“They don’t get it”: Huston slams “Village Idiot” approach on Data Retention


news Global Internet networks expert Geoff Huston this week said Australia was at risk of being positioned as the “Global Village Idiot” courtesy of the Data Retention legislation passed by the “bureaucrats” in the Government, alleging that none of the organisations in support of the policy actually understand technology.

Huston is currently Chief Scientist at the Asia Pacific Network Information Centre, where he is regarded as one of the world’s global authorities on the phenomenon of IPv4 address exhaustion, but he has also held a variety of other important roles in the history of the development of the Internet in Australia.


From 1995 to 2005, Huston was the Chief Internet Scientist at Telstra, where he helped develop the big T’s Internet offerings. Before that, he was one of the main driving forces helping to construct AARNet — the Internet network between Australia’s universities which represented one of the first actual IP-based networks with access to the Internet in Australia.

On his Potaroo blog this month (click here for the full article), Huston slammed the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015, which passed in late March this year after a protracted debate which saw the bill amended a number of times at the behest of the Australian Labor Party and substantial amendments by the Greens and a number of crossbench Senators rejected by both major parties.

The bill formally enshrines the collection of Australian telecommunications data including details of telephone calls, email and some Internet data into law, although a number of Australia’s broadband providers are still attempting to implement its detailed provisions.

On his blog, Huston wrote that with the previous Internet filter legislation pushed by the previous Labor Government, he had believed that “if the Internet represented a new Global Village then Australia was trying very hard to position itself as the Global Village Idiot.”

“And the current situation with Australia’s new Data Retention laws may well support a case for reviving that sentiment,” Huston wrote. “Between the various government agencies who pressed for this legislation, the lawyers who drafted the legislation, the politicians who advocated its adoption and the bureaucrats who are overseeing its implementation, then as far as I can tell none of them get it.”

“They just don’t understand the Internet and how it works, and they are acting on a somewhat misguided assumption that the Internet is nothing more than the telephone network for computers. And nothing could be further from the truth.”

Chief amongst Huston’s complaints regarding the legislation is what he said was its conflation of IP addresses with old-style analogue telephone numbers. The network expert noted the complexity of modern IP-based networks, and the uselessness of treating IP addresses as identification units.

“But the Australian Data Retention Laws say something has to be stored, and the bureaucrats running the Attorney General’s Office of Data Retention say something has to be stored, and the industry players are trying to understand what exactly should be stored, because in shared address-based networks there is nothing around that meets the intended requirements of this law.”

I would encourage you to read Huston’s full argument before commenting on this article. He goes into quite a bit of technical detail which informed readers will find useful to take in.

I partially agree with Huston’s comments about data retention.

On the one hand, clearly he is right — IP addresses are not the universally useful identifiers that old-style telephone numbers are. Law enforcement agencies will find it very difficult in some cases to tie individuals to these kind of “ephemeral shared tokens”, as Huston puts it. The Internet is a complex place, and not always easily simplified down. I also agree with Huston’s point regarding broadband providers being technically able to store details of your web browsing history.

However, I would also note that often, for law enforcement purposes, the Internet can be much more simple than Huston posits. It is very easy, for example, for law enforcement agencies to tie an IP address to a certain mobile phone browsing a cell tower at any given point, and IP addresses on home broadband routers often don’t change for months. Huston lives in a world of complex IP addresses — but the practice in reality of how those addresses are used can often be quite simple, even archaic.

Law enforcement organisations are very easily able to mine telecommunications data for useful outcomes — in fact, these days they depend upon it. This may get more difficult as time goes on, but I suspect this kind of data will always be useful in solving and preventing crime to some degree.

I do agree, however, with Huston’s overarching point. Often the parties to this kind of technology-related legislation don’t understand the legislation they are enacting. That much has been very clear throughout the data retention debate, and I personally believe it has resulted in a huge overreach — a policy which is disproportionate to law enforcement needs, and does not take into account significant privacy concerns. Data retention is, to some degree, needed to ensure positive law enforcement outcomes. But it should be targeted and proportionate. The current policy is not.


  1. However, I would also note that often, for law enforcement purposes, the Internet can be much more simple than Huston posits. It is very easy, for example, for law enforcement agencies to tie an IP address to a certain mobile phone browsing a cell tower at any given point, and IP addresses on home broadband routers often don’t change for months.

    If ISP’s have the right Deep Pack Packet Inspection devices in their networks and have them configured “correctly”, the amount of information they can gather about their customers internet habits would shock and surprise most ppl. Many of the ISP’s here in AUS that own DPI boxes will not admit to having them as they are afraid of getting inundated with requests from copyright cartels and law enforcement for information they’d rather ppl didnt know they can get.

