Technology blog Gizmodo yesterday published an article regarding the Federal Government’s controversial Data Retention policy which draws false conclusions that could lead those taking the article’s advice to have their data captured by this and other electronic surveillance schemes.
The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 passed the Federal Parliament in March this year. For the first time, it forces Australian telcos and Internet service providers to retain comprehensive records on their customers’ Internet and telephone habits for a period of two years.
Even for major telcos such as Telstra, which were already retaining large amounts of data about their customers, the scheme significantly expands the amount and type of data which will be held compared to the telcos’ previous records.
In the article, writer Lance E. McDonald notes that he works as a software developer for an Internet service provider in Australia. McDonald makes a number of claims in the article and draws specific conclusions regarding the legislation.
Notably, McDonald writes that the only information ISPs will retain will be logs pertaining to when customers ‘reboot their modem’ — in essence, data pertaining to their IP address. With respect to web browsing logs, McDonald notes that ISPs are not required to store these kinds of logs, but also claims that it would not matter in any case, because “Most of this data is impossible to retain, though, as most communication services online now are encrypted with SSL, through which your provider can’t see.”
McDonald also makes the claim that “not much is changing” with respect to telcos’ action to record customers’ telephone calls and SMS messages. “The only new requirement is that the data is now kept for two years,” he wrote.
The writer also makes a number of other claims, such as the idea that the data retained under the Data Retention laws will largely only be used in child pornography cases, and that the majority of Internet service providers “already met their data retention obligations years ago”.
However, a number of the claims made and conclusions drawn by McDonald are demonstrably false, and following the writer’s recommendations would likely lead Australians to have their data retained under the Data Retention policy.
For example, McDonald is correct in that the Data Retention policy requires ISPs to store logs of when their customers were connected to the Internet, at what time, using what IP address, and for how long. It is true that some ISPs were already storing this information.
However, the writer does not make clear that many ISPs, especially smaller ISPs, were not previously storing some or all of this information, and not all ISPs were storing this information for two years. This is made clear by the fact that most Australian ISPs will need to invest substantially in new tracking and storage infrastructure to keep this information. In addition, many ISPs will be storing a great deal more information by default than McDonald’s employer will be.
Contrary to McDonald’s claims, last week industry association the Communications Alliance released the results of a survey showing that almost no ISPs are already compliant with the Data Retention legislation.
The fact that all ISPs will now be required to store this information means that law enforcement agencies will now be able to request this information from any company. Most agency requests have previously gone through a major provider such as Telstra; the diversification of the industry is one reason the legislation was drafted.
While ISPs will not be required to store web browsing logs under the scheme, law enforcement authorities will be able to use the information to determine whether a certain customer was visiting a website at a certain time, by using the logs of IP addresses which are kept by default by many websites and matching those to IP addresses now held by ISPs.
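The matching described above, as an added example that is not part of the original article: a website's default access log is joined against ISP session records on IP address and time. All records, account names and addresses (documentation ranges) are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample data, not real records. Account names are hypothetical.
# ISP side: which account held which IP address, and for how long.
ISP_SESSIONS = [
    # (account, ip, session_start, session_end)
    ("acct-1001", "203.0.113.7", "2015-10-13T08:00:00Z", "2015-10-13T11:30:00Z"),
    ("acct-2002", "203.0.113.7", "2015-10-13T11:45:00Z", "2015-10-13T19:00:00Z"),
    ("acct-3003", "203.0.113.9", "2015-10-13T07:00:00Z", "2015-10-13T23:00:00Z"),
]

# Website side: an access log in common log format, as many servers keep by default.
WEB_LOG = """\
203.0.113.7 - - [13/Oct/2015:09:15:02 +0000] "GET /forum/thread/42 HTTP/1.1" 200 5120
203.0.113.7 - - [13/Oct/2015:11:40:10 +0000] "GET /forum/thread/42 HTTP/1.1" 200 5120
203.0.113.7 - - [13/Oct/2015:12:05:44 +0000] "GET /contact HTTP/1.1" 200 1024
198.51.100.20 - - [13/Oct/2015:12:06:00 +0000] "GET / HTTP/1.1" 200 2048
"""

def parse_iso(ts):
    """Parse the ISP-side UTC timestamp."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log_line(line):
    """Return (client_ip, request_time, path) from one access-log line."""
    ip, rest = line.split(" ", 1)
    stamp = rest[rest.index("[") + 1 : rest.index("]")]
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    path = rest.split('"')[1].split(" ")[1]
    return ip, when, path

def attribute_requests(web_log, sessions):
    """Match each request to the account holding that IP at that moment."""
    results = []
    for line in web_log.splitlines():
        ip, when, path = parse_log_line(line)
        holders = [acct for acct, s_ip, start, end in sessions
                   if s_ip == ip and parse_iso(start) <= when <= parse_iso(end)]
        # None: the address was unassigned then, or belongs to another ISP.
        results.append((path, when.isoformat(), holders[0] if holders else None))
    return results

if __name__ == "__main__":
    for row in attribute_requests(WEB_LOG, ISP_SESSIONS):
        print(row)
```

The same address resolves to two different accounts depending on the timestamp, which is why the retained records cover connection times and durations as well as the IP address itself.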
Furthermore, some telcos, such as Telstra, have shown that they do store some information about customers’ web browsing habits, and that they have handed over that information to law enforcement agencies upon request without a warrant.
McDonald argues that this information will only be used by law enforcement agencies to tackle child pornography, but this is not true. Law enforcement agencies have openly stated that they use access to metadata in virtually every serious crime case in Australia — and especially those dealing with suspected crimes of terrorism.
In addition, other agencies such as the Australian Taxation Office have already requested that they be given access to the data stored under the Data Retention scheme. The Australian Border Force, which conducts Australia’s Customs and Immigration operations, has already been added to the list of agencies who can access the data. The Department of Human Services — which runs Centrelink — will likely be one agency which will request access to the data in future, as it has used metadata extensively in the past.
Furthermore, McDonald’s claim that all telcos were already storing other types of data — such as data pertaining to customers’ physical location when making mobile telephone calls or using mobile data — is also not true. Most of the major telcos — Telstra, Optus, Vodafone etc — were previously storing this data. However, not all other mobile telcos were storing anywhere near as complete a dataset about customers’ mobile access as the big telcos. Now they will be.
McDonald’s claim that most communications services are encrypted through SSL is false, with SSL encryption continuing to be optional in many cases for many messaging services, and most websites not yet fully utilising encryption technology.
It is believed that the writer’s claim that offshore email services such as Gmail and Outlook.com are not covered by the Data Retention scheme is correct, but whistleblowers such as Edward Snowden have made clear that the US Government is able to extract data from such services on demand and provide it to Australian authorities. The US Government is currently fighting a lawsuit to be able to extract data from such services even if they are based in other countries such as Ireland.
Reading the comments under McDonald’s article on Gizmodo yesterday, it is apparent that many people are suspicious of what the developer wrote, and I can’t blame them.
There are many grains of truth in McDonald’s words. He clearly has a good technical grip on many aspects of the Data Retention legislation. However, he has comprehensively missed the bigger picture with relation to the legislation, painting it as something that won’t impact Australians.
The truth is that the way the Data Retention policy was written means that — when combined with the efforts of the US Government — it will effectively allow Australian law enforcement authorities access to key pieces of data about all Australians’ telecommunications on demand. Accessing web browsing history will not be as easy as other forms of data, but it will still often be possible.
The only way to protect yourself from being indiscriminately targeted by this access is to actively take steps such as avoiding the use of SMS messages, funnelling your web browsing through a virtual private network and avoiding major corporations for your email providers. And even these steps will not comprehensively protect you … at a bare minimum, it is very difficult to protect the details of your mobile access or telephone calls from being logged.
It’s also important to note that you absolutely do not need to have something to hide to worry about being tracked by the Data Retention legislation. There have been many cases documented in Australia and overseas where law enforcement agencies have conducted ‘fishing’ expeditions on retained metadata to determine what completely innocent people have been up to.
The most ludicrous examples in Australia have included cases where a police academy has accessed metadata to try and determine whether cadets were engaging in sexual liaisons. We’re sure to see more examples of this nature as the scheme is implemented over the next few years.
Then, too, there are specific situations — such as the confidentiality of the relationship between a lawyer and a client, or a psychologist or sexual health practitioner and a client — that need to be protected for privacy reasons. The Data Retention legislation will not provide any protection in these situations.
It is for all of these reasons that the Data Retention policy was opposed almost universally, by hundreds of different organisations ranging from lawyers’ societies to the Institute for Public Affairs. The only organisations supporting the legislation are law enforcement agencies.
I would urge McDonald to take a closer look at the reality of the Data Retention situation. He may find it quite a bit more disturbing than he had previously thought. I would also urge Gizmodo to think carefully before publishing this kind of article again.