Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Legal and Constitutional Affairs References Committee - 29/07/2014 - Comprehensive revision of the Telecommunications (Interception and Access) Act 1979
Go To First Hit

ALTHAUS, Mr Chris, Chief Executive Officer, Australian Mobile Telecommunications Association

FROELICH, Mr Peter, Industry member, Australian Mobile Telecommunications Association and Communications Alliance Ltd

RYAN, Mr Michael, Industry member, Australian Mobile Telecommunications Association and Communications Alliance Ltd

STANTON, Mr John, Chief Executive Officer, Communications Alliance Ltd


CHAIR: Welcome. Thanks very much all for talking to us today. We have received your submission as submission No. 16. Do you wish to make any amendments or alterations to your submission?

Mr Stanton : No.

CHAIR: Would any or all wish to make a brief opening statement before we take you to questions?

Mr Stanton : Yes we would. Thank you very much for the opportunity to appear today. We certainly welcome the work of the committee and we agree there is a case for reform. We are supportive of some of the recommendations that have come down from the PJCIS, but at the same time it is fair to say we are wary of the nature of some of the proposals that we are seeing put in front of the committee. I would like to start with a couple of comments around simplification, streamlining and deregulation, which many of the recommendations go to, and then my colleagues will cover other aspects of our submission.

The communications industry is certainly supportive of the present push by the government for red tape reduction and deregulation. We are making great progress in our portfolio on reforms, and that is very heartening. At the same time, we are concerned with the swath of proposals that we are seeing advanced or contemplated by law enforcement agencies and the Attorney-General's Department that have the potential to drive that red tape initiative deeply into negative territory. We have spoken to the PJCIS in the past about the potential costs of data retention being more than $500 million, substantial costs that may be involved in the proposals for a new scheme around network infrastructure security and potentially high costs for industry around online copyright enforcement. These have the potential to dwarf the entire red tape reduction achieved across all portfolios.

A number of the proposals—and we will go into more detail on this—tend to be, in our view, an exercise in shifting to industry costs that will ultimately be borne by consumers. In our submission we have emphasised the principle of cost recovery from law enforcement agencies, which we feel should be enshrined in any reforms partly because that also acts as a natural curb against excessive requests for activity by law enforcement agencies and encourages them to target their activities.

And it is not just the shifting of costs we are worried about; it is also obligations to service providers who at the end of the day are not police and can sometimes struggle to deal with requests if they are required to process issues in which, frankly, they are not trained.

I move to some of the recommendations. We agree with recommendation 3, that there is scope to rationalise and reduce the reporting requirements that presently exist. Our submission spells out how that could happen. We also see merit in recommendation 10 and believe that the minimisation of references and warrants to internal carrier or service provider processes will allow savings. Equally, recommendation 9 has some merit in its focus on streamlining legislation, and we have spelled out the various areas of duplication and ambiguity between the Telecommunications Act and the Privacy Act. We think there is some scope to do some good simplification there.

We were a little struck by some of the comments that were made by David» «Irvine» to the committee recently. He talked about data retention helping law enforcement agencies to deal with very considerable procedural and time-consuming bureaucratic processes. If in fact that was a reference to processes within ASIO or law enforcement agencies, we would certainly support an attack first on streamlining those processes and removing the difficulties rather than relying on over-the-top solutions to what ought to be a root-cause solution.

I would like to now hand over to Mr Althaus.

Mr Althaus : Thank you. I wanted to make a few observations. One of the hot buttons in this space is data retention. We have made some comments on this issue over time. It is fair to say that as recently as three days ago a senior member of a carrier that is a member of my organisation said to me lamentingly that he still did not quite understand the defined data set that was being sought. I think that is an issue of concern. Clearly, in this day and age information flows are not only huge but increasing in some spaces exponentially. They are also borderless in the sense that all of us on a daily basis I am sure traverse many websites and destinations outside of Australia.

Industry has long had a concern about the level of information that is retained by itself for commercial purposes versus information retained for other purposes. We also underscore the fact that there is a long and deep partnership that already exists between industry and law enforcement agencies. We are keen to be part of the solution, not part of the problem, but one of the large concerns that Mr Stanton has just alluded to is this cost-shifting exercise whereby a large quantum of cost in this law enforcement and national security space is ending up within industry.

