The Australian Securities and Investments Commission (ASIC) says that although it believes the “overall design” of the data retention regime is sound, it continues to face technological barriers to some of its investigations.
The data retention regime commenced in October 2015. ASIC is one of the agencies authorised by the data retention legislation to access certain kinds of telecommunications ‘metadata’ without a warrant. (ASIC was one of the agencies that made the cut when the law was introduced; before the data retention bill was passed, a much wider range of government bodies could access ‘metadata’.)
The dataset covered by the regime includes subscriber information (such as customer billing information, details of services assigned to a customer, and any IP address or addresses associated with a service), the source and destination of communications (such as a phone call, email or text message) as well as its date, time and duration, and the type of a communication and relevant service.
The rules, which require the retention of the relevant data for 24 months after its creation, only apply to Australian telecommunications providers.
The amended Telecommunication (Interception and Access) Act 1979 (TIA Act) includes a requirement that the Parliamentary Joint Committee on Intelligence and Security (PJCIS) prepare a report on the operation of the scheme by 13 April 2020.
In total, since the rules came into effect, ASIC has issued 4982 authorisations for the disclosure of data, the commission has revealed.
In a submission to the PJCIS inquiry, ASIC said that it continues to face challenges from advances in the use of technology that aren’t covered by the TIA Act or the data retention regime.
“While ASIC’s investigative techniques have evolved to keep pace with the technological advancements employed by those contravening the law, the datasets that are required to be retained by the TIA Act remain limited,” ASIC said.
One example given by the corporate watchdog was a “recent decrease” in the number of authorisations ASIC has issued for the disclosure of IP addresses. In 2015-16, it issued 59 authorisations under the TIA Act for IP address information. In 2016-17 that figure declined slightly to 54. In 2017-18, the figure dropped sharply to 27.
ASIC said that increasingly it had encountered the use of VPN services offered by overseas-based providers that aren’t captured by the TIA Act regime.
While in the first two years covered by the data retention regime, ASIC did not issue any requests to overseas providers for IP addresses, in the period July 2017-December 2018 it issued 13 such requests.
The commission noted that when it “accounts for IP address requests from overseas providers our overall requests for this type of data has significantly increased in line with the decrease in authorisations to domestic ISP providers under the TIA Act.”
The government last year passed legislation intended to give Australian law enforcement agencies greater access to online services. However, ASIC is not an agency authorised to issue notices under the so-called ‘encryption’ legislation. Because that legislation was only passed in December 2018, at the very end of the period ASIC’s figures cover, it is not clear whether the increased use of overseas-based VPNs is in any part a reaction to the new law.
The legislation not only covers Australian telecommunications carriers but extends to overseas-based providers that have one or more customers in Australia. The government argued that the new rules are a response to the increased use of encryption, although it has also argued that protections in the legislation will prevent it from undermining the security of online services that rely on encryption.
ASIC said that it had increasingly encountered the “use of encrypted and internet-based communication methods” that aren’t covered by the TIA Act. In two recent investigations, ASIC said, it seized mobile devices that revealed the use of an encrypted IM application to send messages related to the “suspected offending”.
The ASIC submission also noted that some Australian telcos are leasing numbers to overseas ‘Direct Inward Dialling’ (DID) providers, which enables someone based outside Australia to appear to be calling from a domestic phone number. Australian carriers tend not to retain associated subscriber information, instead directing inquiries to the overseas provider, ASIC said.