- Parliamentary Business
- Senators & Members
- News & Events
- About Parliament
- Visit Parliament
Parliamentary Joint Committee on Intelligence and Security
Potential reforms of national security legislation
- Parl No.
- Committee Name
Parliamentary Joint Committee on Intelligence and Security
Ruddock, Philip, MP
Faulkner, Sen John
Danby, Michael, MP
Wilkie, Andrew, MP
- System Id
Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Table Of ContentsDownload PDF
Previous Fragment Next Fragment
Parliamentary Joint Committee on Intelligence and Security
(Joint-Wednesday, 5 September 2012)
CHAIR (Mr Byrne)
Deputy Commissioner Pope
Det. Insp. Seagrave
Det. Supt Bamford
- Mr DANBY
Content WindowParliamentary Joint Committee on Intelligence and Security - 05/09/2012 - Potential reforms of national security legislation
HEALY, Mr Matthew John, National Executive, Industry and Policy, Macquarie Telecom
ZULL, Mr Christopher Matthew, Senior Manager, Industry and Policy, Macquarie Telecom
CHAIR: Welcome. Although the committee does not require you to give evidence on oath, I remind witnesses that this hearing is a legal proceeding of the parliament and warrants the same respect as proceedings of the chamber itself. The giving of false or misleading evidence is a serious matter and may be regarded as contempt of parliament. The evidence given today will be recorded by Hansard and will attract parliamentary privilege. I invite you to make some introductory remarks before we proceed to questions.
Mr Zull : Macquarie Telecom delivers a full range of hosting data of voice and mobile services to business and government customers. Established in 1992, Macquarie was one of the first new entrants when Australia's telecommunications sector was liberalised. Macquarie was publicly listed on the Australian Stock Exchange in October 1999. Later this month Macquarie will officially open its $60 million data centre in North Sydney. In the light of Macquarie's business activities it might be that the Attorney-General's Department, AGD, considers that Macquarie operates a system of national security.
Macquarie Telecom notes that the committee's terms of reference for this inquiry are wide ranging. In its capacity as a carriage service provider, CSP, and as a data centre operator, Macquarie's primary area of interest with regard to the committee's terms of reference is: why the need for telecommunications sector security reforms? We understand from the AGD's discussion paper that these reforms involve an industry wide obligation on all carriers and CSPs to protect their communications infrastructure and data. It involves carriers and carriage service providers undergoing assessments and audits in order to demonstrate compliance with this obligation. It also involves establishing powers to direct carriers and CSPs and a financial penalty regime to encourage compliance with the regime. However, we note the details of the reforms as set out in the discussion paper are, at best, vague.
Against this background, Macquarie wishes to comment on four key areas. Firstly, the justification for these proposed reforms. Macquarie queries whether these proposed telecommunications sector security reforms are sufficiently justified. We think any form of regulatory intervention necessarily involves an imposition of costs. Therefore, it is essential that any regulatory intervention is properly and rationally justified.
Macquarie accepts that the security of Australia's telecommunications network infrastructure is important per se and to take action to protect it is in Australia's national interest.
Mr RUDDOCK: Only that?
Mr Zull : Absolutely.
Mr RUDDOCK: For national security reasons we should only protect—
Mr Zull : Criminal activities—we accept that. We understand the need for security. We have no problem with that.
Mr RUDDOCK: It is broader than just protecting your infrastructure?
Mr Zull : Absolutely. The point to make here is that, at the same time, carriers and carrier service providers and other players in the broader communications sector are highly motivated to ensure the security of their own network infrastructure, their systems and their data. After all, that is the proposition that we put towards our customers. So with a clearer alignment between the interests of industry players and the government on the need for network infrastructure and data security Macquarie queries whether the proposed legislative reforms are necessary—in other words, what is the problem that the proposed reforms are attempting to solve? What is broken that needs to be fixed?
The second point concerns the proportionality of the proposed reforms. Even if the proposed legislative forms can be justified, Macquarie queries whether the powers that would be given—and this would presumably be to the AGD—to issue directions to carriers and CSPs and the proposed financial penalties on carriers and CSPs are proportionate. In other words, is it really necessary for the AGD to be able to be potentially strong and threatening powers to force industry players to do things that they are already motivated to do?
