Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Parliamentary Joint Committee on Intelligence and Security - 17/12/2014
Go To First Hit

ALTHAUS, Mr Chris, Chief Executive Officer, Australian Mobile Telecommunications Association

ELSEGOOD, Mr Michael John, Member, Communications Alliance

FROELICH, Mr Peter, Industry Member, Communications Alliance

STANTON, Mr John Leslie, Chief Executive Officer, Communications Alliance

CHAIR: We will resume. For the information of our guests and visitors, we may have Senator Conroy appearing via phone hook-up. I welcome the witnesses. Would you like to add anything about the capacity in which you appear?

Mr Elsegood : I am with the regulatory team at Optus, and Optus is a member of both of the associations.

CHAIR: Thank you. Although the committee does not require you to give evidence on oath, I remind witnesses that this hearing is a legal proceeding of parliament and warrants the same respect as proceedings of the House itself. The giving of false or misleading evidence is a serious matter and may be regarded as a contempt of parliament. The evidence given today will be recorded by Hansard. Do you wish to make some introductory remarks before we proceed to questions?

Mr Stanton : Yes. We would like to echo the remarks that were made earlier in the day in testimony by expressing our sympathy, on behalf of our organisations and companies, to all of the individuals who were victims of the tragic events in Sydney this week, and in particular by sending our condolences to the families of those who lost their lives.

We are certainly grateful for the opportunity to make a submission to the committee and to appear before you today. Our submission is a high-level explanation of the issues that industry sees as important to consider before the legislation progresses further in the parliamentary process. If the committee permits, we might take the opportunity to provide supplementary material on these issues in the new year and before the final submission deadline.

I would like to emphasise at the outset that there is a long and very cooperative relationship between service providers and the telecommunications industry, and law enforcement and security agencies. As the committee has heard today, those relationships support more than 300,000 authorisation requests per annum. Service providers do recognise the importance of telecommunications data to the legitimate needs of law enforcement agencies and to their efforts to combat serious crime and threats to security.

Last time we appeared before the committee back in 2012 we stated on behalf of the industry quite clearly that we did not believe a case had been made for the type of mandatory data retention regime that was at that time being proposed. Today it is fair to say there is something of a range of views among our membership as to whether such a case has now been made, and it depends in part on the final shape of the regime, around which many questions remain.

Notwithstanding this, legislation has been introduced to the parliament. If parliament decides to bring the bill into law, we think it is vital that the legislation be clear in its requirements, that it be practical in terms of the impositions it places on telecommunications service providers, that it avoids unintended consequences, that it is mindful of personal privacy and that it is proportionate to the security challenges facing Australia. It is these issues that have driven the content of our submission.

We think equally it is very important to recognise that this bill provides not only for a data retention regime. We have perhaps at times grown a little weary of hearing this proposal described as a requirement to do no more than service providers do today. It is in most cases far from that. It is a data creation regime as well as a data retention regime, for all of those providers who do not presently retain everything in the dataset.

Data creation is typically a complex and often an expensive process. This fact, I think understandably, bears on the minds of service providers in the current circumstances, where we do not yet have any visibility of what the government's contribution to the capital expenditure here will be, whether that is a reasonable contribution or a substantial contribution, as the Minister for Communications told the parliament in introducing the bill. And in those circumstances we obviously do not know how large the financial shortfall will be in implementing and complying with the regime, that shortfall being borne by service providers, but ultimately by their customers. So while I have spoken to one misconception, if you like, that tends to be in the public debate around this issue, we would also like today, in response to questions perhaps, to correct one or two other misconceptions that we feel emerged in earlier testimony.

Our submission to the committee contains a total of 13 recommendations. I do not propose to run through all of them, but I would like to mention some, if I may, very briefly. Our first recommendation was that as much as possible of the proposed regulation be incorporated into the bill to guard against what is colloquially referred to as 'scope creep', and we also suggested some form of cost-benefit analysis or impact statement for proposed changes to regulations to help enable the parliament, when it examines those proposals, to decide whether it is proportional, whether we are being asked for a major impost in exchange for a very marginal gain in security.

Our second recommendation, I am pleased to say, is now also a recommendation of the working group—that is, if there are changes to regulations they ought to not be able to come in with immediate effect, but rather only after the parliament has had an opportunity to review them. In recommendation 3 we talk about retention periods. We note in the submission that the retention of telephony data for a period of two years is not too far away from what typically happens today, and so is certainly one of the less controversial pieces of the dataset from industry's point of view, but we have recommended a period in the order of six months for internet related data. We would be happy to talk to some of the issues around that with the committee. We have also made the point that in the event that the retention period for internet related data is less than two years, there may be some providers who would actually prefer to keep it for two years. If that is the case, then the legislation might need to provide an assurance that keeping it for two years does not expose the service provider to breaches of the Privacy Act.

At recommendation 7 we have raised questions around oversight arrangements. We do not claim to have solutions for those; it is more to highlight the issue. Similarly, at recommendation 8 we have noted, as was discussed this morning, the question of a generic warrant as it was raised by David» «Irvine» . Recommendation 9 is important from our perspective; it is around the question of whether individuals will be able to access on demand their own metadata. We would like to reinforce the fact that the right to personal information stored by CSPs absolutely ought to be maintained—there is no question in our minds about that—but we are concerned about the precedent that may be set that enables hundreds of thousands or more individuals to demand access to their metadata. There was some discussion about this earlier today, and the sense, I believe, from the testimony was that cost recovery would be available in the event that this was exercised by individuals. We were not 100 per cent sure whether that was cost recovery from the customer or from the government, and that is something we will try to clarify offline with the department.

