Telstra says that non-law enforcement organisations accessing telecommunications metadata via a legislative loophole ask for too much data, sometimes don’t pay for it, and may be storing it in an unencrypted form.
Though warrantless access to telecommunications metadata was only ever intended for 22 law enforcement and security agencies defined in the Telecommunication Interception Act (TIA), many more organisations are using the separate Telecommunications Act to skirt that limitation.
The result is up to 100 - and potentially more - organisations demanding access to metadata for a range of different uses, leading to calls for the Section 280 loophole to be closed.
In a submission to a parliamentary review [pdf], Telstra accused some of the loophole users of issuing data demands that far exceed those of intended law enforcement users - and their actual needs.
The telco also suggested that some of the scope creepers may not be treating the data they receive from telcos to the same standards as law enforcement agencies do.
Telstra stopped short of demanding the Section 280 loophole be closed.
However, it suggested those availing themselves of it should be required to meet the same standards as regular law enforcement agencies.
“For clarity, we are not proposing these agencies be added as law enforcement agencies; rather, they be required to follow the same process, making them subject to the same obligations and constraints (test of proportionality, contribution to costs, etc.) as the listed law enforcement agencies,” Telstra stated.
Telstra said that “in some cases, these [scope-creeping] agencies and bodies are ... not contributing to the cost recovery of the regime” - meaning telcos wear the full cost of the data provision."
“In our experience, non-enforcement agencies and bodies often request large amounts of data and are sometimes not able to properly interpret the data provided,” Telstra said.
Additionally, “Under the [data retention] regime, service providers are required to encrypt and securely protect retained data,” Telstra said.
“We are concerned that agencies and bodies not listed in Section 110A of the TIA Act may not have sufficiently strong security measures to protect received data.”