Macquarie considers the alternative course of action to the legislative reforms proposed by the Attorney-General's Department is industry self-regulation. Such a model could involve, for example, the following measures: a voluntary obligation on carriers and CSPs to protect their telecommunications infrastructure networks and systems and a voluntary commitment for carriers and CSPs to comply with an industry code of practice concerning competent supervision. These measures could be enforced by an industry code or an accreditation scheme promulgated by a representative industry body such as the Communications Alliance or Aus Hub. Macquarie believes this type of industry led intervention would be more effective and less costly to implement than the legislative reforms proposed by the AGD.
The third point concerns the reach of the proposed reforms. Macquarie is concerned that the proposed telecommunications sector security reforms apply only to a limited range of industry players—that is, carriers and CSPs. On the face of it, if the infrastructure, data and services of pay TV, free-to-air TV, radio networks and data centre operators were not subject to the reform proposals, this would appear—to us—to deliver to a significant part of Australia's communications infrastructure potentially exposed to security risks. Rather than starting with the convenient grouping of carriers and CSPs, Macquarie believes that the proposed reforms might be better matched with potential high impact security risks if the focus of the reforms was, firstly, on operators and service providers of sensitive communications infrastructure data and services—irrespective of whether or not they are also carriers and CSPs—and, secondly, on Australian service providers who store sensitive data in data centres which are located outside Australia.
The fourth point I want to touch on is data retention. Macquarie notes that the committee's terms of reference require it to consider:
Applying tailored data retention for periods for up to 2 years for parts of a data set …
There is no further elaboration on this matter in the AGD's discussion paper. It is clear that the volume of data being created by industry is increasing significantly and so too is the cost of storing and approving data. Macquarie expresses its in-principle concern about any data retention scheme that would impose a significant additional cost to industry.
In closing, let me reiterate the four points that Macquarie wishes to bring to the attention of the committee. Firstly, Macquarie queries whether the proposed telecommunications sector security forms are justified. Secondly, Macquarie queries whether the AGD's proposed powers to issue directions to carriers and CSPs and to impose financial penalties are proportionate. Thirdly, Macquarie is concerned that, if reforms only involve carriers and CSPs, infrastructure and data managed by other industry players would be exposed to possible security breaches. Fourthly and finally, Macquarie expresses caution against any data retention scheme which would impose significant costs to industry. That said, we acknowledge that security of infrastructure and data is a shared responsibility between the government, industry and consumers.
CHAIR: I just have a very quick question to start with. How long do you hold data like billing records and stuff like that? What is the longest period of time that you would hold that sort of information?
Mr Healy : Information that we retain is dependent upon two issues. One is the contract that we have with the customer, so we if have a longer term contract with our customer we are likely to keep the information for longer. It also depends on what service the type of billing information applies to. The easiest example would be a mobile phone record where we keep the details of the number that was called, who was called and when and the duration of the call. That is billing information. That is how we bill. We would keep that for more than two years and, in some circumstances, over seven years.
CHAIR: And that information is stored on computer records somewhere, is it?
Mr Healy : That is correct.
CHAIR: What do you do to protect the security of that particular data that you hold?
Mr Healy : That information would be kept securely within Macquarie Telecom's own data storage network, so there would be no third-party access. It is not information that we would keep on a server or that would be retained on a facility that would be able to be accessed by a third party.
CHAIR: Is it a hard copy?
Mr Healy : No. It is literally—
CHAIR: A separate computer bank?
Mr Healy : Yes. It is a virtual filing cabinet, as it were.
CHAIR: You talked about the compulsion. You are aware of the fact that within existing legislation there is the capacity for the government to basically take over the telecommunications carrier. I just want you to flesh that out. Given that that power exists with the government at present and can be used—particularly if the government believes that your telecommunications carriers are not cooperating with the government, particularly with respect to security issues—how are some of the proposed reforms there greater than that power that the government already holds?
Mr Healy : First of all, we are not aware of that power ever being used. At least, I am not aware of it. Perhaps—
CHAIR: No, it has not been.
Mr Healy : No. It was explained to us in discussions with A-G's, going back some time, that it is almost a power to be used in times of war, as an example. So we see that as a different activity than some of the security focus in the discussion paper. Without the detail being there, we saw that there was an alarm bell being rung that would see a greater scope in potential use of those services.
CHAIR: But you would acknowledge that that power—which, as you say, has not been used and may be used in times of war—is an enormous power. I am looking for clarification as to what you have seen in this proposition that is greater than that power that already exists with the government.
Mr Healy : I think it is more opportunity to use it. Directions powers seem to be expanded. Penalties for certain activities are unknown. They seem to be very different than just the reserve power, as it were, to step in and operate in times of crisis.
CHAIR: Like the reserve power of the Governor General? That has been used!