Mr RUDDOCK: [Inaudible] to your customer. If I want my data from my provider, then I ask the provider. If the provider wants to provide it, then they provide it at my cost.

Mr Stanton : That was the assumption we drew, but we were not certain. We were just looking for clarity on that, so thank you very much.

We have asked at recommendation 11 whether the regime is proposed as a proportional response, given in part the fact that there are many ways to circumvent it. At recommendation 12 we have asked whether the committee would like to reaffirm its previous recommendation that the costs to comply with the data retention regime be reimbursed by government. We also asked that the cost situation be clarified before the bill is next debated. We have also raised the question of whether there is a competitive disadvantage, which we believe there is, for local providers if they are expected to foot a large bill or a substantial proportion of the bill for a data retention regime when offshore providers offering services in Australia are not asked to do the same.

Finally, we have asked the committee to bear in mind that the telecoms sector security reform provision is coming down the chute towards us—in the new year, we believe—and it is worth noting that the last time that was described to us by government, it was proposed that industry also pay a multi-million dollar bill to support that initiative. We cover in our submission the question of exemptions, and I am pleased to say that the working group on which we have been participants has provided some clarity around the services that will be eligible for exemption—or are at least recommended to be eligible for exemption. There remains a significant issue though around business services, where it is not clear which of those may or may not be eligible for exemption. It appears we are looking at a bespoke process where individual applications will need to be made for an exemption. That makes it a little bit harder at this point to estimate the costs on the industry side as well. I will pause there, Mr Chairman; thank you for your indulgence.

Mr NIKOLIC: You say in your submission that government has not made a sustainable case for imposition of mandatory data retention. What in your view would constitute compelling evidence that would make that case?

Mr Stanton : We have not seen, for example, the information which I believe has been made available to the committee about the relative importance of data of differing ages. Certainly we look at the overseas experience where almost all the rest of the world has gone for a shorter period of retention around IP-related data. So historically we have not been convinced—

Mr RUDDOCK: So you are only quarrelling about the question of the length of time; you are agreeing that in principle that it is appropriate to access data?

Mr Stanton : We support the accessing of data every day of the year.

Mr NIKOLIC: But you make the point 'the government has not yet made a sustainable case for the imposition of a mandatory data retention regime in Australia', yet we have New South Wales Commissioner Scipione saying:

There is not a terrorism investigation since 9/11 which has not relied on metadata.

«David» «Irvine» , who you mentioned, said:

Unless metadata storage practices change, counterterrorism efforts will be severely hampered.

The head of the AFP said:

Without a two-year data retention period, the AFP is concerned investigations that rely heavily on telecommunications data will continue to be frustrated by inconsistency in retention of data by Australian service providers.

What weight do you place on the evidence of those who actually run these operations against your judgment that a sustainable case has not been made and what weight do you place on 35 Western countries imposing a regime—of varying durations, by your own admission? And if none of those things are compelling enough to say the case has not been made, what would?

Mr Stanton : The question of sustainability of the argument rests in part around the detailed scheme—whether it is proportional, how much is captured by it, what the exemptions are, what cost recovery arrangements are and how it deals with things like exemptions. As I said in my opening remarks, there is a diversity of views among our membership about a data retention regime. Some of our members have come out publicly and said, 'We should support it'. We are in a position where we are trying to better understand what the overall regime will look like. That is why we raise these recommendations and issues. We may come out of this process with a package which we think is sustainable because it has addressed the many issues from above the data set which we think need to be looked at.

Mr NIKOLIC: So you do not agree that the information available on the public record since 2001, the benefit of metadata for breaking a number of important, for example, counterterrorism cases, child exploitation cases and the evidence presented both publicly and to this committee—I am sure you are aware of that evidence from the various agencies who run these operations—that that still does not make the case, in your view, for a data retention regime? And you talked about your members and the diversity of opinions but clearly the weight of opinion among your members was such that you concluded government had not yet made a sustainable case.

Mr Stanton : And what we have done in our submission is put forward positive and constructive recommendations about how the regime could be brought to a position where it is sustainable. We are aware of the evidence which has been put on the table about how metadata assists the work of law enforcement agencies. We do not dispute it. We have said in our submission it is important that we acknowledge that. Every one of our members works hard to support those law enforcement agencies and has done so constructively for many years. We are not seeking to be obstructive in any way to the legitimate aims of the law enforcement agencies or the need to ensure that Australia is secure.

Mr NIKOLIC: I am not saying you are, Mr Stanton, but you are making judgments on the basis of relative value of this information to law enforcement agencies by your own admission here. One of your recommendations, to paraphrase you, says that you are not sure of the benefits of data retention because of the ways to circumvent it. I would be interested to know what is your group's experience in running intelligence led operations that would enable you to make a judgment on the basis of relative value of this information based on ways that you can circumvent the information. Surely those law enforcement agencies are pretty well placed to understand the relative values of both the data set being exploited by them for intelligence purposes and their ability to counteract an agile adversary that is trying to circumvent those things. Despite their intimate knowledge of those things, their strong evidence to this committee and in the public domain is that this remains something that is essential to their operations. You have made a recommendation. I am wondering on what basis you justify the recommendations that this may not have great value because of ways to circumvent it.

Mr Stanton : The recommendation raises the question about whether it is a proportionate response. That is based, in part, on our observations as to the many ways that such a regime can be circumvented. It is also based on the feedback that our members hear from agencies about the real-world experiences of circumvention. We do not in our recommendations say that this ought not be done. We are simply raising it is an issue that may be worthy of consideration.