To give you a picture: data volumes in the mobile space alone are predicted to increase by a factor of 10 between 2013 and 2019. Should we have to build a system to retain data for a lengthy period, it is not just as simple as pushing a button or tapping an existing resource; in actual fact we would have to duplicate the data. That duplication would be required because this data comes from a multitude of IT systems within carriers. To be helpful to law enforcement agencies, it would need to be duplicated and aggregated. Then we have to store it. I am sure there is a vacant suburb somewhere where we could build a data centre! Then we have to manage it and be able to interrogate it. There are the privacy and security issues that go with that. All of these things are very considerable issues to address; and, as Mr Stanton also observed, we are not a law enforcement agency. We are a telco. We are an industry.

Typically, staff are not trained. Typically, our staff are not covered by the same legal protections that, for example, members of the law enforcement community would have. Five hundred million dollars is a large amount of money, and it would be interesting to see what that wold do in the broader law enforcement world. We do have concerns about the efficacy of such a large data retention pool. Clearly, the UK has grappled with this recently, and one thing we draw a big black line under when we talk about the UK is that the government in the United Kingdom funded the system and the agencies that use it pay for their use of it. That paradigm does not seem to be in our thinking here.

So there is a huge amount of resource, a huge amount of impost and efficacy we have a question mark around. Similarly, in our submission we go to the issue of attribute based warrants. Once again, we are not confident of the definition of this new approach. The intuitive concept of being able to take a thin slice of data to be more efficient and effective is appealing, but for us we would have to capture and hold everything to enable that slice to be found and processed. Similarly, attribute based warrants are once again passing a responsibility into telcos to interpret, judge and react to warrant requests in a more forensic way than simply downloading the data and handing it over. These sorts of transferences of responsibility, cost and performance to us present a significant dilemma. I will stop there because I know we want to get to question, but data retention and attribute based warrants are two very glaring examples of some of the challenges that we face. I underscore the fact that we want to be part of the solution, not the problem.

CHAIR: Thank you very much for your opening statement and for your evidence. Let's start with the cost estimates—the half billion dollars. I understand that is going to be an approximation, but at least you have had a stab at it. That is either passed on to industry and then you have to pass it on to your customers or it is, as you say, absorbed by the agencies, which is then charged back to us all as taxpayers. So there is kind of no avoiding it, is there? People are going to need to pay for this one way or another. Tell us what the $500 million buys us. Is that set-up costs only? What does that actually look like? Where does that money go?

Mr Althaus : We have looked at set-up costs. It is an estimate, as you say. It is also an estimate based on what we understand is the task. There is some further clarification required there, but certainly, when we did the back of the envelope, we were looking at set-up and operational costs. Suffice it to say there is some great concern around definition. So it is difficult to be precise, but it was not long before we were in the hundreds of millions. Then, when we start looking at volumes of data that are projected, that number began to escalate. My colleagues might want to add to that.

Mr Stanton : I think the other point about this ultimately being borne by the taxpayer is fair enough, but I think the difference is that if it were to be included within the budget of the agencies then the agencies have to fight for those funds, and that puts a natural discipline on them They have to justify it. It will tend to rein in the expansiveness of the sorts of requests, systems and facilities they might want to have in place. I think it has some internal rigour which is attractive.

CHAIR: Okay. I guess it is attractive from a commercial point of view as well. Between you, you collectively represent everything from the very largest to the very smallest players in these markets. A Telstra—very large institutional capacity, very strong technical background—can potentially absorb some of these costs. Are you concerned that, if the burden of paying for these systems does need to be absorbed by the industry, that is going to hit smaller players much harder than larger ones?

Mr Stanton : I think it would tend to hit them differently depending on their size. A large organisation like Telstra, sure, has capacity, expertise and all of that but also a vastly larger number of databases that it has to interconnect and be able to interrogate. If you go down to the smallest of players, you have a simpler task, but they may be in a position where they end up doing this effectively manually. So the unit costs could end up being higher for a smaller player, but the capex could be much less because it is effectively an opex-type exercise rather than a capital one.

Mr Althaus : Notwithstanding the size and dimension, quite a number of the tasks here are, as we have alluded, moving us outside a typical business service environment even for those that are already servicing agencies substantially, particularly in the data retention context.