  2. In the security and intelligence space, this sort of legislation only catches the lowest common denominator, the “dumb” criminals. Anyone with a passing familiarity (sheesh, high school students can bypass this) is not going to be caught by this legislation or the mechanisms that are implemented at the coal face to catch them.

    The internet is a complex place, but it’s pointless listening on an IP addrss that doesn’t change if the destination exit point for the encrypted VPN tunnel resides in another country outside of the Five Eyes (Australia, Canada, NZ, US and UK). Congratulations to our government, you’ve just deduced that this person is using a VPN … and nothing else. Have fun with that intelligence.

    In the meantime, these mechanisms foster our security and “law enforcement” (and I use that term as loosely as George Brandis likes to apply it to his list of organisations with the capability over honest Australians to be guilty until proven innocent.

    A quote relevant about metadata from Citizenfour documentary … “It tells a story about you which made up of facts, but is not necessarily true.”

    This damages honest Aussies more than it does the criminals.

  3. I’m waiting for an Ashley Madison style hack on our meta data repository.

    Imagine: Hey Renai, I can see that you’ve been visiting some seedy establishments in Sydney area that you don’t want anyone else to know about. But we know because we’ve been watching your GPS coordinates on your phone. Oh, and how about those websites you’ve been looking at for “inspiration” for some new tech stories? I’m sure that it’s not you, but it’s going to be someone’s name in there.

    I don’t have any reason to be paranoid, but that doesn’t mean that people in our society can expect anything (including geographical whereabouts) to be private anymore. Especially after the Ashley Madison hack.

    • As has been observed before, the data retention legislation mandates the creation of massive repositories of metadata that will be intensely attractive to criminal hackers.

      And, of course, as we’ve seen over the last few years, there’s no such thing as absolute security. In other words, sooner or later our metadata WILL be stolen.

    • Front page news on one of Murdoch’s papers, Murdoch who just happens to be in partnership with Telstra with Foxtel…

      …the link is too close, his publications have been proven to abuse such data in the past.

      What protections do we have?

  4. I would have thought canceling a FttP rollout in favor of going backwards with a FttN patchwork would have already positioned Australia as the “Global Village Idiot” complete with a “Village Idiot” for Prime minister but whatever…

    • I think we actually became the village idiot when Abbott walked into the PMs office.

  5. My feeling on this is growing problem is that bad information is actually useful in creating misinformation. Garbage in, garbage out. The data will be useful for catching children and naive people. We can fill up our court system with minor players. Meanwhile, we have a feeling like we are somehow safer, despite putting valuable resources into this effort that would be better spent on research and development or at least reducing our Internet bills. The hundreds of millions of dollars per year for retention alone could be used reduce crime; instead, it will be used to generate data that requires high paid analysts to justify the huge expenses whose only job will be to make more Australians appear guilty, thus justifying further reductions of civil liberties. This data will be much more useful for things like determining voting preferences than criminal intentionality, with great potential for misuse.

    • Exactly.

      Metadata is useless without context. That’s why HUMINT (Human Intelligence) is so valuable in law enforcement. It can provide both data and context. Metadata gathering on it’s own cannot prove criminal activity which in itself could also be argued that you don’t need to “prove” anything, just convince a jury. See where this leads? Guilty until proven innocent. Justify tighter controls. If abused, it can be a classic tool to create and foster a fear mentality.

      Frightening (wry cynical humour intended).

      • It seems like you’re both devoting an awful lot of effort to thinking of creative reasons why data retention can’t work, and almost no effort to thinking of creative ways to solve those problems. Do you really think that the police, intelligence agencies and prosecutors who argued for data retention aren’t aware of the limits and value of metadata to their investigations?

        To give a single insanely obvious example: HUMINT is obviously incredibly risky and expensive to pull off. How do you think they decide a) who might be worth targeting for a HUMINT operation and b) how to approach that operation? It just might be the case that the police can use metadata to figure out who is who inside a criminal gang, and whether they can or can’t just tap their phones to get the evidence they need, before they decide to try to spend years infiltrating the gang…

        • Let me clarify then.

          I have never stated that data retention isn’t useful. It is. But you have to question it’s usefulness when even the average person knows enough to get around it easily. It becomes a solution that everyone knows about and circumvents … which doesn’t make it a solution (or even a useful tool) at all.

          Data retention can work. But data retention on those not suspected of any criminal wrongdoing is not law enforcement. Data retention as a tool, specifically a scalpel, is valuable. Particularly so when coupled with more traditional means of gathering intelligence like HUMINT. Data retention under this implementation … as a shotgun, is wide open to abuse from the agencies using it, due to the lack of oversight that this scheme allows.