Mr NIKOLIC: You also use the words 'potentially enormous cost' in the second paragraph of your submission. I am wondering what benchmarking you have done of those countries that have implemented some form of data-retention policy to reach the judgement that this is 'a potentially enormous cost impost'.

Mr Stanton : We know the calculations that we did three years ago, when this committee last examined this topic, and the numbers and estimates that we came up with at that time. Our members are still working through with PwC, as was said to the committee this morning, to see what this dataset—to the extent that the other elements of the scheme can be known—will mean in terms of costs. The last time we ran a ruler over this it was a very large number.

Mr NIKOLIC: A lot of things have happened in the last three years, including a number of similar countries to ours, western countries, implementing such a regime. My question is not what the results were of your study three years ago on the potential costs but what benchmarking you have done with competitors, like-minded countries, that might have imposed this sort of data-retention regime, to better understand what the costs actually are rather than what the estimate might have been three years ago.

Mr Stanton : There has not been any publicly available data that we have seen from overseas regimes. In regimes like the UK they are still arguing about what the legislation they passed means, so I do not think they have a concluded view on what the cost might be.

Mr NIKOLIC: The British telecom—and your other peer organisations around the world where these things have been implemented—I imagine, might have some idea. Has there been any interaction between the Communications Alliance and like-minded peak bodies or major telecoms, in countries where a data-retention policy has been implemented, to understand what their experience relative to cost is?

Mr Stanton : No, there has been no formal benchmarking study done. We have been more focused on what the regime would mean for us in our market.

Mr CLARE: One of the questions we posed to the law-enforcement agencies is what proportion of the historical metadata they rely upon is less than three months old or less than six months old, less than nine months old, less than 12 months old, less than two years old or more than two years old. We have had varying amounts of success in getting that data so far. I think I can speak for other committee members in saying that it is important information for us in our deliberations. Is that the sort of information your members might be able to provide to the committee with some level of detail, perhaps not here but on notice?

Mr Elsegood : We can certainly take that as a question on notice and go back to our particular units and ask them the question. But I would make an observation around that. It would be fair to observe that the agency requests are probably tempered by their knowledge of what individual providers keep. It might not tell you what necessarily they would like to get, but it may reflect simply that their experience with individual operators is that one operator may keep it for three months and another operator may keep it for six months, and they would adjust their requests accordingly.

Mr NIKOLIC: That makes total sense. They know company A holds the data for this period of time and they will amend their application so they are asking for data that is less than that. That leads me to the next question. I appreciate this is commercial-in-confidence information for the different ISPs. It would be useful for the committee to get a greater level of detail from ISPs about how long they hold information for. I am conscious that ISP A does not know how long ISP B holds this information for. Is there a way—perhaps if the committee was to write to Communications Alliance or a number of different ISPs—that we would be to get more granularity from the ISPs and hold that information in a commercial-in-confidence way so that we understand exactly what is being held now and for what period of time by different organisations?

Mr Stanton : I would be happy to take that request to our members. I guess that I was assuming that PwC, even if it was in an anonymised way, would be able to give at least a snapshot of the samples it has taken at various parts of the sector and provide some information. But I am happy to take that one on notice.

Mr CLARE: Just by way of explanation, one of the reasons I think this is useful is that law enforcement is keen to make sure that there is not a further degradation of data available to them over time. I suspect that information that ISPs might be able to provide might indicate that, given the time frames they are holding data for at the moment, if it is held for a longer period of time than is currently the case there will be additional data that would be available for law enforcement. In order to know if that is correct or not we need that data from ISPs.

Mr Stanton : All right; thank you.

Mr RUDDOCK: I put the proposition, earlier, that once you have established the principle, the length of time may not be all that relevant. The marginal cost of keeping the information for three years or four years—if you have to keep it for two years—is probably not all that significant. Would you like to comment on that?

Mr Stanton : I will ask Mr Froelich to comment on that.

Mr Froelich : I guess the costs are not strictly incremental but more exponential. In terms of the way that data growth is in the industry at the moment, as you start to blow out the time period from two years to three years, four years, five years or whatever you propose, the volume of data usage on an internet-type service is growing at a factor of 10 times. So you will have those exponential growths on top of the basic incremental growth of the length of time you want to store the data. So the costs involved—perhaps I will talk indicatively—are around some of the more mundane things like power and air conditioning, floor space and things like that. That is where the costs will be driven up as we start to store more information, and store it at an exponential rate. Particularly as the growth of access services with higher access speeds goes up those transactions are going up, which means that the volume of data retention and metadata goes up as well. I suppose those are some indicators towards costs and potential do-ability of achieving those outcomes. Does that answer your question?

Mr RUDDOCK: Not really. I assume that the major cost is the capital costs of putting in place a system, and once you have a system then you have the cost of running that system. The point I was making is that if the major cost is the capital cost, just continuing to run the system may mean only a marginal cost. Somebody said it might cost each customer a cent a day. Maybe they said it was less.

Mr NIKOLIC: I think it was 1c to 20c per customer per annum.

Mr RUDDOCK: It was between 1c and 20c per customer per annum. That was just to keep the information and to be able to access it.

Mr Froelich : I am not in a position to answer about specific cost amounts at this point in time. What I was trying to get to was that the capital cost to set up a system initially, the life-cycle costs and the growth of those systems to develop for an exponentially growing industry is not simply an incremental cost. There is a factor of multipliers based on how the industry is growing in those areas. I suppose a simplistic mathematical model does not necessarily answer your question but it is more than just the incremental cost.

