Metadata retention scheme: Telstra warns data storage plan will attract hackers

The nation's biggest telecommunications company has sounded a warning about the Government's mandatory metadata retention scheme.

Telstra said an unintended consequence of the plan would be the creation of many highly attractive targets for hackers.

The Federal Government has cited national security as one of the reasons for its plan to force telcos and internet companies to store customer metadata for two years.

A parliamentary committee investigating the bills also heard concerns from Australia's intelligence agency watchdog that ASIO could keep metadata indefinitely.

Telstra is the largest telecommunications company in Australia, serving customers who use more than 32 million telephone, internet and email connections.

As such, it regularly works closely with law enforcement, who have long requested access to the metadata the telco already keeps.

Last year, there were about 85,000 metadata requests from law enforcement agencies to Telstra, a figure that is growing each year.

Data requests received by fax

Shadow Attorney-General Mark Dreyfus was interested in how Telstra received requests for accessing customer data.

"And what actually happens? I'm assuming for illustration, let's say it starts with an email from the Australian Federal Police," Mr Dreyfus said.

A spokesperson for Telstra said requests were largely received by fax rather than email.

"If only we were that electronic," the spokesperson said.

"We live in the dark ages unfortunately."

But it is the technology of the 21st century that has Telstra worried.

Under the metadata retention scheme, Telstra, and all other national telcos and internet companies, would be forced to store customer metadata for two years.

Telstra said the data would be kept in a database, ready to be given to law enforcement on request.

Customer information very attractive

Telstra's chief information security officer said customer information would be very attractive to hackers.

"The issue here is now we're advertising that for a customer of Telstra, there's a whole range of data, depending on what services they have, that we made available, or [which] can be made available upon lawful request for two years," Mike Burgess said.

"If [you were] that way inclined as a hacker, you would go for that system because it would give you the pot of gold, as opposed to working your way through our multitude of systems today to try and extract some data."

Telstra said it already kept a certain amount of customer data for business purposes, but the mandatory data retention scheme would require it to keep more data than it currently does.

The telco would have to create a new information system to store, process and send out data to law enforcement, and that would come with risks.

"We would have to put extra measures in place to make sure that data was safe from those who should not have access to it," Mr Burgess said.

There were also concerns raised about how Australia's spy agencies used the metadata that was already available to them.

The intelligence community's watchdog, the Inspector-General of Intelligence and Security Vivienne Thom, said the spy agency ASIO was keeping metadata for longer than it should.

"My concern is not so much [the] material that is actively used in an investigation, but the material [that] is lawfully collected [and] found later to be not of security interest, or no longer of security interest," Ms Thom said.

When asked by Mr Dreyfus, she acknowledged she did not know if this information had been destroyed.

Ms Thom said she believed ASIO could keep information deemed useful to the agencies indefinitely, but suggested Mr Dreyfus should check that with ASIO.

"Well, we'll of course check that," Mr Dreyfus said.

"So that could mean you've got this ever-growing database that ASIO could be cross referencing on an ongoing basis.

"So in a sense, they are storing metadata at ASIO."

The hearings continue tomorrow with the committee due to hear from state and federal police, along with the Attorney-General's department and ASIO.
