Parliamentary Joint Committee on Intelligence and Security
29/01/2015

LOBB, Mr Matthew Randell, General Manager, Industry Strategy and Public Policy, Vodafone

[14:52]

CHAIR: Welcome. Although the committee does not require you to give evidence on oath, I remind witnesses that this hearing is a legal proceeding of parliament and warrants the same respect as proceedings of the House itself. The giving of false or misleading evidence is a serious matter and may be regarded as contempt of parliament. The evidence given today will be recorded by Hansard. Do you wish to make some introductory remarks before we proceed to questions?

Mr Lobb : I do. Vodafone Hutchison Australia is Australia's third largest telecommunications company. We are owned by Vodafone Group Pty Ltd and Hutchison Whampoa, two of the largest telecommunications companies in the world. So we do bring to the committee an international perspective that we hope you will find useful. Consistent around the world, our starting position as a telecommunications company is that our customers have a right to privacy. It is something that is enshrined by international human rights law and this is enacted through national laws. Respecting the right to privacy is one of our highest priorities. It is integral to the Vodafone code of conduct, which we all follow at our organisations. However, in every country in which we operate we abide by the laws of those countries which require us to disclose information about our customers to law enforcement agencies and other government authorities. We acknowledge that these laws are designed to protect national security and public safety.

We therefore have to balance our responsibility to respect our customers' right to privacy against our legal obligation to respond to the authorities' lawful demands, recognising our broader responsibilities as corporate citizens to protect the public and to prevent harm. We have a proud history of doing so. That is of course the issue we are here to discuss today. You may be aware that in June last year Vodafone Group released a law enforcement disclosure report, which we have included in the submission. It provides a global country-by-country analysis of law enforcement requirements that we hope the committee finds useful.

In starting to discuss what is proposed in legislation today, the assessment of that report and our own assessment is that Australia's current regime for law enforcement and access to telecommunications data strikes one of the better balances internationally between the need for effective law enforcement and the need for privacy protection and also, importantly, independent oversight of the operations of the investigative regime. From our point of view, our paramount focus must be to ensure that our law-abiding customers have a right to privacy.

There has been a fair amount of ambiguity about the policy intent of the proposed regime for mandatory data retention. At times the justifications have been that we need to establish a mandatory data regime to consolidate and standardise current arrangements. As you are aware, the metadata for traditional telephony has been something that telecommunications companies have been providing to companies for many years. Agencies have said that they want to protect current law enforcement activities because there are concerns that communications providers are starting to stop retaining that data. In our view, while we do not see a significant risk of a loss in the current metadata capabilities for law enforcement agencies, we do see policy merits in a more standardised set of arrangements to give certainty for agencies, industry and citizens. So the policy intent of the overall framework we do think is an appropriate and worthwhile activity.

On other occasions, though, the argument for the new regime is that technologies and methods of communication are changing and so we need a mandatory data retention scheme to allow governments to extend their metadata investigative capabilities. We understand that, as technology changes, regulations need to change to take into account different ways that consumers undertake communications, but our concern and our interest is that the proposed mandatory data requirements go well beyond traditional telephony billing information, which has been the less technical term for the old-style metadata that has been available up until now. A number of facets of the new requirements go well beyond the data retention activities that we would undertake as telecommunications companies for our normal commercial and billing purposes. So this represents a significant change from what we currently provide. This is really the nub of the policy focus that we think the committee needs to look at: those expanded data retention requirements into the new technologies.

As government policy has developed over the last six to 12 months, the details of important improvements to the proposed regime have been introduced. Firstly, we welcome the government's commitment to make a contribution to the capital costs of the new requirements. We agree with the rest of the industry that the cost of setting up this new capability should be paid for by government and that these government contributions should be provided in a competitively neutral way. We also welcome the proposal to reduce the number of agencies that can access the metadata information that has been proposed. As in the discussion the committee just had before with the Privacy Commissioner, we would also like the committee to consider whether there should be offence thresholds for which data can be accessed. Under the interception powers there is a threshold about the seriousness of the offence for which you can then get a warrant. We think the committee should consider whether there should be a threshold for access in particular to the new metadata. I understand but I am new to the idea that the Attorney-General's Department has introduced, which is that there may be restrictions on that, but we do think that is worthy of some focus of the committee to see whether that is worthwhile particularly for the more sensitive new aspects of the data retention measures.

