CIO

Data retention acceptable as long as security, access managed: survey

Rising concerns about terrorist threats on Australian soil have increased the acceptability of data-retention proposals to citizens but the majority favour tight controls over its use, according to a recent survey of Australians' attitudes to cybersecurity.

Fully 64 percent of respondents to a survey by consulting firm Protiviti said they support the government's efforts to force telecommunications companies to retain data related to customer communications for up to two years.

The majority, however, favoured strict controls on access to this data, including a requirement that authorities obtain a court warrant for access, which was favoured by 78 percent of respondents. Respondents said warrant-less access would only be acceptable in high-risk national security investigations such as terrorism cases (88 percent of respondents) or in investigations of serious crimes involving physical or community harm, such as murder or paedophilia (66 percent).

“Retaining customer ‘metadata’ can amount to a significant privacy incursion as it can reveal a great deal about a person’s movements, relationships and day to day lives,” Protiviti managing director Mark Harrison said in a statement.

“Ultimately, they believe that the best way to balance these opposing and competing interests is to ensure law enforcement and intelligence agencies receive Court authorisation through a warrant, before they can access the information.”

Recent figures confirm that Australian authorities are moving to access personal data with increasing regularity: Telstra's latest transparency report, for example, found that the volume of law-enforcement agencies' requests for metadata had increased 9 percent from 2012 to 2013.

The Protiviti survey, however, revealed broad concerns that increased retention of data would create new security risks from the concentration of personally identifiable information (PII). Some 62 percent of Protiviti's respondents believed the creation of PII repositories would lead to an increase in targeted hacking and cybercrime activity, and 87 percent believed companies needed to meet specific security standards to protect such data.

Harrison also noted the contradictory messages being sent by the government – which on the one hand encouraged retention of PII for as short a period of time as possible to minimise the security risk, and on the other was now pushing for broader retention of such data.

“There's no doubt companies are in a difficult situation with government policies appearing to be sending out mixed messages,” he said. “Many companies are concerned that the vast stores of information created by these measures will act as a 'honeypot' for cybercriminals on the hunt for easy targets.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.