Concerns metadata retention could create a 'honeypot' for hackers

A leading digital privacy group has joined Telstra in warning that metadata stored under a mandatory data retention scheme could become a tempting cache of personal information for hackers.

Claire Reilly Former Principal Video Producer
Claire Reilly was a video host, journalist and producer covering all things space, futurism, science and culture. Whether she's covering breaking news, explaining complex science topics or exploring the weirder sides of tech culture, Claire gets to the heart of why technology matters to everyone. She's been a regular commentator on broadcast news, and in her spare time, she's a cabaret enthusiast, Simpsons aficionado and closet country music lover. She originally hails from Sydney but now calls San Francisco home.
Expertise Space | Futurism | Robotics | Tech Culture | Science and Sci-Tech Credentials
  • Webby Award Winner (Best Video Host, 2021), Webby Nominee (Podcasts, 2021), Gold Telly (Documentary Series, 2021), Silver Telly (Video Writing, 2021), W3 Award (Best Host, 2020), Australian IT Journalism Awards (Best Journalist, Best News Journalist 2017)
Claire Reilly
3 min read

Image by Alexandre Normand, CC BY 2.0

Both Australia's largest telco and a leading digital privacy organisation have warned that mandatory data retention could create a "honeypot" of personal information that could be compromised by hackers and criminals.

The warning came at a Parliamentary Committee hearing on proposed Data Retention legislation, which is hearing from telecommunications providers, security experts and privacy advocates in Canberra today and tomorrow.

Both Telstra and digital civil liberties group Electronic Frontiers Australia have warned that requiring telecommunications providers and ISPs to store metadata on every Australian for a period of two years would create a massive cache of personal information that would need to be protected with extra security to prevent hacks.

To highlight how much more data could be retained under a mandatory scheme compared to current practices, Telstra Director of Government Relations James Shaw said that, at peak times such as New Years Eve, some data is only retained by the telco for a few hours before it is overwritten -- significantly less than the two-year period that would be required under proposed legislation.

Telstra Chief Information Security Officer Michael Burgess warned that keeping two years' worth of metadata could pique the interest of people aside from law enforcement and security agencies, and that the company "would need to take further steps" to ensure security.

"The internet is a very busy place for people that choose to do harm," he said. "We would have to put extra measures in place...to make sure that data was safe from those that should not have access to it."

Furthermore, Burgess warned that the data retention scheme would require "new functionality" to be rolled out across Telstra's network to ensure the proper storage of the correct information. Compared to current storage methods, he argued that a new centralised system could provide an easier access point for hackers.

"Today they would have to get in...and it would be very complicated for a hacker to move across our network and put the pieces together to track someone's phone in terms of where it's been," he said "You'd probably have to be on the network for months, if not years...figuring out how to do that."

"That new functionality we're putting into our network...[is] of concern to me."

Telstra's concerns were echoed by Electronic Frontiers Australia Executive Officer Jon Lawrence, who went further in arguing that mandatory data retention was an "unnecessary and disproportionate invasion of privacy" that could further lead to personal information being compromised.

"[Metadata] will literally be a honeypot to organised crime, to any sort of person who can potentially access it," said Lawrence. "The scope of risk in terms of, for example, systems administrators who manage this information, is very high."

Beyond hacking, Lawrence also warned that data retention could lead to increased action from parties pursuing civil legal action, such as rights holders who seeking access to metadata to pursue pirates.

"The creation and retention of this information for a two-year period will absolutely enable the expansion of that activity and we don't believe that is in anyone's interests," he said. "I am not aware of how Parliament could legislate away the ability of a court...to enable access to this information.

"These databases will be honeypots -- they will be equally attractive to hackers as they will to commercial litigants."