SHAW, Mr James, Director, Government Relations, Telstra Corporation Ltd

VAN BEELEN, Mrs Jane, Executive Director, Regulatory Affairs, Telstra Corporation Ltd

KANE, Mr Darren, Director, Corporate Security and Investigations, Telstra Corporation Ltd

FALK, Ms Rachael, Manager, Digital Privacy, Telstra Security Operations, Telstra Corporation Ltd

Committee met at 09:02.

CHAIR ( Mr Byrne ): I declare open this public hearing of the Parliamentary Joint Committee on Intelligence and Security for its inquiry into potential reforms of national security legislation. Today the committee will take evidence from Telstra, Vodaphone, Hutchison Telecommunications Australia, the Australian Securities and Investment Commission, the Internet Society of Australia, iiNet and the Gilbert + Tobin Centre of Public Law.

Welcome. Although the committee does not require you to give evidence on oath, I remind witnesses that this hearing is a legal proceeding of parliament and warrants the same respect as proceedings of the House and the Senate. The giving of false or misleading evidence is a serious matter and may be regarded as contempt of parliament. The evidence given today will be recorded by Hansard and will attract parliamentary privilege. I invite you to make some introductory remarks before we proceed to questions.

Mr Shaw : We welcome this opportunity to appear today to discuss the potential reforms of national security legislation. As the committee is no doubt aware, Telstra is Australia's largest telecommunications operator and we are a major builder and supplier of telecom networks and services. At the moment, we currently serve around 13.8 million mobile customers, 6.9 million PSTN customers and 2.6 million fixed broadband customers. These customers are at the centre of everything we do at Telstra, and the legitimate interests and expectations of these customers underpin much of our approach to the issues that are before this committee. When our customers provide us with personal information in the course of obtaining services from us, they trust us to ensure the privacy and security of that information, and Telstra takes that trust very seriously.

Against that, as a major builder and supplier of telecommunications networks, Telstra also has a long history of assisting law enforcement and national security agencies within the construct of the existing laws. Through many years of working closely with these agencies, Telstra understands the importance of this work and our legal obligations to cooperate with these agencies. The committee faces a difficult and complex task of balancing the legitimate interests of consumers in the privacy and security of their data and the proportionality of the suggested changes to the legislation with the equally legitimate public interest objectives being pursued by law enforcement and national security agencies.

Further complicating this is the fact that this task must be undertaken against a background of extremely rapid change in technology and our markets. The rate of growth in and innovation in the telecommunications sector is extraordinary, and Australians are connecting with each other more often and in more ways than ever before. Traffic on Telstra's copper network is doubling every 18 months and, on our mobile network, every 12 months. At the same time, new modes of communication, particularly social media and over-the-top communication tools, have made the communications environment far more complex than the days when the home phone was the only way of staying in touch. Given the extent of change in the industry, Telstra supports the high level objectives of the discussion paper and particularly welcomes a public inquiry into the proposals. However, given the legitimate competing interests and the complexity of the technological environment, Telstra submits that it is critical to an informed public debate that the principles underpinning any proposed reforms are clearly set out and any trade-offs between competing legitimate public interests are transparent and appropriate. Our written submission to the committee sets out Telstra's views on the principles that we believe should underpin such reforms.

Further, the sensitivity and complexity of the issues being examined in this inquiry also raise the importance of ensuring that the principles of best-practice regulation are strictly adhered to. This means explicitly outlining the policy problems being targeted, examining the costs and benefits of a range of regulatory approaches to addressing these problems and selecting the regulatory approach with the greatest net benefits. In the current context Telstra believes that such an approach requires a detailed evaluation of the efficacy of the existing regulation, including the recently passed cybercrime package, before considering proposals for further regulation.

With regard to the specific issues raised in the discussion paper, Telstra's high-level views of the proposals in respect of telecommunications interception reform are: in general, Telstra believes that the proposals to streamline processes relating to industry assistance and telecommunications interception are welcome. However, we have serious concerns about proposals for a tiered industry participation model for interception obligations.

Mr RUDDOCK: Could you explain that?

Mr Shaw : In the discussion paper that was put forward there was a proposal that there might be tiering where there would be different levels of obligation applied.

CHAIR: Depending on the size of the carrier?

Mr Shaw : Yes. Essentially what we are saying is that it should be a uniform application of obligations. Given the nature of their targets, law enforcement and national security schemes are only as strong as their weakest link. On an uneven playing field criminals and terrorists will inevitably locate their operations where security obligations are the lowest, leaving larger telecommunication operators to incur the costs of greater obligations for no offset in law enforcement or national security gain.

On the issue of data retention Telstra understands the national security and law enforcement objectives for these reforms but emphasises that both the effectiveness and the costs of these proposals will vary substantially depending on the detailed scope of the proposals. At the broader end of potential schemes the cost of data retention for the telecommunications industry and, ultimately, telecommunications consumers could be high, and the associated security and privacy concerns raised by the proposals are significant. On the other hand, data retention obligations of a more narrow scope may be less costly and raise fewer security or privacy concerns. Without detailed proposals, it is difficult to make informed judgements of these proposals.

On the issue of telecommunications sector security reform, we support an approach that gives carrier and carriage service providers the appropriate incentives to devote the necessary resources to network security. Telstra believes that the proposals set out in the discussion paper could achieve these objectives; however, we submit that these proposals require some modification to avoid unnecessary and costly interference with the efficiency of operators' procurement, network design and operation functions.

Telstra finally submits that specific details of reforms in this area could greatly influence the net benefit of proposals, particularly with regard to the costs imposed on industry and most likely passed on to consumers by regulation. In this context Telstra makes the overall comment that all proposals being considered through this inquiry would benefit from an ongoing, in-depth consultation with industry as the details of proposed reforms are fleshed out. Industry has the greatest incentive to find the most-cost-effective solution to regulatory imposts.

That is our opening statement. We would now like to take questions.

CHAIR: Thank you very much. I have a quick question to start off. I am looking through the Telecommunications (Interception and Access) Act 1979 report for the year ending 30 June 2011. During the course of the evidence that we have taken we have heard this figure of about 250,000 requests to access data held by telcos. In looking at some of the organisations according to this report, I see organisations like the Victorian Taxi Directorate, the Royal Society for the Prevention of Cruelty to Animals Victoria, the Royal Society for the Prevention of Cruelty to Animals Queensland and the Office of Environment and Heritage. You obviously have other major ones like the AFP, the CMC—which, interestingly, had about 8,395 requests for authorisations in the 2010-2011 year—the New South Wales police, the South Australian police and the Victorian police. You also have requests from the Department of Health and Ageing and the Department of Families, Housing, Community Services and Indigenous Affairs. There are a heck of a lot of people here that seem to be coming to you looking for information without warrant, and part of our brief is to look at how many of these enforcement organisations should be able to access that data. I wonder if you would care to make a comment on that.

