Law raises issues around privacy, security and effectiveness: CipherCloud
With the government’s data retention law coming into effect, CipherCloud global director of cloud security, Willy Leichter, has commented on the privacy and security risks that it could introduce.
“The new extended data retention law in Australia raises issues around privacy, security and effectiveness. As providers are required to hold more metadata for longer periods of time, there are broad new targets for hacking," Leichter said.
"It also appears that many ISPs are not ready for the short compliance timelines and may rush out storage solutions with inadequate security. And as this data is shared with the government, it becomes exposed to a broader set of security risks.
"There also seem to be major gaps in coverage that could significantly reduce the programme’s effectiveness. While Australian ISPs are required to collect and retain large amounts of metadata, foreign providers including Gmail, Hotmail, Facebook, and Skype are exempt."
As the Data Retention Act comes into effect, a survey by telco industry body, Communications Alliance, has indicated some service providers aren’t prepared for the changes.
The legislation, passed in March, requires all service providers to retain metadata on all customers. Telcos have until April next year to comply with it.
The Data Retention Act standardises the timeframe and type of data held for law enforcement and national security agencies.
The survey involved 63 service providers and indicated that two thirds were not confident at all, or only somewhat confident, that they understood exactly what is required of them, even though 81 per cent had lodged a Data Retention Implementation Plan or had indicated they still needed to do so.
It also indicated that only 16 per cent were ready to retain and encrypt data as required.
Communications Alliance CEO, John Stanton, said the results highlighted the magnitude of the challenge ahead for all stakeholders if the industry was to achieve compliance with the new laws.
"It is no surprise that many service providers won't be compliant when the legislation comes into force - many of these because they are still waiting to hear from Government as to whether their implementation plans have been approved," he said.
So far, the Government has said it has committed more than $131 million towards the upfront capital costs of the scheme, but it has previously been reported that ongoing maintenance costs will run to between $188 million and $319 million.
The Attorney-General’s Department is finalising details of a grants program, which expects to make payments early next year before the April cutoff.
Some providers (58 per cent) estimated that their one-off set-up costs to comply with the regime would be between $10,000 and $250,000, while 24 per cent estimated it would cost them more than $250,000, with about half of those expecting it to cost more than $1 million and some indicating ranges above $10 million.
About 61 per cent said they had lodged an application for exemption/variation or indicated they will still do so.
"All providers are still waiting to hear from Government as to how it will apportion the $131.3 million that has been pledged in assistance to partially meet the set-up costs that service providers - and ultimately their customers - are facing as a result of the regime," he said.
"The Government has indicated it will consult with industry in coming weeks on how to apportion the subsidy and this remains an urgent task, as service providers are now having to commit to investment decisions without knowing how much of that spending will remain unfunded."
Stanton said in light of the survey results, the onus remained on the Government to work constructively with industry and not rush to enforcement over coming months to help providers come into line with what is proving to be a very challenging and somewhat confusing impost on the industry.
The type of metadata that service providers will have to keep includes:
- Source and destination of a communication
- Date, time and duration of a communication
- Communication type
- Location of communications equipment
The data set also includes subscriber and service-level account information.