Mr RUDDOCK: I would just like to get some idea about Macquarie. Are you related to Macquarie Bank?
Mr Healy : No, we are not. We are a separately listed company. We are Australian owned. We have been around about 20 years.
Mr RUDDOCK: What proportion of the market do you believe you represent?
Mr Healy : We target the corporate and government market, so that means we sell services typically to customers that have perhaps 4,000 to 3,000—
Mr RUDDOCK: Would you represent 10 per cent of the telecommunications market? One per cent? 50 per cent?
Mr Healy : I think it is widely known that Telstra has 93 per cent of the profits in the telecommunications sector.
Mr RUDDOCK: I am just trying to get an idea of your scale.
Mr Healy : We have 500 employees. We would say that, in that market—
Mr RUDDOCK: So you are a minor player, are you?
Mr Healy : On a qualitative basis, I think we would see ourselves as a major player.
CHAIR: Well put!
Mr RUDDOCK: I look at the submission that we have from the Attorney, and paragraph 3.1 talks about industry consultation. There are points made there by industry: the desire for a level playing field and clear guidance, the need for certainty and flexibility. It does not suggest opposition. Does that mean you are at variance with the rest of the industry?
Mr Zull : I think the point we made earlier is that we understand the need for security. That is why we have invested $60 million in security.
Mr RUDDOCK: It seems to me that you are interested in security of your organisation. Your submission did not seem to me to have any understanding of broader national security interests that you might need to address through mining data.
Mr Healy : That was not the intention of the submission.
Mr RUDDOCK: With your focus on security, it struck me that you are interested in the way in which you can protect the security of your operation. I am saying national security is something far broader and it is a question of proper participation. If it were protecting national security, which is in the national interest, would you be prepared to acknowledge that, provided it was a level playing field across the industry and you were doing your bit, it would not cause you any problem?
Mr Healy : No, I think the purpose of our submission was to bring it to the attention of the committee that there is an incentive for operators to provide secure networks and to provide security of the information they receive from their own customers, because that is in a sense what we sell. Perhaps I can contextualise. Macquarie Telecom provides the internet gateway services for the Department of the Prime Minister and Cabinet. You could imagine that we would have a significant interest in ensuring that that information is kept secure and that it is retained and dealt with at a high level of security. In that sense we wanted to bring it to the attention of the committee that the market is responding to the need for cyber security. We are not saying that means that the entire Australian network and national security is in perfect hands, but we want to bring it to the attention of the committee that there are market responses going on that ought to be taken into account when thinking about what the broader regulatory arrangements should be that affect all players.
Mr RUDDOCK: But I just want to get to the point: you are not saying that data should not be retained for broader national security purposes; you would be prepared to accede that in the industry's discussion with the Attorney-General's Department there would be a level playing field.
Mr Healy : Certainly we think discriminatory application laws do not constitute a good approach. I suspect the committee would agree with that. But we did want to bring it to your attention that information of a certain type is being retained already and that the security of that information is kept at a very high level in companies like Macquarie Telecom. We make significant investments to protect that. Therefore, the market is responding to these issues, and we thought it was important for you to hear from the operators on that. I note that there are also submissions from industry representative bodies like Communications Alliance and the Australian Industry Association that also make these points, but we wanted to put our particular experiences here before you to assist with your work.
Mr RUDDOCK: If we look at ATV, free-to-air TV and radio networks as distinct from telecommunications bodies, why do you see them as engaging in activities that may require the government to ensure that they keep all of their information for a two-year period?
Mr Zull : We do not accuse them of anything. It is a simple case that there seems to be a convenience—
Mr RUDDOCK: You seem to see them as—
Mr Zull : They have communications infrastructure like we have. It is a digital world these days. What we are saying is that there seems to be a convenience in being able to capture carriers and carriage service providers under the Telecommunications Act. We are saying that there are others in the industry that also have systems that we would think of as national security.
Mr RUDDOCK: I am saying: why would you argue, under the sort of regime we have acting upon an organisation like your own, that these are equivalent? Do you think terrorists might be using pay TV or free TV in a way that would require us to keep the information that they have?
Mr Healy : In some instances pay TV services became more interactive. There is an online real-time interaction between the customer and the provider, and therefore there is the ability to send and receive information. That looks to me a little bit like some of the activities an ISP performs.
Mr RUDDOCK: I would be more interested if they had a capacity to interact with other customers rather than the provider.