Mr Kane : I will take that question. My role at Telstra is to have accountability for front-of-house delivery of that information to the agencies that make a lawful request. Those agencies you have given as examples usually make the requests under section 178 of the Telecommunications (Interception and Access) Act. As part of the telecommunications act it sets out that if an agency is able to verify that it undertakes investigation of a criminal offence, protects the public revenue or has the ability to impose a pecuniary penalty—one or all three of those—then they have the right to request that information lawfully from the Telcos. Blacktown antidumping squad, RSPCA, Melbourne City Council, parking fines—

CHAIR: Sorry to cut across you, but what would the RSPCA be looking for if they were looking for interception on metadata?

Mr Kane : With metadata they might look for call charge records or information that makes an association between someone they are investigating and others who fail to feed a horse or have treated animals badly.

CHAIR: I think people would be—as I was when it was drawn to my attention—surprised that the RSPCA could get access to data like metadata, particularly in the context of the inquiry we are conducting about people accessing this. As you know, it has become quite a topical point. One of our briefs is to look at the number of enforcement agencies that actually can access that, so my question is: would it be helpful for you if there were fewer organisations that were calling upon you to provide that sort of information?

Mr Kane : I will choose my words very carefully. We at Telstra have had a long commitment to work with agencies that, as per the act, are lawfully allowed to access the data. There are a large number of agencies or owner codes that we provide information to. It would be more helpful if that were simplified.

CHAIR: Thank you.

Mr WILKIE: I have a follow-up question. Do you share metadata with any commercial entities?

Mr Kane : Unless they are lawfully able to require the information under the act, the answer is no. Where it is billing data belonging to the commercial entity—so it is a party calling as part of the bill—we sometimes do provide information. Secondly, where we have a subpoena or a court order requesting data in a civil matter, we also provide information in that regard.

Mr WILKIE: More broadly, do you share what I might call processed metadata with commercial organisations? Do you sell the consumer information to other commercial entities?

Mr Kane : My area does not. I manage the release of data upon lawful request. I do not sell that data.

Mr WILKIE: Okay.

Mr Shaw : More broadly, we might have to take that one on notice. My suspicion is no, but we will take that on notice to confirm. Do you have—

Mr WILKIE: No, I do not have anything in mind in asking that question. It is more to tease out this very interesting issue that we have come across where there is so much focus on metadata being shared with security agencies—and people have legitimate concerns about that—but it turns out it is being shared with everyone for all sorts of reasons anyway. I am wondering how broad that sharing is.

Mr Shaw : It is not beyond the realm of possibility that in some way information is processed in a way that might be useful commercially, but I could not see how we would release it in a way that would be able to identify individuals.

Mrs Van Beelen : We could not do that because of our privacy obligations.

Mr WILKIE: Thank you.

Senator MARK BISHOP: I welcome the representatives from Telstra. I want to talk about costs a bit. You currently retain data for a period of time.

Mr Shaw : Correct.

Senator MARK BISHOP: Is that both content data and metadata?

Mr Kane : Some content we would retain for a limited amount of time. We rely on metadata for all sorts of reasons, including billing the customer.

Senator MARK BISHOP: How long do you currently keep that?

Mr Shaw : It depends on the data set. It varies across the network of the platform, the product and the service. There is no simple answer to how long do we keep data. It would have to be a specific question about a specific set of data and, even then, depending on what is happening in our network at any point in time, it is a transitive sort of environment. Some is kept for certain purpose: legal purposes and other reasons; other sets are kept in the network for network management reasons and then is dropped off as the capacity of the network requires us to do so. I am afraid it is not a simple answer.

Senator MARK BISHOP: In terms then of the source and the place people go to—

Mr Shaw : The which sector?

Senator MARK BISHOP: The source of the platform that is used in the first place, the amount of time it might be used, where the platform connects to, the IP addresses and that type of material?

Mr Shaw : I am still not quite with you when you talk about the source platform.

Senator MARK BISHOP: The particular phone, the particular computer—

Mr Shaw : That could depend on whether it is on our fixed network, our cable network or our mobile network.

Senator MARK BISHOP: Industry and companies in particular have been complaining far and wide and lobbying extensively on the cost involved of metadata retention. Let's not kid ourselves here. The committee is interested in your complaint. We cannot be seriously interested if you choose not to tell us the form of how you retain the data.

Mr Shaw : It is not that I am refusing to answer. I apologise if it has come across that way. What I am trying to say is it is a very complex answer to what seems to be a simple question. I think a part of the issue the committee has here is the further you get into this particular matter it might as seem simple that there is a proposal that carriers keep this data for a period of time. But because the data in our case is generated from about 14 different sets within our organisation, we would have to bring it, aggregate it and then put it into a form the agencies could then access to use for their investigations—

Senator MARK BISHOP: Is the company able to identify where it retains the data from the various sources and the cost of doing so?

Mr Shaw : We know where the data sets are now. We know what happens with that data in general and how it is treated within the network. And we know we would have to access it in certain ways in order to put it into a data set that could be used by the agencies. We do not have a cost for that. What we know is it would cost several million dollars just to scope out the cost of preparing the data sets for the agencies under a data retention proposal.

Senator MARK BISHOP: In that case, could you answer on notice—and respond in as much detail as you choose—the variables that are involved in the retention of the data, the interrogation of the data when lawfully requested and the provision of that information to those agencies who request it. If this cost argument is something that the company and your competitors seriously pursue—as has been my understanding today—we would be interested in that, within the normal bounds of commercial in confidence. Tell me this: if you have retained data for a range of reasons, some commercial, some otherwise, over a period of years—and you said in your introductory remarks that the amount of data that was going over your networks was effectively doubling every 12 or 18 months both on fixed line and on mobiles and presumably is going to continue to increase—is the cost of maintenance of the retention of that data other than a marginal cost going forward or is it a sunk cost or what?

