Government's Data Retention Law Allows Telco's Metadata to Remain Unencrypted

Giulio Saggin
Tuesday, 28 November 2023

One of Australia's leading telcos, Optus, is keeping its legacy systems free from encryption. And it is doing so in accordance with the country's Data Retention Act.

The Act came into being in April 2017 and is considered by many to be one of the most intrusive data retention regimes in the western world. It requires telecommunications companies to store customer metadata - records of phone calls, text messages, emails and internet activity - for at least two years. The information is available not only to the government but also to intelligence and law enforcement agencies.

When it comes to protecting metadata, the Act states, among other things: "A telecommunications provider must protect the confidentiality of information that, or information in a document that, the service provider must keep, or cause to be kept" ... "encrypting the information" ... "protecting the information from unauthorised interference or unauthorised access."

Even though "encrypting the information" is listed among the protective measures, the Act also provides that "a service provider may be exempt from data retention obligations either generally or in so far as they relate to a specified kind of relevant service."

In its submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS), Optus wrote: "Because part of its overall data retention architecture involved storing some data in legacy systems, Optus applied for and received limited exemptions from the encryption obligation. Without these exemption provisions, additional cost and complexity would have resulted, because the encryption obligation was otherwise incompatible with the operation of the exempted legacy applications."

Following Optus' submission, the Department of Home Affairs lodged its own with the PJCIS, in which it said the Data Retention Act had led to better protection for the data of telco customers. Optus says that, since the exemption was granted, there have been no "security incident or breaches" in relation to the data.