We also welcome the increased oversight by the Ombudsman that has been proposed by this regime. We think that that new role is welcome, but we would also like to see the Ombudsman clearly have a role in reporting their findings from their ongoing annual investigations. Certainly the metadata debate has raised a great deal of public interest about when and how this information is used by the security and law enforcement agencies. It is not to say that should interfere with investigations. Rather, I think the public does need to understand when and how the information is used and whether there is independent oversight of those arrangements being carried out appropriately and consistent with legislation.

I would like to turn to two broad concerns that Vodafone has with the legislation in its current form. Of most concern, as we flagged in our submission, is the proposed duration of the metadata retention. In particular, we are concerned about the length of time proposed for the storage of the IP identifier metadata. This is the data that is essentially analogous to a telephone phone number, where a customer, when they access the internet, gets assigned an IP identifier so that they can carry out access to the internet. We agree with many other stakeholders that the data storage requirement should be no more than six months, particularly for this IP identifier metadata—and we offer some comments about why we think that is appropriate.

Firstly, the proposed two-year requirement is at the upper bounds of the storage requirements being contemplated around the world. We note the European Commission's evaluation report on this which found that most data requested by law enforcement agencies is less than six months old—and you would certainly be aware of that. That is consistent with our experience in Australia. At Vodafone, our experience is that, generally speaking, around three-quarters of information is less than six months old and around 85 per cent is less than 12 months old. So it sounds like it is consistent across telecommunications providers.

We think that the time lapse will be even shorter for IP identifier information. This is because IP identifiers are not like static customer telephone numbers. Each time you set up a data session, you are generally assigned an IP identifier for that session. It is a dynamically allocated number. It would usually be used, we believe, when a particular rogue website is under an interception order—for example, a terrorist site or a paedophile site—and agencies will notice that there is an IP identifier that has accessed the site. At that point, the agencies will ask the telecommunications companies who had that IP identifier assigned to it. So the idea that you would be looking at a website of two years ago and then asked two years later, 'Who was that particular IP identifier?,' we think is much rarer than the circumstance where an investigation might find a telephone number when they have raided an office and they want to understand who had that telephone number, because telephone numbers are obviously assigned for a longer duration.

Secondly, IP information is much more sensitive data than traditional telephony metadata. Traditional metadata is generally account information and phone numbers, and often that information is in the White Pages and so on. The feedback we are getting from consumers is that that kind of information is less sensitive than IP identifier information.

The other area of concern—and I think this has been raised in the discussions this afternoon—is that we do think that it is important that there is certainty about the data retention obligations. As it stands, the current proposal is a regulation based list of metadata requirements. Along with other stakeholders, we think that there needs to be significant oversight of that. Certainly, the minimum would be that if any changes are made there needs to be a requirement of consultation with industry, relevant agencies, such as the Privacy Commissioner, and that that be subject to parliamentary oversight, and, also, that when those considerations are made there is also due consideration for the amount of time the new arrangements can be put in place. That concludes my opening statement.

Mr RUDDOCK: You suggested that the measures we are now enacting go well beyond—and you kept on asserting 'well beyond'—the extent to which existing data provision requirements operate. What are those elements that are well beyond what is now retained, for instance by Telstra?

Mr Lobb : It is the metadata identifier information. That is the new measure. Currently, as other industry players will say, the capability to marry IP identifiers with account holders is a capability that is certainly in its infancy, and it is generally something that telecommunications companies do not have the capability to do at the moment.

Mr RUDDOCK: I suppose I would ask myself this question in relation to metadata and new capability: if it becomes known to terrorists that you can communicate and that information will not be kept, then that is the only source they would use. What you are really saying is that, if there is a metadata element that is not now covered but is in fact new, but it would give them cover, we should not go after it.

Mr Lobb : Not at all. What I am saying is that that is a new capability and will be a new requirement. We do perfectly accept that that is a new communication capability and does warrant consideration for metadata requirements. What we are saying is that that is sensitive information—

Mr RUDDOCK: So, if we think it is justified you would be prepared to accept it?

Mr Lobb : I think we accept that people are undoubtedly communicating via IP means and, given so, it warrants consideration.

Mr RUDDOCK: I have struggled in these hearings with people who assert privacy, because we are told that everything has to be proportionate. I try to have some understanding of what proportionality means, and I find it very difficult, conceptually. I was interested in a quote I had not seen before from the Office of the High Commissioner for Human Rights suggesting that where you have to weigh up other rights—for instance, the right to life—all that has to be shown to justify the waiver of privacy is that there is 'some chance' of achieving that goal. I noticed somewhere else—perhaps I should take it up when we come to it—that there was a reference to a 'just in case' test. I do not think it is a 'just in case' test; it is a 'some chance' test.

