New laws will be introduced to prevent internet companies from storing user information on cheap overseas servers. Photo: Brent Winstone

The Abbott government will introduce new laws to stop internet companies storing customers’ records for two years on cheap overseas servers vulnerable to hacking by criminals and foreign governments.
The government introduced legislation this week requiring telecommunications companies to store customer metadata for two years, sparking concerns that internet service providers would cut corners on security.
“If as an industry we are forced to do this we will be looking for the cheapest, lowest-cost option. That means cloud storage and the lowest cost storage today is in China,” iiNet chief regulatory officer Steve Dalby said this week.
Earlier this year, Apple began keeping some user data on servers in mainland China, a departure from companies such as Google, which refuses to store data there because of censorship and privacy concerns.
Under the data retention scheme, companies will have to store names and addresses, the IP address allocated to an internet account, billing information, download and upload volumes, and the duration and locations of phone calls and internet sessions: so-called metadata.
Mark Gregory, a senior lecturer in computer engineering at RMIT, said the data would be a “real target” for hackers.
“This information is a goldmine,” Dr Gregory said.
“Small organisations don’t have the wherewithal to properly secure this type of information.
“The networks are losing an arms race with organised crime and foreign government espionage.”
Once companies are compelled to store the data they will be inclined to onsell it or use it for internal marketing, Dr Gregory said.
The government will address these concerns by introducing new telecommunications security laws before the data retention scheme takes effect.
Telecommunications companies will have to show the government that they have “competent supervision and effective control” over the customer data they store.
The laws, based on reforms originally proposed by the Gillard government, will allow companies flexibility to decide how they store the data, including on overseas servers.
“We are aware there has been an explosion of new ISPs that don’t have the same security infrastructure that larger companies have built up,” a government source said.
“Any arrangement in which another company – or government – could access or tamper with the data couldn’t possibly meet the requirements.”
Communications Minister Malcolm Turnbull flagged the new telecommunications security laws in a speech to Parliament this week.
Mr Turnbull and the Australian Federal Police on Friday sought to hose down expectations that authorities could use metadata to prosecute Australians who illicitly download movies and music.
“The government’s not going after people who infringe copyright online,” Mr Turnbull said.
Neil Gaughan, the AFP’s head of counter-terrorism, said: “We will only use this for serious crimes. We don’t have the resources to focus on things like mum and dad downloading Game of Thrones.”
Mr Gaughan said metadata was crucial to anti-terrorism operations. It had recently been used to establish a link between terrorism suspects arrested in Brisbane and those arrested in Sydney in last month’s major raids.