Australian Federal Police Commissioner Andrew Colvin has admitted that the customer data that telecommunications companies will be forced to retain under legislation entered into parliament today could be use by rights holders to hunt down Australians who are alleged to have downloaded copyright infringing TV shows, films, or movies.

Image: Screenshot by Josh Taylor/ZDNet

The mandatory data-retention legislation entered into parliament on Thursday is designed to limit access to customer communications metadata by criminal law-enforcement agencies for investigating crime. However, at a press conference today, Colvin indicated that agencies could access the data for a wide range of purposes, including the civil investigation of online copyright infringement.

"I haven't even touched on some of the other range of crimes. Absolutely. Any interface, any connection somebody has over the internet, we need to identify the parties to that connection," he said.

"Illegal downloads, piracy, cybercrimes, cybersecurity. All of these matters, our ability to investigate them is absolutely pinned on our ability to retrieve and use metadata."

Communications Minister Malcolm Turnbull moved quickly to hose down Colvin's comments, indicating that the data would be less relevant to rights holders, because they generally work to combat copyright infringement quickly.

"If I could just flesh that out in terms of copyright. A lot of internet piracy, downloading, and sharing downloaded materially unlawfully is done through file sharing," he said.

Read this Three-strikes anti-piracy law 'doesn't deter piracy' A study has found that three-strikes policies don't work, even when consumers overestimate which channels are being monitored for piracy. Read More

"The rights owners use different programs ... to participate in the swarm and identify the IP addresses of the computers that are infringing copyright, and then they seek from the ISPs, and they are able to do this with a subpoena, the details of the rights holder.

"Generally, they do this in real time, so the two years of holding this data probably doesn't make a lot of difference. That process of resolving an IP address to an account name is relevant, and it happens all the time."

The claim that the stored data could be used to combat online copyright infringement comes despite the explanantory memorandum of the legislation specifically stating that the stored data can only be used for purposes outline in the Telecommunications (Intercept and Access) Act.

"Importantly, access to all telecommunications data (whether or not captured by the terms of the data set) is strictly reserved for specific purposes under the TIA Act. Enforcement agencies may only issue authorisations enabling access to data where it is 'reasonably necessary' for a legitimate investigation and must consider the privacy impact of accessing telecommunications data. 'Reasonably necessary' is not a low threshold. It will not be ‘reasonably necessary’ to access data if it is merely helpful or expedient."

Attorney-General George Brandis and Turnbull issued a discussion paper on addressing online copyright infringement in July, and in response to the paper, a group of rights holder organisations indicated that they would use the IP addresses they record against files shared over peer-to-peer networks with the IP addresses that ISPs have on file.

"Copyright owners would pay their own costs of identifying the infringements and notifying these to the ISP, while ISPs would bear the costs of matching the IP addresses in the infringement notices to subscribers, issuing the notices and taking any necessary technical mitigation measures," the submission states.

iiNet and a number of smaller telecommunications companies will front court next week , as one rights holder, organisation Dallas Buyers Club LLC, attempts to extract customer details out of those companies connected to IP addresses alleged to have downloaded an infringing copy of the Oscar-winning film Dallas Buyers Club. The company has been known to send "speculative invoicing" to customers, threatening them with lawsuits unless they hand over thousands of dollars in compensation for downloading the movie over peer-to-peer services.

iiNet has also been fighting against the government's proposed mandatory data-retention proposal, indicating that it could cost as much as AU$60 million to implement. The legislation mentions that ISPs will have some financial burden as a result of the mandatory data-retention regime, and Turnbull said on Thursday that the government would cover some of the cost.

"We expected to make a substantial contribution the implementation and operational cost. We understand that we're asking these companies to do things that they don't have a business need to do, and there's an expense," he said.

iiNet's chief regulatory officer Steve Dalby said on Wednesday that telecommunications companies could look for the cheapest cloud storage option for retaining the data for the two years, as required under the legislation. He indicated that this would mean that the private Australian customer data could be kept in cloud storage services in China.

Turnbull said that the responsibility of the security of the data would lie with the telecommunications companies, but additional legislation would be brought in over the next 18 months to outline a carrier's responsibilities under the scheme.

"We are presently preparing new legislation, which will strengthen the security of Australia's telecommunications structure or system. We would expect those new laws or more amendments to be in place before the 18 months implementation," he said.