Now, we go to this period of two years and your suggestion that most of the requests are for relatively short periods. But even if you have one major terrorist organisation that you did not become aware of—they are not registered and they are not out there—that you become aware of at some point in time, wouldn't you want to be able to go back beyond six months to see who had been in touch with them and might be getting the information about how they could carry out a terrorist act? Wouldn't that meet a 'some chance' test?

Mr Lobb : I think this is the key issue that we need to discuss and assess. I think that, generally, threat to life investigations would be much more immediate than that. It would be within days and weeks. But, you are right, there are conceivably longer periods than that and we have to weigh up the various rights and interests and activities. And I suppose what we are putting forward is that when we talk about IP identifier metadata the chances of that being used in those situations is less than with traditional telephony and also that IP identifier information is substantially more sensitive information and may warrant a different consideration to more traditional account-holding and billing information that has been available to date.

Mr RUDDOCK: I understand that for a local government there are all sorts of other issues that relate to money, although we had some people talk to us about the extent to which people's savings might be denuded by fraud, that they are proper investigations to undertake. But I am dealing with right to life. Once you have established that there is some chance of a terrorist act, then the information has to be kept. You cannot say, 'We'll only keep it for terrorist investigations.' You have to have access to the information per se, don't you?

Mr Lobb : Yes, and I think the length of time that is stored is a judgement that needs to be part of the considerations of this committee.

Mr BYRNE: You have an offshoot in the United Kingdom.

Mr Lobb : A very important one.

Mr BYRNE: Yes, indeed—Vodafone. How are they going with the 12-month data retention regime over in the United Kingdom?

Mr Lobb : I must say I am not sure of the status of the requirements, but I think 12 months is a fairly typical amount of time in Europe. I know that the European Commission has made some assessments that require that to be looked at in more detail. But I am sorry, I do not know—

Mr BYRNE: Do you know what the cost would have been to Vodafone UK to enable them to keep the dataset that the government required?

Mr Lobb : No, I do not.

Mr BYRNE: Is it possible that you could take that on notice? Do you have a fairly close relationship with Vodafone UK?

Mr Lobb : Yes, I can take that on notice, and we can provide some experience, where regimes have been set up, about what the requirements have been. They will be very similar to Australia's—

Mr BYRNE: Yes, they are very similar.

Mr Lobb : in the sense that we have always held the traditional telephony metadata—billing records, account holders—for certainly longer than two years. And that is for both business reasons and regulatory reasons. So, that is established. The difference with IP traffic and data flows is that the way that is billed is not necessarily about where the customer has gone. And because the IP identifiers are dynamically allocated, it is a very complex and very data-rich database where we have to marry identifiers with accounts. So, that capability is one that has needed to be developed universally.

Mr BYRNE: And just in terms of Vodafone UK, is that doing relatively well over there?

Mr Lobb : The organisation?

Mr BYRNE: Yes.

Mr Lobb : Yes, it is doing very well. Obviously it is one of the largest telcos in the world. Regarding the status of the—

Mr BYRNE: So, how long have they been subjected to the European data directive? It would have been 2006 when you started being required to keep the data for a 12-month period.

Mr Lobb : I do not know the status of the United Kingdom. I had better get back to you, but I think there might be elements that are still a work in progress.

Mr BYRNE: But would they be a group that you would consult with in the implementation of your data retention regime, should that come into law?

Mr Lobb : Yes.

Mr BYRNE: And do you have a rough costing as to how much that would be?

Mr Lobb : Not at this stage. We provided assessments to the PWC. I do not know whether you are privy to that commercial-in-confidence information.

Mr BYRNE: No, they have not been brought to our attention.

Mr Lobb : When we made those assessments it was not as clear what the requirements were as it is now. That said, the requirements are pretty much the same. The key challenge is going to be marrying the identifier to the account and doing it over many, many data sessions. Our estimate is petabytes of data, which is a significant amount. And setting the capability up to do that and then storing it and protecting it is not without its costs.

Mr BYRNE: But you would be importing some of that expertise, software from—

Mr Lobb : We would certainly talk to them about it. I think technically we do understand what we would need to do.

Mr BYRNE: How many times has Vodafone been consulted since data retention was raised?

Mr Lobb : We have had a number of meetings with the Attorney-General's Department about our capabilities and what we think about the metadata list. I think it is fair to say that the list is consistent with the European requirements. There was obviously some ambiguity about whether URL addresses were part of that, but that is now clear. There has been ongoing discussion about whether we have to log every single event. There are ways we can reduce the amount of data we need to store and that might reduce costs. There will be discussions about that. There does need to be some flexibility about delivery. Obviously we have a long history of working with the law enforcement agencies about what works for them, and that discussion will be ongoing.

