Brandis and PwC silent on Xmas Eve metadata quiz
No comment on 36-month metadata retention question and timing of consultation
Neither the Attorney-General’s department nor PricewaterhouseCoopers (PwC) will comment on why a questionnaire sent to carriers and internet service providers on Christmas Eve asked about the cost of storing metadata for either 12 or 36 months, rather than the 24 months suggested in draft legislation.
As Vulture South reported on Boxing Day, the Communications Alliance distributed a questionnaire on PwC's behalf, asking carriers to estimate the cost of data retention by January 9th. After negative feedback, that deadline was extended to January 16th.
The questionnaire was, we felt, notable for asking “How would your estimated upfront capital costs change if the mandatory data retention period was different to that currently proposed? (12 and 36 months)”, because all discussion of metadata retention has, to date, mentioned a 24-month retention period.
The timing of the questionnaire's release also seemed worthy of a question or two: what kind of consultation offers just nine working days at a time of year few businesses have a full complement of staff at their desks?
I therefore asked both the Attorney-General’s department and PWC to clarify a few things, namely:
- Who picked the timing of the questionnaire's release?
- Who added the 12 and 36 month question and the question about possible business benefits of retained metadata?
- Whether PwC and the Attorney-General’s department considered the timing of the questionnaire's release to be best practice?
- What weight will be given to estimates submitted during this process, given carriers are working with a draft metadata set that may change?
Neither responded substantively. PwC phoned to say it doesn't comment on client engagements. The Attorney-General’s department sent a statement saying “It would be inappropriate to discuss the details of these consultations while they are ongoing.”
Those are hardly satisfactory responses.
For starters, the use of questions about 36 month retention and business benefits of metadata retention represent new ideas that deserve wider debate. An extra year of retention has not been mentioned previously. Businesses using metadata has never, to your correspondent's knowledge, been on the table. Both ideas present obvious security and privacy concerns.
Secondly, this appears to be a very shabby way to run a consultation. The timing is lousy, there seems little chance of securing a consistent response from carriers with the “put a number in a box” approach and, absent a final metadata definition, it is hard to see how these hastily-developed cost estimates will be particularly useful. For the consultation effort to be genuine, surely carriers will be asked to repeat their estimates once a final metadata set is defined, not the kind of thing one expects from a government so keen to “cut red tape”.
Third, between the timing and the non-response to questions, the consultation does not appear sincere.
Another wrinkle: The Reg was cc'ed on a letter from Queensland ISP Fastel to Attorney-General George Brandis. Fastel is located in, and serves, a region called Wide Bay. As the letter points out, it is not a Communications Alliance member, so did not receive the consultation request. Fastel Director Frank Bujik writes that discussions he's held with other small ISPs suggest they've also received no consultation requests regarding metadata retention.
The government also makes much of its friendliness to small business.
Attorney-General George Brandis has not been anywhere near a convincing advocate for metadata retention, flubbing attempts to define metadata or the regime under which it will be stored. This consultation attempt does not make him look any more sincere.
If this round of consultation is not industry's final opportunity to offer costs estimates for metadata retention, the process may yet be satisfactory. Absent explanations about why this round was conducted in the chosen manner, and chosen times, it's easy to draw conclusions that the effort is token and that the government’s stated aim of helping carriers to meet the cost of metadata retention is not entirely sincere. And if that's the case, what is one to think about its assurances on metadata mission creep? ®
Sponsored: Becoming a Pragmatic Security Leader