Mr CLARE: What you are saying is that the longer the time that you hold the data the more the capital cost, as well. Is that right?

Mr Froelich : It is capital costs, but it is also the nature of the capital that you have invested in the first place to develop perhaps search engines and structures to actually access that information. As the depth of that data increases because of the exponential growth of the industry, it increases the amount of search functions, and the capacity of the systems you put in place to go and find that information becomes more processor intensive and it becomes more costly to do that. So the costs start to mount up as you go longer in a retention period, yes.

Mr Althaus : Chair, just as a comment: the indicative growth that we are seeing, if you look at the Communications and Media Authority's numbers released for the year ended 30 June 2014, is that we have an aggregate of 50-plus per cent growth across all categories of data and nearly 100 per cent in mobile over smart-phone devices. But the big growth is in fixed-line broadband, where it has moved from just over 600,000 terabytes to nearly a million terabytes in a year.

Mr CLARE: Chair, I might move into a different area, if the committee is okay with that. I wanted to go to this issue of the 'honey pot'. You were concerned in your submission about civil litigation and how people might use the data for purposes that the data is not proposed to be used for here. I invite Mr Stanton to tell the committee a bit more about that.

Mr Stanton : At the outset, we recognise this may be a difficult issue to tackle, given that civil litigants do have rights to seek discovery for those sorts of data. I guess our concern is that, once it is known—through the requirements of the dataset—exactly what data is being retained by each service provider and for how long, that may generate a tsunami of action in commercial disputes, in marital disputes and in many other cases where the data is being mined in circumstances where we may not be able to recover costs for all sorts of purposes that the data retention bill was not designed to facilitate.

Senator BUSHBY: Currently, a lot of providers hold a lot of that information anyway. Some of them hold it for longer than two years; certainly, in the past they have. Have your members experienced such claims up to this point—and to what degree?

Mr Stanton : Yes. I cannot speak to the degree in a numerical sense. Our concern, I guess, is that this is a high-profile exercise and it will put it very clearly in the public consciousness that a defined set of data is available from every service provider, and we think it may start an industry, if you like, and—

Senator BUSHBY: Okay. So it is not really a problem at this point with the data. It is the same data that is being held; it is just that it will be held for a defined period, if this bill is passed.

Mr Stanton : For most service providers, no, it is not the same data that is being held. It is more data, to meet—

Senator BUSHBY: The evidence we had this morning—

Mr Stanton : the requirements of the dataset.

Senator BUSHBY: The evidence we had this morning from the Attorney-General's Department—correct me if I am wrong—was that they would not be requiring providers to hold anything other than what they would have, even if some providers just hold it fleetingly. I think, basically, the requirements would be that it is only things that the providers would actually be holding at some point.

Mr Stanton : No, that is not correct. There are elements of the dataset that many of the providers do not hold at all today.

CHAIR: [inaudible] there are the six categories that—

Senator BUSHBY: Okay, but that was tested, and she indicated that there was an expectation that it would only be—

Mr DREYFUS: In fairness to the representative of the Attorney-General's Department, what she said—and I am sure that the Hansard will be able to be checked at some point about this—was that the telecommunications data is necessary for the operation of the system and will fleetingly, possibly only fleetingly, be in the possession of the provider, but that in some cases, perhaps in many cases, the data is not kept at all. It exists but it passes. So I would not want to overstate the evidence that was given by the representative of the Attorney-General's Department.

Mr Stanton : Sure. And I am not trying to pick a fight with AGD either! But there are elements of the dataset, for example, that require data to be collected and manipulated in ways that it is not today—historical aggregate records of upload and download volumes, for example. I do not know of any provider who manages to put that material together today. There is no business requirement for it. The feedback from some of our members is that that will be quite difficult to do. So there are elements within the data set that do place creation demands on service providers.

Mr DREYFUS: If we can unpack that for a moment—no pun intended—you have got a fact of a certain volume of upload or a fact of a certain volume of download for a particular customer but it is not kept at all. Nothing in the systems of some providers keeps that information, and they would have to in fact build part of their system in a way that would enable them to capture that data.

Mr Stanton : Yes, that would enable them to bring that data together—to record it in the first instance and to manipulate it in a way to meet the requirement being put by the agencies.

Senator BUSHBY: That is not inconsistent with my understanding. It goes through—

Mr DREYFUS: No. I don't think it is, «David» . I am just trying to get this clear, because I do not think, with all respect, that there is a difference of opinion between what Mr Stanton is saying and what the Attorney-General's Department expressed today.

Senator BUSHBY: I was interpreting the witness's evidence, and maybe incorrectly, that you need to go out and find stuff, that it does not actually pass through the providers hands at all. You would have to go off and find information that has nothing to do with what you are actually doing. I think Mark has clarified that.

Mr CLARE: Can I follow that line of questioning with an additional question about what difference this makes for a big ISP as opposed to a small ISP. They come in all shapes and sizes. Doing that additional work would be different for a Telstra or an Optus as opposed to a rather small ISP. Can you explain to me what the difference would be. If we are dealing with a regime where it is not a full cost recovery but government is paying either a reasonable or a substantial amount of the cost, this is probably quite relevant for small businesses.

Mr Stanton : We have asked some of our members who represent small service providers to do some research on this. There are a couple of factors that bear on it. One is the extent of flow-down, if you like, of data from a wholesale service provider to an aggregator or to a small retail service provider. In traditional telephony, for example, a lot of that can happen through the distribution of core records. It is much less certain and much more varied in the IP world, where it is not clear whether the small providers will be able to rely on their upstream provider to give them those sorts of data, because often they will be effectively buying a pipe and what they do with the pipe is what gives them the ability to add value and sell to their customers.