Mr BYRNE: You mentioned as part of that conversation that URLs were actually being contemplated by the agencies. When would that have been, in terms of your consultation?

Mr Lobb : It would have been when the Attorney-General announced that there were going to be consultations. I cannot remember the exact date. It was the end of last year.

Mr BYRNE: So the Attorney-General's Department basically suggested to you that URLs might constitute a data set?

Mr Lobb : No. I think it was more about what data you need to keep and also what would be required to bring it back to an account holder—did it need to be the full address or could it just be the IP identifier? It was more a technical discussion rather than a policy discussion.

Mr DREYFUS: I want to ask you some questions similar to those that Telstra dealt with this morning. Vodafone is the third largest telecommunications provider, after Telstra and Optus, in Australia?

Mr Lobb : Yes.

Mr DREYFUS: Vodafone at present keeps data for its business purposes?

Mr Lobb : That is right.

Mr DREYFUS: And also in compliance with the Australian Consumer Code administered by the Department of Communications?

Mr Lobb : Yes. And obviously for law enforcement purposes—if, under the Interception Act, we are required to provide reasonable assistance, we would do it for warrants and so on.

Mr DREYFUS: Of course. And you, along with the other telecommunications providers, receive thousands of requests from Australian law enforcement agencies every year and comply with those requests to the extent that you are able?

Mr Lobb : Yes.

Mr DREYFUS: Does the data retention requirement that this bill would impose on Vodafone, along with every other telecommunications provider, call on you to store data that you currently do not keep?

Mr Lobb : Yes, that is right. That relates to the IP metadata. And certainly the duration of the storage of the data would be shorter. Generally we store data for billing purposes—

Mr DREYFUS: You said you now keep that data that you use for billing purposes for two years and longer.

Mr Lobb : Yes. Telephony we store for more than two years—call records and account details. For metadata, we do store some marrying of accounts to IP identifiers but not at the capability that is being contemplated here. Again, we do that for systems purposes or for billing purposes, but nothing as robust as is being contemplated.

Mr DREYFUS: And there will be a capital expenditure imposed on you to create the capability that Vodafone Australia does not presently have?

Mr Lobb : That is right, yes.

Mr DREYFUS: In lay terms, that is to build a system that will enable Vodafone to store, in particular, IP identifier numbers, which you do not presently retain?

Mr Lobb : Yes.

Mr DREYFUS: And that is because you do not have a business purpose for retaining those ever-changing IP identifier numbers?

Mr Lobb : That is right. There would be three costs from that. We would need to establish a capability to connect the IP identifier to the account. Then there would be the costs of storage. Another significant cost would be from having the ability to retrieve the data from the very substantial database.

Mr DREYFUS: And you have provided estimates of those costs on a commercial-in-confidence basis to PricewaterhouseCoopers?

Mr Lobb : Yes.

Mr RUDDOCK: Just on the same matter—I am very ignorant of these matters—Skype is a telephone you use on a computer. You are using IP identifiers. Does that mean somebody can have the equivalent of Skype on the IP identifier?

Mr Lobb : That is right.

Mr RUDDOCK: So the equivalent of a telephone call could be made on an IP identifier?

Mr Lobb : Yes. Skype is what is known as an over-the-top service. It goes over the top of the underlying IP—

Mr RUDDOCK: So traditionally we have access to telephone calls. You are saying that an IP identifier is something new. In fact, it is a substitution for a telephone.

Mr Lobb : That is right. As flagged, there is no doubt that technology is changing. We recognise that the new technologies require—

Mr RUDDOCK: I just wanted to satisfy myself that my understanding was not too far in error.

Mr Lobb : No, that is exactly right.

Mr DREYFUS: Just to go on with that, the IP identifier number changes during the course—to take Mr Ruddock's example—of a Skype call.

Mr Lobb : The phone number you might have in a Skype account is assigned by Skype, and that will not change. The underlying IP identifiers will change each time a call is made.

Mr DREYFUS: Yes, and that is the issue about matching it to account holders.

Mr Lobb : That is right. It might be better to understand it in fixed terms. You would have a fixed DSL provider leased out to a telco and then a customer would establish a Skype account with potentially a phone number in it. That component is managed by Skype. The IP identifier, the data stream, is managed by the broadband service provider. That is what we were talking about with the different IP identifiers.

Mr DREYFUS: To what extent is Vodafone a broadband service provider?

Mr Lobb : Around the world, we are a major fixed provider. In Australia, we are considering when we may enter the market.

