Vodafone calls for clarity on metadata retention, warns of costs


Law enforcement should bear costs if telcos required to retain more records

Vodafone has warned the Joint Parliamentary Committee on Intelligence and Security's inquiry on data retention that retaining detailed information on mobile data usage by customers could involve a significant cost for operators. Matthew Lobb, the telco's general manager industry strategy and public policy, also called for clarity on the retention of so-called metadata about customer usage of mobile networks.

Lobb told the inquiry that Vodafone currently retains information only for billing purposes. In the case of data usage on mobile devices, that is generally just details about the time a data session is initiated and by which device, the amount of data downloaded, and the cell on the telco's network in which the session occurred.

"The main message we would make is that let's think about this in terms of we've currently got: An arrangement for call records and that's proved to be useful [for] investigations. What's required to emulate that in the data world? Certainly the industry's concern is that this is a broader objective than that, and the EU directive [on data retention] that the attorney-general mentions in her letter [to the inquiry] is a good starting point.

"But there is some vagueness about what, for example, providing a record of the location, what exactly does that mean? Does that mean the cell area? Does it mean that we're required to provide location within the cell?"

A letter sent by Attorney-General Nicola Roxon to the joint committee claimed that a new data retention regime would not cover the contents of communications, but instead relate to so-called metadata. In the case of phone calls, this relates to the number dialled from a particular handset, the time the call occurred and its length.

"The Government does not propose that a data retention scheme would apply to the content of communications. The content of communications may include the text or substance of emails, SMS messages, phone calls or photos and documents sent over the internet," the letter stated.

A declassified submission by ASIO to the inquiry stated that "For many years law enforcement and security agencies (as well as many others) have been able to request CAD [communications associated data] from any carrier or carriage service provider. Agencies access … this information through an internal authorisation. This power already exists; a brand new power is not being sought..."

"agencies are looking to access the same general information they have been accessing for many years; information that would enable them to trace the participants of a communication in retrospect, when the communication occurred and ideally where the parties were."

Retaining more data beyond what is currently retained for billing could impose a significant financial burden on operators, Lobb said. In addition, the retention of some information could create a security risk. "What we would be saying is certainly from a cost point of view, from a risk point of view, from a privacy point of view and from a business point of view that [the data retained] should be the minimum requirement that's useful for the [law enforcement] agencies as opposed to a broader set of requirements above and beyond the current traditional approach."

Lobb said that there are cost recovery arrangements in relation to call interception and other information, such as billing records, currently available to law enforcement agencies. If new data legislation requires information that is more detailed than the data currently retained by the telco as business records for billing and auditing purposes, then that cost should be borne by the government or law enforcement agencies.

Lobb said that there needed to be clarity on what kind of metadata would need to be retained.

"If you're talking about location within the cell [that a data session takes place] that's an enormous expense. So if it's as simple as a session occurred, a data session occurred, and maybe it went to the first URL, this is what happened, [then] that's manageable. I think it would be expensive but manageable.

"If it's every single URL they went to, [the] amount of data that was used in particular downloading events and similarly with the location, that's when the cost across all your categories increases dramatically and capture becomes extremely expensive.

"So actually having the systems to be able to get information for the agencies that we wouldn't be otherwise interested in storing or capturing."

Yesterday police commissioners appearing before the joint committee said that although law enforcement would like communications data to be kept indefinitely, they have compromised on a two-year period for data retention following negotiations with the Attorney-General's department.