Mr Healy : I think that would be a matter for those network operators. Our point is that if we want to be able to ensure that similar information is kept and retained by similar digital network operators then it may be that the net would have to be thrown wider than the current focus—carriers and carriage service providers.
Mr RUDDOCK: I am really looking for evidence rather than speculation as to why we should look at casting the net wider and what evidence you are giving me that it should be—that pay TV, free-to-air TV, radio and TV networks be seen as equivalent.
Mr Zull : We have had discussions with AGD. I think the point is that there is communications infrastructure out there. To just carve out telecommunications is somewhat arbitrary. The government has had a convergence review. We are still looking at the blurring lines between telecommunications and broadcasting and other forms of digital interaction. We think it is just an arbitrary way of carving that out.
Mr RUDDOCK: I do not think it is arbitrary at all; I think it is very specific. It is looking at those who have a capacity for people to be able to interact in terms of preparing terrorist acts or whatever. Where are you likely to find that sort of information? I am looking to you for evidence as to whether or not you could get that information off a radio network or free-to-air TV. You are saying we should cover them in the same way and I am saying: what is the evidence that suggests that it should?
CHAIR: Do you want to take that on notice and get back to us?
Mr Zull : Certainly.
Senator FAULKNER: I note in your submission, Mr Zull, that you point out—I think, correctly—at the bottom of page 3 the fact that there is no draft legislation; there is not. That leaves you with a practical difficulty in making comments on reform proposals which are not set out in detail, and I acknowledge that. That is a fair comment for you to make. Then you go on to say:
Macquarie understands that draft exposure legislation will be available in a further round of industry consultation …
What leads you to that conclusion?
Mr Zull : Discussions that I have had personally with members of the Attorney-General's Department.
Senator FAULKNER: So you have received commitments from officers of the Attorney-General's Department that your organisation—Macquarie Telecom; I do not mean other organisations—will be able to pass comment on draft legislation when that has been developed?
Mr Zull : I do not know about commitments but certainly we have had discussion to say that there would be exposure draft legislation to come. It seemed to us to be a bit unusual that there was no draft legislation at this point. We asked whether we would expect to have that. The answer was, 'Yes, we would expect that in due course.'
Senator FAULKNER: With respect, your submission says:
Macquarie understands that draft exposure legislation will be available in a further round of industry consultation …
That is what I am focusing on. I may be misunderstanding you, but that is slightly different. I am assuming that you have got some form of commitment that there will be a consultation process with providers such as you once the draft legislation is available.
Mr Zull : That is what I understand to be the case.
Senator FAULKNER: Thank you for that. It is slightly different from what you were saying a moment ago. That is a commitment—I am using the term 'commitment' but you are using the term 'understanding'. That is your understanding. Do you have any understanding of the timing of that?
Mr Zull : No. Sorry, I will clarify that: only to the extent that I suggested, given the timetable for this hearing, that it would probably look like next year rather than this year, meaning next calendar year. The response I got was to agree with my position.
Senator FAULKNER: Sure. The only reason I am asking you this, Mr Zull, is that you know more about it than I do. I thought you might be able to help me in my understanding of what is being proposed. I am sure you know more about it than any other member of the committee. You would hope that is good process if there is draft legislation. With organisations that are affected, like your own, there should obviously be an opportunity for consultation.
Mr Healy : We would like to note that the Attorney-General's Department has been very open to discussions with us on these broader issues. I know there has been significant engagement between AGD and the peak industry group, Communications Alliance; that has been going on for many months.
Senator FAULKNER: To be frank—just so you are clear, Mr Healy—I give Macquarie Telecom credit for making a public submission and fronting up to the committee. I am not going to beat around the bush about that: I give you credit for doing that. I appreciate the fact that that is the approach you have decided to take. I certainly think it is absolutely understandable that you have focused on the possible cost implications of legislative change to your company. Are you able to share with us whether you have done any preliminary work, given the terms of reference of the committee and the areas that are being explored? We know, of course, that some of these are matters that the government wants to progress; some of these are matters that this committee is considering and that the government wants to consider; and some of these are matters that the government wants to hear our views on. But given that the government wants to progress some of these matters—they are outlined in our terms of reference and other categories as I have outlined—have you done any preliminary work about the financial implications for your company?
Mr Healy : We have not gone to the point of trying to directly cost what might be a hypothetical range of activities. What we have tried to focus on is to understand what might be the implications of having to retain records of a kind that we do not retain at the moment. Before we can put any numbers to what that might be, we need to understand what we would need to do. Is it to simplify matters? Do we need to buy certain storage equipment? Do we need to allocate more resources from our security area to protect some information in a certain manner? It is only after we have done that that we can then go and say, 'What's the cost of that?' I am sure that the number would be something—
Senator FAULKNER: Yes, I know, but you have had a preliminary look at it, haven't you? That is the thing. Would that be fair to say?
