This Week In Your Metadata: Government Wants It, Telcos Don't Mind

A Federal Government committee met in Canberra yesterday and today to talk about mandatory retention of your telecommunications metadata for (at least) two years, bringing in telecommunications companies and industry groups to share their thoughts and to face grilling from a line-up of senators and MPs. The general gist? It looks like the data retention scheme is going ahead, and Australia's biggest telcos seem happy to help.


Both Telstra and Optus said during their appearances at the PJCIS hearing these past two days that the data retention proposal is "basically workable" and could be implemented, but that it may take as long as two years to put an appropriate data-catching filter into action.

Crucially, both Optus and Telstra are keeping quiet on their estimated costs of implementation. Number three telco Vodafone says the volume of data will amount to petabytes, and Optus has explicitly said that it will incur "significant costs" putting a scheme into place.

Possibly the biggest problem with any data retention scheme is the potential for that data to be used by an increasingly wide range of agencies for an ever-expanding portfolio of uses. Corporate watchdog ASIC lobbied the PJCIS Thursday for warrantless access to metadata despite being left off the initial list of approved agencies (like the AFP and ASIO), and Telstra believes metadata could be used in future piracy lawsuits.

Moreover, a central retained-metadata repository at every telco would be at high risk of being accessed by hackers. Bringing a wide and diverse range of data into one place, rather than keeping it in all its current constituent parts, would make it an incredibly attractive honeypot and a one-stop shop for compromise. According to Telstra, present the two options to any hacker and "you'd go for [the data retention scheme] system, because it would give you the pot of gold".

Importantly, the government has included no rules for data destruction within the retention scheme, as pointed out by both Optus and the Inspector General of Intelligence and Security (IGIS). As well as leaving Optus in the dark about what it is actually supposed to do at the end of the proposed two-year retention mandate, it also means that data could be retained for longer periods with little or no oversight.

Strangely enough, self-styled "we fight for the users" telco iiNet was not present at the hearings. Its attitude is that its energy is best spent arguing for a more specific data set.

The committee's report is due in less than a month, with no data set or cost of implementation made public.