news
Technology blog Gizmodo yesterday published an article on the Federal Government’s controversial Data Retention policy that draws false conclusions, which could lead those taking the article’s advice to have their data captured by this and other electronic surveillance schemes.
The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 passed the Federal Parliament in March this year. For the first time, it forces Australian telcos and Internet service providers to retain comprehensive records on their customers’ Internet and telephone habits for a period of two years.
Even for major telcos such as Telstra, which were already retaining large amounts of data about their customers, the scheme significantly expands the amount and type of data which will be held compared to the telcos’ previous records.
In the article, writer Lance E. McDonald notes that he works as a software developer for an Internet service provider in Australia. McDonald makes a number of claims in the article and draws specific conclusions regarding the legislation.
Notably, McDonald writes that the only information ISPs will retain will be logs pertaining to when customers ‘reboot their modem’ — in essence, data pertaining to their IP address. With respect to web browsing logs, McDonald notes that ISPs are not required to store these kinds of logs, but also claims that it would not matter in any case, because “Most of this data is impossible to retain, though, as most communication services online now are encrypted with SSL, through which your provider can’t see.”
McDonald also makes the claim that “not much is changing” with respect to telcos’ action to record customers’ telephone calls and SMS messages. “The only new requirement is that the data is now kept for two years,” he wrote.
The writer also makes a number of other claims, such as the idea that the data retained under the Data Retention laws will largely only be used in child pornography cases, and that the majority of Internet service providers “already met their data retention obligations years ago”.
However, a number of the claims made and conclusions drawn by McDonald are demonstrably false, and following the writer’s recommendations would likely lead Australians to have their data retained under the Data Retention policy.
For example, McDonald is correct in that the Data Retention policy requires ISPs to store logs of when their customers were connected to the Internet, at what time, using what IP address, and for how long. It is true that some ISPs were already storing this information.
However, the writer does not make clear that many ISPs, especially smaller ISPs, were not previously storing some or all of this information, and not all ISPs were storing this information for two years. This is made clear by the fact that most Australian ISPs will need to invest substantially in new tracking and storage infrastructure to keep this information. In addition, many ISPs will be storing a great deal more information by default than McDonald’s employer will be.
Contrary to McDonald’s claims, last week industry association the Communications Alliance released the results of a survey showing that almost no ISPs are already compliant with the Data Retention legislation.
The fact that all ISPs will now be required to store this information means that law enforcement agencies will now be able to request this information from any company. Most agency requests have previously gone through a major provider such as Telstra; the diversification of the industry is one reason the legislation was drafted.
While ISPs will not be required to store web browsing logs under the scheme, law enforcement authorities will be able to use the information to determine whether a certain customer was visiting a website at a certain time, by using the logs of IP addresses which are kept by default by many websites and matching those to IP addresses now held by ISPs.
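The matching described above, sketched as an added example (not code from the article, an ISP or any agency): each hit in a website's access log is joined to the ISP's retained IP-assignment sessions by address and timestamp. The log lines, session records, addresses and subscriber labels are all constructed; the last hit stands for traffic from an address outside this ISP's records, such as a VPN exit.

```python
import re
from bisect import bisect_right
from datetime import datetime

# Constructed ISP retention records: (assigned IP, session start, session end, subscriber).
ISP_SESSIONS = [
    ("203.0.113.7", "2015-10-13T01:00:00+00:00", "2015-10-13T09:30:00+00:00", "subscriber-A"),
    ("203.0.113.7", "2015-10-13T09:45:00+00:00", "2015-10-13T23:00:00+00:00", "subscriber-B"),
    ("198.51.100.20", "2015-10-13T00:00:00+00:00", "2015-10-14T00:00:00+00:00", "subscriber-C"),
]

# Constructed web server access log (Common Log Format), as kept by default by many sites.
WEB_LOG = [
    '203.0.113.7 - - [13/Oct/2015:08:15:02 +0000] "GET /forum/thread/42 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [13/Oct/2015:09:40:00 +0000] "GET /forum/thread/42 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [13/Oct/2015:10:05:30 +0000] "GET /forum/thread/43 HTTP/1.1" 200 4800',
    '192.0.2.99 - - [13/Oct/2015:10:06:00 +0000] "GET /forum/thread/43 HTTP/1.1" 200 4800',
]

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def build_index(sessions):
    """Group sessions by IP, sorted by start time, for interval lookup."""
    index = {}
    for ip, start, end, sub in sessions:
        index.setdefault(ip, []).append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end), sub))
    for rows in index.values():
        rows.sort()
    return index

def attribute(index, ip, when):
    """Return the subscriber holding `ip` at `when`, or None if no session covers it."""
    rows = index.get(ip, [])
    pos = bisect_right([r[0] for r in rows], when) - 1
    if pos >= 0 and when <= rows[pos][1]:
        return rows[pos][2]
    return None

def correlate(log_lines, sessions):
    """Match each web log hit to an ISP subscriber via (IP, timestamp)."""
    index = build_index(sessions)
    out = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue  # skip malformed lines
        ip, ts, path = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        out.append((path, ts, attribute(index, ip, when)))
    return out

if __name__ == "__main__":
    for path, ts, sub in correlate(WEB_LOG, ISP_SESSIONS):
        print(f"{ts}  {path:18}  {sub or 'no match in ISP records'}")
```

The same address resolves to two different subscribers depending on the time of the hit, and to nobody in the gap between sessions, which is why the retained session start and end times matter as much as the IP address itself.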
Furthermore, some telcos, such as Telstra, have shown that they do store some information about customers’ web browsing habits, and that they have handed over that information to law enforcement agencies upon request without a warrant.
McDonald argues that this information will only be used by law enforcement agencies to tackle child pornography, but this is not true. Law enforcement agencies have openly stated that they use access to metadata in virtually every serious crime case in Australia — and especially those dealing with suspected crimes of terrorism.
In addition, other agencies such as the Australian Taxation Office have already requested that they be given access to the data stored under the Data Retention scheme. The Australian Border Force, which conducts Australia’s Customs and Immigration operations, has already been added to the list of agencies who can access the data. The Department of Human Services — which runs Centrelink — will likely be one agency which will request access to the data in future, as it has used metadata extensively in the past.
Furthermore, McDonald’s claim that all telcos were already storing other types of data — such as data pertaining to customers’ physical location when making mobile telephone calls or using mobile data — is also not true. Most of the major telcos — Telstra, Optus, Vodafone etc — were previously storing this data. However, not all other mobile telcos were storing anywhere near as complete a dataset about customers’ mobile access as the big telcos. Now they will be.
McDonald’s claim that most communications services are encrypted through SSL is false, with SSL encryption continuing to be optional in many cases for many messaging services, and most websites not yet fully utilising encryption technology.
It is believed that the writer’s claim that offshore email services such as Gmail and Outlook.com are not covered by the Data Retention scheme is correct, but whistleblowers such as Edward Snowden have made clear that the US Government is able to extract data from such services on demand and provide it to Australian authorities. The US Government is currently fighting a lawsuit to be able to extract data from such services even if they are based in other countries such as Ireland.
opinion/analysis
Reading the comments under McDonald’s article on Gizmodo yesterday, it is apparent that many people are suspicious of what the developer wrote, and I can’t blame them.
There are many grains of truth in McDonald’s words. He clearly has a good technical grip on many aspects of the Data Retention legislation. However, he has comprehensively missed the bigger picture with relation to the legislation, painting it as something that won’t impact Australians.
The truth is that the Data Retention policy was written in such a way that — when combined with the efforts of the US Government — it will effectively allow Australian law enforcement authorities access to key pieces of data about all Australians’ telecommunications on demand. Accessing web browsing history will not be as easy as other forms of data, but it will still often be possible.
The only way to protect yourself from being indiscriminately targeted by this access is to actively take steps such as avoiding the use of SMS messages, funnelling your web browsing through a virtual private network and avoiding major corporations for your email providers. And even these steps will not comprehensively protect you … at a bare minimum, it is very difficult to protect the details of your mobile access or telephone calls from being logged.
It’s also important to note that you absolutely do not need to have something to hide to worry about being tracked by the Data Retention legislation. There have been many cases documented in Australia and overseas where law enforcement agencies have conducted ‘fishing’ expeditions on retained metadata to determine what completely innocent people have been up to.
Some of the most ludicrous examples in Australia have included cases where a police academy has accessed metadata to try to determine whether cadets were engaging in sexual liaisons. We’re sure to see more examples of this nature as the scheme is implemented over the next few years.
Then, too, there are specific situations — such as the confidentiality of the relationship between a lawyer and a client, or a psychologist or sexual health practitioner and a client — that need to be protected for privacy reasons. The Data Retention legislation will not provide any protection in these situations.
It is for all of these reasons that the Data Retention policy was opposed almost universally, by hundreds of different organisations ranging from lawyers’ societies, to the Institute for Public Affairs. The only organisations supporting the legislation are law enforcement agencies.
I would urge McDonald to take a closer look at the reality of the Data Retention situation. He may find it quite a bit more disturbing than he had previously thought. I would also urge Gizmodo to think carefully before publishing this kind of article again.
Have read it too. Even though there are some grains of truth to it, there are some facts where it appears he hasn’t even listened to Turnbull or Brandis talking about it, or even read the document.
Wow. Look at the comments. So many people DEFENDING this BS!
One thing that I have never had explained to me is this:
I have my email client open. [Thunderbird]
I have a VPN already on.
I send an email through the client using my ISP’s email.
Is my email encrypted and what can my ISP see of it etc? I have trawled through dozens of privacy forums and articles and I’ve never had that answered. Could I get an answer, please?
No, your email is not encrypted, and your ISP can see everything.
Your email goes through your ISP’s mail server, e.g. BigPond’s old server was mail.bigpond.com; now they use Outlook servers. The only way is to use Gmail or Yahoo, where all the ISP can see is, e.g., that you have connected to Yahoo or, with a VPN, only where you have tunnelled to.
Andrew, in your scenario regardless of the encryption you use in transmission, the ISP can “see” all your email while it is stored on their Server, in the case of POP and SMTP – when executing the sending and receiving processes. Even if the ISP uses encryption on their mail storage, the mail servers still need to be able to unencrypt your email to be able to process it so that means the ISP can see it.
2 important encryption concepts here; the encryption of data in transit (DIT) and data at rest (DAR). By using a VPN or using encrypted settings for POP/IMAP/SMTP you are only encrypting the information as it leaves your computer and arrives at the end of the VPN tunnel or at the mail server respectively.
Since we know encryption of DAR doesn’t matter regardless of Australian ISP, to avoid data retention, you will need to use an email platform outside of Australia, such as Gmail, etc – keeping in mind that some of these companies have legal (and somewhat in the grey) agreements with the NSA or other National Intel org to provide information upon request.
More to the point – why care?
Do a proper analysis: You have 4 potential security levels to classify your email as:
– totally innocent
– potentially embarrassing
– private, confidential, commercially valuable
– revolutionary, criminal, terrorist plans
1. Who cares if it’s encrypted and who sees it? Nobody.
2. Ensure nobody else can log into your email account. Ensure your ISP has reliable security/privacy practices.
3. Ensure it is encrypted from the client end all the way to the server. Do not use Tor, VPN or any other service where you introduce an unknown, anonymous, and very likely dodgy foreign middle-man who will have access to it and who will readily make it available if leaned on by their government/criminal gangs or if they skimp on security and get hacked a la Ashley Madison. Ensure your ISP is reliable, secure, and constrained by proper security and privacy laws, i.e., is based onshore not in some dodgy foreign country.
4. Do not use any Telecommunications service whatever to send this kind of material. Nothing you do will save you. Do not even wander around with a mobile in your pocket, because they will use that to track you and send in the drone strike.
And just as an addendum to that, we also have non-criminal email that should be classified as Level4 – eg, journalists communicating with sources, whistleblowers.
Most material I have read by journalists on this issue reveals the vast majority of them do not understand how to properly secure their communications.
Here’s the thing: unless you are highly trained in techniques used to secure your comms, then assume everything you do is observed. So do not use email or the telephone to communicate with whistleblowers.
As soon as I read that your IP address is only recorded when your modem connects, I stopped reading. It was my understanding that every time you send a data packet, the IP address is recorded. This information might be condensed to simply an IP address, time and length of connection. In some cases the location is recorded too. You can get a pretty good idea of what people are doing just on this information.
If this isn’t the case, as that article seems to argue, then what have Brandis and Turnbull been talking about this past year?
It’s totally unfeasible to capture packet level logging (individual IP interactions) across all users. The sheer volume of data couldn’t be managed in any workable sense. For an ISP to store, maintain and provide access to this much data for all users won’t be happening.
Nothing to say this can’t be done in a limited sense (target a specific IP for a shorter duration of time) though.
It’s not actually as much data as you would think. Instead of recording the time and destination of every packet, they simply condense the data. So for example, they record the initial time, location (if mobile) and address, then each subsequent packet to the same destination simply adjusts the duration data. So you end up with a couple hundred bytes of data per accessed address. There’s probably all sorts of things that can be done to further condense the data. As Brandis so eloquently pointed out, this is already implemented to varying extents in many ISPs (they use similar processes to track your metered usage of data).
The concepts of “packets” and “duration” are not compatible. Your imagination does not reflect any reality.
Data Retention does not mandate or sanction logging of packets, and no ISP could afford to do so anyway.
Packets *are* logged however if you are the target of an Interception warrant.
A lot of the confusion stems from people mixing up Interception with Data Retention.
He is obviously trying to simplify it. He obviously means every time you “reconnect” – that is, every time you get an IP address (the same one as before or a different one).
All ISPs can supply the details of the customer who was using an IP address when given a date and time – and have been supplying this information to agencies for many years (the IP address having been obtained in some other investigation).
And no – they have never needed a warrant to obtain this information.
Spot on.
Despite being worded to appear as if it is taking an opposite stance to Lance McDonald’s piece, this article in fact confirms that what he wrote is correct.
And one of the opening sentences in this article is both incorrect and clearly designed to promote FUD:
“For the first time, it forces Australian telcos and Internet service providers to retain comprehensive records on their customers’ Internet and telephone habits for a period of two years.”
This is completely wrong. There is no “first” about this, as many of the subsequent links in the article demonstrate: ever since the 1979 Telecomms Act, Data Retention in the same form as this new Act has been a reality.
It is also clear that this new Act is no different to the 1979 Act in terms of *NOT* having anything to do with “internet…habits”, because Data Retention is nothing to do with “habits”, only about connections to your service. (Unless your weekly router reboot is a “habit” – either way, using the word “habit” clearly implies that your internet traffic is being targeted which is a deliberately false implication).
I feel he has totally missed the point & doesn’t see the danger this system will bring in.
To me the risk for scope creep, issues from things being taken out of context or just general misuse are far too high to justify the benefits. How will people be covered against ISP mistakes? (ISP logging error means somebody is caught up in a copyright lawsuit), how will people be covered against things being taken out of context? (research illegal drugs for a school project, get a visit from police), what’s to stop the data being used for additional purposes? (credit score affected by online habits)
If the government was serious about doing this properly they would have done it properly. Explain it properly, set it up with proper funding and run it independently & transparently. To me the fact they haven’t done this is quite telling of their intentions.
It’s the standard “if you have nothing to hide” red herring defence.
It lost all credibility for me when the opinion piece started to say “oh it’s only used for ‘x’ scenarios anyway on his experience”.
Sorry mate, I’ve been in a country under martial law before the country eventually got back to having a semblance of a democracy and I shudder to think the extent of scope abuse if they had this system back then. I’m not prone to tin-foil hat thinking but at the same time I am realistic enough to realise just how stupidly optimistic it is to assume that such a huge system will never ever be abused ever…
Data Retention has been a reality in Australia since the 1979 Telecomms Act.
Tin-foil hat on or off will make no difference: bet you can’t demonstrate any sinister “scope-creep” over that 36-year period.
Internode has had UDR already implemented since Internode was born.
Which does pretty much what the article says