Christmas Eve email asked Oz telcos for metadata retention costs by Jan 9th

7-day extension allowed for questions inc. 36-month retention option and benefits to telcos of storing data

Australian telecommunications companies and internet service providers were given until January 9th, 2015 to offer an estimate of what it will cost them to comply with data retention laws, and appear to have been told of that deadline on Christmas Eve.

The Register has sighted an email sent from a senior executive of the Communications Alliance, an industry group, to over 40 carriers. Dated December 24th the email included a document titled “Industry FAQs on the Government’s proposed data retention obligations” dated “December 2014”.

The email also included the following text:

“Following the introduction of the Telecommunications (Interception and Access) Amendment (Data Retention) Bill, the Attorney-General’s Department has engaged PricewaterhouseCoopers (PwC) to develop a detailed estimate of the capital investment required by industry to comply with the proposed data retention requirements.

Communications Alliance is helping PwC to distribute a short set of questions (attached) on the likely impact of these requirements on your organisation, to help PwC develop an overall estimate of the capital investment required.”

The email offers a deadline of “cob Friday 9 January”.

The Register has since learned that the deadline has been extended until January 16th, after negative industry feedback on the first deadline.

While the metadata of the documents we've seen offer a “created” date of December 24th, The Register cannot say with certainty if the Attorney-General’s Department, The Communications Alliance or PwC distributed the information and questions for the first time on December 24th. We understand some carriers received this information for the first time on Christmas Eve, but cannot say with certainty this was the case for all carriers. It's hard to find out because it's a holiday!

If Christmas Eve was the date of delivery the timing is extraordinary: there were just nine working days between December 24th and January 9th, and many Australians take holidays at this time of year. Even with a new deadline of January 16th, it is unlikely telcos and carriers will be able to assemble an “A-team” during this time, perhaps making this consultation less than optimally rigorous.

Even if the request was first communicated on December 1st, and even with the extra week, carriers will be making assumptions about a draft metadata data set. It's hard to say if their attempts to do so will yield a useful estimate for the final data set the government adopts.

The PwC questionnaire, which we believe to be authentic as its metadata contains the names of two Associate Directors, includes two extraordinary questions:

“What operational benefits would the additional stored data provide to your business?”

“How would your estimated upfront capital costs change if the mandatory data retention period was different to that currently proposed? (12 and 36 months)”

The questionnaire is otherwise anodyne, asking for subscriber numbers and for respondents to offer “estimated upfront capital expenditure to comply with the proposed requirements.”

There are also questions asking for “the most significant drivers of the costs you have identified above” and future capital costs.

The main part of PwC's data retention cost questionnaire

PwC's involvement and the timeframe are not unexpected. The firm's known to have been aboard since October 2014 and the first report (PDF) on the metadata retention laws says that the government is committed to making a “substantial contribution to both the cost of implementation and the operation of this [metadata retention] scheme.”

“PwC and AGD will engage with industry over the course of December 2014 and January 2015 to develop a model for making that contribution.”

The Register will watch with interest to see just what kind of model emerges from the scanty information the questionnaire calls for.

The FAQ appears, on the basis of a “why are you working instead of eating the leftover ham”-style reading of the document, not to offer any new revelations about the regime. But it does offer lots of information on the practicalities of data retention: carriers will be able to compress data, outsource its storage, and apply existing security regulations outlined in the Privacy Act, Telecommunications Act and “other relevant standards (such as the Payment Cards Industry Standard)”. No recovery time objective is set other than that retrieval be swift enough that it does not hinder investigations.

The FAQ explains that carriers will be required to log “communications sessions” of two sorts:

Access Service (lower level) — the communication session is bounded from authentication (i.e. log-on) to de-authentication (i.e. log-off).

Application Service (higher level) — the communication session is bounded from application-level session establishment messages to application-level session terminating signalling messages.

Which leads to this explanation of how an application like email might be monitored:

An email session is defined at the application service level as starting when a user connects to the mail server to check their email and finishing when that user disconnects from that mail server. However, each email sent and received during that session is an individual, discrete communication. As such, providers of email services will be required to keep records about each email. This is different to the access service level communication session, defined as starting when that user logs onto their internet service via an access network, such as ADSL, and finishing when that user logs off from that network. Each packet sent and received over an access service is a ‘communication’, however these packets together constitute a single communications session. As such, if carrier ABC provides the access service, then it retains communication session records appropriate to its level (such as the time the user logs on and off and its allocated network identifiers).

The FAQ also attempts to make it clear that carriers won't be required to record the content their users access, explaining that the draft legislation includes a “note [that] puts beyond doubt that a service provider that operates an internet access service is not required to keep information about their subscribers’ web browsing history for that service.”

“Although the note identifies web browsing as a specific application of the exclusion, the section applies to all internet protocols that run OTT of an internet access service,” the FAQ continues, and “providers of internet access services will not be required to keep destination addresses for SIP, FTP and other protocols running over the top of their internet access service – provided that they do not operate these services.” ®