          It’s the classic argument of “If you’ve got nothing to hide, you shouldn’t mind being under surveillance.”. Let me quote a splendid fella, who also happens to be one of the eminent cryptographers.

          “Too many wrongly characterize the debate as “security versus privacy.” The real choice is liberty versus control.” – Bruce Schneier

        • i would suggest the data retention laws will actually result in hindering law enforcement agencies as everyone is now aware that their communications are being monitored & stored as well as the growing wealth of info online this has generated on how to defeat this surveillance.

      • I don’t think you’re aware of how much actual data they’re harvesting. You can use meta-data to provide context to other meta-data. Hey you were on “XYZ” website and then you made a trip to the red light district. No specialist law enforcement HUMINT to provide context on that one.

        But hey, why are we collecting that information on ALL individuals anyway? Go use your HUMINT to get a warrant.

  6. The whole data retention thing, especially when combined with the debacle of the Border Farce operation that wanted to turn Melbourne into Budapest c 1935, should alarm people.

  7. You’re very bold (and either arrogant or naive) if you claim to know how the Internet works better than Geoff Huston does, or that he “lives in a world of complex IP addresses”. The addresses he deals with (actually he doesn’t really deal with them, that is what other people at APNIC do – he just measures them), are just as simple or complex as the ones the rest of us deal with.

    So here is a test to see if you’re in Geoff’s league (or are even in the league of many others who aren’t in Geoff’s league). Describe what a CGN does and why it makes metadata retention much harder.

    • That said, Geoff’s own argument is a bit tricky – his entire argument on CGN rests on this assumption: “in order to retain something the temptation will be to retain the complete log from the network address sharing unit.” In other words, in order to comply with their limited duty, carriers will voluntarily go far further and commit far greater privacy intrusions than they are legally required, or even technologically obliged to.

      I’m not sure you can pin that on the Government.

    • Mr Shark I know I know what it is
      CGN or Cingulin, a human gene located on Chromosome 1
      Did I pass……

  8. As Parliament was debating meta data retention and allocation of IP addresses I did wonder how it would work with CGNAT and smiled to myself at the volume of data thinking ‘careful what you ask for’.

    However, reading the data set its not explicitly stated which IP address is to be retained. Does it mean the public or private ISP network address in the case of CGNAT. It simply refers to the one allocated to the customer. I guess that would be straightened out when ISPs had to submit their plans in August

    If CGNAT logs are to be kept then won’t this add further impetus to ISPs rolling out IPv6 in order to reduce IPv4 traffic load for both CGNAT resources and meta data acquisition and storage.

    Geoff Huston didn’t discuss the diminishing need for CGNAT as time goes on. Nor the desirability of end to end global addressing to enable full participation. Client server is restrictive. Participation of peers is the original internet concept that has been obstructed by NAT/PAT. We have forgotten that the internet was broken with NAT/PAT since it was introduced so early in most peoples experience. The opportunity that IPv6 brings for global addressing of every device will set us free…… That may be a digression, but a glaring omission from the view of Geoff Huston as expressed for the ‘no need’ of identified end points.

  9. As with the opinion/analysis I partially agree with Huston’s comments about data retention.

    For your ‘average’ lawbreaker its a generalization but they are normally not the sharpest tools in the toolbox so they are VERY easy to track down, match their IP with their activity’s ect.

    however the people this legislation is suppose to be there to track (terrorists/paedophiles ect) are generally much more tech savvy. Terrorists are not a bunch of uneducated men sitting in a Cave with RPG’s they have highly skilled hackers and engineers building systems that make it near impossible to track their online activity under the data retention scheme. So while it will work in some cases in others its as useful as a screwdriver when you have a nail.

  10. Geoff Huston’s technical analysis is good. Where it does not stand up is assuming the motive behind this is to catch criminals. In fact it is a part of an election campaign.

    Australian politics in the last decade has been all about getting elected at all costs. Just look at how many proposals there have been that are easily worked around. Labor had its filter against porn that even school children had the technical skills to bypass. The Coalition has had a series of schemes supposedly to stop copyright theft, to catch terrorists, etc. Again, hardly any skill needed to bypass them.

    The proof that these proposals are not serious are that the ministers involved have acknowledged that they can be easily bypassed.

    Instead, they are policies that look good to the media and the vast majority of untechnical (and unthinking) Australians. It does not matter whether they work, whether they are practical, or whether they severely impinge on the privacy of Australian citizens. If they increase uncertainly and create fear, that’s great, especially for the conservative side of politics. Witness, for example, the request from a Coalition committee for a security-related press release every week until the election.

    So yes, Geoff is right technically, just wrong in assuming they mean what they say.

Comments are closed.