Inside Australia's data retention proposal

Inside Australia's data retention proposal

Summary: Telecommunications industry sources have called the claims by Attorney-General media relations that web browsing history would not be recorded in a controversial data retention proposal "a bit cute" and a question of terminology and semantics.

SHARE:

Telecommunications industry sources have called the claims by Attorney-General media relations that web browsing history would not be recorded in a controversial data retention proposal "a bit cute" and a question of terminology and semantics.

ZDNet Australia broke the news on Friday that the Federal Government Attorney-General's Department was considering how it could best implement a data retention regime in Australia.

"The Attorney-General's Department has been looking at the European directive on data retention, to consider whether such a regime is appropriate within Australia's law enforcement and security context," the Attorney-General's Department had said. "It has consulted broadly with the telecommunications industry."

Data retention requires telecommunications providers, including internet service providers (ISPs), to log and retain certain information on subscribers for local enforcement agencies to access when they require it.

The regime sees certain data logged before any suspect is identified, meaning that every internet users' online activities are logged by default.

Europe has one

Such a system currently exists in Europe, and has been adopted by select states. The call for the European directive on data retention came after the 2004 Madrid train bombings in Spain.

Importantly, the EU directive requires ISPs to retain data necessary to trace and identify the source, destination, date, type, time and duration of communications — and even what communication equipment is being used by customers and the location of mobile transmissions.

According to the EU directive, where internet access is concerned, ISPs must retain the user ID of users, email addresses of senders and recipients, the date and time that users logged on and off from a service, and the IP address (whether dynamic or static) applied to their user ID.

Importantly, the EU directive requires ISPs to retain data necessary to trace and identify the source, destination, date, type, time and duration of communications — and even what communication equipment is being used by customers and the location of mobile transmissions.

For telephone conversations, this means the number from which calls are placed and the number that received the call, the owner of the telephone service and similar data such as the time and date of a call's commencement and completion.

For mobile phone numbers, geographic location data is also included. The data is retained for periods of not less than six months and not more than two years from the date of the communication.

The proposed Australian regime

The information that the Australian system, if implemented, would get ISPs to log and retain is yet to be set in stone by the Attorney-General's Department. ZDNet Australia reported various ISP sources' claims that it could extend as far as each individual web page an internet user had visited. This was echoed by an industry source that was quoted in the Sydney Morning Herald newspaper on Saturday.

Attorney-General Robert McClelland's media advisor on Monday denied "web browser history" would be logged. "This is not about web browser history," said McClelland's media liaison Adam Siddique. "It's purely about being able to identify and verify identities online," he added, linking the initiative to the ability for law enforcement to track criminals online.

Yesterday, the Attorney-General's Department said that the Australian Government was "still considering and consulting on this subject and as such it would be inappropriate to comment at this stage", and did not rule out logs of URLs being retained.

Industry sources remain adamant that draft documents they have been given show the proposal could stretch as far as web browsing history, and argue the government was denying it would require ISPs to log "web browsing history" in the media as a way of quashing privacy fears.

Robert McClelland

Attorney-General Robert McClelland (Credit: Attorney-General's Department)

"The major problem here, and as it was explained, [is] that all information in the handouts [suggested] that any information which is logged must be retained," said an industry source close to the consultations with the Attorney-General's Department. "Therefore any ... proxy logs would fall under this category."

A "proxy" is often used by ISPs to cache internet traffic to save on bandwidth. Proxy logs are relevant because they record each individual URL an internet user visits. The source said that if the logs were turned on and the Australian proposal, as explained and shown in draft documents to the source, was implemented, ISPs would need to retain the data contained in the logs.

"This becomes even more of a problem should a [mandatory internet filter] system be put in place as it is capable of logging all users' normal HTTP activity," the source said, pointing to the Federal Government's proposed mandatory internet filter that intends to block access to refused classification material. "Providers may be able to turn off the log feature; however, if they do not — or require this user data for other billing or service requirements — then they will be required to retain the data under the proposal as explained," the source said. "So to say URL history will not be retained is not accurate."

Another industry source told ZDNet Australia it was "a little bit cute" for the Attorney-General's media advisor to say that the Federal Government wasn't looking at a proposal to require ISPs retain "web browsing history".

"I think they're being a little bit cute when they say they want the source and the destination IP addresses for internet sessions [while] saying 'we're not really asking for web browsing history'," the source said.

"Now sure, if you go into Internet Explorer you can go into internet options and you can get your 'history', but you know, carriers don't really use URLs, they use IP addresses, and it's the IP address that translates to a URL and vice versa. They're one and the same."

There was more material in a data set the Attorney-General's Department gave telecommunications companies that the source found a "bit frightening". "They want allied personal information with that account, including, [the department] said, passport numbers."

"Why the hell an ISP would ask anybody for a passport number is beyond me," the source said. "And I am not aware of any telephony requirements that ask for passport details.

"So they're asking for all details of the customer that we would hold on record, which includes anything, like multiple email addresses."

Industry consultations

A consultation in March this year, just three months ago, was held with industry to discuss the data retention proposal. It's understood that this was the first formal consultation with the telecommunications industry, with a number of telcos in attendance.

Representatives from telecommunications companies Telstra, Optus, iiNet, Internode, Nextgen and the Comms Alliance were in attendance, among others, according to an industry source.

The briefing in March saw industry members involved given hand-outs discussing the proposal. Each document handed to industry members was marked in red with a message stating: "This document is provided in-confidence to telecommunications industry participants for consultation purposes and is not for further distribution outside your organisation," according to one source.

ZDNet Australia yesterday requested the release of those documents to allow greater transparency and a public debate on the matter. However, the department refused access, stating documents provided "in-confidence" were not able to be released.

