THE nation’s top spies are concerned Australians’ metadata may be exposed to hacking and espionage, with the Turnbull Government making the extraordinary admission it has no idea where it is stored.
Attorney-General George Brandis’ most senior security officials have fessed up to the Federal Intelligence and Security Committee that they have zero oversight of how much of Australians’ metadata is stored offshore by telecommunication and internet providers.
Metadata is the electronic footprint or record from IP addresses, phone calls, internet searches and other online activity.
The data retention legislation does not apply to web browsing history, which was an early concern.
It’s understood ASIO wants to know exactly where offshore Australians’ metadata, which now needs to be kept for two years under data retention legislation, is stored as Telstra told The Daily Telegraph some of its data was kept in secure premises overseas.
“This is something we do not know because there is no obligation for industry to tell us,” the Attorney-General’s First Assistant Secretary of the National Security Division Sarah Chidgey told the Federal Intelligence and Security Committee.
“I think offshoring, in and of itself, is not necessarily a security risk but it could be.”
Intelligence Committee Deputy Chair Anthony Byrne said intelligence agencies had warned the committee that offshore storage of metadata was a security risk.
He said there had already been significant issues of data being “susceptible to infiltration” when stored offshore.
“Do you think Australians would be comfortable, given the concern about the metadata regimen, that a lot of their metadata could be stored offshore and, worse than that, that the security agencies and the Attorney-General’s department do not know how much data is being stored offshore?” he said during the hearing.
“It was one of the concerns of the committee that if you did allow offshore storage that it did impact the capacity of the agencies and the Attorney-General’s Department to protect the data.”
Telstra admitted some of its data was stored offshore.
“As outlined in our privacy statement, we may store information in hard copy or electronic format, in storage facilities that we own and operate ourselves, or that are owned and operated by our service providers, and this may include offshore locations,” Telstra’s spokesman Steve Carey said.
iiNet has previously not ruled out storing metadata in China, saying it would try to find the lowest cost option.
The Prime Minister’s Cyber Security Special Adviser Alastair MacGibbon said the security agencies were not seeking a ban on offshoring, but needed to know the location of data to manage the risk.
“Vulnerabilities exist whether data is offshore or onshore so the issue is about enhancing cyber and network security. Ultimately the location of data will be a risk management exercise,” he said.
Brandis’ office told The Daily Telegraph new reforms were being introduced to “remedy security risks posed by offshoring”.
“The offshoring of data has been happening for many years prior to the introduction of the data retention legislation,” Brandis’ spokesman said.
“However the telecommunications sector security reforms are specifically designed to remedy security risks, including risks posed by offshoring, and protect Australian networks from vulnerabilities. These important reforms are to address network security vulnerabilities regardless of where the data is stored.”
Anne Sheehan, Assistant Secretary of the Attorney-General’s Department’s National Security Division, said the current legislation does not give the Government the capacity to compel the companies to say what they are doing with their offshore metadata.
“We do not have a complete picture of every company’s offshore storage of data. In conversations with some industry members, we may have some visibility, but not across the board,” she said.