Mr DREYFUS: You have provided, as I understand it, on an in-confidence basis the details about the age of data requests received by Vodafone in 2012, 2013 and 2014. To what extent can you put any of that on the record?

Mr Lobb : I did, just before. Around three-quarters are less than six months old. Around 85 per cent are less than 12 months old. As you can see from that information, it is fairly static. It has not changed over time. From information in other discussions, that sounds consistent with other industry players around the world.

Mr RUDDOCK: But 15 per cent is beyond that?

Mr Lobb : Yes.

Mr DREYFUS: And that is all data requests?

Mr Lobb : Yes.

Mr DREYFUS: Is there a distinction or difference that you can draw between requests for telephony data and requests for, say, IP identifiers or other data forms?

Mr Lobb : Certainly telephony metadata has been very useful in investigations. Given that we retain it for two years, I think a case could be made that telephony data could be held for a longer period. Certainly our view is that IP identifier metadata would be of most use more immediately than telephony metadata. That is because it is ever-changing. I think it is going to be potentially useful in regard to IP telephony. I think there are other ways of overseeing that. But when you are talking about an 'under surveillance' website, an agency will be looking at a dodgy website, an IP identifier accesses the website and the agency wants to find out who that person is, it is unlikely that that will be in two years hence. It is much more likely to be an immediate event.

Mr RUDDOCK: But not always?

Mr Lobb : Then the issue is proportionality and assessments of other issues.

Mr DREYFUS: Is Vodafone Australia proposing to reduce the data that it currently keeps in the foreseeable future, absent this legislation?

Mr Lobb : No. With respect to traditional telephony, we will continue to retain the call event: who was it, where did it go to? That will continue. We generally deliver itemised billing for calls and we do not have an intention to change those arrangements. So at this stage they will continue to be part of our data retention.

Mr DREYFUS: Are you able to explain to the committee what are the commercial-in-confidence or commercial sensitivities about public revelation of the cost? And I ask that question in the context of the Commonwealth of Australia using taxpayers' money to pay for this scheme.

Mr Lobb : I think there are potentially two. One is that we have not done detailed assessments of what the costs are, so we are reluctant to put forward a number when it could be incorrect. Obviously, as you know, the estimates have been hundreds of millions of dollars. I think that estimate was much more when content was potentially part of the scheme. That is where the substantial storage requirements would be, certainly less so with just IP identifiers. Another is that it might reveal differences in capability of our networks. Those would be the main two. But certainly we would be happy for you to see, in confidence, our assessments if the Attorney-General's Department thinks that is appropriate.

Mr DREYFUS: It is more if this committee thinks it is appropriate.

Mr Lobb : I would expect you would trump that, so yes, that is right.

Mr DREYFUS: Through the chair, we would accept that offer. Thank you.

Mr Lobb : As I said, it was an estimate and we have not done a full—

Mr DREYFUS: It will be taken exactly in that light. Thank you.

Mr NIKOLIC: Just a point of clarification: if I understand what you said, new technology data retention is for six months and, for old technology such as telephony, two years. Is that right?

Mr Lobb : That would be the way things would end up, with a six-month requirement. As I said, we will continue to hold the telephony data for two years.

Mr NIKOLIC: My question relates to how you settled on six months. It seems sort of arbitrary for the new stuff. Is that a cost issue? What drives the decision making to six months?

Mr Lobb : It is really customer feedback about their concern about the amount of data that we would be storing. Certainly, for billing purposes, if we were to ever have a capability we would not keep it for six months. We would keep it for less than that.

Mr NIKOLIC: But customer feedback on the old technology, telephony is not—

Mr Lobb : No, this is on the new technology. Certainly, as debates continue, the feedback from customers is: 'We're uncomfortable with IP identifier information being stored for significant periods of time.'

Mr NIKOLIC: Thank you. Thanks, Chair.

Senator FAWCETT: While on the same topic, can I clarify that one of the concerns you have expressed was that you felt that the usage of IP identifier information would be far more immediate and that you did not think it would stretch back as far and that was one of the reasons you thought six months was appropriate.

Mr Lobb : That is why we think it is reasonable that it is a shorter period, married against the fact that it is substantially more sensitive information in the consumer's mind.

Senator FAWCETT: Sure. I am conscious of the things we can and cannot talk about in briefs we have received, but one of the things I can highlight in the public space was that the Queensland task force Argos in 2006 started a paedophile operation, and 2010 was when they finally had the global bust all around the world. It is in the public space. I can say that is indicative of the length of time of a number of operations that use IP data. Given that information is available to indicate the length of time, does that change your position that six months is appropriate?

