Government officials have no idea where Australians’ metadata, compulsorily retained under its mass surveillance laws by communications providers, is being stored.
Officials of the Attorney-General’s Department made the extraordinary admission today in hearings of the Joint Committee on Intelligence and Security, which is examining the Telecommunications and Other Legislation Amendment Bill 2016. That bill establishes new notification requirements relating to Australian companies’ data security and requires them to “do their best to manage the risk of unauthorised access and interference to networks and facilities” as well as giving AGD and the Attorney-General additional powers of information-gathering and direction.
Committee deputy chair and former chair Anthony Byrne quizzed AGD officials about how much metadata retained under the government’s data retention laws is stored offshore by service providers. Officials said they didn’t know, despite an industry consultation process that commenced in 2012.
One of the key concerns expressed about the mass surveillance scheme — established by the Abbott government in 2015, allegedly in response to growing terrorist threats — was that the metadata of most of the population of Australia would be a highly attractive honey pot for organised crime and hackers. Data held overseas, rather than locally, was of particular concern, with a number of stakeholders such as the Victorian Privacy Commissioner, the Law Council of Australia and the Australian Information Industry Association complaining that the data retention bill did not prevent offshore storage of Australians’ data. The government at that time declined to address those concerns, but promised a mandatory data breach notification scheme — which, after years of waiting, was only just passed this week.
Remarkably, however, despite years of industry consultation, the Attorney-General’s Department has no idea just what amount of data is stored offshore by companies since the scheme began. AGD is currently conducting an inquiry into whether data retention — originally promised by the government to be entirely confined to terrorism and major crime — should be expanded to civil litigants, which would enable organised crime figures suing for defamation, violent partners in Family Court litigation and copyright troll firms to obtain sensitive personal information.
Byrne labelled the department’s ignorance “ridiculous” and “unacceptable”. “So we don’t have any idea of how much data is stored offshore by major telecommunications companies or any companies?” he asked. “No,” bureaucrats replied. Byrne challenged them on whether the current bill would enable AGD to work out where data was being stored, with officials, after some hasty consultation among themselves, saying that it would.
However, the bill only requires notification of changes by services providers “that are likely to make the network or facility vulnerable to unauthorised access and interference”. That is, assuming providers admit that moving data offshore would make it vulnerable (an unlikely scenario — what company would tell its customers it’s moving their data to China and it might make it more likely to be hacked?) — it would only have prospective effect. All existing offshored data would not the subject of notification.
The admission by AGD comes not long after Fairfax revealed an Indian company was illegally purchasing Australians’ metadata sourced from Australian telcos for sale to private interests.