17 COMMENTS

  1. So even though no ISP is recording and storing said metadata, all of these agencies want access to it already. Get a warrant!

    • “So even though no ISP is recording and storing said metadata, all of these agencies want access to it already.”

      Preparing for a rainy day …

  2. Isn’t it funny just how many people want to open Pandora’s Box. Scope Creep is alive and well.

    Access is wanted because “we think you are a bad person” is considered sufficient cause; they need the data to try and prove enough to make actual legal proceedings stick. If you haven’t done anything wrong, there’s nothing to be afraid of. Right?

    I would very much like to see “get a warrant” as the AGs’ de-facto response. It should be; IANAL but virtually all of these requests likely exist because a judge would otherwise have laughed at an equivalent warrant request missing any probable cause, evidence or some other legal reason to permit it.

    • only if those VPN providers are hosted/owned in Australia.

      Take for example the US-based ones: they only protect US citizens’ privacy; any foreign customer will typically have their details handed straight over. Mileage probably varies depending where else the VPN is based.

      • Stick with any first world VPN provider outside the Five Eyes of UK, US, Canada, Australia and New Zealand (yes, it’s a term) and privacy focused laws and use that as your VPN exit point as a starting point.

        Do NOT use a VPN provider hosted within Australia.

        • VPN Providers are not subject to data retention laws, irrespective of where their servers are located.

          I use two providers, with servers located around the globe. It makes no difference if I connect to their US or Hong Kong based servers or their Australian ones, they have no legislative requirement to keep my metadata, nor do they.

          The government cannot ‘force’ them to keep logs or data under this legislation for their servers located within Australia.

          • That’s correct about the data retention laws, but there is precedent for providers (not just VPN) operating within those countries to be legally coerced into giving up the keys to their encryption, therefore opening their clientele to interception (see the Lavabit case for an example of this).

            That’s why you seek exit points in countries where it is difficult even for the government of that country to obtain this.

            Also keep in mind that the Five Eyes share information, therefore, for example, the NSA is prohibited from spying on US citizens, that doesn’t stop GCHQ (UK) from doing it, and sharing that information with the NSA. Likewise with Australian Intelligence organisations as well.

            That’s the scary part about this, the metadata retention only enhances that apparatus where governments can sidestep the laws of their own country by getting other friendly countries to do it for them.

  3. What are the rules the AGD is using to evaluate these requests? What is their likelihood of success? What do/would they need to do in order to be successful, and is the AGD providing such feedback, or are rejections simply a canned statement? What kind of processing cost is involved for each application and what is the overall cost to the public for all of this?

  4. Hi I’m from the corner shop deli and I want your meta data…
    *approved*
    Well that was easy.

  5. It’s funny that in defending the policy, the Liberals and Labor assured their constituents that data retention would actually formalise the process, giving it even more oversight. It would also limit the accessibility of metadata to law enforcement only.

    It is quite clear it was all lip service. Anyone who had access under the old system will get access again, they just need to apply. It wouldn’t surprise me if all local, state and federal government departments / agencies simply get it by default after a while.

    • I wonder if journalists would also be able to get access to it? Some interesting connections might come out of it.

      • Individuals can get hold of their own metadata. It was part of the legislation that it would be treated as personal information therefore for a fee someone can request their own. From there you could pass it on to a journalist.

        I have absolutely no doubt that when people start requesting metadata, what they get is a LOT more than the legislated data set. It is simply easier for an ISP to collect MORE rather than strip out unnecessary revealing info which requires manual remediation and it’s very expensive to do. Minimal to no funding support by gov = cutting corners.

        You can be assured the agencies requesting the data are going to get a lot more than the minimum required to keep :)

  6. VPN isn’t a get out of jail free card. The assumption that someone else’s network that doesn’t terminate in AU is inherently more secure because no data retention is a very flawed one.

    It’s useful to sidestep retention here, but that doesn’t preclude access details and activity being entirely untraced or untraceable. It doesn’t work that way. I am quite sure most operators intend for the service to provide some degree of secured service and partial anonymity; but it’s still effectively someone else’s network your data is being carried over.

    People tend to do dumb things when there is perceived safety (as opposed to actual). ;)

    Again, it is beholden on the AGDs’ department to stick to the policy terms and virtually all of these requests should be met with the department equivalent of “get a warrant”. It’s not upholding the concepts of law if it doesn’t. It would be entirely against the purpose of the entity.

    • I agree that it isn’t a get out of jail free card however the assumption there is that it’s being used for nefarious purposes in the first place. I value my family’s right to privacy therefore all our devices operate via a VPN. I simply disagree with the government that my personal information should be available to them on demand without any judicial oversight. I’m also uncomfortable with said personal information over 2 years being made available to incompetent public servants and I would imagine, passed on to overseas Five Eyes partners under standard information sharing arrangements.

      As soon as the data is passed on by the ISP there is absolutely no oversight on its destruction. Duplication, misplacement, incorrect usage. All of these things will happen and without any recourse or oversight. There will certainly be no avenue of complaint for an end user who may / may not even be aware their data has been accessed.

      VPN isn’t perfect but I would much prefer the information my ISP has on me be thousands of timestamped connections to my VPN’s IP address rather than what it could be without it. I shiver at what the potential content collected could be without any VPN at all. Most ISPs are going to do this on the cheap, cut corners with absolutely no consideration to customer privacy at all, because there is nothing legislated in forcing them to.

  7. Can you imagine the meggaterrafloppabytes of woeful crap that they will collect. I wonder if a storage provider put them up to this?