CHAIR: With regard to the system as it stands at the moment before we even start talking about data retention: there are something in the order of 320,000 or 330,000 warrantless metadata requests being sent to your members every year. That number is also growing quite rapidly. Talk us through how that looks from your end process-wise. I understand what happens at the agency end—they fill out about a four-page application that is ticked off internally. How are these things delivered to your members, and what happens when they are?

Mr Ryan : You talk about a warrantless application; we tend to refer to them as 'lawful requests'. We ask the agencies. It is not just agencies but also police forces as well.

CHAIR: Local governments, the RSPCA—we know they are there.

Mr Ryan : They all try, yes—including the ACMA, too. They all do it under such sections as 284 or 287. Some send them electronically. Some fax us those applications.

CHAIR: Faxes still exist?

Mr Ryan : Yes. It is a bit of a concern going forward, but anyway. They send us those applications and we will then extract the information. It falls generally into two areas. One is personal information. So, Senator, they may send us your phone number and they want your name, address and possibly what the service is. That information is extracted out of an industry system called the IPND, the Integrated Public Number Database, which was set up in about 1998 to service both law enforcement and emergency services. That is where the majority of those what you call warrantless requests, and we call lawful requests, are received to fulfil.

CHAIR: I guess the reason I make that distinction is that some of the requests that you get for more intrusive surveillance are warranted—they have been through either the AAT or a judicial process. That is why I make that distinction. Maybe for the AMTA folk: there was a bit of reporting, maybe three or four weeks ago, about the use of tower dumps here in Australia, where, rather than going after a particular record, someone will come to you and say, 'We want all the traffic off the cell tower within a defined period of time.' How do those requests come to you and how hard is that to provide?

Mr Ryan : I am not saying that all carriers or ISPs actually respond to those sorts of requests.

CHAIR: That is a very interesting thing to say. What lawful power do you have to resist such a request when it is made?

Mr Ryan : From our perspective, we look at it as: are they reasonable or not?

CHAIR: What is your test for reasonableness? Where is that written down?

Mr Ryan : We use both the T(IA) act and the Telecommunications Act to make those decisions.

CHAIR: So these are requests, not demands?

Mr Ryan : Yes.

CHAIR: That is very interesting.

Mr Ryan : Generally they are not requests for tower dumps, or cell dumps, as you suggest; they are actually single requests for location.

CHAIR: The location of a particular handset, for example?

Mr Ryan : Yes.

CHAIR: I understand that, but I understand also that you do get requests sometimes if a car accident or a particular awful thing happens within an area covered by a particular cell tower—or a crime is committed—and you are asked to provide all the traffic that transited through that point at a period of time.

Mr Ryan : We request the agency to supply us with the handsets that they are after.

CHAIR: Just talk me through how that would work.

Mr Ryan : We are not too sure where they would get that information from, but they may investigate as to what handsets are in that location at that particular time and then give us the telephone number of those handsets.

CHAIR: How commonly are you having to have these—maybe 'arguments' is a slightly strong term; these negotiations with agencies? How frequently is that happening?

Mr Ryan : Not very often.

CHAIR: Okay, but it does happen.

Mr Ryan : It does happen.

CHAIR: With most of what we have heard thus far, it sounds fairly streamlined: a warrant goes through the appropriate process; it is served; you provide the information; the crimes are solved.

Mr Ryan : Yes.

CHAIR: This sounds really different.

Mr Ryan : But the warrant itself is usually related to one or two handsets rather than many handsets. We do not like, I suppose, the agencies fishing for information. We are very prescriptive in when we respond.

CHAIR: Sure, but then you are providing a public interest function quite separate to your role as an industry. I guess that is a statement rather than a question.

Mr Ryan : We try to make sure we stick within the law.

CHAIR: Yes, but it is quite a big call, because that kind of assumes that you believe that in some instances the agencies themselves are not, and that is why you are having to perform that function.

Mr Ryan : No. We do not believe they are not within the law. We prefer them to be within the law and more easily, from our perspective, to respond to their requests.

CHAIR: I am sure other senators have questions, so I will come back later if there is time.

Senator IAN MACDONALD: Mr Althaus, you mentioned a suburb might be free to store all the data. Can you give us some guess—it may be better than a guess—or some concept of what sort of space you are looking for to store all this data?