Mr Shaw : There are significant costs involved in all of this. There is a variety of costs. There is the cost of collating the data: collecting it off the network to begin with. Then there is the cost of putting it into storage. Then we have the cost of putting the security around that such that we have the integrity of the data in terms of the privacy of the customers and also the integrity of the data for evidentiary reasons for the agencies. Then we have the cost of making that data available to the agencies in a form that they can use for their investigations. Then, not to be overlooked—and it can be a significant cost—at the end of the whole life cycle of this we have the cost of construction of that data in a way in which the customers and others can be sure that we are looking after their interests. Equally, on the other side—and I do not think that this is a point should be lost in the debate here—is that the agencies themselves will face significant costs in that they will have costs of accessing that data and then manipulating and investigating it in a way that makes it usable for them and also their own destruction costs at the end of the process.

So the whole life cycle of data information and data collection in a data retention scheme is quite significant if you break each of those down. As I say, we have identified those cost elements and then we have identified that it will cost us several million dollars to scope that out into a fully-fledged proposal to implement a data retention scheme.

Senator MARK BISHOP: In that case, has the organisation engaged in any discussions or negotiations as yet with the relevant department? Is the Department of Broadband, Communications and the Digital Economy the relevant department?

Mr Shaw : The Attorney-General's Department manages this issue.

Senator MARK BISHOP: Have you as yet have any discussions or negotiations with A-G's as to the form of the regime which might be applied, in terms of those matters you have just identified but really going forward for the next 10 or 15 years?

Mr Shaw : We have been in discussions with Attorney-General's for a number of years over a whole range of issues around interception and national security issues, and the data retention issue has come up from time to time. In terms of the form of the proposal, we have talked in general terms about what it might mean, but we have no specifics from them other than the letter that the Attorney put to the committee recently, which pointed us all to the EU directive as being their current thinking around this particular proposal.

Senator MARK BISHOP: In that case, would it be reasonable to say that your company and others might have a set of alternatives that would be appropriate for A-G's to consider, as opposed to a blanket, one-model-fits-all-players-in-the-telco-industry proposal?

Mr Shaw : We do not have a fully-fledged alternative proposal at the moment, but we would want have discussions with Attorney-General's about what might be alternative proposals if their decision is to proceed down a data retention model. We think that we have a good insight into what can and cannot be collected off the network in the most cost-efficient way and then delivered in a way that the agencies might be able to use, but we have to get through that threshold point first net—whether the parliament wants to implement a data retention scheme—and then clearly we would want to talk with A-G's.

Senator MARK BISHOP: Are you doing that preparatory work at a company level or an industry level or both?

Mr Shaw : We are not doing preparatory work around the implementation of the scheme; we are having discussions with them around the issue of data retention. We have not started to talk about alternative models in any substantive way, but there are discussions with Attorney-General's at both industry and company level on a range of issues, including national security matters.

Senator MARK BISHOP: They go to data retention?

Mr Shaw : Correct.

Senator MARK BISHOP: If A-G's and the government in due course decide to go down the path of mandating a form of metadata retention for a specified period of time, wherever it might be, how long then would it take your company and, more widely, the industry in which you participate to put a hard proposal on the table for consideration by the relevant agencies?

Mr Shaw : In terms of putting a firm proposal—and that would involve looking at the costs as well as the technology side—we think that it would take at least a year, and then the implementation of the scheme would be rolled out over the years from that point in time when there was a decision about what the final form would be.

Senator MARK BISHOP: We have had a lot of discussion about exact costs, and the figure is somewhere around $100 million to $300 million. You indicated earlier that you had not really started thinking about scoping. Do you have any ballpark figure you can put on the table?

Mr Shaw : I am afraid not, no.

Senator MARK BISHOP: It is too early.

Mr Shaw : As I say, the only number we have is just looking at what might be involved: several million dollars to kick it off before we could come to—

Senator MARK BISHOP: For your scoping study?

Mr Shaw : Yes.

Senator MARK BISHOP: Thank you, Mr Shaw.

Senator STEPHENS: I have a follow-up on Senator Bishop's questioning. We met with industry representatives at an earlier hearing. They advised the committee that the proposition for data retention had been discussed a little over two years ago and that there had been significant negotiations and conversations. It would be helpful for us to know how far you got in terms of considering costings or scope and whether or not you think the situation has changed since the last serious conversations that you had with A-G's in the current environment. That would be helpful.

Mr Shaw : I think the situation has changed in that the Attorney has made it clear that she has an open mind on this issue. Their latest advice in the letter to the committee indicates that the European directive might be something that we can look at in implementing a scheme. I was not party to the earlier discussions with Attorney-General's, but I might pass to my colleagues.

Mrs Van Beelen : I was not party to those conversations either, but one point I thought this was worth making is that the scope of the dataset that is being sought has implications for cost. As Mr Shaw has outlined, the network is quite ephemeral. It disposes of data at various points. Some things like billing data we obviously keep for billing purposes, but other data is just there one day and gone the next. The network is not set up to retain that data and the costs, therefore, depend on the scope of the dataset that is being sought and we are really only starting to get some clarity on that now.

Mr Kane : I have been involved in discussions with the departments over a number of years. The issue with this is that it is such a moving feast that there could not be agreement from the departments around the datasets. Each time a dataset was agreed upon, the complexity and the evolution of the network meant that that was expanded upon or contracted. The issue over many years has been exactly what datasets the departments and the agencies require from the industry.

Senator STEPHENS: We have heard some evidence that, if a data retention scheme is not mandated, the challenge is that Telstra when it was the monopoly provider kept the data anyway. But the whole landscape has changed and therefore new providers will not have any obligation and will not put systems in place to save data to assist law enforcement agencies and those seeking to use the telecommunications interception act provisions. We have heard very strong arguments from the agencies about the need for the data, so I guess the question is: frankly, is this a wicked problem that is not solvable or is it industry push-back that says, 'We don't want to play in this space'?

Mr Shaw : It is a wicked problem, but there might be a position we can all come to that gives us some comfort in all of this. Firstly, the industry generally does have to put interception capability plans in place with the Attorney-General's Department, so there is that obligation on all players. The other part that gets a little lost in all of this is that some of the information that agencies may want is not something that the carriers themselves can provide because it is information that is contained within the applications that over-the-top players, for instance, on the network are providing.

Senator MARK BISHOP: What is an over-the-top player?

Mr Shaw : Google, for instance. It is an application that sits above our network. It is not provided by us; it is between the user and the applications provider and all we are is the pipe between the two.

Mrs Van Beelen : Voice over the internet is another example.

