Inside Australia's data retention proposal

Telecommunications industry sources have called the claims by Attorney-General media relations that web browsing history would not be recorded in a controversial data retention proposal a bit cute and a question of terminology and semantics.

The Attorney-General's Department has been looking at the European directive on data retention, to consider whether such a regime is appropriate within Australia's law enforcement and security context, the Attorney-General's Department had said. It has consulted broadly with the telecommunications industry.

Data retention requires telecommunications providers, including internet service providers (ISPs), to log and retain certain information on subscribers for local enforcement agencies to access when they require it.

Importantly, the EU directive requires ISPs to retain data necessary to trace and identify the source, destination, date, type, time and duration of communications — and even what communication equipment is being used by customers and the location of mobile transmissions.

Importantly, the EU directive requires ISPs to retain data necessary to trace and identify the source, destination, date, type, time and duration of communications — and even what communication equipment is being used by customers and the location of mobile transmissions.

For telephone conversations, this means the number from which calls are placed and the number that received the call, the owner of the telephone service and similar data such as the time and date of a call's commencement and completion.

For mobile phone numbers, geographic location data is also included. The data is retained for periods of not less than six months and not more than two years from the date of the communication.

There was more material in a data set the Attorney-General's Department gave telecommunications companies that the source found a bit frightening. They want allied personal information with that account, including, [the department] said, passport numbers.

The customer that we

So they're asking for all details of the customer that we would hold on record, which includes anything, like multiple email addresses.Industry consultationsA consultation in March this year, just three months ago, was held with industry to discuss the data retention proposal. It's understood that this was the first formal consultation with the telecommunications industry, with a number of telcos in attendance.

Representatives from telecommunications companies Telstra, Optus, iiNet, Internode, Nextgen and the Comms Alliance were in attendance, among others, according to an industry source.

The briefing in March saw industry members involved given hand-outs discussing the proposal. Each document handed to industry members was marked in red with a message stating: This document is provided in-confidence to telecommunications industry participants for consultation purposes and is not for further distribution outside your organisation, according to one source.

Asked to clarify whether the Attorney-General's Department expected a telecommunications provider to perform deep packet inspection (DPI) to collect all the data that is in the proposed data set — which includes email addresses of sender and recipient, session initiation protocol identifiers and instant message screen names — or whether those only applied to the actual providers of email services, Voice over IP (VoIP) services and instant messenger services, the department's response, according to the notes, was to the effect of if you don't like the data set you'll be able to ask for an exemption from the parts you don't like.

Another source close to the consultations told ZDNet Australia that telecommunications providers currently only retained data necessary for operational and financial purposes, which is often stored for years. The current proposal, even forgetting whether web browsing history would be recorded, went much further than that, the source said.

The meeting notes

According to the meeting notes, one law enforcement agency in attendance at the briefing raised concerns with the increasing use of encryption, off-shore service providers for email, VoIP and uptake of IP-based services that have less logging than telephony services. Also raised by that agency was that some telecommunications companies didn't log the data they wanted.

Details of how many requests the Australian Federal Police (AFP) made for telecommunications data — without interception warrants — between 2008-2009 was also revealed at the briefing.

The AFP, according to the meeting notes, made more than 16,000 requests to over 50 telecommunications companies for data during that period. According to the note, the AFP told the briefing that it wanted to automate the process of requesting and obtaining access to telecommunications data.