It is fair it to say that all of the smaller providers are resellers, and that typically means they are operating in a narrower margin environment than those further upstream. It would also appear likely that they would tend to move in the direction of manual workarounds as opposed to putting in place new systems for which they typically will not have capital. I am awaiting some further advice from those who operate in that part of the market. I think it is a legitimate question to ask as to whether the impost of the regime would make life sustainable for some of those smaller players.

Mr CLARE: Just following on from that, as part of the PwC work and the working group's work in stage 2, there is an anticipation that they will look at that, because the last thing you would want is a new impost that puts businesses out of business.

Mr Stanton : There is a very clear indication that PwC will look at that. We have been told by AGD that they will take samples from the various parts of the sector curve—small, medium and large—and will try to get a representative idea of what the regime means in terms of cost impost for those different categories of player.

Senator CONROY: John, do you think that the Commonwealth should cover 100 per cent of any of the extra expenses? Is that the industry's position?

Mr Stanton : We certainly were warmed by the PJCIS recommendation along those lines the last time the committee looked at it. There are a number of considerations around whether these are data that are already being retained for business purposes or whether they are being created or collected for the first time just for the regime. Mike, do you want to add to that?

Mr Elsegood : First of all, we need to break it down into the sorts of data that we are talking about. There is usage data, which is just how the customer uses the service, and there is more static information about who the customer is. On the consumer side of our businesses—who the customer is and what sorts of services they have—we keep most of that sort of information for two years or so. That is for a range of reasons. Firstly, it is to deal with the customer themselves. Secondly, it is to deal with any complaints they might have through the industry ombudsman scheme and those sorts of things. That might vary, though, on the business side—servicing corporate and government customers. For some of those customers, there is no business reason to retain the information if you do not have that customer any longer. On the usage side is where I think there is probably a greater discrepancy. Some service providers might be billing on a fairly bulk basis and would not be collecting fine-detail information about the customer's services. In that sense, they may not have the detailed usage records that might be required out of a data retention regime. On the mobile side, any information about mobile location may not be being stored in systems at all because there is simply no business reason to keep track of where your customers are. From an operational point of view, you may keep that for a very short period of time to deal with customer complaints or technical complaints about the operation of your network. So you might keep some short-term records about how your network has been performing. But in the long term you would not be keeping that sort of stuff.

Another thing that comes into play is compliance cost. There is a cost involved in going through all of your services to make sure that you are meeting the legislative requirement once it comes into place. And there is an associated cost in just building a search process—and Peter alluded to that before. There is no point in having this data if it cannot be searched. You have got to make sure that you have indexed it on the searches that you know are going to happen, and you have got to have a machine that can search through data in a reasonable period of time so that you can respond back to the agencies. So you have got to have that to go with it. It is not just a matter of sticking it on drives that you buy from Dick Smith or Officeworks and just storing data on disks. It is a more complex situation than that.

Mr CLARE: Following on from that, I have a series of questions about the timetable that the department expects for getting some accurate information on how much this will cost industry to comply with the legislation. Can you provide us with any thoughts that you have on how this process will work over the Christmas break and through January? This is part 2 of the working group's activities, isn't it?

Mr Stanton : We know that PwC has reached out and is working with a whole range of service providers at the moment—including the two on my right. I do not have overall visibility as to how successfully that is proceeding and whether they are asking the right questions and drawing out the data they need. I am not sure if Michael or Peter would like to comment.

Mr Froelich : In terms of developing those costs, from an industry perspective there is still a fair bit of work to do to work through our standard engineering processes to do requirements and solution definitions to get to a fairly solid business case in our internal models. From a larger industry perspective, it will take us a further six months worth of work to develop those really detailed costings. Everything we are doing at the moment is a very rough order of magnitude costing, and over a two-year build period. So it is very rough stuff at the moment.

Mr DREYFUS: Are we likely to get those costings any time soon?

Mr Stanton : I honestly cannot be certain. I know that the working group has that as its next phase of work and has an objective to provide material in a timely fashion for the committee and before the bill is next debated.

Mr Stanton : I honestly cannot be certain. I know that the working group has that at its next phase of work and has an objective to provide material in a timely fashion for the committee and before the bill is next debated. Certainly as we have said in our submission, we would be quite concerned if the bill was finding its way into law before we have answered the riddle of what the costs are and what the shortfall is.

Mr CLARE: That would be a concern for us, too. We are expected to report by the end of February and I would expect then that legislation would be debated sometime after that. What I am hearing is that it is possible that we may not know what the total cost of this scheme is at that time or, because the government is proposing to fund part but not all of the cost of the scheme, at that time when we are considering our own recommendations but the parliament is debating the legislation, it is possible that we will not know how much of that cost will be passed on or what the total quantum is of total costs that will be passed on to consumers.

Mr Stanton : I wish I was in a position to make a strong prediction about when it will arrive, but I am afraid I am not.

Mr CLARE: Right. I might just turn to a different topic. I think one of your first recommendations was about how much of the dataset can should be embedded in legislation. I am interested in just exploring that in a bit of detail in terms of the certainty that provides for industry. The government has been doing some work in red tape repeal in the communications space in a very cooperative way with industry, and it has had, by and large, support from both the telco sector and consumers.

Mr Stanton : Yes.

