Australia’s controversial metadata retention scheme could be pruned back as one of the ways the federal government seeks to defend the country against cybercrime.
The government will review the scheme, which requires telecommunication companies to retain details such as the time, date and form of communication from their customers, as part of a broader look at federal legal data retention requirements.
On Wednesday, the Albanese government released its 2023-2030 Australian Cyber Security Strategy. Nestled among promises in the $586 million plan — including improving infrastructure, creating a guide for businesses on how to respond to ransomware, and a “cyber awareness” education campaign — is a commitment to “streamline data retention requirements”.
“The review will consider any unnecessary burden and vulnerabilities that arise from entities holding significant volumes of data for longer than necessary … the government will explore options to minimise and simplify data retention requirements,” the report reads.
One of the most notable and largest data retention schemes is the 2015 metadata retention regime that forced telecommunications companies to retain two years of customer metadata for use in serious criminal and national security investigations.
At the time, both the industry and cybersecurity experts warned that introducing the scheme would create a highly valuable “honeypot” target for hackers that would be a huge risk for providers, among other critiques.
Tech advocacy group Electronic Frontiers Australia chair John Pane welcomed the review, telling Crikey that the risk presented by metadata had only increased over the years with new advances in technology: “Policy has stayed the same but tech keeps marching forward,” he said.
Pane says that, beyond mandatory retention, the voluntary retention of data by businesses and organisations also presents a large threat to cybersecurity.
“Too many organisations are collecting too much information for their purpose, and they’re keeping it too long. In the middle, sometimes, there’s a failure to protect,” he said.
Earlier this year, the federal government committed to a number of reforms to the metadata retention scheme following a review that found that a range of organisations beyond the law enforcement agencies were accessing the scheme, “including the RSPCA, Victorian Institute of Education, Taxi Services Commission and local councils”.