This is how much access Australian police already have to your data

The Australian government now wants further powers to access encrypted communications, but does it need them?

Police and intelligence agencies already have significant abilities to access data about our emails, phone calls and text messages if we’re suspected of committing a crime, although it can be difficult to tell exactly what they’re doing with them.

The government argues existing interception capabilities are inadequate to protect national security. According to Attorney-General George Brandis, backdoor access to encrypted communications would redress the “degradation of our intelligence capability” to prevent terrorism.

Many Australians are unaware of current police and intelligence powers when it comes to accessing our data. As the government lobbies for new levels of access, that needs to change.

‘Backdoor’ access

The government’s proposal to compel technology companies to provide access to encrypted messaging services is modelled on laws passed by other members of the Five Eyes surveillance alliance, of which Australia is a member.

Deputy US Attorney-General Rod Rosenstein recently announced the Department of Justice intends to demand interception of encrypted communications. New Zealand already requires technology companies to grant access. In the UK, authorities may force decryption where it is technologically feasible.

As with our allies, it is unclear if Australia’s laws will require so-called “backdoor” vulnerabilities to be built into messaging applications like Facebook Messenger or WhatsApp.

They could compel access via decryption keys or they might enable remote access to devices for interception of communications “at the ends”.

In response, cryptographers argue it is not mathematically possible to access end-to-end encrypted messages via interception without undermining online privacy for everyone.

The current state of telecommunications surveillance

The government already has various powers to access metadata, the contents of digital conversations and computer networks.

The Attorney-General’s Department recently released its annual report on telecommunications surveillance.

Thanks to the Telecommunications (Interception and Access) Act (TIA Act), law enforcement and other agencies can access stored communications with a warrant. This can include “email, SMS or voice messages stored on a carrier’s network”. In other words, the contents of any communication not encoded via encryption.

Agencies may also apply for “preservation notices” to compel telecommunications companies to preserve data.

During the 2015-16 financial year, there were 712 warrants issued for access to stored communications. Data is not available about the types of offences these warrants were used for. It is also not clear how the telecommunications information was used in investigations.

Applications for stored communications warrants (issued)

Agency 2014-2015 2015-2016
ACC 4 2
AFP 94 80
CCC (WA) 5
DIBP 10 1
NSW CC 3 4
NSW Police 290 345
NT Police 16 11
PIC 7 16
QLD Police 123 132
SA Police 38 19
TAS Police 29 17
VIC Police 40 41
WA Police 38 35
Total 696 712

Source: Telecommunications (Interception and Access) Act 1979 Annual Report 2015–16

The issue of metadata retention

A controversial 2015 amendment to the TIA Act requires telecommunication service providers to retain metadata for two years.

This allows authorised law enforcement agencies warrantless access to information about digital communications such as the recipient or time sent, but not their content.

However, some agencies that aren’t meant to be able to access metadata are still making requests under different legal regimes, according to the Communications Alliance, and there have already been reported breaches where an Australian Federal Police officer accessed a journalist’s metadata without an appropriate warrant.

The 2015-16 financial year was a grace period for service providers to comply with retention requirements. During this time, there were 332,639 authorisations by criminal law-enforcement agencies.

Authorisations occurred most for drugs or homicide investigations. It’s possible this may indicate police are relying on ready access to metadata rather than pursuing traditional investigatory methods.

Telstra launching cybersecurity centres internationally

Telstra is utilising its ‘deep, deep skills in cyber’ by launching security operations centres in Sydney, Melbourne, and across the globe, as well as likely upgrading its existing facility in Canberra.

Telstra will be opening cybersecurity centres internationally following the launch of its security operations centres (SOCs) in Sydney and Melbourne over the next few weeks, CEO Andy Penn has announced.

Speaking during Telstra’s FY17 financial results call, Penn said Australia’s incumbent telecommunications provider is currently looking at locations for international SOCs, but would not disclose the sites.

However, he added that the two new Australian centres will be launching “very soon … in the coming weeks”.

“There’s no doubt that large enterprises and even smaller enterprises today are becoming increasingly concerned by cybersecurity risks that they face,” Penn told ZDNet.