Mr Shaw : And Skype. We do not collect that sort of data. That data is just on our network. We do not have billing records for people using Skype or that sort of thing. It may well be that you could put in place quite an expensive and onerous data retention scheme with a large window. That is why we talk about having to balance all these things up in terms of the net benefits and costs of any scheme.

Mr Kane : I might add that over many years now Telstra has had a long history of commitment to support. You mentioned that we are a former government agency. As an artefact of that, we have provided ongoing support. With my own background, I am very, very sympathetic to the agencies' positions, but it is the technology, the state of the network and the constant evolution of the network that have made this wicked problem.

Senator STEPHENS: You make the point in your submission that the National Interception Technical Assistance Centre could perhaps overcome some of the practical problems. Can you just talk to us a little bit more about that. Do you think that that centre could actually address the issues of Google, Skype and VoIP?

Mr Kane : We think it could assist the agencies and departments to better understand the evolving technology and where it might go. Basically, the NTAC is an example of an organisation in the United Kingdom that has been set up with the support of industry, where you have a spoke model. You have representatives from various police forces and constabularies who are available in one place to support their home force. They have access to industry best practice and technology engineers. Where there is a request from their home force, it comes to the person who is their representative. He or she gets the most information that is the most relevant, and then that is fed back out, and it is done in a lawful process. We think that is something that should be looked at in this country. We think that there might be an opportunity to better educate the departments and agencies and help them understand exactly where technology in the digital world is taking us.

Mr Shaw : We are not convinced that the agencies are necessarily always well informed about what they can actually get now by way of information, and we think an institution like that could make better value of the current arrangements before we perhaps go on to look at further arrangements.

Senator STEPHENS: Okay.

Mr RUDDOCK: My questions really go to the area that we have been discussing. I really want to get a lot more detail, if I can. Can I first thank you for your very comprehensive submission. It is very valuable. My questioning will not suggest that I am dissatisfied; I am really looking for more. It relates in part to the tiering issue you raised, so I want to try and understand the market. I know that Telstra was a monopoly supplier, that the arrangements were such that the information that government needed was able to be obtained, that you are now in a competitive environment and that there are other market players. I am persuaded that whatever we do it ought to be a level playing field, so the tiering argument does interest me, but I need to understand your organisation. You obviously still keep the billing data for your traditional telephone services. You have gone into other market areas where the competition suggests that you have to operate differently, so in those areas you are not now keeping information that traditionally you would have kept.

Mr Shaw : It could be a number of factors that drive us to that, Mr Ruddock. It may not just be competition; it may just be the technology that is involved. We might charge for things in a different way, so—

Mr RUDDOCK: I understand that, but I am trying to understand what we are dealing with here. Are we still getting 50 per cent? Are you 50 per cent of the market or 60 per cent of the market?

Mr Shaw : We are over 60 per cent in terms of fixed line, but when we get mobiles we are down into the 40s, and in fixed broadband I think—Jane?

Mrs Van Beelen : Late 30s.

Mr Shaw : Late 30s as a percentage of the market.

Mr RUDDOCK: I am trying to get an idea: how many organisations are we likely to impact?

Mr Shaw : We have over 100 carriers.

Mr RUDDOCK: What is the nature of the market? How many are billing in a way which you have traditionally done, as against the new mediums which do not require you to keep a lot of information? It seems to me that we cannot look at these cost issues on the basis of generalised statements that you have put to us without some understanding as to where those costs are going to be generated, what percentage of your organisation it applies to—I have no understanding of the market. Then I come to this issue of tiering. I understand the point you are making. If you are going to be required to keep it, so should everybody else. But I am trying to relate that to what you have described to me as being the issue of your subcontractors, people whose information you carry. You do not keep their billing records or whatever.

Mr Shaw : For our wholesale customers, that is correct.

Mr RUDDOCK: I think we have got to have some understanding of what that means as well. I have got no understanding. If an organisation tells me that they need information in order to be able to deal with a potential terrorist act, I am not terribly interested in you telling me that it involved a significant cost if we were able to prevent such an activity occurring. I do not think you can look at a terrorist act and say, 'It might have cost some organisation a million dollars to prevent it.' I would say, 'It is $1 million well spent.' Perhaps you want to argue that those costs are prohibitive. The other thing I need to understand is the billing data. I do not understand how much of it is there, but the billing data that is requested is probably protecting a significant part of the revenue, I assume.

Mr Kane : We might use the terrorist threat as an example to help you better understand this issue. In relation to the tiered situation it is just not a competitive playing field, it is relevance. If, for example, a very well organised terrorist threat was threatening this country and the agencies tasked with investigating that came to us, we have a long history of working with the agencies under the current law. So we would provide retained billing data we have at the moment. Under the act basically if we have got it we must provide it. That would include call charge records, reverse call charge records, cell tower dumps, subscriber details and so forth. What happens now when we get to—

Mr RUDDOCK: Some of the things I understand they are looking for are where people are making their calls from, to ascertain that people are perhaps together at a particular point in time.

Mr Kane : That is known as location-based services, and we do provide that as requested if we have the data.

Mr RUDDOCK: The problem is that the data is now not being kept, even in your organisation.

Mr Kane : It is because of the volume. It used to be kept there is more and more on the volumes on the network, which is making it more and more difficult to retain that data because we are not billing or charging on that data. When these matters get to an open court there is a group that works within my area that provides expert evidence to assist the courts understand what the agencies are relying on in a prosecutorial service. In that open court we actually have reporters, media, defence barristers and potentially members of the same terrorist cell who are listening to what we are saying we are providing. As a result of that, they may very well not use Telstra's services next time; they may use a smaller provider. Under the tiering system, if it is only Telstra, Optus and Vodafone that are going to retain this data, many of these very well organised terrorist threats, organised crime syndicates, will obviously use a smaller ISP, a smaller carrier, that does not have the mandatory requirements that we may have.

Mr DANBY: Are you saying that they are doing that already or that they will in the future?

Mr Kane : I am saying that at the moment there are organised criminal gangs that are not using our services. I have made a note here that Telstra is probably a victim of our own success in relation to this. As I said, we have a long history of support for law-enforcement and national security agencies and as a result they know the quality of the reporting we are able to deliver and expert testimony in court. Common sense says they probably would not use our services.

Mr RUDDOCK: You have given suggestions as to the sort of costs; $1 million to investigate I think is what you were saying. I have got no idea of the potential costs but I am certainly the view that whatever you are required to keep all of your competitors should have to keep as well. For me that seems an elementary proposition.

