The more I deal with Data Retention the clearer it is the Federal Government have bought themselves a disaster. Over the years public servants and politicians have not understood the difference between hosting content on the Internet and connections to the Internet. As a result companies that provide hosting of websites on hardware that belongs to others (like AWS) and no other access to the Internet fall into a peculiar gap.
To be required to ‘Retain Data’ under the new Part 5-1A of the Telecommunications (Interception and Access) Act (which is so new AustLII doesn’t have it consolidated yet) an entity must be at least one of:
- A Licensed Carrier under Part 3 of the Telecommunications Act of 1997
- A Carriage Service Provider (CSP) under Part 4 of the Telecommunications Act
- An Internet Service Provider (ISP) defined in a rambling way under Schedule 5 of the Broadcast Services Act (BSA)
What ordinary people think of as an ISP is really a Carriage Service Provider because the interweaving of the definitions mean a business that isn’t a licensed carrier providing services using services provided a licensed carrier almost always becomes a CSP.
So what does that make a pure web hosting business?
Web hosting services are definitely Content Services under Schedule 7 of the BSA.
They are also defined as ‘Internet Content Services’ under Schedule 5 of the BSA.
So the question is ‘are they Internet Service Providers’?
The definition is “For the purposes of this Schedule, if a person supplies, or proposes to supply, an internet carriage service to the public, the person is an internet service provider.”
Parsing that we need to understand the words.
- Person – a person at law i.e a company
- “internet carriage service” means a listed carriage service that enables end-users to access the internet.
- end-users – not actually defined in the BSA but we can take it to mean users of the internet
- public – the Act contains this “Note: If a company makes internet content available for access on the internet, and an individual obtains access to the content using an internet carriage service, the company and the individual are end-users in relation to the carriage of the content by the internet carriage service.”
So it looks like the Parliament put a nice clear indicator of their intent right in the Act. On the face of businesses that operate websites are end-users of the Internet.
But if the owner of the website pay a hosting business, who allocates IP addresses to its customers and carries IP packets from an upstream ISP to the web server, that is ISP-like behaviour that a reasonable person would think would be captured by Data Retention, but the connection to the Internet is happening entirely within the web server which only looks like a carriage service if you squint very hard.
Squinting at Section 87 of the Telco Act:
Carriage service providers – Basic definition
(1) For the purposes of this Act, if a person supplies, or proposes to supply, a listed carriage service to the public using:
(a) a network unit owned by one or more carriers
And the definition of Listed Carriage Services is in Section 16:
Listed carriage services
(1) For the purposes of this Act, the following carriage services are listed carriage services:
(a) a carriage service between a point in Australia and one or more other points in Australia
So is the same Ethernet port, CPU and memory two distinct points or one point? If they are two distinct points then Data Retention would apply, if not it wouldn’t.
And if the server is a WEB server, what part does the claimed STRONG prohibition in the new Part 5-1A of Act against retaining web browsing history play?:
(4) This section does not require a service provider to keep, or cause to be kept:
(ii) was obtained by the service provider only as a result of providing the service
Note: This paragraph puts beyond doubt that service providers are not required to keep information about subscribers’ web browsing history.
If you were cynical you would conclude that the only reason Internet access providers don’t have to record web browsing histories is because Internet content providers are required to record it already. But only if the web hosting operator is considered to be a carriage service provider.
At some point this is likely to be tested in the Federal Court and High Court. That will be fun to watch.