Mr Althaus : The technology around data storage is improving and changing all the time. Data centres are the fundamental bedrock of cloud services around the world, and data centres underpin all of the industry's operations. Certainly the numbers of data centres and the capacity within them—multistorey buildings chock-a-block full of servers, with huge air-conditioning units et cetera and power redundancy are common the world over.

In terms of a suburb, yes, there are more and more facilities required to be geographically located. The volume of data is increasing at huge rates. The other important point is when organisations within the industry look at the best commercial arrangements there is an enormous amount of data that is stored offshore. In terms of the location of information, the physical assets of data centres are certainly numerous here but equally there is an enormous amount that do not call Australia home.

Senator IAN MACDONALD: Could you identify a big data centre in Australia where data is currently stored?

Mr Althaus : There are many. In fact, there are quite a number of commercial enterprises that specialise specifically in addressing the task of supplying information storage management solutions that are selling their services to all manner of the IT industry.

Senator IAN MACDONALD: I am just trying to conceptualise it. Would it be a building as big as this one we are in? How many storeys?

Mr Althaus : Bigger and more numerous. I think the physical size of buildings depends on who is investing and whose services they are seeking to support. It is simply a matter of the facility will be built with the technology and the equipment to do the job.

Senator IAN MACDONALD: Are they usually in a remote area, in the centre of the city or wherever you can get land cheaply?

Mr Stanton : They are always close to good fibre connections and strong backhaul. In Sydney, for example, one of the primary data centres is down on the harbour near Darling Harbour. To look at it from the outside you could imagine it was a university building. It is a long building about four storeys high. It is very substantial. At least as big as Parliament House.

Senator IAN MACDONALD: If someone put a bomb under that and blew it up—

Mr Althaus : That would be a bad thing.

Senator IAN MACDONALD: It would, but what impact would that have? Would that data be gone forever or would it be stored somewhere else as well?

Mr Stanton : Typically, you would expect sensitive data to be replicated in a geographically diverse place and you would expect the data centre to be on a self-healing fibre loop, if you like, so that you do not physically take a piece of the network out. You would hope that the redundancy provisions kick in almost immediately and that the data is still available. What that means of course is you have incurred a lot of additional cost in replicating data and facilities to give yourself that security and that is what feeds into the sorts of high numbers that we talk about when we look at what data retention could mean.

Senator IAN MACDONALD: Is there an alternative though?

CHAIR: Paper.

Senator IAN MACDONALD: Paper? Now you are really talking! Some data has to be kept.

Mr Althaus : The short answer is: no, not at present. Cloud services are what we commonly see now as the way of the future in terms people not holding as much data themselves and their data is in the cloud or in a data centre somewhere. The speed and performance of networks enables access and management of those data resources to occur in an efficient and effective way. We are still struggling in this day and age with not only the volume, especially in this data retention context, but also the ability to store, manage, interrogate and protect privacy and security. Those things are all germane to the overall bill here. In the data retention context, as we said, to a large degree it involves some duplication of what is already going on.

Senator IAN MACDONALD: I will finish there, Chair, but you have just deflated me. When I log onto my cloud, I do not know quite what it means, but I always thought it was something in heaven that looked after my stuff.

CHAIR: It is building in an industrial park somewhere, Senator Macdonald.

Senator IAN MACDONALD: That is a disappointment.

CHAIR: It is not quite as romantic as it sounds.

Senator LEYONHJELM: You refer to this huge borderless data issue and you have talked about the fact that a lot of the data in relation to Australians, if it is stored, if it is retained, it would actually be stored offshore. Does the reverse occur? Do you face dealing with inquiries for data from countries, the UK for example, that already have data retention requirements? How do you deal with them if you do?

Mr Froelich : I suppose, strictly speaking, industry members do not deal with foreign agencies. All foreign requests would be filtered through the Australian Federal Police generally under the provisions of any international mutual assistance agreement. So strictly speaking, no, we do not deal with foreign agencies or intelligence groups at all.

Senator LEYONHJELM: All right. On the assumption that only the Americans can claim extra territoriality of their laws, if Australian data was stored and the data centre was in a lower cost country than Australia, which would almost be inevitable you would think, how would you deal with that in that case? Would you only be obliged to search the databases stored within Australia?