Mr Healy : That would be fair to say, and the preliminary view is that this is a very different circumstance to our ordinary business activities of the kind that I used before when I talked about the retention of mobile phone records, where we keep them for business reasons. They are the sorts of information that we have kept for many years, and it is part of doing business. In the world of retaining information about internet services and ISP services—records around traffic flows between some of our customers—we do not retain a lot of that detail, because we do not need it for doing business. What our customers want is a connection—a pipe—that they can use to access the internet or access communications between offices. So we have very specific, detailed records about the operation of that pipe—its performance, its speed and the latency involved. We are highly detailed around that, because that is what we sell. We do not sell the usage of that pipe, as it were. We do not sell individual emails to customers, so we do not keep that information. The networks runs off looking up, in a real-time sense, tables of routing information and code. Again, that is only used at the time of the transmission of the email. That sort of information has no need, from our business perspective, to be kept. So, whilst we have no detail around what retention arrangements might be being proposed, it just stands to reason that, if they move outside the area of our current business activities, there would need to be a cost associated with being able to do that work.
Senator FAULKNER: I have asked this because I had assumed that at there would be the government's intentions, which are clear in some areas, and then there are some other proposals and considerations, if you like, in some other areas. But the government's intentions are clear, and I wondered whether, in an organisation such as yours, this would be impacting upon any of your financial planning. I was not going to go to a dollar figure, but just in the broad I am trying to understand what those implications might be.
Mr Healy : I think I can point to the industry representative body submission where they do talk about a wide range of figures and they do talk about a number between tens and hundreds of millions of dollars for the sector.
Senator FAULKNER: Yes, but it is one thing to have a representative body of industry, and of course I respect that, but it is another thing to have before us an actual provider who makes the point in their submission about the need for the equitable sharing of costs. That is the principle I think it is fair to say that Macquarie Telecom does depend on and that is loud and clear in the submission that you make to us.
Mr Zull : It would certainly need more detail about what type of data would need to be retained in order to work out what its impact on the business would be and what services it would apply to et cetera.
Senator FAULKNER: I accept that and I understand that completely, so let me acknowledge that again. But nevertheless in an organisation like yours you need to take account of these sorts of vagaries in terms of your future financial planning. That is not unusual for any entity such as yours, I would have thought, but correct me if I am wrong. Hence I was keen to understand as much as I could what planning, if any, you had done without asking you what the detail of the planning was. I do not want in any way to suggest that you should find yourself at a disadvantage because you happen to appear before the committee and some others may not. So you cannot give us any more information on that?
Mr Healy : No. As I say, we are trying to identify what we currently do, as it were, for business reasons and what might be asked of us for activities that we currently do not do. It is once we understand the scope of that, if anything, that we can start to work out what the costs of that are. Our point is that if that cost is incurred for doing things that are outside of the ordinary course of business activities then I think we have to be saying to you that we think the cost associated with that is something that needs to be borne by the community.
Senator FAULKNER: If I could specifically ask you one other thing as I am interested in this and I do not know if you were present in the room when I asked witnesses before you from the Office of the Victorian Privacy Commissioner about the two year data retention scheme. You touch on the issue of data retention in your submission. What is Macquarie Telecom's preliminary view about this proposal understanding that there is a need for more detail to be provided?
Mr Healy : In a sense it is the cart before the horse, if I could put it that way. We retain records sometimes, as I indicated at the start, for more than two years for the purposes of being a competitive operator in the telecommunications sector. There is also information that might be required potentially from the information we have at the moment around doing activities of our business of a kind that we do not keep records of. So we really cannot have a view until we know what the detail of the scheme and arrangement is. We thought it might be helpful for the committee to hear from an operator about how it does retain certain information and how it keeps that very secure and that in fact the scale of a business like ours and the focus of our customer market are such that we place a very high premium on our ability to deliver secure services to a range of customers that really want those and to protect that information. That might be contrasted with other operators in the sector that do not have those business concerns, if I can put it that way. They might be focusing on another section of the market, the cheaper residential end of the market. If those operators were required to maintain certain records, there would be a concern, I think, that they may not be able to do that in a manner that is going to actually secure that information without huge costs and exits from markets. Potential competition issues might flow from that. We are talking about our approach to security issues, network issues as well as retention issues, but we think that that probably needs to be contrasted with many other parts of the market where maybe those concerns are not as strong. So, in looking at what the regulatory arrangement should be, it would not be appropriate just to think that everyone can turn on their services and have them as secure as a Macquarie Telecom.
