OzLog won’t include web history: AG


The office of Attorney-General Robert McLelland today denied reports that a controversial data retention policy — dubbed “OzLog” online — being considered by his department could see Australians’ web browsing history tracked by internet service providers.

“This is not about web browser history,” said McLelland’s media liaison Adam Siddique in a brief telephone conversation. “It’s purely about being able to identify and verify identities online,” he added, linking the initiative to the ability for law enforcement to track criminals online.

On Friday the Attorney-General’s Department confirmed it had been examining the European Directive on Data Retention to consider whether it would be beneficial for Australia to adopt a similar regime. The directive requires telcos to record data such as the source, destination and timing of all emails and telephone calls – even including internet telephony.

Siddique’s statement pours cold water on a claim by sources quoted by ZDNet.com.au that the policy could extend as far as tracking the web browsing history of all Australians.

However, the spokesperson declined to disclose any further details of what the department was considering or when any public consultation on the matter might be held, directing further questions to the department, which has already declined to comment on more specific details of the consultation.

ISPs such as iiNet have disclosed they were aware of some aspects of the proposal as early as late 2009, but Siddique said he wasn’t aware that the ISPs had been required to sign a non-disclosure agreement as part of the consultation.

Most of the ISPs who have confirmed they were consulted about the data retention proposal have stated that they do not feel any modification to the current system is required. In addition, groups such as Electronic Frontiers Australia, the Australian Democrats and the Pirate Party Australia have slammed the idea over the past few days.

According to the EU directive, where internet access is concerned, ISPs must retain the user ID of users, email addresses of senders and recipients of email, the date and time that users logged on and off from a service, and their IP address — whether dynamic or static applied to their user ID.

For telephone conversations, this means the number from which calls were placed and the number that received the call, the owner of the telephone service and similar data such as the time and date of the call’s commencement and completion. For mobile phone numbers, geographic location data would also be included.

The chief executive of internet provider Exetel described the proposal as “a nanny state gone totally insane”. The issue is being debated on Twitter under the #ozlog hashtag.

Image credit: Ariel da Silva Parreira, royalty free

15 COMMENTS

  1. So the idea is to have emails and VoIP calls (that will be a fun one since many VoIP companies are offshore) logged in the same way PSTN calls are today? ie. no actual call data retained, just the logs.

    Providing the information is treated the same way as the PSTN calls are (ie. access to them is logged and viewing them without a valid reason is a breach of the privacy act and the person doing so faces heavy fines/jail time) then I honestly don’t have too much of an issue with this.

    • Tezz, if you’re happy for the government to have a record of all of the emails you send then I think you’re in the minority … how, after all, could journalists protect their sources if governments could get access to their email to see who and when they are sending emails to and receiving them from?

      Also, the issue of whether law enforcement authorities (or indeed, other government agencies) would get access to this data only through a warrant and on what terms has not yet been addressed … all of the discussions are currently going on behind closed doors.

      • Renai your reply contradicts your article as well as ignores my reply.

        1/ Your article did not state that emails would be recorded, what was stated was the to/from/subject/time/date fields would be logged, the actual email would not.

        2/ My reply stated that at present all phone calls are logged, not recorded, just the A#/B#/time/date fields are logged. This information is secured under the privacy act and cannot be accessed without authority to do so, and any access to this information is logged, anyone accessing it illegally can be fined and/or face jail time.

        So long as the information being kept is solely what is covered in 1/ and is subjected to the same privacy laws as 2/ then I don’t have an issue with it.

        • 1. I think we are both in agreement as to what the Govt is discussing: Storing meta-data about emails and phone calls, not the emails or phone calls themselves. In short, they would know who an email was sent to, from whom, and at what time, and the same for phone calls.

          2. I agree with you that this information is currently secured with relation to phone calls, but I think you are missing the point that it is not secured with relation to email, and that the Government has not said under this new proposal whether the privacy legislation would still occur.

          Can you at least admit, that for a journalist, meta-data about emails and phone calls is dangerous information that we would not like the government to have access to under any circumstances?

          Take for example, the case where I am getting information leaked from within a government department about corrupt police activities. With a warrant, those same police would be able to find out who, within that govt department, has been emailing me (just not the content of the email).

          Say farewell to your happy democracy.

          • Well that was my point, providing proper privacy laws were in place to prevent misuse of the information then yes I am ok with it, if not then no I’m not ok with it.

            You seem to be missing the point that metadata about phone calls is already logged, and has been for quite some time. It should be noted too for everyone who doesn’t send their CLI to hide their number, this has no effect on the logs, your number is still recorded just not passed on to the B end. This change would effectively bring email logging into the same realm as phone calls are today, so if you feel safe when your sources give you a call now, then you should feel safe when they send you an email too.

            This proposal obviously still has some details to be clarified, before we start with the end of democracy FUD why don’t we wait to see what the full scheme is.