Mr DANBY: But it is not just from the point of view of fairness but also from the point of view of—

Ms Falk : Exactly.

Mr RUDDOCK: Adequacy: seeking other agencies in order to evade lawful surveillance. That was certainly one of the points I focused on in your submission—the tiering; the need for a level playing field. But we are not going to be able to deal with these issues adequately without a far better understanding of the nature of the market we are dealing with. We are going to see Vodafone later—I don't know what they are!—and maybe it is all commercial-in-confidence; maybe we are not meant to know. But how many small suppliers? You have a lot of people who use your networks. Are we talking about 40, 50, 100?

Mr Shaw : I think the Australian Communications and Media Authority has issued over 100 carrier licences, to start with, and there are several hundred ISPs. I think the best way of getting a handle on those numbers is the members of the Telecommunications Industry Ombudsman scheme, because it is a legislative requirement that ISPs and carriers be members of those schemes. That would give you an indication of the number of players. Then I think the Australian Communications and Media Authority, in their communication report, has an outline of the size of the industry—the number of players and, I suppose, the demographics of the market. I could point you to there as a potential resource for understanding more about the telecommunications sector and what constitutes it.

The types of products, services and networks vary between the various players. In all there are fixed-line communications, HFC cable, fibre, copper and mobiles, we run different products across the different platforms or we run the same product across different platforms.

Mr RUDDOCK: For what percentage of your activities now would you not be keeping the sort of data that the security and police organisations are wanting? Would it be 30 per cent? Or 40 per cent?

Mr Shaw : Do you mean in terms of what they are after at the moment?

Mr RUDDOCK: Yes.

Mr Kane : It really just depends on what they are after. This has been the issue for some time: they cannot confirm exactly what they are after.

Mr Shaw : How many current requests?

Mr Kane : It is only a very small percentage. Of the percentage of requests we provide data for, the ones for which we say we cannot assist are only a very, very small amount.

Senator BRANDIS: That is a very misleading figure, though. I am not saying that you are misleading us, but the figure is misleading, because presumably the police will become sufficiently familiar with your practices that they will not ask for what they know you do not have.

Mr Kane : You are absolutely right, and if we were to touch on something that would be valuable for the agencies and the department to better understand, it would be their responsibility to better educate themselves on what is available now and what could greatly assist them. One would ask a law enforcement agency how much time they are spending on educating their investigations teams on this issue. For some time now I have been pushing that issue—that you need to better understand the evolution of the digital world. It should greatly assist you in your investigations.

Mr RUDDOCK: But I would like some further information, if you can put that together.

Mr Shaw : We will take that on notice and will do what we can to provide you with that.

CHAIR: Perhaps I could also flag that, notwithstanding the publicised hearing program, if you are amenable to us having a further conversation with you, this is one issue Mr Ruddock is absolutely correct in saying—as are Senator Bishop and Senator Stephens—is a process that has generated enormous controversy. The brief for this committee is enormous, and we want to make sure we get this right. So if we need to get you back we will get you back for a further conversation, if that is okay.

Mr DANBY: I would just like to pursue Senator Bishop's and Mr Ruddock's questioning by asking you for a bit of further detail on your last answer. That is, how do the current requests from law enforcement agencies get handled? In response to Senator Bishop, you were talking about the different sets of data that you would have to acquire, and, in an answer to Mr Ruddock too, the cost of them. What happens with, say, the New South Wales police, who appeared here yesterday, or the AFP, who appeared yesterday, when they apply for data now?

Do you do this on a case-by-case basis manually? Do they give them to you in 100-request lots? Do you charge them? How does it work?

Mr Kane : There are examples I can provide you with. We have the management or custodianship of what we call the Integrated Public Number Database. We put an 'E' on the end so it is an enquiry database. We have rolled those terminals out to the New South Wales Police Centre and all major regional stations where, with the rightful officer's authority, they can go online and recover data. For example the IPNDE loads up Voda, Optus and all the smaller carriers including Telstra into the IPNDE and it gives you the subscriber detail. That subscriber detail will identify that Jane is a subscriber of Telstra. That will allow the New South Wales Police to immediately know that Jane's details are in the database and that she is a subscriber of Telstra. To confirm that those details are current, they will then make a subscriber request to us. At the moment, that is provided by fax to Telstra because of our legacy systems. To other carriers, it is provided by way of electronic request. I will then recover the subscriber details and provide those to the New South Wales Police by an electronic means, which is called a subscriber check. We then might get a request from New South Wales Police for call charge records on Jane's mobile phone in relation to an investigation they are conducting. Again, that is not by way of warrant but by way of authority—a legal instrument called section 178 under the Telecommunications (Interception and Access) Act.

Mr DANBY: So an authorised police officer of a certain rank is allowed to make these requests?

Mr Kane : Yes. He will then make a request of me that they have got an interest in Jane over three billing periods. So I will cover the three billing periods, which show all calls made by Jane's telephone outgoing, which will identify a loose location as to where the phone call has been made from, duration, time and the destination of the call. They might say, 'This is very interesting. We would like to know who she has been calling because it is around that time we are interested in.' They would then make a reverse call charge record request of me under section 178 to recover the subscriber details and all calls made in to Jane's mobile telephone. As a result of that, they will go back to the IPNDE and have a look at all of those numbers. They will then identify the subscriber details of all of those numbers. If they are with Voda or OPTUS they will go through the same process. They build up a picture of the association, volume of calls and where Jane is making the calls from. That is basically the metadata we speak about here. All that data is available at the moment to police. There are specific intelligence officers in most of the agencies that have a good understanding of what they can and cannot get from the carrier.

What I have said before is it is really important that knowledge is far wider spread. So instead of only having small pockets of very smart officers in the agencies who can understand this issue, I think there is an onus on the agencies to spread that knowledge a little more. For example, under the act and with a stores com warrant they can get not just metadata but they can get some SMS content. But we only keep that for a very small period of time. It used to be longer but we have had to contract that because of the volume.

Mr DANBY: So now I have lost all my SMS messages that are crucial to a political event. I was just about to transcribe them and suddenly there was a change of policy.

Mr Kane : It is really important for the agencies to understand what our current situation is so that they can move a little quicker. That goes back to my issue about education and awareness. I hope that helps.

Mr DANBY: It does. Your answer said that you are partially automated and partially you are sending messages by fax. In a potential new system with a two-year data retention for more complicated forms of technology that you do not have records on now, you say you would have to move to a fully automatic system. Again, can you explain what that means?

