Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
 Download Current HansardDownload Current Hansard    View Or Save XMLView/Save XML

Previous Fragment    Next Fragment
Wednesday, 22 August 2012
Page: 6043


Senator LUDLAM (Western Australia) (11:18): I know that you were contemplating it because you have referred precisely that for the entire Australian population over to the PJC; however, that is a debate for another day. That may explain why there is no direction in the bill on how carriers should handle such data or the interface standards between industry and law enforcement agencies. That is an extremely important point. If you have left that ambiguous, it means that it is not then incumbent on the telcos to hold onto this material in the first place. That is a very important point. I suspect it will ease their minds.

I would like to quote briefly from one of the people—this fellow works for an ISP—who has been in touch with us about what it means practically from an engineering point of view. This is somebody who has experience. He is obviously working in jurisdictions that have already signed up to the European convention. He writes:

Just because of Article 17 of the European Convention, requires providers to be able to identify the *path* that data travelled doesn't mean that is feasible, cost effective, nor proportionate.

A simple example. There's a technology called a "load balancer" which service providers use to distribute incoming requests for data/information across a wide range of actual computers. Rather than use a single computer to serve a web page, or deliver email, a provider will use hundreds or thousands, and then put a specialised device, called the load balancer, in front of the thousands of individual machines.

From the consumer/public point of view, there's "one computer"—but for the provider, there are a multitude.

The problem here is that MOST load balancers, out of necessity of the technology, must manipulate the data packet as it arrives from the Internet and is distributed to the thousands of computers inside the provider's domain.

What this means is that the *path* the data took at the point where both traffic and content data may be logged and capable for preservation orders to be executed does not *contain* that vital piece of data.

He says:

I ran into difficult issue countless times: The national intelligence service would demand that we provide "thing X" as per the legislation. I would point out that "thing X" did not exist in the Internet context in general, and, for their specific case, the target wasn't using any sort of technology that made that remotely possible. They demanded "thing X" regardless. I said I couldn't deliver as it was impossible. They said (jokingly, I hope) "Fine, we'll just take you out to a field and shoot you then."

I wonder whether that phrase is to be found in the explanatory memorandum. I could not find it. He says:

I am pretty sure they were kidding, but it's the mentality here that I'm trying to capture. As service providers we respond to the whims of our customers as to the technologies we may or may not choose to implement, but at the end of the day, we may change on a time, as technologies are created well outside of our scope of influence and control. Facebook. Twitter. Google+. None of these were invented here, none of these are controllable by service providers.

He goes on further about ongoing collection and retention of data under the European Convention on Cybercrime. He says:

In the case of the Cybercrime legislation, the requirement was for providers to, in essence, take what they currently had about a given target and make a one-time snapshot of all data. Anything on the hard drives of the provider, anything in the customer database, anything in the billing systems, and securely store it for the mandated time period.

The amount of work to generate this snapshot of data was phenomenal. Lawmakers (no offence) often have the perception that providers have a single unified "system" and it's as simple as drag-and-drop to put everything you have about a person/target onto a CD.

In reality, there are dozens to hundreds of systems, none of which may be connected to each other, and none of which may have the same way of indexing the data. For example, the mail servers may use "username" or "username@blah.com" or some other key to find/locate stored data—but the billing system may be a unique number such as … And the customer relationship system may be based on some other parameter.

Point is, it was a phenomenal amount of work to FIND the data, taking hours to days depending on what specifically was requested, and even though the data was securely preserved.

It is not reasonable to request nor expect service providers to perform a preservation AS an interception, and the interception legislation does not typically cover the data that preservation orders do.

I am sharing this in some detail with the Senate in order to explain why we believe it is appropriate to provide telcos with a process that would allow them to say, 'We need more time'. The amendment outlines a clear process that safeguards an oversight to ensure that the telcos are not simply refusing to cooperate.

I ask the minister to again take a look at why we are doing this. This is not a vexatious amendment. This is something that we have drafted after extensive discussion with those in the telco sector who are obviously very keen to uphold their legal obligations to people investigating serious crimes. They are not seeking to avoid those obligations; they are saying, 'What you're asking to do is technically very, very complex.' I would ask the minister to contemplate whether a simple cut-out as we have proposed here, with some checks and balances. It might actually save quite a bit of money. I ask again: does the minister have any idea how much, in addition, it is likely to cost by way of these cost recovery orders, given that you are potentially handballing some very complex and difficult matters to people who may not necessarily be in a position to do what law enforcement agencies are asking?