1. Was read it too even though there are some grain of true to it. But then there are some facts which appears he hasn’t even listen to Turnbull or Brandis talking about or even read the document

  2. One thing that I have never had explained to me is this:

    I have my email client open. [Thunderbird]
    I have a VPN already on.
    I send an email through the client using my ISP’s email.

    Is my email encrypted and what can my ISP see of it etc? I have trawled through dozens of privacy forums and articles and I’ve never had that answered. Could I get an answer, please?

    • Your email goes through your ISP mail server eg BigPond old server was mail.bigpond.com now try use outlook servers. The only way is to use gmail or yahoo which all the ISP can see eg that you have connected to yahoo or with a vpn only where you have tunnelled to.

    • Andrew, in your scenario regardless of the encryption you use in transmission, the ISP can “see” all your email while it is stored on their Server, in the case of POP and SMTP – when executing the sending and receiving processes. Even if the ISP uses encryption on their mail storage, the mail servers still need to be able to unencrypt your email to be able to process it so that means the ISP can see it.

      2 important encryption concepts here; the encryption of data in transit (DIT) and data at rest (DAR). By using a VPN or using encrypted settings for POP/IMAP/SMTP you are only encrypting the information as it leaves your computer and arrives at the end of the VPN tunnel or at the mail server respectively.

      Since we know encryption of DAR doesn’t matter regardless of Australian ISP, to avoid data retention, you will need to use an email platform outside of Australia, such as Gmail, etc – keeping in mind that some of these companies have legal (and somewhat in the grey) agreements with the NSA or other National Intel org to provide information upon request.

    • More to the point – why care?
      Do a proper analysis: You have 4 potential security levels to classify your email as:
      – totally innocent
      – potentially embarrassing
      – private, confidential, commercially valuable
      – revolutionary, criminal, terrorist plans

      1. Who cares if it’s encrypted and who sees it? Nobody.
      2. Ensure nobody else can log into your email account. Ensure your ISP has reliable security/privacy practices
      3. Ensure it is encrypted from the client end all the way to the server. Do not use ToR, VPN or any other service where you introduce an unknown, anonymous, and very likely dodgy foreign middle-man who will have access to it and who will readily make it available if leaned on by their government/criminal gangs or if they skimp on security and get hacked a la Ashley Madison. Ensure your ISP is reliable, secure, and constrained by proper security and privacy laws, ie, is based onshore not in some dodgy foreign country.
      4. Do not use any Telecommunications service whatever to send this kind of material. Nothing you do will save you. Do not even wander around with a mobile in your pocket, because they will use that to track you and send in the drone strike.

      • And just as an addendum to that, we also have non-criminal email that should be classified as Level4 – eg, journalists communicating with sources, whistleblowers.
        Most material I have read by journalists on this issue reveal the vast majority of them do not understand how to properly secure their communications.
        Here’s the thing: unless you are highly trained in techniques used to secure your comms, then assume everything you do is observed. So do not use email or the telephone to communicate with whistleblowers.

  3. As soon a i read that your IP address is only recorded when your modem connects, i stopped reading. It was my understanding that every time you send a data packet, the IP address is recorded. This information might be condensed to simply an IP address, time and length of connection. In some cases the location is recorded too. You can get a pretty good idea of what people are doing just on this information.

    If this isn’t the case, as that article seems to argue, then what have Brandis and Turnbull been talking about this past year?

    • It’s totally unfeasible to capture packet level logging (individual IP interactions) across all users. The sheer volume of data couldn’t be managed in any workable sense. For an ISP to store, maintain and provide access to this much data for all users won’t be happening.

      Nothing to say this can’t be done in a limited sense (target a specific IP for a shorter duration of time) though.

      • Its not actually as much data as you would think. Instead of recording the time and destination of every packet, they simply condense the data. So for example, they record the initial time, location (if mobile) and address, then each subsequent packet to the same destination simply adjusts the duration data. So you end up with a couple hundred bytes of data per accessed address. There’s probably all sorts of things that can be done to further condense the data. As Brandis so eloquently pointed out this is already implemented to varying extents in many ISPs (they use similar processes to track your metered usage of data).

        • The concepts of “packets” and “duration” are not compatible. Your imagination does not reflect any reality.
          Data Retention does not mandate or sanction logging of packets, and no ISP could afford to do so anyway.
          Packets *are* logged however if you are the target of an Interception warrant.
          A lot of the confusion stems from people mixing up Interception with Data Retention.

    • He is obviously trying to simplify it. He obviously means every time you “reconnect” – that is, every time you get an IP address (the same one as before or a different one).

      All ISPs can supply the details of the customer who was using an IP address when given a date and time – and have been supplying this information to agencies for many years (the IP address having been obtained in some other investigation.

      And no – they have never needed a warrant to obtain this information.

      • Spot on.
        Despite being worded to appear as if it is taking an opposite stance to Lance McDonald’s piece, this article in fact confirms that what he wrote is correct.
        And one of the openeing sentences in this article is both incorrect and clearly designed to promote FUD:
        “For the first time, it forces Australian telcos and Internet service providers to retain comprehensive records on their customers’ Internet and telephone habits for a period of two years.”
        This is completely wrong. There is no “first” about this, as many of the subsequent links in the article demonstrate: ever since the 1979 Telecomms Act, Data Retention in the same form as this new Act has been a reality.
        It is also clear that this new Act is no different to the 1979 Act in terms of *NOT* having anything to do with “internet…habits”, because Data Retention is nothing to do with “habits”, only about connections to your service. (Unless your weekly router reboot is a “habit” – either way, using the word “habit” clearly implies that your internet traffic is being targeted which is a deliberately false implication).

  4. I feel he has totally missed the point & doesn’t see the danger this system will bring in.

    To me the risk for scope creep, issues from things being taken out of context or just general misuse are far too high to justify the benefits. How will people be covered against ISP mistakes? (ISP logging error means somebody is caught up in a copyright lawsuit), how will people be covered against things being taken out of context? (research illegal drugs for a school project, get a visit from police), what’s to stop the data being used for additional purposes? (credit score affected by online habits)

    If the government was serious about doing this properly they would have done it properly. Explain it properly, set it up with proper funding and run it independently & transparently. To me the fact they haven’t done this is quite telling of their intentions.

    • It’s the standard “if you have nothing to hide” red herring defence.

      It lost all credibility for me when the opinion piece started to say “oh it’s only used for ‘x’ scenarios anyway on his experience”.

      Sorry mate I’ve been in a country under marshal law before the country eventually got back to having a semblance of a democracy and I shudder to think the extent of scope abuse if they had this system back then. I’m not prone to tin-foil hat thinking but at the same time I am realistic enough to realise just how stupidly optimistic it is to assume that such a huge system will never ever be abused ever…

      • Data Retention has been a reality in Australia since the 1979 Telecomms Act.
        Tin-foil hat on or off will make no difference: bet you can’t demonstrate any sinister “scope-creep” over that 36-year period.

  5. Internode had UDR and already implemented since internode was born

    Which does pretty much what the article says

Comments are closed.