          • Privacy laws are a crock of shit – while they have the best intentions, they do not include the human factor and the laws of unintended consequences. Just google “centrelink privacy breach”. I can’t find the article now, but there is a report (SMH I think) that one in every six Centrelink employees was investigated for breaching internal privacy policy – either way, there is documentary evidence of privacy abuse for many years at Centrelink. Imagine all the stuff that happens at various government agencies/private enterprises that doesn’t get reported or brought into the public? FOI laws will keep the government honest? How about the Bligh government using code names in order to circumvent FOI requests? http://news.smh.com.au/breaking-news-national/officials-accused-of-toon-town-tactics-20100611-y0ri.html

            To all those saying that VPN is the work around – what if this or the next government decides to close that loophole? The legislation could be worded in a way that if an ISP does not take sufficient steps in order to stop their users from circumventing the monitoring in place, they could be liable. Cue all ISPs null routing the known VPN services. Or the government could push these sites into the blacklist and stop you from signing up for the service.

            In any case, it doesn’t matter. There will ALWAYS be some way to get around these measures, but they will only be available to technically cluey people and criminals – the average user will not tolerate the performance of off-shore VPN/proxy/tor type service.

            In fact, I don’t see why the AG needs to propose new legislation for this monitoring. The Internet censorship system will be an inline device at every ISP customer network egress – the device is going to have to inspect the URL in the HTTP request, compare to black list and take appropriate action. Why not just log the IP address, date/time and URL at the time of checking the URL against the black list? They could sweep the censorship network appliance every hour back to a centralised database. A good infrastructure and network architect could put it together quite easily. This raises more questions? Who administers the censorship appliance? Does the ISP have any sort of administrative access? Is it built as a highly available, clustered service? Does it fail open or closed (i.e. if the appliance breaks, do users continue to access the web uncensored or does it deny all HTTP requests?) So many unanswered questions about this, so little actual legislation to answer it.

            $10 says that when the solution is finally delivered – it will have some HUGE glaring hole that is open to abuse. I.e. When the black list is updated, the new list is not signed/encrypted in any way and any ISP employee would be able to inject their own sites into the list. Tens of millions of dollars will deliver a flimsy, broken piece of crap and embarrass the hell out of Australia on the international stage – all to satisfy a handful of hypocritical wackjobs from the Christian right. FUCK you religious nutters – who the hell let you set the standards for our country?

            It is a very sad state of affairs for Australia at the moment in terms of privacy rights. Internet censorship & filtering, unified electronic health records, declaring pornography on immigration incoming passenger cards, every week brings something new and thoroughly depressing. There is NO upside to any of these laws except to score some voter points with ACL and the seemingly too common breed of dumbass Australian who thinks it’s a good idea because “if you aint done nuthin wrong u aint got no nothin to be scared of”.

            Maybe in 15 or 20 years when Conroy and Rudd are retired and write their memoirs we will find out the real reasoning for these policy decisions – it would satisfy my curiosity of how Australia went down the shitter.

          • +1 to what Jon said.

            And sorry, you haven’t really addressed the email problem. And no, I’m not just going to sit around and wait for the final proposal. You forget that if it wasn’t for journalists doing investigative journalism, we wouldn’t even know about this proposal and be discussing it. Your stance has you fundamentally trusting the government. That’s fine for you, but my role as a journalist in society is to be suspicious, to poke around, ask questions. The Govt that you trust to enforce privacy legislation routinely screws up, accidentally or deliberately. And like all governments, it does not like to tell its citizens more than it thinks they need to know.

          • Woo Renai hang on a second here.

            “Your stance has you fundamentally trusting the government.”

            No, it doesn’t, my stance is that what is being proposed for email is already in place for phone calls and has been for quite some time without any of the carry on that is going on here. My stance is that I would like to hear the full proposal before I chime a “Say farewell to your happy democracy.” pun in the middle of a comment. My stance is not to predetermine what is good and bad based on a few loose arguments.

            I would have thought as a journalist getting all your facts together before jumping to conclusions would be fundamental. To clarify for you, I said I agree with the proposal so long as it is restricted in the information it contains and is restricted in who and for what reason that information is accessed.

            Out of interest you do realise that none of your email is private right? Any emails to your work address are not confidential and are owned by the company, any emails to Gmail are scanned by Google for the purposes of advertising, etc, etc. You’re arguing against this proposal on the basis of protecting your sources when in reality they aren’t that protected anyway.

          • “No, it doesn’t, my stance is that what is being proposed for email is already in place for phone calls and has been for quite some time without any of the carry on that is going on here”

            No, sorry, it’s not.
            Phone call logs record the origin and destination number.
            It does not say “Sally at the Jones’s house picked up the call, they talked about Such and such”

            The equivalent in IP terms to the phone record would be “10.1.2.3 connected to 10.3.4.5 and transmitted 15 bytes”

            The email header information has such a huge capacity for abuse that it’s a fundamentally bad idea to allow ISPs to capture it. The nature of Subject lines is that people describe the email content, so very quickly you can see what people are doing in their personal and work lives. That information can be very valuable, and damaging if released.