Mr Froelich : It depends on how a particular lawful request is formed to the industry member. For each group, if you have things hosted in a different geographic location then obviously you are subject to the laws of that geographic location. If that information traverses Australian networks or Australian territory, then under the rules in the Telecommunications Act and the Telecommunications (Interception and Access) Act we are obliged to provide that material under a lawful warrant. We would do so; we would respond to any lawful warrant.

Senator LEYONHJELM: In theory then, another country could say that the data is stored within their borders and so they could stop you from doing that?

Mr Froelich : Strictly, yes. You would be subject to the laws of the geographic location, but we would respond to anything that meets the obligations under the Telco Act or the TIA Act.

Senator LEYONHJELM: Okay. I do not quite understand the comment that you do not like phishing in relation to Senator Ludlam's question about tower dumps and you also included cell dumps. How do you decide what phishing is? What are you referring to there?

Mr Ryan : When we receive a lawful request, we like a telephone number or a name—so fairly standardised and succinct. This is so that we do not have to step into the role of a policeman to try to decide what is relevant and what is not. If you send us a telephone number, we will get the information on that telephone number and send it back—end of story. So we have responded to that warrant. Or if it is a name or handset information et cetera. We do not try to decide what you do and do not want. If we get a phone number or a name, that is it.

Senator LEYONHJELM: So if somebody asks for all of someone's friends on Facebook, that is not your cup of tea?

Mr Ryan : No. We would not even know where to start.

Senator LEYONHJELM: That is fine. Thank you.

CHAIR: I might put this to our next witnesses as well, but since we have the mobile industry here, can you help us out? Included in the Attorney-General's definition of metadata, which is the working definition across the various agencies that you deal with, location records are fair game: the location or the approximate location of a handset at the time of a particular event or call or whatever. From an industry point of view, what is the range of accuracy? Assuming that the GPS on the handset is not turned on, so just from the triangulation of the cell towers, how accurately can you determine somebody's location at any given time?

Mr Froelich : So I guess specifically that answer varies according to the geographic locations. For example, in a country town there may only be one cell tower that has what we call an omnidirectional antenna propagation. You can tell the distance from the antenna, but without the GPS turned on the phone assisted GPS location function is not available to you—I think the parameters you set around it was around not having GPS on. When you get into an area like where we are now, in central Sydney, you would be able to triangulate, and triangulate implies that you have three towers, to measure the distance from each tower to get a relatively accurate approximation down to 10 metres to 50 metres, in that sort of range, whereas in a country town it might be a doughnut shape of perhaps 100 kilometres.

CHAIR: One hundred kilometres? So within the range of the particular tower, you have a distance but not bearing?

Mr Froelich : Yes, you have got a distance from the tower only. You have set the parameter in the question around having GPS turned off, so the accuracy would not be that great, no.

CHAIR: Obviously for billing purposes or even for the call to function you need to record that, you need to know that information, otherwise the system does not work.

Mr Froelich : The billing function is based on the tower that you send your signal through. If you were making a call that was a distance of 500 kilometres from Broken Hill to Sydney—whether it was 500 kilometres or 600 kilometres it would not really matter in the billing function because you are still connected to the same tower.

CHAIR: And what is the range—you were talking before that in a regional town there might only be one tower providing that service. What is the approximate range? How far can you get from that tower before the signal drops out?

Mr Althaus : It depends to some extent on what frequency you are operating on. There would be a range depending on the network parameters that you are dealing with at the time. We can give you a range. We can take it on notice if you like and give you an estimate.

CHAIR: If you like; just industry estimates. To my mind, the geolocation included in the definition of metadata is one of the more invasive reasons why I want this material to need to be accessed via warrant rather than someone stamping a piece of paper and serving you with it. The vast majority of Australians probably live well within range of two or more cell towers at any given time. So that material is all being logged. How long is that held for across the industry? Is there an average, or is it just up to individual company policy?

Mr Froelich : I think specifically for that information it is quite transient because it does not necessarily form a billing function. The structure of the storage of data in the telco industry is such that under the structures of the privacy legislation we only keep information for as long as we have a business need for that. So that location information is particularly transient.

CHAIR: Days? Weeks?

Mr Froelich : Perhaps here and now really.

CHAIR: Really?

Mr Froelich : It is where you are at that point in time.

