Australian telecommunications companies and internet service providers were given until January 9th, 2015 to offer an estimate of what it will cost them to comply with data retention laws, and appear to have been told of that deadline on Christmas Eve.
The Register has sighted an email sent from a senior executive of the Communications Alliance, an industry group, to over 40 carriers. Dated December 24th, the email included a document titled “Industry FAQs on the Government’s proposed data retention obligations” dated “December 2014”.
The email also included the following text:
“Following the introduction of the Telecommunications (Interception and Access) Amendment (Data Retention) Bill, the Attorney-General’s Department has engaged PricewaterhouseCoopers (PwC) to develop a detailed estimate of the capital investment required by industry to comply with the proposed data retention requirements.
Communications Alliance is helping PwC to distribute a short set of questions (attached) on the likely impact of these requirements on your organisation, to help PwC develop an overall estimate of the capital investment required.”
The email offers a deadline of “cob Friday 9 January”.
The Register has since learned that the deadline has been extended until January 16th, after negative industry feedback on the first deadline.
While the metadata of the documents we've seen offer a “created” date of December 24th, The Register cannot say with certainty if the Attorney-General’s Department, The Communications Alliance or PwC distributed the information and questions for the first time on December 24th. We understand some carriers received this information for the first time on Christmas Eve, but cannot say with certainty this was the case for all carriers. It's hard to find out because it's a holiday!
If Christmas Eve was the date of delivery, the timing is extraordinary: there were just nine working days between December 24th and January 9th, and many Australians take holidays at this time of year. Even with a new deadline of January 16th, it is unlikely telcos and carriers will be able to assemble an “A-team” during this time, perhaps making this consultation less than optimally rigorous.
Even if the request was first communicated on December 1st, and even with the extra week, carriers will be making assumptions about a draft metadata data set. It's hard to say if their attempts to do so will yield a useful estimate for the final data set the government adopts.
The PwC questionnaire, which we believe to be authentic as its metadata contains the names of two Associate Directors, includes two extraordinary questions:
“What operational benefits would the additional stored data provide to your business?”
“How would your estimated upfront capital costs change if the mandatory data retention period was different to that currently proposed? (12 and 36 months)”
The questionnaire is otherwise anodyne, asking for subscriber numbers and for respondents to offer “estimated upfront capital expenditure to comply with the proposed requirements.”
There are also questions asking for “the most significant drivers of the costs you have identified above” and future capital costs.
The main part of PwC's data retention cost questionnaire
PwC's involvement and the timeframe are not unexpected. The firm's known to have been aboard since October 2014 and the first report (PDF) on the metadata retention laws says that the government is committed to making a “substantial contribution to both the cost of implementation and the operation of this [metadata retention] scheme.”
“PwC and AGD will engage with industry over the course of December 2014 and January 2015 to develop a model for making that contribution.”
The Register will watch with interest to see just what kind of model emerges from the scanty information the questionnaire calls for.
The FAQ appears, on the basis of a “why are you working instead of eating the leftover ham”-style reading of the document, not to offer any new revelations about the regime. But it does offer lots of information on the practicalities of data retention: carriers will be able to compress data, outsource its storage, and apply existing security regulations outlined in the Privacy Act, Telecommunications Act and “other relevant standards (such as the Payment Cards Industry Standard)”. No recovery time objective is set other than that retrieval times be swift enough that they do not hinder investigations.
The FAQ explains that carriers will be required to log “communications sessions” of two sorts:
Which leads to this explanation of how an application like email might be monitored:
An email session is defined at the application service level as starting when a user connects to the mail server to check their email and finishing when that user disconnects from that mail server. However, each email sent and received during that session is an individual, discrete communication. As such, providers of email services will be required to keep records about each email. This is different to the access service level communication session, defined as starting when that user logs onto their internet service via an access network, such as ADSL, and finishing when that user logs off from that network. Each packet sent and received over an access service is a ‘communication’, however these packets together constitute a single communications session. As such, if carrier ABC provides the access service, then it retains communication session records appropriate to its level (such as the time the user logs on and off and its allocated network identifiers).
The FAQ also attempts to make it clear that carriers won't be required to record the content their users access, explaining that the draft legislation includes a “note [that] puts beyond doubt that a service provider that operates an internet access service is not required to keep information about their subscribers’ web browsing history for that service.”
“Although the note identifies web browsing as a specific application of the exclusion, the section applies to all internet protocols that run OTT of an internet access service,” the FAQ continues, and “providers of internet access services will not be required to keep destination addresses for SIP, FTP and other protocols running over the top of their internet access service – provided that they do not operate these services.” ®