Mr CLARE: One of the advantages I would think of embedding as much of the dataset as possible in legislation is that the certainty provides for industry as well has the ability of industry to be able to adapt to any changes in a more methodical way rather than having to deal with quick changes to regulations and scope creep that can emerge. Can you tell me: what is the difference for industry, from an industry point of view, of having the dataset in legislation as opposed to regulation?

Mr Stanton : I think it provides a greater level of certainty about what is going to be required and a degree of assurance that changes cannot be made in a less than disciplined way. We certainly recognise the good intent behind the way that the dataset has been created. We have had concerns about the use of open-ended language in the dataset and the general concern I guess that, a few years down the track when the passage of this legislation is a matter of history and service providers are dealing with agencies, if it is possible to change the regulation and expand the scope of the regulation quite quickly and without proper oversight, then the beast we are creating might look very different and might impose much larger imposts on industry without necessarily there being a commensurate addition to security. So we have raised the general point in our recommendation. To be honest, looking at the dataset we find it a bit hard to see how you would split it up and put some in legislation and some in regulation, but we have a general preference for it being in the bill.

Mr CLARE: Thank you. This is my final question, Chair. In your submission you explore the possibility that you could have a different time frame for the retention of telephone data as opposed to internet data. I am interested in a bit more information on that. I know that that is certainly the case in other countries. From industry's point of view, that would not create any problems for different telcos, if that were to be the case?

Mr Stanton : No, albeit that at least one of our larger members has stated a preference for having a single duration of retention across all services for planning and system simplicity. The majority of others have said that they would prefer a shorter period for IP related data. So that was the basis of our suggestion that, if the government agrees to a shorter duration for IP data, there still be the ability to retain for a two-year period that internet related data without infringing the privacy act.

Mr CLARE: Thank you.

Mr DREYFUS: I see from the schedule to your submission that different countries have opted for, in some cases, radically different periods for telephony data as distinct from internet related data. Are you able to explain why there is a preference for a shorter period for internet related data?

Mr Stanton : It relates mainly—as far as we have seen from looking at the EU countries, in particular—to the same sorts of issues we have identified. There are storage, maintenance and other costs associated with IP data, which is typically growing at a much faster rate than telephony data; the longer you need to store it the more it is going to cost. Also, there is a general recognition in many of those jurisdictions that it is the younger data, overwhelmingly, that is useful to the pursuit of serious crime and national-security issues.

Mr Froelich : As a slight extension to that, you might also consider the maturity of the product. The traditional public switched telephone network is obviously a much more mature technology product, and the billing functions and cycles around that are already well in place. You will hear that law-enforcement agencies already access that information. They get very good access to billing records from traditional public switched telephone network metadata or billing data. It is less problematic, perhaps, than the volumetric type billing exercises we do in internet data.

Mr DREYFUS: And presumably no one has to build a new system to produce traditional telephony data, if I can call it that.

Mr Froelich : Yes, because a lot of the billing systems already enable those sorts of functions, traditionally anyway.

Mr Stanton : Our own telecommunications consumer protections code, which I do not think was mentioned this morning, explicitly requires retention of billing data for six years to be able to provide it back to customers.

Mr DREYFUS: You probably cannot answer this question. How much impact does a retention period of two years as distinct from six months have on the cost?

Mr Froelich : Again, it depends on the maturity of the products. As we just discussed, a PSTN has zero impact. You have the data anyway. For internet products I think the discussion before was about there being fleeting or transient information on the network. You have to build systems to take that fleeting or transient information to put it into a centralised location to be able to sift, sort and deliver that information. So the difference in cost, as I tried to allude to before, is exponential based on the number of transactions. As Chris mentioned, that exponential growth in data means an exponential growth in transactions which, again, adds to the storage and security functions—the boring stuff—around housing it with power and air conditioning and floor space, all those sorts of things that are not very sexy to talk about in this type of environment but are real costs and actually drive up the end-cost to the telcos.

Mr DREYFUS: I wanted to ask you about something you mentioned at page 16 of your submission, under the heading 'Efficacy'. It is the part of your submission where you talk about over-the-top secure-messaging apps and the use of VPN, and you put it forward in the context of whether use of VPN or secure messaging apps or encryption of various kinds might render mandatory data retention ineffective. It is a fairly short part of your submission. Are you able to elaborate on that?

Mr Stanton : Certainly we think the technological means available today, to get around the data-retention regime will by definition make any regime less effective. There are many circumstances where things such as VPNs, encryption on various types of mobile phones and other techniques are being used by the 'clever' bad guys to effectively remove themselves from the reach of many—I am sure not all—attempts to detect their communications.

For us, this is something of a double-edged argument to put in a submission because you could argue on the one hand that, for the effectiveness you gain via a data retention regime given the inherent holes not just in Australia but all around the world, it may not be worth the additional cost. Equally you could make the argument that because there are holes you should make the pieces you can cover as absolutely stringent as possible. That is not an argument we are advancing, but we think it is an issue worthy of considering in the overall picture.

Mr DREYFUS: Are you able to tell me anything about best practice for storage of sensitive personal information in the industry? I ask in the context of a recommendation made by this committee in its 2013 report. The precise wording of the recommendation was, if there were to be a mandatory data retention regime, that:

the data should be stored securely by making encryption mandatory …

Would that be something you would favour—that the government mandate encryption at the same time as mandating retention?

Mr Stanton : The service providers already need to comply with the government's Information Security Manual and with the Protective Security Policy Framework, which are both pretty stringent requirements that need to be met today. Peter, perhaps you might be better placed to address the question directly.

