For those interested, there are significantly more details below.
Some users have asked us what the recently passed metadata retention laws mean for FastMail, and in particular the privacy of their data. We’ve now reviewed the new laws as passed in the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 and worked with a lawyer to get a confirmed interpretation.
The most important provision in the Bill for our purposes is the new section 187A(3) which defines who the laws actually apply to. There are 3 separate parts that must all apply for an entity to be subject to the metadata retention requirements. Quoting the actual bill:
(3) This Part applies to a service if:
(a) it is a service for carrying communications, or enabling communications to be carried, by means of guided or unguided electromagnetic energy or both; and
(b) it is a service:
(i) operated by a carrier; or
(ii) operated by an internet service provider (within the meaning of Schedule 5 to the Broadcasting Services Act 1992); or
(iii) of a kind for which a declaration under subsection (3A) is in force; and
(c) the person operating the service owns or operates, in Australia, infrastructure that enables the provision of any of its relevant services;
but does not apply to a broadcasting service (within the meaning of the Broadcasting Services Act 1992).
We do meet the requirements for (a), however none of (b) nor (c) apply to us, so the laws as a whole to not apply to us.
Digging into these into more detail:
As an email service, FastMail clearly enables "communications" to be "carried" (as those two terms are defined in the Telecommunications (Interception and Access) Act 1979 ("TIAA").
(i) FastMail is not a "carrier" as defined in section 5 the TIAA because:
- we are not the holder of a "carrier licence" as defined in section 7 of the Telecommunications Act 1997 ("TA"); and
- we are not a "carriage service provider" as defined in section 87 of the TA because:
- the definitions in sections 87(1), (2), (4) and (5) require a carriage service provider to be a person supplying a "listed carriage service", which is defined in section 16 of the TA to mean a "carriage service" between two or more points where at least one point is in Australia – as none of FastMail’s servers are physically in Australia, we only ever connect our servers to a network outside of Australia, and therefore only ever carry communications between non-Australian locations;
- the definition in section 87(3) applies to carriage services that are supplied as a secondary purpose for a network whose principal use is by a defence organisation, transport or electricity providers, or similar – none of these uses are relevant to FastMail’s services;
(ii) FastMail is not an "internet service provider" within the meaning of Schedule 5 to the Broadcasting Services Act 1992, because we do not supply an "internet carriage service" (meaning a listed carriage service (as defined in the TA) that enables end-users to access the internet) to the public; and
(iii) no declarations made under subsection (3A) are in force.
Although the argument regarding FastMail only ever carrying communications between non-Australian networks is quite technical, we’ve not been able to find any cases or commentary which support nor contradict that argument. However, having reviewed the rest of the wording in section 87 (including the definitions of "network unit", "line link", "line" and "designated radiocommunications facility", none of which FastMail seem to have in Australia), it seems unlikely that FastMail could be defined at a "carriage service provider".
In any event, an analysis of part (c) as discussed below, it’s of little consequence whether 3(b) applies or not.
The biggest question here is what "infrastructure" means. Section 5 of the TIAA (see page 29 of the Bill) includes a definition as follows:
infrastructure means any line or equipment used to facilitate communications across a telecommunications network
We don’t have any lines or equipment (servers) in Australia, and therefore do not have "infrastructure" in Australia.
As an additional confirmation, the explanatory memorandum for the Bill makes this point even clearer:
Definition of ‘infrastructure’
417. This item inserts a definition for the term infrastructure into subsection 5(1) of the TIA Act. It defines infrastructure, as it is used in paragraph 187A(3)(c), to mean any line or equipment used to facilitate communications across a telecommunications network.
418. The term infrastructure is used as part of the three limb test in paragraphs 187A(3)(a), (b) and (c) which defines a relevant service. ‘Equipment’ is defined in section 5 of the Act, which states equipment means any apparatus or equipment used, or intended for use, in or in connection with a telecommunications network, and includes a telecommunications device but does not include a line. Section 5 of the Act, defines ‘line’ by reference to the definition in the Telecommunications Act. Section 7 of the Telecommunications Act states a line is a wire, cable, optical fibre, tube, conduit, waveguide or other physical medium used, or for use, as a continuous artificial guide for or in connection with carrying communications by means of guided electromagnetic energy.
419. Servers used to operate an ‘over the top’ service such as VoIP would fall within the definition of infrastructure. However, ‘infrastructure’ is not intended to include business premises. For example the headquarters of a company, taken in isolation, would not satisfy the definition of ‘infrastructure.’
420. Importantly, a piece of equipment or line meeting the definition of infrastructure does not automatically satisfy paragraph 187(3)(c). For instance, a computer used by an employee in a company’s headquarters or marketing office is not directly involved in the provision of a relevant service and therefore does not satisfy paragraph 187(3)(c).
421. This item implements recommendation 11 of the 2015 PJCIS Report by defining the term ‘infrastructure’ in greater detail for the purposes of paragraph 187A(3)(c).
Therefore, it’s clear that part (c) does not apply to FastMail, as the only equipment in Australia is employees and their work computers, there are no servers running any FastMail services or storing any email in Australia.
Therefore section 187A(3), which imposes the metadata retention obligations, does not apply to FastMail.
We had some additional queries regarding the wording of “owns or operates, in Australia”. Since that’s two separate parts, if you take the "own in Australia" part, does that mean "the infrastructure is physically in Australia" or does it mean "the infrastructure is legally owned by an entity in Australia"? It has been made clear to us that the wording of part (c) of section 287(3) applies to the location of the infrastructure, rather than whether the person or entity that owns the infrastructure is Australian. If this wasn’t the case, part (c) would need to phrased so that the reference was to an "Australian person" or "Australian entity" owning infrastructure (or there’d be a definition to bring in this connection). By using the words "in Australia", the reference can only be to the physical location of the lines and equipment
As an aside from actually determining if the law applies to us, we regard the actual need for this law as poorly thought out. There’s no evidence that large scale metadata retention will actually lead to improved policing, and in an insane situation, you actually have the communications minister for the government that’s passing this law recommending ways to work around the law! All this bill does is impose excessive additional regulations and burdens on Australian businesses. It actively discourages us from investing in servers and infrastructure in Australia and encourages us to put them elsewhere in the world to ensure that the law continues to not apply to us. Forcing an Australian company to reduce IT infrastructure investment in Australia and creating an inferior experience for Australian customers, while providing no proven law enforcement benefit for anyone feels like a massive mistake to us.