Revealing which telecommunications providers have been granted exemptions from a requirement to encrypt information covered by the data retention scheme could expose them to security risks or public ridicule, according to officials at the Department of Home Affairs.
The legislation implementing Australia’s data retention regime requires that service providers “must protect the confidentiality of information” retained to comply with Section 187A of the Telecommunications (Interception and Access) Act through “encrypting the information” and “protecting the information from unauthorised interference or unauthorised access”.
However, the Communications Access Co-ordinator (CAC) — a function that currently sits within Home Affairs – is empowered to sign off on Data Retention Implementation Plans (DRIPs) that exempt a service provider from the obligations of Section 187BA (which outlines the encryption requirement).
Earlier this year Optus revealed that it would have struggled to comply with its data retention obligations if it hadn’t been granted an exemption from the metadata encryption requirement. Optus revealed in a submission to a review of the data retention scheme by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) that it had “applied for and received limited exemptions from the encryption obligation”.
An Optus spokesperson said at the time that the telco had “received some initial exemptions relating to legacy systems” that were “very limited in scope and conditional on other significant compensating controls being in place to protect the security of the data.”
Computerworld has repeatedly sought details from Home Affairs about which other telecommunications providers were granted partial or full exemptions from the encryption obligation, but the department has not issued a response.
A Freedom of Information request lodged earlier this year was rejected on the grounds that releasing the names of telcos granted an exemption would be a breach of confidence and that it would “cause detriment to the service provider/s”.
As part of an internal Home Affairs review of the FOI decision the Office of the CAC was consulted.
The review decision stated that the advice of the CAC was that releasing the relevant document “could expose the telecommunications service providers to commercial or criminal exploitation of the security practices put in place to protect retained data”.
“Specifically, the Office of the CAC noted the potential risk that releasing a list of the providers granted full or partial exemptions, without detail or supporting context, could create the perception that those companies had inferior security practices,” states the review decision, which upheld the initial rejection of the FOI request.
“Further, the Office of the CAC noted that releasing the names of the providers granted exemptions could allow nefarious actors to infer trends based on these exemptions and surmise broader security practices. Either of these eventualities would be to the detriment of the providers in question.”
The review decision states that if the document containing the name of the telcos was released “any service providers identified on (or absent from) the Document could result in a threat to safety (via exploitation of its security systems), financial loss, and exposure to ridicule or public criticism.”
“Australians are already having the metadata of their private interactions constantly recorded and collected, in an unethical and warrantless system that is completely unnecessary,” Tim Singleton Norton, the chair of advocacy group Digital Rights Watch (DRW), told Computerworld.
“The very least that anyone could presume is that this data is being housed and protected properly through strong encryption.
“The exemptions to this encryption requirement being handed out to telecommunication companies show the reality of this regime - that it is a huge, complicated, and expensive imposition on their business.”
“It's clear that the government has no respect for the individual privacy of Australians - from providing itself with the power to break encrypted protocols, to allowing these exemptions to the security of metadata collected. It's time for the mass surveillance of our citizenry to come to an end,” the DRW chair said.
The metadata encryption obligation was not included in the original data retention bill. It was added following a February 2015 bipartisan report from the PJCIS that recommended the bill “be amended to require service providers to encrypt telecommunications data that has been retained for the purposes of the mandatory data retention regime.”
In its report from that inquiry, the PJCIS noted that there were “security risks associated with the proposed mandatory data retention scheme and the potential for increased unlawful access to personal information”.
Based on the evidence presented during its inquiry, the committee concluded that “data encryption is a necessary and appropriate measure in order to secure retained data and that this requirement should be included in the Bill”.
The PJCIS said, however, that the CAC should be allowed to “authorise other robust security measures” in “limited circumstances in which technical difficulties prevent encryption from being implemented in existing systems”.
(The PJCIS also recommended the implementation of mandatory data breach notification scheme by the end of 2015; rules giving effect to that recommendation .)
The first PJCIS public hearing as part of the review of the data retention scheme will be held tomorrow.