Mr Kane : We would probably use what you might refer to as a virtual private network, a VPN pipe, where it is encrypted on one and it is encrypted on our end. When we would get a request in from agency, we would send it back electronically. So we would purpose-build something that would be universal into the agency and then we would hope that the industry would take up something similar. We would do that on the basis of knowing what sort of datasets and what sort of information we would have to provide. One of the reasons that we have not progressed this at the moment is simply that we do not know what we might have to put back across the pipe.

Mr Shaw : Incidentally, given the volumes that we are talking about here and the number of customers that we have on our network, if we were in a position where we had to retain material that the agencies are after—if we are looking, for instance, at the EU director—just the sheer volume of information would require us to automate that process.

Mr DANBY: That makes some of the submissions from the organisations perhaps more urgent. Some people would say we already need complementary legislation which is not in this area but in the privacy area that would enable members of the public to seek redress of data breaches. I realise that in the public discourse that mainly refers to people who have commercial interests who take this material from them that they do not want to share. But what would your reaction be to data breach legislation? Do you think it would be made more urgent by the potential changes that this discussion paper is looking at? Do you think it should exist now? Do you think it should not exist now?

Mrs Van Beelen : There is already privacy legislation which prevents us from disclosing customer details. Certainly in our own customers' interests we do not want to that. Our reputation rests on our ability to protect the trust that customers have placed in us. Your question highlights that, if he were to establish a data retention regime, we would then have to create a means by which data which is not currently retained could be retrieved from the various systems in our network and be available in some kind of central repository. That in itself of course creates costs and risks associated with protecting that data, and those costs would not be significant. They are an aspect of the cost that Mr Shaw referred to.

We have an incentive, and we would continue to have a very strong incentive, to protect the data in our customers' interests and in the interests of her own reputation. But there is of course a risk that, having created such a central database, it would be attractive to some people to wrongly access it or misuse it. We would have to manage that risk.

Mr DANBY: Presumably that danger already exists because you retain large silos of data in some areas, and so do other companies. Do you have concerns about data breaching by people outside your organisation?

Mr Shaw : We do have concerns. That is why we have significant protections across our network at the moment to prevent intrusions into the network and to manage those sorts of risks. It is true that we currently face that kind of risk, but we perceive that there could be a heightened risk as a consequence of having a more attractive target.

Mrs Van Beelen : That said, I do not think regulation is necessarily the answer to that. As I said, we are intended to protect it, but the risk can never be completely eliminated. It is one of the things that needs to be taken into account in considering this.

Mr DANBY: This is my last question. With police, security agencies and the security personnel employed at large organisations like Telstra, have you ever been dissatisfied about a request your organisation considered a breach of privacy of customers that was not justified? Have you ever acted on that if you did feel that way?

Mr Kane : The short answer is no. We are very, very closely monitoring the lawful requests. If they do not meet the standard of the act, they do not get processed. But we do have a very healthy, ongoing working relationship with all of the agencies, particularly the 17 intercept agencies, to help them better understand how they might best request the data and better understand what they have requested.

Senator BRANDIS: Mr Kane, can I take you back to your description of the different categories. I am sorry I was late in arriving, so if you have already answered this to one of my colleagues please tell me. As I understood you, there are broadly four categories of data: subscriber details, call charge records, which are information about outgoing calls, reverse call charge records, which are information about the source of incoming calls, and SMS text messages. Is that broadly right?

Mr Kane : Traditional? That is absolutely right.

Senator BRANDIS: Let's put aside the SMS text messages, which are content, and concentrate on the first three categories, which I think we would agree are what has been called metadata.

Mr Kane : Correct.

Senator BRANDIS: What I would like to know is what your current practices are. In relation to the subscriber details, who are your subscribers—names, addresses, numbers, billing details and so on? For how long do you retain those at the moment?

Mr Kane : I would like to take that on notice and provide a table back to you to help you better understand the different categories of metadata that we have.

Mr Shaw : It is beyond just those three that Mr Kane talked about.

Senator BRANDIS: I was going to ask a further question, but let us just focus for the moment on the categories that Mr Kane identified. Then I will explore further.

Mr Kane : There are examples where we have kept that data for many years because they are ongoing customers, but most of us—and, I am sure, all of us around the table—

Senator BRANDIS: What about when a customer ceases to be a customer? For how long after that do you retain the subscription?

Mr Kane : Again, I will take that on notice and provide you a more accurate summation.

Senator BRANDIS: And I have the same question in relation to the call charge records. What is your current practice for the length of time that you retain that data?

Mr Kane : My suspicion is seven years, but again I would like to take that on notice so that I can provide you a more accurate summation of exactly what we are doing.

Senator BRANDIS: All right. And reverse call charge records?

Mr Kane : Yes. I will provide you with a table. To pick up on Mr Shaw's point and to answer your probable next question, there is now a trend obviously to IP address, location based services—

Senator BRANDIS: Before you go on, staying with reverse call charge records, is it the same answer to call charge records—you think it is seven years but you want to confirm that?

Mr Kane : Yes.

Senator BRANDIS: Then you were going to go on to identify certain other categories, please.

Mr Kane : That is correct. What I would be able to provide the committee is a table identifying what metadata we have available at the moment and how long we keep it.

Senator BRANDIS: That is absolutely core to our interests here, particularly since you are the biggest carrier service in the country. If your hunch is right—that you keep the call charge records and the reverse call charge records generally for about seven years and the subscriber data for the currency of the subscription or perhaps a little longer—those are going to be the main types of metadata that the law enforcement and national security agencies are interested in, aren't they?

Mr Kane : Yes.

Mr Shaw : Moving into the IP world, I suspect that there will be a move to other platforms. Equally, those people who may want to undertake malicious acts may well seek to use applications which do not generate the metadata.

Senator BRANDIS: What I would like you to identify, Mr Kane, is each category of metadata and your current practice in relation to its retention.

Mr Kane : I can do that for you.

Senator BRANDIS: Thank you so much. May I take it, particularly from something you said, Mrs Van Beelen, that there is a distinction between retention and retrieval?

Mrs Van Beelen : Indeed.

Senator BRANDIS: I got the impression—perhaps I am wrong—from something you said earlier that you are actually more concerned with the burdens of retrieval than retention.

Mrs Van Beelen : Certainly in relation to costs. The storage of data is one of the lesser elements of the cost, although it does give rise, as I have said, to the privacy and security risks to protect that data and, not least, to protect its integrity also. But, certainly, the costs—for the system to retrieve it and to then create a way of retaining it and then making it accessible and then on the other side, the agency side, creating the ability for them to access, understand and use it—would be substantial, in our view.

