Data retention to involve 'petabytes of data' for Vodafone

Scheme likely to create tempting targets for hackers, Telstra tells inquiry

Recording data that will allow IP addresses to be matched to individual customers will involve Vodafone storing petabytes of information it would otherwise be unlikely to keep, the telco has said.

Matthew Lobb, general manager industry strategy and public policy at Vodafone Australia, yesterday told a hearing of the inquiry into data retention that "IP identifiers are not like a static customer telephone number."

"It will be unique for that particular data session," Lobb said. "Generally different IP identifier numbers are allocated each time a customer accesses the internet or sends an online message. This results in a significant increase in stored information. Our expectation is that we would be required to store several petabytes of data."

Lobb reiterated the telco's concerns, which were also outlined in Vodafone's written submission to the inquiry, about the two-year retention period for metadata that is required under the proposed scheme.

"The proposed two-year requirement for metadata retention is at the higher end of the storage requirements being contemplated around the world," Lobb said.

"We note that the European Commission’s Evaluation report on the Data Retention Directive, April 2011, found that most data requested by enforcement agencies is less than six months old.

"This is consistent with our experience in Australia."

According to Vodafone, law enforcement requests for information mostly involve data that is less than six months. Three quarters of the data requested by law enforcement agencies is less than six months old, 85 per cent is less than 12 months old and over 90 per cent is less than 18 months old.

"We think that this profile will be even shorter for IP identifier metadata," Lobb said.

"IP information is more sensitive data than traditional telephony metadata," Lobb said.

"It is perceived by consumers that IP-identifier information could be used for surveillance activities.

"[I]t is unlikely that IP identifiers that are several months old will be as useful for law enforcement agencies as traditional telephone numbers. This is because it is highly unlikely that you would revert back to the IP identifiers of a rogue website that was under surveillance two years ago."

Marrying an IP address to an account "and doing it over many, many data sessions" is a key challenge for implementing the proposed data retention scheme, Lobb said.

"Setting the capability up to do that and then storing [the data] and protecting it is not without its costs."

Lobb confimed that the regime would involve storing data that the telco would not otherwise keep.

"We do store some marrying of accounts to IP identifiers but it's not at the capability that is being contemplated here," Lobb said. "And again, we do that for systems purposes or for billing purposes. And nothing as robust as being contemplated."

The telco is also concerned over potential changes being made to the scope of the scheme without sufficient scrutiny.

"The current proposal, if implemented, will see data collection and storage requirements determined by regulation," Lobb said.

"Because requirements can be changed by the minister via regulation there is the possibility of more changes occurring with less public scrutiny and more commercial uncertainty. This might create concern in the minds of consumers and potentially increased costs for industry."

Appearing before inquiry, Telstra representatives said any changes to the data set to be retained once the scheme had been established would incur significant costs.

Implementing the scheme will impose a "new regulatory burden" on Telstra, "creating both capital costs and operational costs", ‎director, government relations, James Shaw told the hearing

"The impact on our business comes not just from new data we must collect but the requirement to extract, index, store and retrieve upon request from the data set, as well as security measures needed to protect the data."

The government has indicated it will contribute to the costs incurred by telcos in complying with the requirements of the scheme

"The existence of a large data set with a lot of personal and other information contained within in" could be an appealing target for hackers, Shaw said.

The inquiry into the proposed data retention scheme continues today. Optus appeared earlier this morning. Representatives from the NSW, Victorian, and South Australian police forces are scheduled to appear later this morning.

This afternoon the Attorney-General's Department, ASIO and the Australian Federal Police are scheduled to appear before the committee examining the legislation.

Follow Rohan on Twitter: @rohan_p