Data retention has started in Australia, but carriers aren't ready

Today, October 13th, is the day on which Australian telecommunications service providers are required to start retaining customer metadata in an orderly fashion determined by law, but fewer than ten are ready to do so and some have asked the government if they can store the data without encryption.

The legislation, co-sponsored by attorney-general George Brandis and former communications minister (now Australia's “agile” prime minister) Malcolm Turnbull, officially applies as of today, but a survey of members conducted by industry group the Communications Alliance suggests it remains a shambles.

Out of the 63 providers who responded to a survey conducted by the Alliance, nearly nobody knows what's actually going on: 84 per cent of them aren't yet compliant, just under 58 per cent had submitted their data retention implementation plans (DRIPs) to the department, and of those, nearly 76 per cent don't know if their plans have been rubber-stamped by the Communications Access Coordinator.

So: around nine providers, presumably starting at the top where legal and technical resources abound, are fully compliant.

The government's much-criticised consultation process remains in the spotlight, with two-thirds of providers saying they're “not confident” they know what's required by the legislation. As The Register has previously noted, providers aren't encouraged to leak their DRIPs to each other in case criminals find out what the Department wants retained.

More than 60 per cent of providers have asked the Department to approve variations to the DRIP requirements, including – worryingly – some asking for exemptions so they don't have to encrypt the retained data.

Alliance CEO John Stanton has told outlets such as the ABC that “There are a thousand different nuances that I've seen flying around as to what needs to be retained in respect of a particular service.”

Stanton told The Register those nuances reflect the wide range of interpretations that exist among providers, regarding their understanding of what the legislation demands. Providers, he says, want the status quo to remain in place until they're able to comply.

Small providers have told the Alliance the cost of compliance will fall in the AU$10,000 to $250,000 range, with the survey including estimates as high as $10 million.

Speaking to the ABC's AM radio current affairs programme this morning, the attorney general George Brandis denied that there's confusion about the legislation's requirements, saying “it's been very thoroughly discussed with the industry” through the data retention implementation working group.

“We are working closely with the industry to ensure there is full compliance with the obligation” by April 2017, he added, reiterating the 18 months during which providers can apply for extensions.

The legislation, Brandis said, sets out “with particularity” what needs to be retained, and that its main purpose was to “create a uniform retention standard” in an industry that had “no uniformity” in its data retention practices.

“There is a detailed technical specification which is set out in the legislation” he told the program.

“Many industry participants are already compliant, because many industry participants already retain metadata for two years”, he said.

Brandis added that the government is providing $130 million in support to the industry with a focus on the smaller players, but said given the importance of the “national security obligation” that “we expect the industry to assume a large part of this burden”.

That funding is yet to reach carriers.®