Mr Lobb : I am obviously not an operational expert, so I am not privy to that. I think it would be best to discuss that with the agencies. What I would say is that if you are surveilling a website, if you are getting information about what is happening at that website, and an IP address identifier comes to that site, it would be best for the investigation to identify who that person is quickly rather than a year or two years hence. In our view, practically, the six months allows the agencies to determine who has accessed those websites.

Senator BUSHBY: Mr Lobb, you indicated that the six months was a period which you put forward based on feedback from your customers. To any extent, did you then temper that with the desirability of law enforcement and security agencies being able to access that information, or is it purely formulated on the basis of feedback from your customers?

Mr Lobb : The six months is consistent with the Communications Alliance and the Australian Mobile Telecommunications Association recommendation. That was put forward as an industry consensus view. Certainly that is the judgement of Vodafone and others in the industry.

Senator BUSHBY: Following on from Senator Fawcett's questions, you indicated that it would be ideal to act quite quickly. I am quite sure that the law enforcement and security agencies, when they get wind that a crime may have been committed and that the identifier is available, would be acting very quickly to find out who is behind that. It is quite possible that our law enforcement agencies might get notified—and a good example is a child exploitation ring, where they work very hard to try and keep all that under wraps. Somewhere in the world they might crack into it somehow. Having done that, they will have all of these identifiers. They will contact Australian agencies and say, 'These are identifiers that we have in Australia.' But they may be, and are likely to be, historical. It is only then that our law enforcement agencies have the ability to go back and have a look and try and work out who the people are who are behind that. In that sense, the evidence that we have received from law enforcement and security agencies is that they would love to go back many, many years, but two years is where they have settled as the appropriate place to be able to capture most of those more egregious types of activities and to be able to get behind those people. We have had a lot of evidence here that, certainly when the law enforcement and security agencies identify a person of interest—criminal activity, terrorism, whatever it might be—there are other mechanisms that they have available to them which they can then employ, usually more intrusive. The metadata is good for helping identify who the persons of interest are when they get wind that something has gone on. They have a small crack and this allows them to open it up and find out who is behind it. In that sense six months is not necessarily sufficient.

Mr Lobb : I think that is something that will need to be discussed with the agencies. What I would say is that, certainly with a traditional telephone number, going back to beyond 12 months would be more likely because it is a static number that would endure through a number of years. In a situation where you retained the IP identifier detail 18 months ago and then you say, 'There is an IP identifier here. We want to know who that is. Do they marry?' that would occur substantially less frequently. So what we are saying is that, weighing up against that factor, we think it would be less often, and also as this is substantially more sensitive information, a shorter period would be appropriate.

Senator BUSHBY: But the sensitivity is only highly relevant to the extent that it is accessed.

Mr Lobb : That's right.

Senator BUSHBY: For the law enforcement and security agencies, there is a pretty clearly defined set of circumstances under which they can access that information.

Mr Lobb : Yes.

Senator BUSHBY: There are issues, and I think the committee will work through those in terms of the security of information that is stored by providers and how you maximise that security. But it comes back to my question: it is only sensitive if it is accessed and how is that a problem for your customers?

Mr Lobb : It is the fact that it is every single customer's IP identifier as opposed to a small subset. For example, an arrangement could be put in place whereby, if there are websites that are being identified, you could regularly provide a list of the IP identifiers for those websites within the six-month period to enable agencies to have a list for future investigation. I think you are right. It is about accessing the information and protecting it appropriately. Where the bad people are accessing the bad websites is where the operational focus should be. What we are talking about here is the requirement to retain a substantial amount of data on everyone's metadata information. So the proportionality is: is there a way of avoiding that but also ensuring that very important investigations are effective? This is a new capability, and so what we are talking about is an enhancement. What we are not talking about is the traditional use of metadata, which from established practice is less sensitive information. At this stage, we do not have plans to alter the way that is being stored and retained—

Senator BUSHBY: The traditional metadata?

Mr Lobb : For the traditional metadata.

Senator BUSHBY: This probably does not apply so much to Vodafone but I will ask you the question anyway. The evidence that we have received from the law enforcement and security agencies is that their main concern is that changing business practices and models means that providers are less likely to retain a lot of the information that in the past they had and were able to access as required. Does changing business models mean that Vodafone is changing what it stores?

Mr Lobb : I should flag that there is the traditional 'maintain a status quo', and I think there are legitimate policy requirements about establishing that and making sure that it remains effective. At this stage, we do not think there is a risk for traditional metadata, but undoubtedly technology—

Senator BUSHBY: For Vodafone?

