Oz telcos' club asks: Why the hell do Australia Post, rando councils, or Taxi Services Commission want comms metadata?

Tells gov.au: There's your scope creep

When Australia implemented its telecommunications data retention regime, privacy wonks worried about the potential for scope creep. The same warnings have been made about the government's proposed encryption-busting legislation.




The Communications Alliance yesterday made public a list of 80 bodies (PDF) that have asked its members to hand over subscriber metadata, and warned that scope-creep could happen with Australia's "Access and Assistance" draft legislation – which calls for anyone using or selling communications services in the country to be subject to police orders for access to private data.

When the regime came into effect in 2015, only 20 law enforcement and security agencies were given the right to ask telcos to hand over stored comms data without a warrant.

However, the government amended the legislation to provide other organisations access if they could produce a court order.

In response to a request from the Parliamentary Joint Committee into Intelligence and Security (PJCIS), the Communications Alliance polled its members about the requests they had received. That committee is holding hearings into the government's proposed crypto-busting legislation, and the request for information arose during a hearing last month.

Communications Alliance CEO John Stanton said his group was warning that the Access and Assistance bill could have the same sort of unexpected consequences as occurred with the data retention legislation.

"One of the things that makes us really nervous about the encryption bill is not just the fact that it's full of outrageous provisions, but there are potential unintended consequences," he told The Register.

When he told the PJCIS hearing there were many more organisations requesting access than the 20 listed in the legislation, he was asked to back it up, so the alliance asked its members to identify who had made requests.

The result was a long list of bodies (PDF). While the Australian Federal Police or Australian Tax Office are unexceptional, the presence of Australia Post's Corporate Security Group, various local councils, the Department of Agriculture, the Fair Work Building and Construction Commission, and the Taxi Services Commission in the list could raise eyebrows.

In the document, the alliance added that it wasn't able to identify all the requests that resulted in disclosures.

Stanton said the huge number of requests arose not because of Section 313, which limited the warrantless supply of data to 20 agencies, but Section 280, which allowed other bodies to request data under various kinds of court orders.

That section, he said, "places carriers in a difficult position. When a council in Tasmania says 'we want data under Section 280, and we have the right', what does the carrier do?"

Stanton added that judging the legitimacy of a request isn't in the scope of most telcos and service providers.

"So you have a barrage of requests coming in from all manner of entities, which may or may not be legitimate requests."

Stanton said it could be argued the industry should have understood the implications of legislation back in 2014 and 2015. "Certainly, we didn't anticipate it, and maybe that's a failing on our part.

"I've hesitated calling it a 'back door'... but it's certainly a way in." ®