“There’s virtually no technology innovation that’s happening today that isn’t intended to be connected. That means it’s across a network, and what’s critical is those innovations and that technology is protected from a cyber perspective.

“We’ve got deep, deep, deep skills in cyber because of our own need to protect our networks, but also we provide a very significant dynamic service for our enterprise customers, and this is really a significant investment in really building that service for our enterprise customers.”

Penn told ZDNet that Telstra will also likely upgrade its existing SOC in Canberra.

“We have a dynamic product offering which is integrated with some of the best data analytics globally and the best access to data globally, so that’s actually the fundamental offering, and then the security operations themselves actually enable ourselves on behalf of our customers, or our customers, to monitor 24/7 effectively the cyber activity on their networks,” Penn told ZDNet.

“You need the data analytics and you need the artificial intelligence and the machine learning capabilities to process what’s actually happening deeply at the network level, and you need the sensors deep within the network, and that’s the dynamic security offering that is already launched. We’ve already got customers on that who are very pleased with that offering, and then we’re supporting that with the security operations centres.”

Penn said Telstra has the “smartest” network in Australia, with the telco currently also upgrading its fibre-optic network to allow for terabit capacity.

“We have commenced the rollout of our next-gen optical fibre and transmission network; Tasmania was the first state to benefit from this upgrade,” the chief executive said.

“This will increase Telstra’s network capacity to 1 terabit per second, and has already done so on each of Telstra’s two subsea cables running across the Bass Strait. We’re already rolling this out to the rest of the country, and there is future potential to increase the capacity to 100 terabits per second.”

In addition, Penn spruiked the company’s Cat-M1 Internet of Things (IoT) network, built in conjunction with Ericsson and switched on earlier this month on the 4GX network.

“Cat-M1 will give us the platform for the significant growth we expect to see in IoT,” Penn said.

Telstra currently has more than 8,600 mobile towers, 5,000 telephone exchanges, 200,000 switches and routers, 240,000km of optical fibre cable, and 400,000km of submarine cable.

Telstra TV 2

Penn also announced the launch of the Telstra TV 2, saying that Telstra remains “committed to Foxtel” despite its dropping revenue and is in discussions with co-owner News Corp on how best to structure and arrange Foxtel in future.

“We’re about to dial it up again,” Penn said, detailing that the Telstra TV 2 will include all streaming and catch-up TV services along with a linked mobile app, making it “a real Australian first”.

“Access to the best content is critically important to us as demand for media continues to grow. At the same time, the media market is changing with new participants and increased competition,” Telstra added.

Telstra’s media revenue grew by 8.2 percent to AU$935 million thanks to uptake of both the Telstra TV and “Foxtel from Telstra”. Foxtel from Telstra made AU$777 million in revenue, growing by 8.1 percent due to 57,000 additional subscribers, and there are now 827,000 Telstra TV devices in the market.

Underpinning Telstra’s SOCs is its suite of managed security services announced in March and launched in July, Penn said, in addition to the company’s 500 “cybersecurity experts”.

The Telstra TV originally launched in October 2015.

Data-retention grants: Telstra gets $40m, Vodafone $29m, Optus $14m, NBN $1m

ISPs are being given 80 percent of their compliance costs, according to the attorney-general, under the government’s AU$128 million data-retention grants program.


Australian Attorney-General George Brandis has announced the recipients of its AU$128 million data-retention grant pool, with Australia’s largest telecommunications providers getting tens of millions of dollars in funding to comply with the federal government’s data-retention scheme.

Under the grants [PDF], Telstra is receiving AU$39.9 million; Vodafone Australia is receiving AU$28.8 million; Optus is receiving AU$14.8 million; Vocus and M2 — now one company — are receiving AU$3.4 million combined; MNF Group is receiving AU$3 million; TPG is receiving AU$2.2 million in combination with its now-subsidiary iiNet; Exetel is receiving AU$1.8 million; and the National Broadband Network (NBN) company is receiving AU$1,067,515.

Also receiving over AU$1 million are Broadband Solutions, with AU$2.2 million; Message4U, with AU$1.3 million; BigAir, with AU$1,042,666; and The Summit Group, with AU$1,032,000.