Mr Lobb : And also the industry. Undoubtedly, technology is changing. IP communications are going to become more and more significant. Switch based telephony will, over the next decade or so, become less and less. Undoubtedly, we do need to manage the technological change. To be clear, what is being proposed is an extension of metadata capability, and it is more sensitive information. As we move into the IP realm, we are saying, 'Let's be cautious about the amount of time that it should be stored.'

Senator BUSHBY: When you say it is 'an extension', you are not saying that the law enforcement and security agencies aren't already accessing that data where it is available?

Mr Lobb : Under the legislation, if there is a reasonable request, we are required to comply.

Senator BUSHBY: And you have it?

Mr Lobb : If we have it.

Senator BUSHBY: That is the issue as we understand it.

Mr Lobb : That's right.

Senator BUSHBY: It is about how we ensure that there is consistency and data available—

Mr Lobb : Undoubtedly, this will be a discussion that will be continuing, but the key issue is protection of consumers' privacy as the technology changes. That is why we are flagging what we are flagging today.

Senator BUSHBY: I understand that Vodafone and other providers provide a business in which people who are involved in criminal activities, people who are planning terrorist type activities, make use of your services.

Mr Lobb : Yes.

Senator BUSHBY: So, in a sense, you are innocently involved, but what you do is accumulate data which is of immense importance to law enforcement and security agencies. So you are the meat-in-the-sandwich in that respect but—

Mr Lobb : Yes. We recognise that we play a very important role for law enforcement agencies. We have a very good working relationship with them—high levels of trust—and we also have a very proud record of being involved in some very challenging investigations. We are not saying that that is not an important activity. We were just saying it has to be measured against the fact that, for the 99.99 per cent of customers, we want to make sure that we can say to them that we are protecting their privacy and that the information that we have stored is protected and used appropriately.

Senator BUSHBY: Whatever data you do end up storing, are you confident that you can store that securely?

Mr Lobb : We will establish that, consistent with our security standards. They are the standards that are well established internationally. You are probably aware the Attorney-General's Department is working up a compliance framework in this area, and we will meet those requirements. Consistent also, I think, with the Privacy Commissioner's comments, this will be data that we would treat very much as data consistent with our privacy requirements, and I think the Privacy Commissioner's role in that regard is very important.

If it is okay, I might just comment on the roles of the Ombudsman and of the Privacy Commissioner, just thinking about the discussion today. Undoubtedly, there are our obligations—privacy obligations and data retention obligations—and the Privacy Commissioner can play that role. But it must not be overlooked that we see the role of the Ombudsman as ensuring that the law enforcement agencies' activities are consistent with the legislation; and we think it is important that the Ombudsman play a role in telling the public that they can trust what the law enforcement agencies are doing. I think that is a very important role, particularly as we expand that function.

One other comment I would make is that, at the moment, Australia is a good reporter of law enforcement numbers and activities. The Attorney-General's Department provides a report about that. We also have an ACMA report, where the industry self-reports to the ACMA, and the number for that same data is up to three times the Attorney-General's Department number. One is about 300,000 and the other is about 800,000 for the same information.

Mr DREYFUS: (inaudible)

Mr Lobb : That is because we get asked by the ACMA, 'How many requests did you have,' but the law enforcement agencies often have a single request that goes out to a number of operators. So, when you give it all to the ACMA, it is often multiples of the same event. We think that is inaccurate and that what should be looked at is a reporting framework that says, 'Here are the activities,' so we are being transparent about that and the customers understand the context in which the data is being used. We would like to see a bit more oversight, where an independent person could say, 'We're confident that this regime is working well.' I think that is a very valuable component of this.

Mr DREYFUS: This is something that has troubled a number of members of the committee. From your point of view, the ACMA number is a—

Mr Lobb : Misleading.

Mr DREYFUS: better reflection?

Mr Lobb : No, we think the Attorney-General's Department—

Mr DREYFUS: Worse than the Attorney-General's Department?

Mr Lobb : is the accurate number.

Mr DREYFUS: Okay.

Mr Lobb : And we think the ACMA report is unnecessary.

Mr DREYFUS: Because the Attorney-General's Department is reflecting a request from an agency in respect of a particular event or subscriber that might go to more than one company?

Mr Lobb : That is right.

Mr DREYFUS: But it is, nevertheless, more useful to think of it as a single request for the purposes of that investigation.

