access logs for over 3.5 million emails sent and received on its network daily.
The iiNet response's overarching theme is concern over ambiguity in the consultation paper's language, with terminology like "network identifiers" and "location identifiers" not detailed enough to itself identify specific classes of information. That information is often shared across multiple ISPs due to the distributed nature of the internet, and therefore the responsibility for capturing and maintaining data is equally convoluted and confusing.
All of this is wrapped up in iiNet's efforts to maintain its customers' privacy, not to retain data that is not relevant to its operations as a money-making enterprise and as a publicly-traded business entity, and to not act as "agents of the state". iiNet is only one of many voices in the data retention argument, but it is a strong one, and it is strongly speaking out against the proposed regime. [iiNet]