Australian universities drop tech services to dodge metadata retention obligation

Secondary campuses – and your alumni email account – fail 'immediate circle' test

When Australia's federal government finally revealed who had been given money to help pay for metadata retention efforts The Register was surprised to see eight Universities on the list.

So we've asked around and figured out why.

Universities have a metadata retention obligation thanks to the Section 187B(a) of the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 which explains that service providers other than carriers and ISPs don't have to retain metadata the comms service they provide: (i)  is provided only to a person’s immediate circle (within the meaning of section 23 of the Telecommunications Act 1997); or (ii)  is provided only to places that, under section 36 of that Act, are all in the same area; and

“Immediate circle” includes staff and students, so WiFi for students doesn't create a metadata retention obligation for the university, although of course the University's internet service provider does have that obligation.

Anne Kealley, CEO of the Council of Australian University Directors of Information Technology (CAUDIT), told The Register that entities like a campus bookstore or privately-funded research outfit with on-campus offices fall outside the immediate circle. That kind of outfit often resides in university buildings and has little alternative other than to use university-provided telephony services. Contractors and charities are also beyond the immediate circle. And so are services like email accounts provided to alumni.

Hence Universities' metadata retention obligations.

Kealley told The Register that once universities realised they had an obligation, some felt they were already compliant so did not need to apply for a grant to build retention infrastructure. Others said “we have an obligation but we are going to change who we are providing the services too, therefore we will remove our obligation.”

“If they provided it to a shop on campus they could well say we are going to close out that service and ask the shop to arrange its own phones from now on.”

Australia has 43 accredited universities. It is unclear how many had no metadata retention obligations and how many found ways to avoid those obligations.

Universities also had to figure out if their secondary campuses created metadata retention obligations. Universities operate multiple campuses for a host of reasons: they may need more space, want to target a different area or need facilities that can't be located on their main campus.

Whatever the reason, some universities found that their secondary campuses created metadata retention obligations.

Kealley said Universities negotiated with the Attorney-General's Department over those obligations and “did our best to broaden our broaden definition of immediate circle and same area.”

“There was some frustration,” she said.

And perhaps some frustration for Australian taxpayers as metadata retention grants to Australian universities are at least AU$3,121,270, even though their ISPs also have that metadata collection obligation. And of course the grants are not designed to cover the full cost of retaining metadata.

The Register asked Australia's attorney-general George Brandis whether, if the stated intention of the metadata retention legislation is to assist investigations, it was intended that Universities incur an obligation? Brandis' media team did not address that question directly in its reply, explaining the "immediate circle" and other exemptions in the legislation and pointing out that "The Office of the Communications Access Co-ordinator has been engaging with universities to assist them to become compliant with their obligations, including considering legislated exemptions where appropriate. ®

Sponsored: Detecting cyber attacks as a small to medium business


Biting the hand that feeds IT © 1998–2020