Mr Lobb : That is right. At the moment, if an agency comes across a phone number and wants to know who it is but does not know which provider it is, it usually will ask the three main ones and, potentially, a number of others. So the self-reported number is misleading. In fact, when the Vodafone Group put their report out, The Guardian newspaper went to the ACMA because it looked like there were an enormous number of metadata requests and we had to explain that there was probably a more accurate number. I think that confusion is something that is minor in the scheme of things, but it is certainly something worth looking at.

Mr DREYFUS: That is helpful, Mr Lobb. In relation to the establishment of this capability, which came out of Senator Bushby's questions, on the last page of your actual submission, not the attachment—in the last couple of sentences, actually—you said:

Generally, different IP-identifier numbers are allocated each time a customer accesses the internet or sends an online message and so each time a customer accesses the internet. It is our assessment that it will take some years to firmly establish a standard industry capability to store this data. In particular, before we introduced the capability we would need to be confident that we could protect every customer’s privacy.

This bill, as I understand its framework, envisages that the absolute compliance requirement—that is, the requirement to store from now on—commences two years after the bill commences. That is because the operative provisions do not commence until six months after the bill receives royal assent and then there is another 18 months bound up in the introduction of the data implementation plans. I am sure I have not done it justice, Mr Lobb. My question is: on the basis that this is a framework which allows two years for telecommunications providers to comply with the retention requirement, is that long enough, given that you have said it will take some years to firmly establish a standard industry capability?

Mr Lobb : We think that that two-year period will establish a capability. During that period of establishing it, there is going to be a discussion about the evidentiary quality of that information and that is the unknown.

Mr DREYFUS: Can you help us with what that term means—'evidentiary quality'?

Mr Lobb : Okay. Because it is a marrying of two pieces of data and the significant number of events in any one day, there may well be a discussion about what is the confidence that the marrying has occurred accurately. All technical things can be resolved. I suppose I am prefacing that certainly there will be a bedding down period.

Mr DREYFUS: So that you can adduce it as evidence in court for the purposes of the crossbench?

Mr Lobb : Potentially and if somebody flags with the department in passing that until we know what the requirement is and then how the law enforcement agencies are going to use it, that is going to be an ongoing discussion over that period of two years.

Mr DREYFUS: It might be that the agencies want to use it to give them a lead.

Mr Lobb : That is right.

Mr DREYFUS: It might be that they want to use it to eliminate a suspect and it might be they want to use it to adduce evidence in court with it and they are all different.

Mr Lobb : For the first two, I think the two-year period is reasonable. We liken this issue to ONA evidence. The legal process needs to have growing confidence about its accuracy for evidentiary purposes. That would be an implementation issue and I do not think it is insurmountable. That is why we flagged it. It will take some time to bed it down because it is a new complex capability.

Mr DREYFUS: Thank you, Mr Lobb.

Mr RUDDOCK: Maybe I should ask this question of the Attorney-General's Department but I will ask you just to help me. Given some of the news reports which suggest that people are claiming they are still getting rid of data, even though there is a bill there, because they believe the privacy obligations have primacy, I assume the legislation will ensure that the privacy obligations will not mean that we cannot use, that we cannot acquire the data for up to two years.

Mr Lobb : I do not believe so. That would be a drafting issue.

Mr CLARE: Thank you for the data you provided the committee on the age of requests. That is a combination of telephony metadata and internet metadata, I think.

Mr Lobb : No, that is the metadata requests to date. So that would be on telephony.

Mr CLARE: Is that telephony only?

Mr Lobb : Yes.

Mr CLARE: Are you able to provide the same data for IP?

Mr Lobb : We do not have that capability.

Mr CLARE: You do not have that capability at the moment.

Mr Lobb : We have some limited—for systems issues over very short lengths of time we might do it. In a really serious event we might be able to do it but we certainly do not store it in any way the same way we do for telephony. Obviously our systems have to marry up the two to enable the call to work. So, in that very immediate time, we might have that capability, but that data is telephony traditionally.

Mr CLARE: It is telephony only.

Mr Lobb : Yes.

Mr CLARE: You said in evidence that you hold telephony data for two years.

Mr Lobb : Yes.

Mr CLARE: Does that include SMS?

Mr Lobb : Yes, it does. There are some components of the new requirements that we would have to introduce into our capability. There is another table that I have provided in confidence where there are some limitations on our SMS capability, consistent with the proposed requirements. But, generally, in that metadata and those numbers, SMS was included.

CHAIR: Thank you for giving evidence at the hearing today. You will be sent a copy of the transcript of your evidence, to which you may suggest corrections. If you have been asked to provide any additional material, please forward this to the secretariat as soon as possible. If the committee has any further questions, the secretariat will write to you.