“Today, I am pleased to announce the outcomes of the AU$128.4 million Data Retention Industry Grants Programme,” Brandis said.

“The programme delivers on the government’s commitment to make a substantial financial contribution to service providers’ upfront costs of meeting their data-retention obligations, with particular emphasis on support for smaller providers.

“Most providers will receive a grant of 80 percent of their implementation costs … service providers will receive 50 percent of their grant immediately upon signing a funding agreement. This will help businesses on their path to compliance. The remaining 50 percent will be paid upon the completion of reporting requirements.”

The AU$128.4 million data-retention grants program, announced in January, was designed to cover the costs caused by upfront compliance with the newly passed data-retention legislation.

It has been divided between 180 ISPs, with the smallest amount being AU$10,000, received by ISP Arris, and the most received by Telstra.

The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015, passed by the Australian government in March, came into effect last October. It will see customers’ call records, location information, IP addresses, billing information, and other data stored for two years by telcos, accessible without a warrant by law-enforcement agencies.

In April, small operators said they were continuing to do nothing about data-retention compliance due to the costs associated, according to Communications Alliance CEO John Stanton.

“Many service providers — particularly smaller operators — have told us that they are doing very little or nothing to build their compliance capabilities at the moment,” Stanton said at the time.

“Who can blame them — if they start investing in new systems now, without knowing how much of that investment will remain unfunded once the subsidies arrive, they are putting themselves at risk of bankruptcy.

“Other operators have been investing in compliance measures, but are doing so in an ongoing climate of uncertainty.”

Stanton on Monday afternoon welcomed the grants allocation announcement, saying the government has “done a reasonable job of apportioning the limited funds available”.

“Some of the larger players face heavy unfunded expenses to meet their compliance requirements,” he added, however.

“But the lengthy delay in finalising the grants process has put many service providers under immense pressure to complete, on time, the work to enable them to comply with this regime.

“The government should acknowledge that these delays have made compliance more difficult to achieve within the prescribed time frame.

“The Attorney-General should publicly commit that no action will be taken, come April next year, against any service provider that is genuinely working to comply with the regime, but has been disadvantaged by the slow pace of decision making.”

Henry Sapiecha

Telcos say two years is far too long for metadata retention

Little justification: Telcos say metadata shouldn’t necessarily be stored for two years.

The Abbott government should consider shortening its two-year mandatory data retention regime to six months, Australian telcos say.

The government should also rethink its approach of using regulation rather than legislation to define what metadata should be stored, they said. Using regulation to define the data would mean the Attorney-General of the day could widen the amount of data collected without Parliament passing the changes.

In a joint submission to the federal government’s inquiry examining the introduction of a mandatory two-year data retention regime, telco industry bodies the Communications Alliance and the Australian Mobile Telecommunications Association said their members, including Telstra, Optus, Vodafone and iiNet, believed a two-year retention period was too long.

The associations said they were yet to hear from Australian security agencies “a substantive justification for a two-year retention period”.

In the absence of local examples, they noted that in Britain over a recent four-year period more than 74 per cent of disclosures to law-enforcement agencies, where the age of data being sought was known, related to data that was less than three months old.

A majority of their members believed that a period of about six months would “be an appropriate minimum time” for storing internet-related metadata. But they’d like the flexibility to store metadata for up to two years just in case they needed to do so for business purposes.

The Australian Security Intelligence Organisation (ASIO) deputy director-general Kerri Hartland told the inquiry on Wednesday that the agency had wanted more than two years for data retention but had compromised to settle with two years. Without data retention, she said ASIO could not operate effectively into the future.

Of the metadata requests ASIO has made, Ms Hartland said 10 per cent were for data that was 12 months or older.

Andrew Colvin, Commissioner of the Australian Federal Police, added that the longer the data was kept “the better”.

The Parliamentary Joint Committee on Human Rights previously recommended the proposed two-year retention period be re-examined, in light of the fact very few agency requests relate to data more than six months old.

The committee also recommended warrants be required to access metadata. At present all that is needed to access the data is a requesting agency’s senior officer’s sign-off.

According to the Australian Communications and Media Authority, there were 582,727 authorised “disclosures” of metadata during the 2013-14 financial year.

Henry Sapiecha