CHAIR: It just goes straight through and it drops off.

Mr Froelich : Yes, there is no reason to keep that information.

CHAIR: Well ASIO believe they do have reason for you to keep that. That is part of our half a billion dollars I presume.

Mr Froelich : If you want to retain that, yes, it forms part of the—

CHAIR: No, I do not. I think it is a terrible idea!

Mr Froelich : If the law enforcement community wanted to retain that, yes, you would have to create structures to actually do that rather than the transient nature of what the data is at the moment.

CHAIR: Say you kept it for a couple of hours—or under data preservation notices is it correct that at the moment, if they are tracking a particularly bad line, they can serve your members with a notice that says: 'Don't throw that away; we might need that. We might come with a warrant later.'?

Mr Froelich : No, for transient data—we do not see the application of a preservation notice; we only see the application of a preservation notice for stored communications. This does not form a stored communication such that—if I could define stored communications as communications that come to rest on our networks, like email perhaps SMS and MMS. Those types of stored communications can be preserved, but we would not accept a preservation order for transient data.

CHAIR: Truly? How difficult would it be to do so? To my mind I can actually see a legitimate reason why that might be quite valuable for law enforcement purposes and, if it was targeted and discriminate, why it might be quite useful to trap that material for a period of time. How difficult is that to institute on a very targeted basis rather than across the entire population?

Mr Froelich : In a strictly engineering answer, because that is the part of the business I come from—

CHAIR: Yes, if you like.

Mr Froelich : we can build anything with time and money. Anything can be built—

CHAIR: Apart from safe nuclear power! Sorry.

Mr Froelich : I do not work in that industry so I will not comment, but I take your point. Given sufficient time and money, we can build any system that is required, provided it fits within the structures of the legislation.

Mr Ryan : Industry is building a project now, it is getting towards completion in, hopefully, September or October, to deliver your location in emergency to emergency service organisations. We are building the capability within the network—it is called push MoLI—the legislation is under the emergency call service determination to capture your location when you call 000. Along with your call we will capture your location. As Mr Froelich just said, depending on the cell tower, the number of cell towers, we will capture your location to send along with that emergency call to 000 and then onto the emergency service organisation. But that is a defined need, if you like, that the community has asked for.

CHAIR: Now imagine that I switch on the GPS function on my handset. How accurate does that become from the back end point of view? I know how accurate it is for me, but as far as the service provider is concerned.

Mr Froelich : It takes you down to the 10-metre range in terms of using assisted GPS is embedded signalling functions within the network. It will take you down into the 10-metre range of accuracy.

Senator LEYONHJELM: Not if you are inside; only if you are outside.

Mr Froelich : Yes. The GPS requires a link to satellite access.

Mr Ryan : That is assuming that each carrier actually has access to that layer of information.

CHAIR: That is my next question. How much of that GPS data resides on the handset and how much of it is transmitted back through your networks to be stored for arbitrary periods of time?

Mr Ryan : I cannot speak for all carriers. Some carriers just do not currently have that access. If I go back to the push MoLI project, that is something we are looking at the future. That is the next phase of it, if you like.

Senator IAN MACDONALD: You are calling it 'push molly'?

Mr Ryan : Because the network pushes it to the emergency services organisations. Rather than using, say, a 287 request they request the carrier to pull it from the network.

Senator IAN MACDONALD: What is the molly part?

Mr Ryan : Mobile location information, sorry.

CHAIR: That is all right. I don't think any of us here is an engineer; please bear with us. Just explain for me again in words of great simplicity how from the carrier's point of view the GPS functions on these phones, which I expect most people wander around with switched on so they can use maps or whatnot, that operates for people using smartphones from a back-end engineering perspective. Can that material lawfully be accessed for good reason by intelligence or law enforcement agencies?

Mr Froelich : If required, yes. Assisted GPS signalling functions within the network are available within that host network, if you will. By host network, I mean the underlying access network that you purchased your phone through. At the carrier aggregation level—the connection between carriers—it is not necessarily translated across carrier borders. There is no reason to hand off a customer's location information once you have changed from one carrier to another. That information is useful perhaps in a marketing sense to the host carrier, where you might want to perhaps direct that person to their nearest pizza shop or something like that. We would not necessarily translate it across carrier borders, no.