Senator FAULKNER: It would be fair to say that that issue, at the moment—it may not end up this way, but at the moment—is the most contentious proposal that this committee is examining. I do not think committee members would argue with that at this point. But your approach on that issue or the perspective you are coming to on that is largely one of the business and technical concerns that that proposal raises—that is my interpretation of what you are saying—whereas the Privacy Commissioner, for example, had a whole range of other concerns. Would that be fair?
Mr Healy : That is correct. There are obviously public policy issues here that are really a matter for policymakers and not for, we do not think, individual corporations like Macquarie Telecom. But we can assist you in trying to give you an understanding of the different level of sophistication within the markets, the levels of investment, the implications of a public policy consideration of privacy and how that might play out in, as it were, the commercial real world. We are here to help be that filter. That is why I note that there would be some operators that would find it very difficult to have document retention and secure arrangements of a kind that, say, a Macquarie Telecom can do. So, when looking at the response that the market might have to any measures, we just ask that the committee take that into account. In fact, it might be an unintended consequence that there would be less secure information and a greater ability for those with nefarious purposes to access information under a potential new arrangement.
Senator FAULKNER: Thank you.
Mr DANBY: On page 3 of your submission you say that the reforms, and you do not identify which ones:
… leave a significant part of Australia’s communications infrastructure potentially exposed to higher security risk.
What do you mean by that statement?
Mr Zull : That was the issue that Mr Ruddock raised earlier. It seems to me there is a carve-out of carriers and carriage service providers. They are the target here and our point was that there are others in the broader communications industry that also have infrastructure which we believe would be worthy of being protected. We agreed earlier to take that point on notice and come back to you on it.
Mr DANBY: You heard the submission of the Privacy Commissioner before. Isn't it possible that the proposed data breach legislation, if they brought that forward and it was legislated, would be an expensive proposition as far as your company is concerned and for other players in the telecoms area?
Mr Healy : On this matter, I would just like to make it clear we are speaking on behalf of our company and not a broader position, because I do not have that. But I am glad you asked because actually we favour the use of breach notifications to customers for data breach. In fact, we would undertake to do that voluntarily as a company to our customers. So, if we become aware of a breach of information by one of our customers, we undertake to provide details of that breach. That has not happened over the last years.
Mr DANBY: You mean even before legislation is passed?
Mr Healy : Yes. We do not necessarily think legislation needs to be in place; it can be voluntary codes where operators undertake to provide a breach notification to a customer on the occurrence of a hack or a breach of the data. We think that that would go a long way to giving greater confidence to consumers about using online services. There will be a better informed market that is going to operate in a more sophisticated manner if people are aware that if something goes wrong they will hear about it from their provider rather than just waiting until, one day, when they look at their credit card records and find that they have bought something that they know they did not.
Those examples we used previously about Sony PlayStation customer information being hacked and made available on the internet included credit card information, I understand. So, in those sorts of circumstances, we think the operators really do customers a disservice if they do not tell them that something might have happened and then work with them to take whatever measures are needed to protect the information or to protect financial records.
Mr DANBY: That is a very good business practice and is proactive.
Mr Healy : Yes. Again, it demonstrates that the market is responding to the concerns of the community about the risks associated with the digital economy. The other way in which we are trying to educate, and in which we think there is a role for government, is to say that information should be onshore wherever possible. Data about Australian citizens and private information about Australian citizens really ought to be retained by businesses and government onshore as the default position so that, if there are issues around a breach or concerns about privacy, Australian citizens have the right to exercise Australian law and they can go to a privacy commissioner for redress and can use the Australian legal system. If data is kept offshore, especially if it is of a private or personal nature or is around governments taking information offshore, the ability for a citizen to exercise their rights and seek redress are greatly minimised.
Mr DANBY: I am not sure that issue is canvassed very widely in the Attorney-General's paper. It does sound like a very important and good idea which, perhaps, ought to be part of the Attorney-General's consideration of the legislation.
CHAIR: What would be your position on offshore cloud computing?
Mr Healy : I will take a step back; I think you have just touched on what I was trying to elucidate. Macquarie Telecom sells cloud computing services and we see them as a fantastic opportunity for Australia in a couple of respects. One is the lower cost of doing business. There are also benefits around lowering power costs and giving faster compute times, and it works with the National Broadband Network. So cloud computing is a real centrepiece of the digital economy in Australia.
