Telstra begins preparing for data-retention regime

Telstra has pledged to store its customer data in Australia as part of the new mandatory data-retention regime, despite not being required to do so under the legislation that passed the Senate on Thursday.

The legislation, which will need a final pass with the amendments in the House of Representatives, passed the Senate with Labor and the Coalition teaming up to vote it through, 43 votes to 16.

Telecommunications companies will be given 18 months after the final passage of the legislation to develop systems to store customer call records, assigned IP addresses, billing information, location data, and other personal information for two years for warrantless access by law enforcement.

The Greens, and independent Senators David Leyonhjelm and Nick Xenophon, spent more than a day attempting to move a number of amendments on the legislation, ranging from limiting the storage to three months to forcing law-enforcement agencies to obtain a warrant before accessing the data.

All of the amendments were shot down by the government with the support of the Labor opposition.

Australia's largest telecommunications company, Telstra, had long warned of the dangers of the scheme, including the fact that it would create a "honey pot" for potential hackers. Telstra currently stores some but not all of the data required under the legislation on 13 different systems. Under the new regime, Telstra will pool all of this data into one system to make access easier for agencies.

In a blog post on Friday, Telstra's chief information security officer Mike Burgess said Telstra had already decided to store the data, encrypted, within Australia.

"With the legislation having passed through the parliament, we wanted to assure all our customers that we take data security very seriously, and we will be protecting any data collected as part of this new regime," Burgess said.

"There is a two-year period to implement the scheme and we will be using this time to make sure we have the right protections in place. We are still developing our implementation plans but we have already decided to store our customer metadata encrypted at facilities located here in Australia. While geography alone is not a good measure of security, storing the data in Australia should help allay the concerns of some customers.

"Any security strategies we implement for data retention will build on the existing measures we have already have in place to secure our networks and customer data, including intrusion detection systems and other active network monitoring of our network to detect, analyse, and respond to identified security incidents."

The Greens attempted to move amendments to require telecommunications companies to store the data in Australia, but Labor and the government shot down these amendments.

ZDNet has sought information from other telecommunications companies on whether they also plan to store the data in Australia.

iiNet CTO Mark Dioguardi said iiNet is not in a hurry to comply with the legislation.

"Data will be stored in Australia, but we should also add we are not rushing to implement it as a high business priority, especially without understanding the cost contribution from the government," he said in a statement.

Optus also confirmed that it would develop a data-retention implementation plan before the legislation comes into force.

The legislation passed on Thursday despite the public not knowing the full cost of the scheme for the telecommunications companies, nor the amount of funding that the government plans to contribute to the establishment of the scheme.

On ABC radio on Friday morning, Attorney-General George Brandis confirmed that the cost range in the PricewaterhouseCoopers report was between AU$188 million and $319 million to set up the scheme.

"The midpoint of that is around AU$250 million to which the government has said it would make a substantial contribution," Brandis said.

The government has made no commitment on the costs it will provide to the telcos, which is expected to be detailed in the Budget in May, but Brandis said the costs will be insignificant for the industry.

"This is a AU$43 billion a year industry, so whatever cost there may be across the entire industry will be negligible," Brandis said.

Brandis again sought to claim that the legislation is about "freezing the status quo", despite Telstra confirming that it will be required to store data it has not previously stored and does not need to store for its own purposes.

Brandis also downplayed comments from Communications Minister Malcolm Turnbull on how the data-retention regime could be circumvented through the use of apps and other over-the-top services.

"Smart criminals devise ways to get around the law," he said.

"The fact is, in investigations, you have to pursue every source, and this is a very important source of investigative data. And just because smart criminals might be able to find ways around it doesn't mean that it ceases to be a useful, or indeed an important source of investigative data."

Greens Communications spokesperson Scott Ludlam said on Thursday night that the Greens would make Labor's support of the legislation an election issue, and said he would seek to have the "Abbott-Shorten" legislation repealed.