CHAIR: When you say carrier borders, you mean if a Telstra handset rings an Optus one?

Mr Froelich : Yes.

CHAIR: But that material could potentially be within the dragnet of data retention. It is there. What I am trying to understand is that it is not simply isolated on this phone; it is being transmitted back and forth.

Mr Froelich : Yes. That comes down to the statement made by Mr Althaus before that within the data retention dataset we are unsure at this stage as to what that looks like.

CHAIR: Me too.

Mr Froelich : If that was included in the dataset we have to build systems to do that.

CHAIR: Just to be very clear, then I think we had probably let you go and call our next witnesses, it is entirely technically within the range of possibility and has probably already been done that you could be tracking somebody from that information. You could be tracking somebody around a live map—in fact, very many somebodies simultaneously—everywhere they went, every time they sent a text message, every time they made a call, purely on the basis of metadata alone. It is not content data under any legal definition.

Mr Froelich : No, that is not beyond the realms of possibility.

CHAIR: I guess I am asking you an engineering question rather than a legal one. We will get to the legalities later.

Mr Froelich: Yes, you can do it.

CHAIR: I do not have any other questions.

Mr Althaus: What we have been talking about demonstrates that on our side of this discussion there is an enormous amount of expertise and experience. To the best of our ability and awareness of what is coming in technology terms and service and application terms we would love it if there were a much clearer and more pragmatic dialogue between agencies and industries to talk about their needs and our capacity in a pre-emptive way rather than our being constantly in a reactive mode to proposals that are potentially quite problematic and in some cases are not that well thought out or whatever. I guess as a closing comment, some more dialogue would be a helpful thing.

Senator IAN MACDONALD: Along that line, is anyone speaking to your groups about a possible change to this act and what needs to be in it? Are you having discussion with any government department?

Mr Althaus: Yes, we are. One of the things we find problematic is that it is often the case that ideas and concepts are formed and are well advanced in an agency's mind, and perhaps an earlier and ongoing discussion with industry would be beneficial.

Senator IAN MACDONALD: This is not really part of this inquiry, but you should make sure and if we can help—I cannot, because most of what you are talking to me about I have no idea about; that is not your presentation but my capacity—it is important for the nation and for the government that if this act is to be reviewed that it is done taking into account the experts that actually make it work and can see where a little bit of extra time might make it better for everybody. It is important, as I say, that you use us if you can, but it is important that your views are taken notice of even if they are not adopted.

Mr Althaus: We certainly agree and we put them forward at every opportunity.

CHAIR: Are you presently in discussion with the Attorney-General's Department or anybody else around data retention proposals in any kind of formal way?

Mr Stanton: At the association level? No, there is no active consultation about that at the moment. We have been in discussion very recently about the TSSR proposal—that is the infrastructure security proposals that AGD have been putting forward.

Senator IAN MACDONALD: What is TSSR?

Mr Stanton: It is a framework that the Attorney-General's Department wants to put in place to provide greater surety around the protection of critical infrastructure in the telecommunications industry.

Senator IAN MACDONALD: What does it stand for?

Mr Althaus: Telecommunications security sector reform—we live and breathe acronyms.

Senator IAN MACDONALD: You are not as bad as Defence.

Mr Stanton: On data retention right now, no, nothing in particular.

Senator LEYONHJELM: You were talking about $500 million for data retention, is that based on each ISP doing its own data retention? Have you looked at some kind of pooled system? Is it feasible or not an option?

Mr Stanton: That number was based on market-share-based extrapolations of each major player putting in place their own system.

Senator LEYONHJELM: Doing your own thing.

Mr Stanton: Yes.

Senator LEYONHJELM: Okay. Does that make more sense than having a pooled system? I will make my position clear: I do not want any system. But if you had one, would it be cheaper or more efficient to have a pooled system or for each organisation to do its own thing?

Mr Stanton: I think you would have to start from the basis of the dataset requested and look at the issue in that light. You would have to take into account interoperability and privacy issues. I cannot give you a simple answer to that question.

CHAIR: Have you looked at renting some space at that big NSA data centre in Utah?

Mr Althaus: No, sir.

CHAIR: That is a no, for Hansard. We will suspend the committee. I greatly appreciate your expertise and time. I know you are all busy people. It has been really instructive.

Proceedings suspended from 10:49 to 10:57