Home Affairs floats making telcos retain MAC addresses and port numbers

Although it is not formally making moves to extend the reach of Australia's data retention regime, the Department of Home Affairs is not outright dismissing the idea either.

In a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review of the mandatory data retention regime, Home Affairs floated the idea of extending the retained data set to include MAC addresses and even port numbers.

"Including media access control (MAC) addresses and devices which identify serials would provide better information as to which device was being used at the time of an offence," the department said.

"MAC data is not currently retained under the Data Retention Act, but is a form of data that will become increasingly important to law enforcement and intelligence agencies. Where providers do retain this information, it is a significant investigative tool."

DHA pointed to a case in Victoria where a stolen phone was able to be recovered thanks to using a "shopping centre's security infrastructure" to track a MAC address and gain footage of possible offenders, which resulted in charges being laid.

The idea of tracking port numbers, meanwhile, was restricted to a simple sentence.

"Similarly, including IP addresses and port numbers to attribute data accessed on mobile phones, would allow agencies to make better use of mobile phone data," it said.

The department also declared victory over those that said the creation of a warrantless scheme that forced telcos to store customer call records, location information, IP addresses, billing information, and other data for two years would create honeypots -- including now director-general of the Australian Signals Directorate Mike Burgess who appeared in hearings at the time in his former role as Telstra CISO, warning that a "pot of gold" was being created.

"However, risks to customers' privacy existed prior to the implementation of this legislation. Providers already had in place sophisticated security frameworks to protect the customer data retained for commercial purposes," Home Affairs shot back in its submission. 

"Given this, it did not follow that the proposed data retention scheme presented an unmanageable level of risk to customer privacy.

"The evidence to date supports that the existing data security arrangement have been effective."

Home Affairs also said there has been "no reported security breaches of data stored by industry for the purpose of the scheme".

An August 2018 report from the Australian National Audit Office found the design of a grants program by the Attorney-General's Department to help telcos comply with the requirements of the metadata law was not fully effective and its implementation "not to an appropriate standard", after it supplied "substantially" more funding than was decided reasonable by the government.

Home Affairs said in its submission that because any providers that received a grant have not been able to deny a request due to a lack of capability, the program was a success.

"This indicates that the money granted to providers to make the necessary implementation arrangements, and the scrutiny of providers' planned security arrangements, represented reasonable value for money," it said.

The department said to date that almost AU$128 million has been granted to 175 telcos.

Home Affairs warned that raising the threshold for access to the personal data held by telcos on Australians for two years -- such as a warrant -- could mean agencies use "intrusive powers, such as physical surveillance and search powers".

In another submission, Optus confessed it received an exemption to keep its legacy systems free from encryption when complying with its metadata obligations. 

"The legislative provisions which allow for certain exemptions to be granted were an important factor in Optus achieving compliance in an efficient and timely manner," Optus said.

"Because part of its overall data retention architecture involved storing some data in legacy systems, Optus applied for and received limited exemption from the encryption obligation." 

Related Coverage

Australian enforcement agencies angling for metadata review on telco cost recovery

Agencies are very happy with Australia's data retention scheme, with one using it in 90% of investigations.

Services Australia has six weeks to work out what exactly it's meant to do

Canberra appoints Australian media and technology executive cum public servant the task of setting the strategic plan for Services Australia.

Encryption laws are creating an exodus of data from Australia: Vault

Detrimental effects are both real and perceived, according to Australian cloud provider.

Commonwealth Ombudsman singles out Home Affairs over stored communications and metadata handling

Continues trend of former Department of Immigration agencies dragging the chain.

Australian governing parties hosed in digital rights election survey

Liberal and Nationals parties get lowest score in every category.