            If it were implemented, I’d imagine that pretty quickly all it would capture would be less technically inclined folks and spam.
            Everyone halfway technical would switch to using SMTP over SSL, and cut any form of ISP logging out of the loop entirely.

            It also won’t (can’t) work for anyone using Webmail services without cooperation of Webmail service providers.

          • I’ve gone back and reread this article and the previous one and I stand corrected on one of my previous comments, unfortunately that correction also throws cold water on your key complaint.

            “The directive requires telcos to record data such as the source, destination and timing of all emails and telephone calls – even including internet telephony.”

            According to the articles right here on this site, there is no proposal to keep the subject field, and there is no proposal to keep the entire email header, it would just be sender/receiver/timestamp, that is it, and as I’ve said previously this is exactly the same information that is recorded for a phone call.

            “According to the EU directive, where internet access is concerned, ISPs must retain the user ID of users, email addresses of senders and recipients of email, the date and time that users logged on and off from a service, and their IP address — whether dynamic or static applied to their user ID.”

            This (to me at least) reads more or less exactly the same as the Australian proposal, only the time lines for how long the information will be kept differ.

          • Hey Tezz – mate I totally understand you trying to keep a cool head and point of view here. In fact in my initial comment I went a bit off the rails and went on a total anti-govt rant. I hate the sensationalist bullcrap and hence would like to try and respond to your comments in a clear and rational manner. :)

            Let’s compare apples and apples. Under existing laws, the gov can request logs from telco providers that provide the caller, the callee, date, time, duration.

            Under the laws going through consultation, the gov can request logs for emails sent by x, to y, on date / time, and possibly with a subject containing ‘blah’.

            The question here is not if an email and phone call being logged is the same thing, it is if an email should be *treated* the same as a phone call. Does the inclusion/exclusion make any difference to the context if it’s email or phone? Does the fact that people tend to be more forthright and less reserved when communicating via email affect the debate?

            I can assure you – I have expressed feelings/opinions via this forum in a text format (closer to an email than a face to face) that I would probably be able to effectively argue in a 1-on-1 meeting.

            It really comes back to the Internet censorship debate – the censorship crowd argues: “This stuff is already banned on TV, radio and movies – all we are doing is bringing the Internet medium up to the same standard”. And yes – that is correct, if the Internet was a simplex, one-way broadcast style medium. But it’s not! The fact there has been an article to start this discussion, censorship argues we should or should not see this article, thus encouraging or stifling any debate over it. With that concept, email is not the same as a phone call and thus should not be subject to the same regulatory logging/monitoring.

            There are already more than sufficient provisions in place for any investigative government agency to obtain “tapping” powers on people they suspect and have initial evidence for committing a crime – and this is the way it should be rather than assuming all are guilty and “combing the population” for those who may have committed a minor or major infraction.

            As someone who has been involved in the ISP industry, I can honestly say, all the government needs for successful investigation and prosecution is a log of which customers of theirs was allocated which IP address at which date and time.

            Quite simply, the Internet is a unique beast and cannot be held to the same standard as our existing laws and the concepts that were used to form those laws.

  2. One thing the AG needs to identify is if this is only for emails/VoIP calls using the ISPs own infrastructure, or for all emails/VoIP traffic passing through their network?
    And how does it quantify webmail type services where the SMTP Traffic only happens in some remote network?

    For example, if I use GMail, then the only data travelling through the ISPs network is an SSL HTTP connection.

    If I use my work email, then all our SMTP Traffic is routed over a VPN from our office to a US based spam/virus filtering service.

    In both cases, the ISP has no idea that an email has actually been sent, let alone what any of the information required (sender, recipient, etc) is.

    As for “It’s purely about being able to identify and verify identities online” – nothing to date shows how this might be achieved.
    The information an ISP can capture would only identify the account holder, not the person using the service.

    The AG needs to get the story straight, and understand the technical parts of this before he goes any further, or he risks being tarred with the same ignorant-luddite brush as Senator Conroy.

  3. I completely agree with this, Will. Of course, we have not seen any real substantive information from the Government about what they are considering here, but the EU Directive does not really seem to address the idea that email is a bit more complicated these days than simply downloading it from your ISP.

  4. How do they think they are going to track secure email transmission protocols like SMTPS, POP3S and IMAPS? I run a small hosting company (now out of the US, where it’s 20c/GB rather than $2.50/GB here) and force all customers to use secure protocols.

  5. “The directive requires telcos to record data such as the source, destination and timing of all emails”

    This would be funny if it wasn’t so facepalm. It’s a perfect example of security theatre, proposed by people who know nothing about security, terrorism, or technology.

    Here’s one trick I remember reading about on a security mailing list back in, hell, 2004 at the latest. Terrorists and nasties can bypass email source/destination checks by never sending email. They just share the password for a common account that has had its password cracked, like “johnsmith@hotmail.com” and use the Drafts folder as a maildrop. Communication among the group takes place via messages created, saved, read, and deleted in the Drafts folder. No email is ever SENT, so no source/destination/timing data is ever recorded.

    You think the Attorney-General has ever thought of this? You think he’s on any security mailing lists? No, me neither.
