When Australia implemented its telecommunications data retention regime, privacy wonks worried about the potential for scope creep. The same warnings have been made about the government's proposed encryption-busting legislation.
When's a backdoor not a backdoor? When the Oz government says it isn'tREAD MORE
The Communications Alliance yesterday made public a list of 80 bodies (PDF) that have asked its members to hand over subscriber metadata, and warned that scope-creep could happen with Australia's "Access and Assistance" draft legislation – which calls for anyone using or selling communications services in the country to be subject to police orders for access to private data.
When the regime came into effect in 2015, only 20 law enforcement and security agencies were given the right to ask telcos to hand over stored comms data without a warrant.
However, the government amended the legislation to provide other organisations access if they could produce a court order.
The Communications Alliance polled its members about the requests they received in response to a request from the Parliamentary Joint Committee into Intelligence and Security (PJCIS). That committee is holding hearings into the government's proposed crypto-busting legislation, and the request for information arose during a hearing last month.
Communications Alliance CEO John Stanton said his group was warning that the Access and Assistance bill could have the same sort of unexpected consequences as occurred with the data retention legislation.
"One of the things that makes us really nervous about the encryption bill is not just the fact that it's full of outrageous provisions, but there are potential unintended consequences," he told The Register.
When he told the PJCIS hearing there were many more organisations requesting access than the 20 listed in the legislation, he was asked to back it up, so the alliance asked its members to identify who had made requests.
The result was a long list (PDF) of bodies in this document. While the Australian Federal Police or Australian Tax Office are unexceptional, the presence of Australia Post's Corporate Security Group, various local councils, the Department of Agriculture, the Fair Work Building and Construction Commission, and the Taxi Services Commission in the list could raise eyebrows.
In the document, the alliance added that it wasn't able to identify all the requests that resulted in disclosures.
Stanton said the huge number of requests arose not because of Section 313, which limited the warrantless supply of data to 20 agencies, but Section 280, which allowed other bodies to request data under various kinds of court orders.
That section, he said, "places carriers in a difficult position. When a council in Tasmania says 'we want data under Section 280, and we have the right', what does the carrier do?"
Stanton added that judging the legitimacy of a request isn't in the scope of most telcos and service providers.
"So you have a barrage of requests coming in from all manner of entities, which may or may not be legitimate requests."
Stanton said it could be argued the industry should have understood the implications of legislation back in 2014 and 2015. "Certainly, we didn't anticipate it, and maybe that's a failing on our part.
"I've hesitated calling it a 'back door'... but it's certainly a way in." ®