What is mandatory data retention?

All Australian telco and internet service providers are required by law – specifically it sits under the Telecommunications (Interception and Access) Act 1979, but it’s more commonly referred to as the “Mandatory Data Retention” laws – to keep hold of the metadata around user communications in order to make them potentially available to Australian law enforcement and security agencies, as well as a number of other government bodies. 

The broad approach here is one around security and allowing approved entities to more absolutely track online activity, especially criminal activity online, or activity that might imperil Australia’s national security. 

There have been instances of metadata requests from other agencies that have led to criticism of the regime, as well as the potential risks around the storage of that data in light of recent data breaches and the precise wording of the act is currently under review and reform, though it’s unlikely that those reforms will see large scale rollbacks of the broader data retention approach.

Under the act, telecommunications providers – that’s the telco that provides your mobile phone service as well as ISPs that provide broadband services – are required to retain telecommunications data for a period of not less than two years, specifically:

1. the subscriber of, and accounts, services, telecommunications devices and other relevant services relating to, the relevant service
2. the source of a communication
3. the destination of a communication
4. the date, time and duration of a communication, or of its connection to a relevant service
5. the type of a communication or of a relevant service used in connection with a communication, and
6. the location of equipment, or a line, used in connection with a communication.

Not exactly. What the data retention scheme looks for is what’s called “Metadata”. 

This isn’t the same as the actual data you’re using in your everyday activities, but instead more the surrounding information about how and where and when the data travelled. There are specific exclusions in play too, laid out as following:

Service providers are not required to retain:

1.  information that is the contents or substance of a communication
2.  in the case of internet access services, information that states an address to which a communication was sent on the internet (that is, internet browsing history)
3. information that the service provider is required to delete because of the Telecommunications (Service Provider — Identity Checks for Prepaid Mobile Carriage Services) Determination 2013, or
4. information about the location of a telecommunications device that is not information used by the service provider in relation to that service.

(Source: Dept of Home Affairs Data Retentions Guidelines PDF)

So what does that all mean in real world use?

Let’s say you decide to watch a movie on Netflix. The data retention obligations of your ISP isn’t designed to store the fact that you’re binge watching episodes of Cobra Kai, but instead that your IP address connected through your ISP to Netflix’s servers at a specific time, and that data was transferred to an IP address associated with your service and the particulars of the location of equipment used. 

The act does not empower ISPs or the government to track web browser history or the contents of what you watched; merely that you watched it (or at least that the data was sent to your device or devices) in the case of our example. 

It’s often referred to as “envelope” information, with the idea being that it’s more to do with the information on the outside of a letter rather than the letter itself, but who sends letters any more?

So why does that have value in a legal sense? Because in context, that kind of metadata can absolutely deliver legally important data about an individual’s activities; if you’re always using your phone to call another individual at a given time, it’s clear that communications are happening. If that individual is identified as a wanted criminal for some reason, then your activity might also be criminal in nature, for example. 

It is worth noting that the data retention scheme only applies to that metadata; what your ISP tracks about your ongoing usage is a matter for the contract between you and your ISP, though the practicalities of that kind of logging and the wider use of encrypted HTTPS websites means that in most cases it’s financially impractical for your ISP to do so. In theory, given all the data has to go through the ISP’s services it’s feasible, however.

Under the act, providers must store data for a minimum of two years. That does include if you cancel a service, but there’s no specific obligation under the act for a service provider to store data for any longer than a 24 month span.

However, if the ISP or Telco does opt to store that data for longer for business purposes – say, for example, to give it a longer-term view of how data usage trends are evolving across all of its users – then the act does allow for suitably authorised government bodies or organisations to request that older data if it exists. 

Not entirely. While a VPN does encrypt your traffic making it harder to discern the nature of your online usage, and many do sell on the idea of “keeping you safe from prying eyes” online, the reality when it comes to metadata is that a lot of what you do would still be collected under the data retention act. 

The reason for this is pretty simple. When you connect to a VPN service, you’re doing so by going out on the public Internet via the service provided to you by your ISP. 

You then connect to your VPN which assigns you an IP address based on its own internal networks – this is how VPNs are commonly used for dodging content geoblocks, for example, by assigning you an IP address in a different country to view content available in that region. 

All well and good, but in order to get to the VPN, you’ve still got to route through your ISP, and your ISP is still required to capture that metadata information for traffic going in and out from your connection. It’s still being recorded that you’re going online, and that data is flowing to and from your devices. The data retention act doesn’t cover the content of that communication (whatever you’re using the VPN for, essentially) anyway, so a VPN isn’t protecting you in this case.

In broader tracking terms, it’s also worth checking the precise logging policy of your chosen VPN, because they’re not all the same. VPNs are not subject (at the time of writing) to Australia’s data retention laws, but if they’re keeping logs of your usage information through their services, whether indirectly, such as counting data usage or directly by tracking your actual data, that may be available to third parties. This does also get into messy areas of international laws depending on where your VPN operates from and is somewhat outside the scope of this article – but it’s worth knowing what your VPN does in this respect before considering your online activity to be “invisible”… because it almost certainly isn’t.