​ACCS: Telco security reforms could push deeper than metadata regime

One of Australia’s premier academic cyber security think tanks has cautioned the federal government that its proposed new telecommunications networks security reforms need stronger oversight provisions.

The University of NSW Australian Centre for Cyber Security (ACCS) has raised concerns that the proposed new laws will overreach the federal government’s metadata collection regime but with few or any of the checks and balances that apply to the latter.

The new laws are contained in the Telecommunications and Other Legislation Amendment Bill 2016 which was last November referred to the Parliamentary Joint Committee on Intelligence and Security (PJCIS).

The proposed new laws collectively referred to as the Telecommunications Sector Security Reform, or TSSR, would require carriers, ISPs and the communications regulator to take steps preventing Australian telecommunications networks from being subject to unauthorised access and used for crimes.

As CSO reported in 2015, they also require carriers to divulge potentially commercially sensitive information about parts their networks that may have implications for national security to the Attorney-General’s Department (AGD).

At the time, in notes attached to the bill for the proposed laws the government wrote that these “more vulnerable or ‘sensitive parts’ that will be of particular interest to [the Australian Secret Intelligence Organisation (ASIO)] and AGD from a compliance perspective”.

They would also require telcos to hand over information to assist law enforcement authorities to investigate crimes.

However, in a submission to the committee, the ACCS has raised concerns that the wording of the bill was too broad allowing AGD to request from telcos going beyond the limits of the metadata retention scheme without the same level of scrutiny.

That, it argued, could indirectly allow the private information about individuals including web browsing history and other information gleaned through deep packet inspection (DPI) of internet traffic used by web applications to fall into the hands of ASIO.

The key problem with the proposed laws, the ACCS argued is that the wording granted the AGD the power to collect “any information” from telcos and that it can delegate that authority to security and law enforcement.

The ACCS was concerned that it could lead to law enforcement engaging in “forum shopping” to get what it wants.

“The metadata under the TSSR is more information than what is addressed under the Metadata Creation, Retention and Disclosure Regime. However, under the Metadata Creation, Retention and Disclosure Regime new oversight powers have been introduced. This may lead to forum-shopping by the agencies, between the TSSR and the Metadata Creation, Retention and Disclosure regimes,” The ACCS wrote in its submission.

It recommended that the government synchronise the collection and oversight arrangements across the two sets of legislation adding:

“The same metadata is accessed for the same purposes: law enforcement and national security. However, the oversight mechanisms regarding access for security under the two regimes differ vastly. The purpose for this difference in treatment is not made clear. Metadata under the TSSR, which is the vast majority of session metadata and may have greater privacy implications, require no authorisation and notification process, and little independent oversight, unlike the source IP and port addresses under the Metadata Creation, Retention and Disclosure Regime”.

The PJCIS is scheduled to report its findings to parliament in April.

Tags federal governmentmetadataCSO AustraliaAustralian Centre for Cyber Security (ACCS)networks securityParliamentary Joint Committee on Intelligence and Security (PJCIS)

Show Comments