Senator BRANDIS: I do not have any sophisticated understanding of this technology at all, but I am guessing that there is a degree of automaticity in retention of data but that the retrieval of data is a much more labour-intensive activity.

Mrs Van Beelen : I think it would have to be automated, but, as Mr Shaw has already indicated, we have got at least 14 systems that would contain the kinds of metadata that we are talking about, many of which currently would hold data only on a transient basis, so you would need to be retrieving that data in order to then be able to retain it.

Senator BRANDIS: Related to this is an issue that you identify on page 11 of your submission, where you say words to the effect of: 'We don't consider we should be burdened with the interpretation of data that is retrieved.' Is there a grey area between what constitutes retrieval and what constitutes interpretation?

Mr Shaw : That would depend on how the proposals were finally put together. The point we are seeking to make there is that, if there is a decision to implement such a scheme, then there should be no manipulation in any way of the data on our side of the equation. That is something that is done by the agencies. We would simply be responsible for the delivery of data as it comes off the network.

Senator BRANDIS: But presumably that issue could be reasonably satisfactorily addressed by the development of what you might call identification protocols between you and the national security agencies, so that you do not have to interpret their requests. They might say you, 'This is the nature of the metadata we want'—it could be reduced to a mathematical formula, I guess, or even a descriptive formula—and there would be no need for you to interrogate them further about what they were looking for.

Mr Shaw : If the request is simply for a set of information out of the dataset, then that is what we are seeking to get. Mr Kane described the NTAC arrangement in the UK, where they have got this centralised arrangement which makes this information available to the agencies, with skilled and expert professionals on the agency side then interrogating the databases. That would be an ideal arrangement from our perspective.

Senator BRANDIS: Further to that same point: I entirely understand your concern about the costs to you and other carriage service providers if proceedings were brought against an individual subscriber which involved reliance, from an evidentiary point of view, on your metadata. There could very well be a cost in terms of the requirement for your technical officials to attend court and be cross-examined, I suppose, as to the accuracy and reliability of your data retention and retrieval arrangements.

Mr Shaw : Correct. We appear in court now, just around the current arrangements. Mr Kane is a regular attendee down at Melbourne courts.

Senator BRANDIS: You do not say this in your submission, but I am going to put something to you and invite you to adopt it if you want to. One of the concerns that have been expressed by a lot of people, including the civil liberties people, is the risk to privacy of a breach by third parties of your retained data. Do you think, if the parliament required you to retain data for a statutory period of time and develop a retrieval system, and that were to be breached, that you should have some sort of statutory immunity from suit by the person whose data was wrongly breached?

Mr Shaw : We certainly believe that we need some protections in that sort of environment, yes.

Mr RUDDOCK: Have you been sued for privacy breaches?

Mr Shaw : We might have to take that one on notice. I am not aware of it, but we will make some inquiries.

Mr WILKIE: Mr Kane, that table you are going to prepare will be very helpful, thank you. I am sure you will anyway, but can you make it clear in that what metadata, or what data generally, you keep in regard to the web? My understanding is that you would not currently be keeping a record of who is sending an email to whom and when, in broad terms. Is that correct?

Mr Kane : In broad terms that would be correct. We might have some subject header data, we would definitely have session logs and so forth but not down to that granularity of content across the network. There might be occasions where some of that content is available but, again, there might be occasions where it won't be. So I will absolutely include that in the table.

Mr WILKIE: Am I right in assessing that there is quite a lot of metadata out there in general terms to do with telephony, either landlines or mobile phones, but the area where there is relatively little, if any, metadata is to do with the web?

Mr Shaw : I think you have to take it down to a further level as well. Within the IP world there is the data that carriers might have but then there is the issue of these over-the-top players. That is another category again of information in the IP world which is removed from the carriers and which, arguably, is not going to get caught by a scheme if you were to adopt the EU directive

Mr WILKIE: This is important; can you talk some more about that? Who are the other players?

Mr Shaw : These are the Skypes, YouTubes, Googles—the applications that sit above the network that Telstra does not provide. Therefore, we do not have the information around those types of applications.

Mr WILKIE: So am I right in assuming that, in your view, for the recording and metadata to be a robust system to capture all the sort of information that intelligence and law enforcement agencies might want, that those other commercial entities would need to be included in any reform?

Mr Shaw : In a perfect world you would say, yes. But I am not sure I get the practicality of that, given that a number of these organisations and entities are located offshore and given the scope for the Australian law to capture them. I am not an expert in that area so I could not offer a view. But you would have to take it into account. Over and above that, if you cannot start to capture that sort of material, then that is part of the cost benefit that needs to be taken into account in terms of imposing obligations on the traditional area of the market to collect the sort of data if we have other areas where it is not being caught.

Mr Kane : The simple evolution of technology would mean that we could not capture or provide any metadata or any content around something like Gmail, because it is Google owned, it is offshore and it is over the top on our network. The real value of what we might have in our data-retention scheme would be greatly diminished as soon as the good, organised criminals and potential terrorist cells knew that we were not capturing that data.

Mr WILKIE: This phone is on Telstra—it works very well, thank you. When I am travelling around on this, I rely on my Gmail account for my email. Is it possible that we might create this, apparently, very comprehensive system in Australia that no-one would know to whom I am sending emails and to whom I am receiving emails from, even though they are going across your network?

Mr Kane : I am reliably informed that, as of recent times, Gmail is now encrypted so, even where we may be able to intercept your iPad because people are concerned about what you are up to, we may not be able to actually provide the security agencies or law enforcement the details of your content.

Mr WILKIE: I just want to add to what a witness yesterday referred to as black—the 'dark net'. It seems that if these reforms were implemented there is a risk that serious criminals would still have resort to any number of ways of communicating that would not be recorded? Is that true?

Mr Shaw : Regrettably, not all the intelligence rests on the good side of the equation. There are some smart people out there who want to do bad things and they will, invariably, find ways to utilise technology for their benefit.

Mr WILKIE: So we end up having a good system for petty criminals and a less than perfect system for arch criminals.

Mr Kane : For a short time. Then the petty criminals will understand that what we are able to provide in court is only some of the stuff which has caught them, so next time they will not do it.

