The government’s controversial cybercrime bill won’t come on for debate in the Senate this week. The bill, designed to enable Australia’s accession to the draconian European Cybercrime Convention, is likely to be debated when the Senate next sits in October. However, due to Senate estimates hearings, there are only three Senate sitting days in October. The bill might yet slip to November.
Crikey understands, however, that ISPs, including Telstra, continue to have significant technical concerns about the bill’s requirements that ISPs store data at the request of foreign governments. The bill assumes that ISPs can easily and readily intercept and store all the traffic and content data of an individual customer without additional cost or specialised systems. No provision is made in the bill for assisting ISPs with the cost of interception and storage.
However, the blithe assumption on the part of ASIO, the AFP and the Attorney-General’s Department that interception and storage of customer information by ISPs would be a simple process appears to have been wrong. According to one ISP speaking confidentially, a key problem is that ISPs use “load balancers” to distribute incoming data requests across their own equipment, making tracking the path of an individual request significantly harder than through the single process assumed by government. Storage capacity also appears to be an issue. Telstra advised the bipartisan Joint Select Committee on Cyber Safety, which did a quick inquiry into the bill and was mostly ignored for its trouble, that:
Telecommunications networks and systems currently deployed by C/CSPs [carriers and carriage service providers] allow for the preservation of stored communications for a short period of time allowing law enforcement agencies to obtain the necessary warrant. However, under the proposed new provisions, C/CSPs will be expressly required to preserve information for up to 180 days which will have a major impact on these networks and systems. In some cases, the existing networks may require significant modifications or even replacement to ensure compliance with such long information preservation periods. Time is required for any such modifications or replacements to be scoped and tested to determine the impacts. Time will also be required for the Lead Agency to provide C/CSPs with the technical information needed to design and build to the network structure required from the proposed new legal framework.
Telstra wants not merely a delay in the bill – the government has already agreed to amend the bill to delay commencement for three months after Royal Assent – but a process for ISPs to be temporarily exempted from the bill until they can reconfigure their systems and equipment. The Communications Alliance and the Australian Mobile Telecommunications Association jointly told the committee that the bill “may necessitate substantial changes to current operational procedures and resourcing at an industry level. Further, to the extent the 24/7 contact point is passed on to the C/CSP level, this will also affect procedures and resourcing. Industry will review existing cost recovery arrangements to adequately reflect the additional burden imposed.”
Attorney-General Robert McClelland may well be eager to ensure the passage of the bill — which in its original form had a flaw that prevented accession to the Cybercrime Convention — before he travels to Strasbourg for the “Octopus Conference” on “Co-operation against Cybercrime” in November, which promises to “provide an opportunity to interface for cybercrime experts from public and private sectors as well as international and non-governmental organisations from all over the world.”