Government's Data Retention Law Allows Telco’s Metadata to Remain Unencrypted

One of Australia's leading telcos, Optus, is keeping its legacy systems free from encryption. And it is doing so in accordance with the country's Data Retention Act.

The Act came into being in April, 2017, and is considered by many to be one of the most intrusive data retention policies in the western world. It requires telecommunications companies to store customer metadata - phone calls, text messages, emails, and internet activity - for at least two years. The information is available to not only the government, but intelligence and law enforcement agencies.

When it comes to protecting metadata, the Act states, among other things: "A telecommunications provider must protect the confidentiality of information that, or information in a document that, the service provider must keep, or cause to be kept" ... "encrypting the information" ... "protecting the information from unauthorised interference or unauthorised access."

Even though 'encrypting information' is mentioned, it also points out that "a service provider may be exempt from data retention obligations either generally or in so far as they relate to a specified kind of relevant service."

In its submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS), Optus wrote: "Because part of its overall data retention architecture involved storing some data in legacy systems, Optus applied for and received limited exemptions from the encryption obligation. Without these exemption provisions, additional cost and complexity would have resulted, because the encryption obligation was otherwise incompatible with the operation of the exempted legacy applications."

Further to Optus' submission, the Department of Home Affairs lodged their own with the PJCIS, in which it said the Data Retention Act had led to better protection for the data of telco customers. Since the exemption was granted, Optus say there have been no 'security incident or breaches' in relation to the data.

. . .

If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.