Mr WILKIE: And, not irrelevant, every 9/11 terrorist I seem to recall entered the US lawfully under their own name or their own passport? No system could pick up some arch criminals. Finally, we heard from a witness about a case where someone was wrongly prosecuted—I will not go into any detail. They were thought to be doing something on the web that they were not supposed to be doing and an investigation, at least, commenced but it was found that they were actually in the clear. There was an error in the records—something to do with IP addresses, which raises the question: how accurate are your metadata records and how real is the risk that we will have an imperfect database with errors in it?

Mr Kane : That touches on a number of the things that we provided in our submission and here this morning. The complexity of the digital world, the way our own networks are evolving and those networks around those that actually work across the top means that it is an imperfect system. These things used to support law enforcement and national security and provide evidence beyond reasonable doubt. You may now get occasions where they are relying on information that is very difficult to understand and prove so it offers reasonable doubt.

Mr WILKIE: Can you guess at the error rate in your current billing records?

Mr Shaw : No, not here. I do not know whether we have an estimate within the organisation. We will endeavour to find that. But let us just say that if you were to go to the telecommunications industry ombudsman you would find that they log numerous complaints from customers of all of the carriers about billing issues where they believe there have been errors.

Senator BRANDIS: I just want to explore briefly one other issue with you, which goes to the heart of this scheme and where we are all constrained by the fact that the discussion paper is reasonably vague. But, broadly speaking, the plan is, as I understand it, to have a statutory obligation on the carriage service providers to retain metadata for two years and then to enable the law enforcement and national security agencies, either by warrant or some other process, to require the carriage service providers to provide to them certain identified data from that database. Is that broadly what you understand to be the idea that we are exploring here?

Mr Shaw : Yes.

Senator BRANDIS: It seems to me that, if that is so, both the law enforcement and national security agencies and the carriage service providers would have an incentive built into that system to make it more efficient by allowing the law enforcement and national security agencies, rather than asking you to provide to them metadata, to be given direct access to the databases so that they could themselves access your database without any involvement by your staff. You would have a commercial incentive for that to happen because it would cost you less money and the law enforcement and national security agencies would have an obvious incentive to do that because they would have a much more hands-on control of the retrieval of the data. I know that is not what is being suggested in this proposal and, although I am generally wary of slippery-slope-type arguments, it would not take very much to go from the current proposal to a proposal whereby you are, effectively, merely a keeper on behalf of the law reform and national security agencies and all of the retrieval is being done by them?

Mr Kane : That is quite correct. In some ways, we now do it with the Integrated Public Number Database. The terminal sits within the police station or a security agency. That is not an uncommon thing. But the problem still remains, though, that we would still have to build the database internally within our networks from the 14 different destinations of the data at the moment, compile it, make sure it is accurately stored and can be accurately searched and that we can destroy it and, if required, that we can testify to the integrity of the data. Just because the agency recovers it does not necessarily mean that defence barristers and the likes will not want to know where it came from.

Senator BRANDIS: Of course.

Mr Kane : The problem would still remain that the database sits within Telstra and it is just being accessed at the end point by the agency. But one would think that the end product of whatever comes from this, if it is to be agreed that a database be built, would be a method of delivery that would be favourable to us.

Senator BRANDIS: I do think that a lot of citizens who might not have a problem with a statutory requirement that the carriage service providers retain data that in fact a lot of them, including you, apparently already retain and which is accessible by the police or national security agencies on request—and having undergone some procedure governed by statutory requirements and limitations—might have a problem with the idea that, not technically but in substance, this data is in effect being held by or on behalf of the police and the national security agencies themselves.

Mr Kane : It is a reasonable assumption, and again it comes back to the tiering and the level playing field issue. If all of our competitors and industry companions were required to do the same, it does make sense.

Mr DANBY: I just want to follow up again a point that you made in your submission. The law enforcement agencies have given us the impression that they do not want a vast expansion of their powers—that they do not even want to access the number of intercepts greater than they do now. They want to just do it in a different way, because of changes in technology. Do I understand from your answer regarding Skype and Google et cetera that even with warrants and authorised officers in law enforcement agencies that they would not be able to access these new technologies—Skype, Gmail—because they are encrypted, because offshore agencies would not permit them or because organisations like yourself have no access to the circulation or interchange of information?

Mr Kane : I think a really basic example of what we can provide is that, if there is an African terrorist cell that is being targeted by both the national security and national law enforcement AFP, and they are speaking in Swahili amongst themselves and typing in Swahili, we intercept the pipe and provide that intercept to the agency and the onus is upon them to have that transcribed into a usable form. They usually use a NEPI Level 3 interpreter who speaks Swahili to translate that into English. That helps the agencies understand what has been said. We are saying that if data has been encrypted across the pipe using Gmail, we will separate and intercept the pipe for them. We will deliver that to the agency, and the onus is on them to work with Google, Microsoft or Skype or whoever owns the encryption key to unlock that encryption so it is usable data. We do not think it is reasonable that that onus be put on us.

Mr DANBY: So if bikie gangs were exchanging information via eBay, would you be able to help with a technology system like that?

Mr Kane : What we could probably do, and do now—and that is why the agencies do not want to necessarily change the current regime—is intercept the pipe between the Odin's Warriors in Adelaide and the Gypsy Jokers in Perth and identify what is being sold in the way of Harley-Davidson parts on eBay. But if they are doing that in code and they are using PayPal, hypothetically, or eBay, Skype or other encrypted keys to actually ensure that their coded conversations cannot be de-encrypted, it is probably the responsibility of the agencies and government departments to work with eBay, PayPal and Skype to recover the encryption key. The onus should not be on Telstra to do that.

Mrs Van Beelen : In fact, we do not have the key.

Mr Kane : That's right.

Mr DANBY: What I was interested in is that it can be done if you have an agreement with them.

Mr Kane : They will need to work with those application providers.

Mr Shaw : We could not offer a view of whether it can be done within those products. That is something you should take up with them.

Mr DANBY: Fair enough.

Senator BRANDIS: But I do agree with you, Mr Kane, that, in the circumstances you have postulated, the burden should not be cast on the carriage service provider.

Mr Shaw : I would just like to clarify one point that was made during our discussions. We mentioned a couple of times the 14 datasets across our network. What we are talking about there is that, with at least 14 IT systems across our network, it would involve thousands of networked units that would need to be interrogated in terms of pulling datasets together under a data retention scheme. So it is a little bit more complex than just 14 pre-existing datasets; it is those IT systems, which have a number of elements below them.

CHAIR: If we have any further questions a secretary or write to you. Thank you very much for your evidence, and we look forward to receiving the information we asked for.