Telcos in Australia Could Be Offshoring User Data and AGD Has No Clue of Its Whereabouts
Australian telecommunication companies could be storing all of their user information overseas and AGD doesn't know where exactly they are storing it, Sarah Chidgey, First Assistant Secretary National Security Division at AGD, told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) Thursday morning.
Telcos are required by the government under the data retention scheme to store customer data that includes their call records, location information, IP addresses, billing information, and other relevant data. However, these companies could be storing this information overseas, and the Attorney-General's Department (AGD), which is charged with overseeing this system, doesn't know exactly where this data is stored.
Australia is clueless about where telcos are storing user data
Offshoring data raises concerns for intelligence agencies that the information becomes subject to foreign legislation. In the United States, tech companies (not telcos) have refused to provide data that has been stored overseas, since that data is subject to local laws.
In a parliamentary committee hearing into the telco security reforms today, Chidgey said that the department doesn't believe that storing metadata overseas is a security risk, but also admitted that the department had no insight into the level of offshoring currently in use under the national data retention regime.
AGD's Chidgey said the existing legislation does not require telcos to inform the department of offshoring. It simply requires them to protect the data in accordance with the Privacy Act and Telecommunications Interception Act.
"That's something we don't know because there is no obligation for industry to tell us," Chidgey said.
"The whole precursor to the [metadata] Bill was that they would tell us," Labor MP and committee deputy chair Anthony Byrne said in response. "What you're telling me is that they will not even tell you whether or not they are storing the metadata offshore."
Australia's data retention laws came into effect in October 2015, and require telcos to store customer personal data, their traffic data, and upload and download volumes, for two years. However, they don't force telecommunication operators to store this data inside Australia. The law - or the omission of this particular requirement, to be exact - raised concerns about data security and privacy. Reports suggest that at least one telco (iiNet) indicated it would find the cheapest option for storage, which at the time was in China.
AGD argued telcos were required under the data retention legislation to adequately protect the consumer data. This essentially means that the government is relying on the private companies to securely store data outside of the country when they could just be going for the lowest cost options.
Byrne said the lack of departmental insight was "ridiculous" and "completely unacceptable". "You're a government agency that is responsible to oversight this and you cannot answer a question about how much data is being offshored, that is just ridiculous," he said.
"It is completely unacceptable that you don't know how much data is being stored offshore ... you need to be aware of that, because you cannot make informed decisions, in my view, or the intelligence agencies can't, or offer the appropriate protections if you're not being given this information."
Byrne called on the AGD to "make it a priority" to find out the whereabouts of the nation's telecommunications metadata. Under the new security reforms bill that entered parliament last November, telecom companies will be required to notify AGD of new outsourcing or offshoring of sensitive parts of their networks. It will also be a requirement to notify the department when telcos move equipment outside Australia, buy equipment that is located outside Australia, or enter into new outsourcing arrangements. However, it doesn't make any mention of the existing data retention regime.
"This bill would introduce a notification requirement, and one of the kinds of changes that would have to be notified is information that is being stored offshore," Anne Sheehan of AGD said.