As the government's new national security legislation returns to the House of Representatives to be rubber-stamped, division is emerging among Australian carriers about what metadata they might consider retaining.
Data retention isn't in the current tranche of legislation, but the government intends to put its metadata retention scheme to parliament before the end of 2014. At a parliamentary committee into proposed revisions to the Telecommunications Interception Act, Telstra and Vodafone have given an insight into their different attitudes to holding customer data.
Speaking to the inquiry on Friday September 26, Vodafone said it's trialling systems that would retain customer Web browsing habits, telling the Senate committee that the aim of the system would be service improvement rather than data retention compliance.
The company said as a service trial, the association of IP address with customer browsing (at the site level rather than tracking individual pages) would only be held for 90 days – long enough to help with things like resolving billing disputes. To extend the same system to the two years that intelligence and law enforcement agencies want would cost millions or tens of millions of dollars, the company claimed.
While storage is cheap, Voda said, surrounding the customer data with security, databases to retrieve data, and business processes to make sure the right data is deleted at the end of the data retention period would all load up the costs of the system.
Telstra told the same committee it has no intention to retain mobile users' browsing data, with chief risk officer Kate Hughes saying the carrier only wants to keep “what we need for billing purposes or network assurance purposes.”
In a reference to the security honeypot data retention would create, Hughes noted that if the carrier isn't holding the customer data, “we can't inadvertently breach a customer's privacy and we're not then required to secure it”.
The Register notes that Telstra has previously toyed with collecting mobile users' URL history, in 2012, when its use of Netsweeper software became public knowledge.
It would appear from Telstra's evidence to the Senate committee, that Netsweeper is no longer in the Telstra network.
Not just carrier data?
It has also emerged, via a drop to The Australian, that the government is looking at services like Skype, Twitter and Facebook in its metadata proposals.
The Australian says the consultation paper proposes that “any company” providing communications services to Australians be swept up in the regime.
The Oz quotes from the paper that “Data-retention obligations should not be limited to licensed carriers but should also extend to any entity that provides communications services to the Australian public”.
User information like date of birth, name and address would be retained, the discussion paper says, and if The Australian is correct, services delivered “directly or through contracts involving third parties” are on the wish-list of attorney-general George Brandis. ®