In a recent article on ZDNet, Stilgherrian took a tilt at Australian Attorney General George Brandis and the new telecommunications data retention laws.

We’ve summarised the article below (minus some of the vitriol). If you’d like the unedited version, you can read the original article here.

Last week, the new telecommunications data retention laws were in the news for all the wrong reasons. Whether you support the move toward increased digital surveillance or not, one thing is clear. The legislation has been poorly conceived and is being poorly implemented.

As of October, telcos are required to create and retain the full customer data set as specified within the legislation. What’s more, they are required to store this data securely.

The problem is, telcos aren’t quite sure exactly what they should be doing. A third of them admit to being “not confident at all” that they understand what data they should be collecting and how long they should be keeping it for.

Here’s where it starts to get ugly. Brandis claims the legislation is explicit and contains a detailed technical specification. Critics point out that a specification should include a detailed list of protocols and data fields for inclusion; not nebulous descriptions with terms like “such as” or “may include”.

As for the security of the data, Dr Suresh Hungenahally (CISO for the Department of Economic Development, Jobs, Transport and Resources) stated recently that each organisation is responsible for securing the data it creates.

Without any additional guidance or safeguards in place, this places the responsibility with already over-worked information governance or data privacy departments, who have their hands full managing the aftermath of regular data breaches.

Stilgherrian summarises: “the government has outsourced surveillance to organisations that don’t know what they’re meant to be doing with no proper oversight”.

Senetas High-Assurance Security Comments

While telcos and ISPs quarrel about meta-data retention and security, they should already be encrypting sensitive data – both at rest and in transit.

All they need to do is add meta-data capture and storage to their list. It is the same as all Big Data (including data centre backup, storage, disaster recovery etc.), only in this case meta-data security is specifically legislated.

At the heart of the issue is the lack of specific requirements for meta-data during transmission. There is no suggestion of introducing new systems, just more storage and an emphasis on the security of meta-data to ensure compliance with what appears to be a vague law.

It is apparent that data must be encrypted while at rest, but there is nothing to suggest “at all times”, which would include during transmission for backup, DR etc.

Senetas high-speed encryption technology is used to provide critical data security without impacting on network performance for cloud and telecommunication service providers in more than 30 countries worldwide.