Welcome to Eureka Street

back to site


Data regime will see us funding our own surveillance

  • 09 October 2015

Talk of 'metadata' has largely faded from the headlines outside the tech press. It's a conversation that needs to continue.

From next Tuesday 13 October 2015, telcos such as Telstra, Optus and Vodafone will begin retaining your telecommunications data, as required by the data retention laws passed in March this year.

There's also roughly 400 small internet service providers who, together with the big players, will be required to comply with these retention obligations, subject to any approved Data Retention Implementation Plan and/or any relevant exemption or variation.

There seems to be still much confusion about exactly what data is going to be retained, the scope of the laws, and who will pay.

Data associated with communications services provided by your telco, such as email, mobile and landline phone calls, VoIP and text messaging, will be retained, as will data associated with your internet activity, with the express exception of web browsing history (or destination IP addresses).

Data related to the use of third-party services such as Gmail, Skype, FaceTime and Facebook, or popular messaging apps such as WhatsApp or Wikr, are not captured by Australian retention obligations.

But mandatory data retention is also a data creation regime. Then-communications minister Malcolm Turnbull, talking to ABC radio in March, claimed: 'The only thing the data retention law is requiring is that types of metadata which are currently retained will be retained in the future for at least two years.'

In fact the data retention laws include an obligation on service providers to 'create' data that falls within the data set to be retained, even if they do not currently collect or capture that data.

This isn't nitpicking. The more data that is created, the more the scheme will cost, and the greater intrusion on privacy and risk of data breach.

Australian companies are not compelled to notify their customers if their privacy may have been compromised by a data breach. We're still waiting to see the consultation on mandatory data breach notification laws which were promised to be introduced by the end of this year.

Who can access this data, and for what reason? The Australian stated in an editorial last month: 'We have no quarrel with the law's broad purpose to preserve metadata ... so counter-terror agencies can prevent attacks and prosecute wrongdoers.' But the truth is there aren't any safeguards to limit the access and use of your retained data to preventing or investigating terrorism or other serious crimes.

Unlike the laws