There are issues around customers putting their private information in the cloud and finding that it is then going offshore. I refer to those circumstances I mentioned before where you have a breach with credit card details. You use your credit card to buy a service via a cloud computing service. Maybe you are buying music, or maybe you are buying something from one of the auction sites offshore. When you provide that information, it may be being retained in a foreign jurisdiction and, therefore, all of the Australian rights pretty much go out the door at that point and the Australian consumer is not able to exercise their rights. So, personally, I would have concerns about using an offshore cloud provider for a whole range of activities. I certainly think that a government department or agency would have real concerns about using an offshore cloud provider to retain records about Australian citizens, whether or not it is personal information. We think the default position should be that governments, agencies and departments ought to keep their information onshore but use cloud for providers, because there are great cost savings to government by using cloud, using digital storage and accessing the digital economy, being a model user of things like the NBN, data centres and cloud computing. We think there is a real leadership role for government, but it needs to be done within something of a risk minimisation strategy, which means that you keep the data onshore and you do not look to send it offshore to a jurisdiction that you do not know about.
Mr DANBY: I want to come back to the two-year issue. You have already told us that you retain some records for up to seven years. We have already received quite extensive information, across the various companies that might be incorporated in such a scheme, that they have various policies at the moment, many including the retention of records beyond two years. I have two questions for you: for what percentage of your business would you not have retained records beyond two years; and what is the situation, as you understand it, of most of your competitors—do they retain data beyond two years? Is it 70 per cent or 30 per cent of their business, or is it too hard to tell?
Mr Healy : I do not think we can speak on behalf of our competitors. What we can say is that we do retain records in the ordinary course of business, and there were examples I used at the start. For instance, if we win a customer on a three-year deal, having sold them a call plan, we will keep the records of their mobile calls or their fixed line calls for three years or longer. If we continue to service that customer for years to come, we will probably keep the records for the entire time that we are contracted to provide services. We keep that information because we generate it for billing purposes. It is critical to our business that we are able to charge people for the service we provide them, and we need that evidence of when a call started, when a call finished, who it was to, whether it was a long-distance or local call. The variety of calling plans is such that there are different tariffs according to who you call. Whether it is someone in your own office or external, or from a mobile to a fixed line, the plethora of calling tariffs means that we retain that information so we can bill the customer correctly.
That is a very different set of information from some of the traffic information that is generated in relation to an email, and, as I said earlier, we do not retain all aspects of that—or, at times, any aspects of that—because it is not a service that we sell; it is not attached to the business that we provide. Ordinarily, in the data world, an ISP like us more and more just provides a broadband connection to the customer, who uses that connection as they see fit. We charge them for the bandwidth, for the time that they have the service and for some of the security and capacity around it, but we do not charge them per email—and, therefore, we do not keep that record—in the same way that we charge per call in the voice world.
Mr DANBY: So it is difficult or impossible for you to identify the percentage of your business that is keeping data for more than two years?
Mr Healy : Yes. I would need to take that on notice to give you any real answer.
Mr DANBY: Again, is it difficult or impossible for you to say generally what your competitors do? I am not asking you to denigrate their business or anything like that, but do you know of other telcos that retain data beyond two years? Is it, like you, mainly in the call area but not in the email area? How does it work?
Mr Healy : I would suspect that was the case. Again, our competitors, as far as I am aware, do not sell a per-email service. They generally price like we do—they provide a broadband connection.
Mr DANBY: Thank you.
Mr WILKIE: Chair, we are running out of time, so I will be very brief and I suggest we need very short answers. It has been very interesting to learn that you do keep calling data, or billing data, for mobile phones at least for some time. Is any of that data kept offshore or is it all kept onshore?
Mr Healy : It is all kept onshore.
Mr WILKIE: How hard, or how easy, is it for you to tell me if a certain customer called a certain number a couple of years ago—that is, how easy is it to mine the data you do keep?
Mr Healy : I do not know the answer to that, but we can take that on notice.
Mr WILKIE: People say this mining is too hard. It would be interesting to know whether or not it is too hard. I know you do not keep this data currently but is it technically possible to keep a record of who is sending emails to who and at what time—if not the content then at least the identity of the sender and the recipient? Is it technically possible to know what is going through the pipe that you described?
Mr Healy : You would need to interrogate every single packet, every digital piece of information to put that together. There are sophisticated software products. I think they are called 'deep packet interrogation'.