Mr Froelich : I think the two documents, the PSPF and the ISM, that John has raised are trigger documents. In fact, whenever we go through any cost-recovery exercise with the government those are part of the compliance objectives the government puts in front of us. So we have very stringent requirements around security. But, beyond that, as an industry, we have every reason and every intention to protect the privacy and security of our customers. For our industry members, there would be no reason why we do anything less with their data under this regime than we do under anything else. All of those security structures and tools available to us—firewalls, physical security and encryption—we would put in place to ensure that our customers' privacy and security is maintained along with the interface with government as well. Those are standard practices now in the way we deal with law enforcement and national security and the way we deal with customers' data.

Mr DREYFUS: There have been a series of high-profile data breaches in recent years. How well can the industry guarantee the security of the stored personal telecommunications data that we are talking about here?

Mr Stanton : In this day and age, I guess it is impossible to provide any absolutely ironclad guarantee that there could not be a successful attack on a network. I think the industry in Australia is very security capable and certainly would pay very diligent attention to its obligations in that regard, as it does today, but I do not think it is possible to guarantee the integrity of any network anywhere in the world. As you say, there have been high-profile breaches recently, not so much in Australia but overseas, that demonstrate that even very hard networks are not impregnable.

Mr Elsegood : I will just add an observation to that. In meeting these data retention obligation we need to recognise that particularly law enforcement liaison units within businesses will be accessing that information and so we need to put security around that for the reasons that Peter has mentioned. One of the options that may be considered is putting all of this data onto its own system, its own separate database, so that the only people who can access that system are the law enforcement liaison unit staff and it is not available for other people in the business and so, therefore, it is not linked out into the wide world where people can attack it from. That is one of the options that providers could give very serious consideration to. We would not regard that as gold-plating; we would regard that as perhaps reasonable business practice in the circumstances, given the need to protect the interests of the agencies in terms of the things that they are asking us to do, as well as the privacy impacts et cetera, from our business point of view, of that information not getting out into the public domain.

Mr CLARE: I have a final question perhaps to representatives of Telstra and Optus. You could use the case that the cost of the scheme is not fully funded by government, and, as you say, there is an exponential growth in data that will be retained over time. To deal with or address that gap in cost, will Telstra and Optus pass the cost of administering and operating this scheme onto their customers?

Mr Froelich : It is a difficult question to answer, but I guess in terms of how we run a business, everything gets paid for somewhere. There would be an expectation, I guess, that there would be transactional costs in dealing with law enforcement and national security and that those transactional costs should cover somewhat towards the life cycle of running a system like this. That is not particularly clear at this stage. I do not have any clear direction from the proposals at this stage how that could run if we were to call that day 2 operation of a system like this. I do not really have a clear indication—

Mr CLARE: So you are looking for clarification about cost-recovery for opex, effectively?

Mr Froelich : Those transactional costs down the track, yes—clarification around that.

Mr CLARE: But, if there is a cost gap in capex, can you rule out passing that cost onto customers?

Mr Froelich : I am not in a position to rule in or out anything at this stage. I can compare it, perhaps, to the way we run interception functions in cost-recovery in interception, and those incremental costs on interception, up to a point, are borne by law enforcement and national security, and so my expectation is—

Mr CLARE: Through a cost-recovery mechanism?

Mr Froelich : Yes, there is a partial cost-recovery mechanism in place for lawful interception components.

Mr CLARE: But we understand, in relation to the way this scheme will be established, that government will provide funding for either a substantial amount or a reasonable amount but not the total amount, so there is a gap.

Mr Froelich : But there is also a lack of clarity around opex but also a lack of clarity around if there is an alteration to the recommendation or the regulation in day 2 or day 102—if that alters our business model, will government come back and re-address those as well? So we do have a lack of clarity around the ongoing structure of the legislation.

Mr Stanton : As a general point, it is fair to note that at least one of our larger members has publicly stated its opinion that, in those circumstances, there would be a cost passed through to end-user customers. That was not Mr Froelich's organisation but another one among the top 10 in Australia. So that certainly is in the minds of some providers.

Mr CLARE: So it would not be misrepresenting the industry to say that some members of industry have said they will pass it on; others at this at this point cannot rule it out?

Mr Stanton : Some have certainly said that their assumption is that it would end up being passed on. I do not think they have made a formal commercial decision at this point, but they have said that their assumption is that that is the way it would go.

Mr DREYFUS: This is a technical question. The Attorney-General has suggested that we could think about metadata as the envelope that can be entirely distinguished from the content of the letter inside. Since that analogy was offered, quite a number of technical experts and industry representatives have raised serious doubts about that analogy and suggested that there are some very significant challenges that exist in separating the content of some communications from the metadata relating to the transmission. Are you able to speak to the committee about the technical challenges in maintaining what is, according to this bill and according to the second reading speech and according to the explanatory memorandum, a critical distinction between content and data? Perhaps to go on and flesh it out, how would that separation be maintained in practice?

Mr Stanton : I will let Mr Froelich open the batting on that one.

Mr Froelich : In terms of the comparison with the envelope, yes, I have heard that. But perhaps if we talk about more specific case points; perhaps email as a case point. The to address and the from address on an email are quite clearly pieces of information that are in scope; the subject line on an email is considered to be content, but it sits within the addressing information of that piece of technology. We would have to do post processing of each email to just pull out the to and the from email addresses and the time stamping, and I think the size of the email is still in the structure perhaps—I am not sure on that. We would have to actually create that piece of data retention information by pulling apart the email, pulling out the pieces that are relevant and storing those in a separate file function, a searchable file function, elsewhere. There is what we call in a technology sense—you would have to pass that information to extract the pieces you want and do a packet inspection to pull out the parts you need.

