Senate debates

Wednesday, 25 March 2015

Bills

Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015; In Committee

7:34 pm

Scott Ludlam (WA, Australian Greens)

I will speak briefly to this because it does traverse an area that we addressed earlier, to a degree. It does require a bit of careful drafting, and I will just also foreshadow that the Australian Greens have an amendment to similar effect, worded slightly differently from the way that Senator Leyonhjelm has tried to handle it—and it is difficult.

We heard, I think, a variety of views on this matter when Senator Xenophon, Senator Leyonhjelm and I convened a forum of interested parties from across the political spectrum and from industry, digital rights organisations and advocates late last year. One of the guests we had was the then iiNet Chief Regulatory Officer Steve Dalby, and he put forward quite forcefully the fact that ISPs were trying to find the lowest cost option for storing the required data which, in his words, 'at the moment is in China'.

I recognise that not all the costs of the data retention scheme are in storage; in fact, storage gets cheaper by the year. But of course data volume is increasing, and it is a bit difficult to tell whether in the future these things are going to keep pace, because, as fast as technologists work out cleverer ways of storing ever-larger quantities of material in smaller and cheaper spaces, we generate more of the stuff. So storage is only part of the cost. I suspect Senator Brandis, if I asked him, could not provide us with a break-up of the roughly $390 million—how much of that estimated cost is storage, how much is retrieval systems, how much of it is compliance administration. I suspect, if those numbers exist, they may well be beyond the reach of the Senate, although I would be delighted to be proven wrong.

The point Mr Dalby was making was not so much that iiNet would take up that option of the lowest cost hosting provider but that perhaps others, with fewer resources than an entity the size of iiNet, might have to do just that. We heard estimates from industry earlier this year that, potentially, half of the smaller end of the spectrum of service providers might go to the wall as a result of this. I think it is a spectacular reversal of policies of regulation that, just for a change, you have actually been supported by all sides of politics, and the disaggregation of Telstra from NBN was a part of that—taking the wholesale business out of private hands and bringing that back into public hands, and then letting the private sector let it rip at the retail end. That has actually created what I would argue is a wonderful fragmentation in the RSP end of the market, but it is those smaller and newer players that we will potentially put to the wall. They are going to be seeking the lowest costs. They will not have the legal clout and they may not have the technical clout to embed the kind of security provisions that are going to be required. They do not necessarily have high-powered legal counsel and they are not necessarily going to be able to run sophisticated demands of this government to recover their costs. That end of industry, in particular, who already operate on pretty fine margins, are going to be looking to cut costs wherever they can. Some of that obviously is going to be in storage.

A former ASIO chief whose name has popped up a couple of times, Mr Irvine, who Senator Brandis quite correctly pointed out is pro data retention—nothing that I quote of his words is intended to dispute that—was at a defence and national security roundtable jointly held by The Australian Financial Review and KPMG not that long ago, and he said that while the cloud was a 'wonderfully efficient thing' and it was where everyone was going, 'I would rather the cloud hovered over Sydney or Melbourne rather than Shanghai or Bangalore, where it was governed by someone else's sovereign legislative system.' He said he would feel much more comfortable with the data governed by Australian law than by law in some other country. He said:

These days every bit of data is sensitive and I know Telstra stores its data in 13 different places

That is not necessarily 13 different countries or jurisdictions, but Telstra, as a result of its very long history and the huge variety of services that it offers, hosts material on quite different kinds of platforms and systems, and obviously the cloud, almost by definition, is transnational.

This is the speech in which I believe Mr Irvine declared himself a 'cyber nationalist', which is an interesting concept to fold into a medium as borderless as the internet. The reason he put that view is that, although Senator Brandis was at some pains to inform us earlier that Australian material hosted in other countries is still obliged to be treated under Australian privacy law, it is difficult in advance to establish whether the protection from data breaches is as robust as we would find here in Australia, and is it going to be easier to establish, I would argue, that the protections are up to scratch? This is people's personal private material. It is not the personal private material of just criminals and terrorists but necessarily, by the breadth of this bill, of everybody else—people who are not suspected of anything.

There was a remarkable report produced by Mandiant about two years ago, and it is very rare that documents such as this would get put into the public domain. They spent months and months tracking an entity that they referred to as APT1—advanced persistent threat 1—operating out of an office block in Shanghai that they argued was a unit of the Chinese military, and it appeared that its entire sole purpose of existence was industrial espionage on a massive scale. This entity appeared to be entering corporate data systems and government databases around the world using a mix of technical and social engineering techniques to gain access to systems to set up small encampments inside people's databases and then systematically loop and withdraw material, some of it quite sensitive, for purposes that I suppose we can only guess at. This kind of stuff happens on an extraordinary scale, and it is obviously not just the records of ordinary Australians that are going to be stored but everybody all the way up to CEOs of blue-chip corporations and their families will be caught up in this legislation—personal records; private and confidential communications of a presumably very sensitive nature from a business perspective. We are proposing that all that material be hosted and preserved for the first time in a really systematic way, and we are also forcing the providers to make it much easier to access and withdraw and bring it out. I suspect that is where Mr Irvine was heading with his cyber nationalism. It is his view that telcos should be forced to create this data, and obviously that is where we part ways. His view is that, if it is going to be created, we had better make sure we look after it as well as we can and a server somewhere else in the world, goodness knows where, subject to goodness knows what kind of technical protection measures, may not be the best place for it.

The Australian Greens will be supporting Senator Leyonhjelm's amendment. Senator Brandis acknowledged before that the government does not have a closed mind on this issue and that it may be something that is revisited in the course of the review that you alluded to before. In supporting this amendment, and that of the Australian Greens that is to follow, I would also acknowledge that it is likely to increase costs. It is likely to be more expensive; that is precisely the reason that some of the ISPs may well want to outsource this elsewhere. They would be doing that because of cost. That means that if we require them to host this material in Australia that may well have a material financial impact on the bill. I would like to hear from Senator Brandis how costs are being factored in and how he can proclaim confidence about material hosted elsewhere that may well be subject to Australian privacy law but is subject to a much lower standard of technical protection, and whether this would be dealt with in that six-month period where ISPs and telcos are going to be required to submit their implementation plans, whether data security of where they are proposing to host these new categories of material will be a material fact and whether the government is aware that this may indeed increase costs if it is held locally.