Mr DANBY: If you were given a certain day, three years ago, from a certain customer of yours, it is possible that this email might be tracked?
Mr Healy : No. I do not believe that that can happen.
Mr WILKIE: That is historic data. I am assuming it is technically possible. For example, internet filters are interrogating all the information, all the data, that is coming and going.
Mr Healy : There are usually some key words or certain sites that are listed that are blocked. That is very different from capturing every single piece of information and retaining it in some of sort of form that can be accessed later on. The filter is very much that: knock some things off, let some things through. It does no retention in that function.
Mr WILKIE: You are not aware of whether it is technically possible at this point in time to capture that data, to at least record addresses or know whose emails they are?
Mr DANBY: You are talking about emails.
Mr WILKIE: Yes.
Mr DANBY: You are not talking about telephone calls—
Mr WILKIE: No; emails.
Mr DANBY: You have established that that can already happen.
Mr WILKIE: That sounds pretty straightforward.
Mr Healy : We are not here to provide technical information—
Mr Zull : We would have to refer that to the technical people.
Mr Healy : We are going into the realm of technical engineering.
Mr WILKIE: You mentioned that you have not—quite understandably—been able to cost what these reforms might mean to Macquarie Telecom. But if you cannot cost them, how are you able to say already that they would be overly burdensome?
Mr Healy : I think the little discussion we have just had will hopefully help to elucidate that. We certainly do not do anything in our current business that seems to be able to meet the potential need of some of these measures in the retention side. It is not as if we have a switch where we can go, 'Flick that,' and then all that information will be kept in a bucket and that is not an issue. We suspect that we are looking at having to do a whole series of new activities of a kind that are not attached to our ordinary course of business.
Mr WILKIE: I am not having a go at you, because it is understandable, but it is necessarily a somewhat subjective assessment that the burden would be unreasonable for the industry.
Mr Healy : We think there would be a burden. It stands to reason that, if we are asked to do something that we do not currently do, there will be a cost.
Mr WILKIE: What is the basis for saying that you think it would be unduly burdensome?
Mr Healy : We are flagging at the higher levels. If we were expected to do what we do with the mobile phone area in the internet world with email, we think that would be a big issue.
Mr WILKIE: Relevant here is your profit. I assume that is on the public record—your profit for the last financial year?
Mr Healy : Our profit announcement was about two weeks ago. I will be embarrassed if I cannot remember the exact number. I think it is in the realm of $40 million.
Mr Zull : Around $40 million.
Mr WILKIE: And a turnover of roughly?
Mr Healy : $240 million.
Mr WILKIE: That sounds like a pretty good return on the investment.
Mr Healy : It is great. It was the largest profit since our float. In the 20 years that we have been around it is the largest.
Mr WILKIE: Is it a profitable industry?
Mr Healy : No. The profits in the industry are not shared in any manner that you would see in a competitive market. Telstra has 93 per cent of the profits across the telecommunications sector. It does not have 93 per cent of the market; it has less than that. There are real issues around competition and activities like a national broadband network, the wholesale only and open access. We think the promotion of retail competition will go a long way to making the sector more competitive. We operate in a certain part of the sector where it is relatively more competitive. Many Australians in regional areas and residential customers do not have much choice of a service provider—it is Telstra, Telstra or Telstra.
Mr WILKIE: The reason I am asking so much about the financials is I am keen to know the capacity of the industry to pay for these reforms if they are implemented.
Mr Healy : Just on the profitability that we mentioned—the $40 million—we have only made a profit in the last three years since our float. Prior to that we have been investing and trying to grow the business, and there has not been a top-line profit.
Mr WILKIE: That partly answers my final question. How much profit is returned to shareholders as opposed to money that has to be turned back and re-invested to keep up with technology, to grow and to stay competitive? Again, I am drilling down into the capacity of the industry to pay for these sorts of reforms.
Mr Healy : It is a highly technically driven sector. We have just invested $60 million into a new data centre so that we can keep up with cloud computing and the digital economy and be competitive in a National Broadband Network world. The vast majority of our profits is ploughed back into the business. I could provide you with the recent snapshot of our financial report.
Mr WILKIE: I think that would be very helpful to inform this part of the issue.
CHAIR: Thank you both for appearing before the committee and, to amplify Senator Faulkner's point, for appearing publicly before the committee. We hope that a number of your fellow telcos will take note of your great endeavours and do so in the course of this hearing.
Pr oceedings suspended from 10:41 to 10 : 52