Mr DREYFUS: That phrase you have just used, 'packet inspection'—just pause for a moment on the email example. We have hundreds of millions of emails being sent in Australia every day, all of which are going to be captured by a mandatory data retention requirement. What would have to be done in order to maintain the distinction between content and the telecommunications data that is being retained?

Mr Froelich : Effectively, we would have to build a quasi-interception machine to actually intercept each email and pull out the information we want, and then send that off to a separate storage function. If you will, it is a quasi-interception function to do that. A full interception function is more simplistic in that you just take everything that is there, under warrant, and pass that on, whereas this data retention regime would require us to unpick it and put aside the pieces that are required. The technology is perhaps not overly challenging from an engineering function—given enough time and money we can build anything—but the concepts of actually unpicking it and putting it aside are certainly a little bit more challenging than perhaps meeting the standard TIA Act interception obligations.

Mr DREYFUS: But the same problem does not arise, presumably, with traditional telephony?

Mr Froelich : There are some components of traditional telephony that are a little challenging under data retention. There are functions called uncompleted calls where we do not create billing records. Those sit as transient pieces of information within the outlying parts of our network, so you would have to actually drag all of that information into a central location as well. We keep completed calls and we bill a customer for those. Those functions are pretty simple. That is available now. It is uncompleted calls that cause some extra work in pulling those out of the network and storing them.

Mr DREYFUS: And what about with texts?

Mr Froelich : I think text messages are not particularly onerous in that there is a to and a from field and a billing function for those. We discreetly bill for those and the actual text line does not exist in the billing function. That one I do not think is particularly onerous for us.

Mr DREYFUS: Good to hear of something that is simple! And what about internet more generally?

Mr Froelich : This is where it starts to get a bit overly technical. Perhaps you have heard people talk about IP version 4 and IP version 6 in terms of addressing space—the length of the address field? It depends on the type of network you are running, but then even if you are running the latest version of IPv6 addressing, where each thing can be uniquely addressed, the way networks are structured you might do tunnelling and send an IPv4 communication stream within another IP structure and so it starts to get overtly complex in how those are done. Because of the way the IPv4 addressing space is run out, they are reused; IPv4 sessions are reused typically hundreds of times.

Mr Froelich : Yes. So dynamic address allocation happens now and that will be, I guess, a difficulty for the law enforcement side of things to produce a disclosure request with fine enough granularity to ask for a particular IP address down to millisecond, to ensure they get the right information in their disclosure request because those transactions are happening at a very fast rate.

Mr Stanton : At the carrier level, there is also a big difference between providing an IP access service and the way you can collect data about that service, as opposed to an over the top service which may be operated by another entity who may not even be in Australia. There are elements of IP that are either difficult to collect or are essentially uncollectable at least from a service provider point of view.

Mr Froelich : Perhaps I can be a little bit more confusing—

Mr DREYFUS: You are doing quite well so far!

Mr Froelich : I am trying to put it as simply as I can but it is a difficult topic. When you are looking at those overseas transactions and you see an IP address coming from Australia that is not actually the IP address the customer is using. The customer is using a private IP address that is allocated to them by the carrier and the carrier translates that to a public IP address to use in the public internet. I apologise: it is a very confusing topic, but there are those ways of using the same IP address multiple times to deal with all of the customer base we have in Australia.

Mr Stanton : So either side of the router there will be a different IP address being used. The service provider cannot necessarily see beyond the router to which device is being used by which IP address on the customer side of that barrier. It does create additional complexities.

Mr DREYFUS: And is that a function of over the top generally which is not even calling for any use of any kind of security devices or masking or encryption—it just is a feature of the system?

Mr Stanton : Yes. The last point is it is just a function of the need to try to make a finite number of IP addresses to serve the world.

Mr DREYFUS: What is that number? Is it in the order of about four billion?

Mr Froelich : Four billion.

Mr DREYFUS: And that is the finite number of IP addresses under the current system, which is why we have dynamic identifiers.

Mr Stanton : That is right. IPV6 is arriving.

Mr DREYFUS: Forgive me: I'm a lawyer.

Mr Stanton : Chairman, I am wondering whether I could make one offer to the committee, which is to provide some further information about an element discussed in testimony this morning which may be confusing—around the comment made several times that there is a real problem in moving to Voice over IP because once you move to Voice over IP on the NBN or elsewhere suddenly there is no data to retain in the traditional telephony sense. The reality is that at the product and application level a Voice over IP is not a homogeneous technology. There is over the top VOIP like Skype applications and those sorts of things. There is also carrier grade Voice over IP which many service providers have been using successfully for years. There will at some point be mobile Voice over IP once we start using Voice over LTE on 4G networks.

So the suggestion that the onset of Voice over IP means disaster for the data that agencies will be able to access was somewhat overstated. I wonder whether it will be useful for us to prepare a one-pager on the different types of Voice over IP and the data that these throw up and make available, just as a matter of clarity.

CHAIR: I am sure, if you want to provide some additional material, you would be more than welcome to do that.

Mr Stanton : Thank you.

CHAIR: Thank you for giving evidence at the hearing today. You will be sent a copy of the transcript of your evidence to which you may suggest corrections. If you have been asked to provide any additional material please forward it to the secretariat as soon as possible. If the committee has any further questions, the secretariat will write to you. Thank you for coming this afternoon.

Committee adjourned at 15 : 14