Meeting notes taken by one industry source at the March briefing, and seen by ZDNet Australia, show questions asked by industry in attendance. The notes show industry representatives raising issue with the proposal, arguing for the government to say what was wrong with current arrangements, where local enforcement agencies are required to get a court order to begin tapping a connection.

"People pointed out numerous flaws with the proposal at a conceptual and technical level, which [the Attorney-General's Department] didn't seem to care about," the meeting notes said.

The notes said industry could not be provided with any statistics on the number of information requests that had failed due to telcos not retaining their logs for long enough.

"Several industry participants said that the government hasn't made a case that such a system is needed," the notes said. "It was suggested that they collect such statistics via the existing reporting obligations of [Carriage Service Providers] and [local enforcement agencies], which got a smirk out of the guy from the [Attorney-General's Department], but he rejected out of hand."

The notes also showed the Attorney-General's Department pointing out that the law enforcement agencies were asking for data to be retained for five or 10 years. According to the notes, the industry was told it "should be grateful" that the government was only going to require a retention period of two years "at this stage".

As for who would wear costs for logging and retaining data, it appeared clear from the notes that industry would. "Industry must wear the cost of capturing and storing the data," the notes said. "Agencies who make requests for data will pay the incremental cost of answering those requests only".

The major problem here, and as it was explained, [is] that all information in the handouts [suggested] that any information which is logged must be retained

Industry source

An industry source close to the consultations said they would rather not do this, as it would be costly, and said that there were many ISPs out there that may have "lax" security, meaning that the data held had the potential to leak.

"It will be expensive," the source said. "Today we can pretty much count on the fingers of one hand simultaneous taps that are in place. There's not massive amounts of it going on. And the leap from that to all customers continuously is two orders of magnitude, probably.

"If we're going to have all that data on you, me and my mum stored somewhere, well maybe you can trust us, maybe you can trust [other telcos], but what about the 300 other odd ISPs? And that's why I think that if this goes through and the Parliament decides it's what Australia wants, which I doubt, then I think it should be stored somewhere centrally by the Federal Police or the Attorney-General's Department, or someone else. Not a bunch of private enterprise operators that are all focused on keeping their costs down."

Conclusive evidential certificates were also proposed by the Attorney-General's Department, which are used to prevent any challenge to the accuracy of data provided to law enforcement, according to the meeting notes. Such a certificate requires a carrier to sign off on data handed over, pledging it is accurate.

Asked to clarify whether the Attorney-General's Department expected a telecommunications provider to perform deep packet inspection (DPI) to collect all the data that is in the proposed data set — which includes email addresses of sender and recipient, session initiation protocol identifiers and instant message screen names — or whether those only applied to the actual providers of email services, Voice over IP (VoIP) services and instant messenger services, the department's response, according to the notes, was to the effect of "if you don't like the data set you'll be able to ask for an exemption from the parts you don't like".

Erosion of privacy

Another source close to the consultations told ZDNet Australia that telecommunications providers currently only retained data necessary for operational and financial purposes, which is often stored for years. The current proposal, even forgetting whether web browsing history would be recorded, went much further than that, the source said.

The Attorney-General's Department doesn't get it. They don't get it that ... a proxy log isn't just a [network] switch. They think [that], because it is a computer, to say 'Retain the data' is a minor step.

Industry source

"[They're] asking us to retain data for law enforcement purposes that, under existing privacy laws, we would be breaking the law if we retained for any longer than for operational purposes," the source said.

The industry, according to sources, has tried to draw a distinction between retaining data that they already put on their operational systems versus retaining data that might exist on network infrastructure, but to no avail.

"The Attorney-General's Department doesn't get it," the source said. "They don't get it that ... a proxy log isn't just a [network] switch. They think [that], because it is a computer, to say 'retain the data' is a minor step."

The source said the privacy commissioner had already "given the tick" to the proposal.

"Representation that the [Attorney-General] has made to industry is that it has consulted the Privacy Commissioner, and the Privacy Commissioner has advised that [the proposal] doesn't breach the privacy act. Not that there is not an erosion of privacy, but that it merely doesn't breach the privacy act."

ZDNet Australia asked the Privacy Commissioner if it had given a "tick of approval" to the proposal, and received this statement:

"My office was consulted by the Attorney-General's Department on this proposal last year as part of initial consultations including with industry. At this stage, we understand the government is still considering the matter and we look forward to providing further comment as the proposal is developed. In general, limiting the amount of information collected and the length of time it is retained is good privacy practice; however, under our legislation it is important to balance other community interests such as public safety and national security with privacy considerations. My office would also expect that any proposed legislation would have the appropriate privacy safeguards built-in."

The status quo

According to the meeting notes, one law enforcement agency in attendance at the briefing raised concerns with the increasing use of encryption, off-shore service providers for email, VoIP and uptake of IP-based services that have less logging than telephony services. Also raised by that agency was that some telecommunications companies didn't log the data they wanted.

Details of how many requests the Australian Federal Police (AFP) made for telecommunications data — without interception warrants — between 2008-2009 was also revealed at the briefing.

The AFP, according to the meeting notes, made more than 16,000 requests to over 50 telecommunications companies for data during that period. According to the note, the AFP told the briefing that it wanted to automate the process of requesting and obtaining access to telecommunications data.

If you have any information please don't hesitate to contact us, your identity will remain anonymous.

Front page image credit: Twyfelfontein Binoculars image by M0Rt3s, CC BY-SA 2.0

Topics: Government, Big Data, Government AU, Privacy, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

21 comments
Log in or register to join the discussion
  • Once again political proposals relating to the internet are undertaken in secret. What is it about the internet that scares politicians and public servants. The general public and those most affected are deliberately excluded from any consultation. Smacks of having something to hide and politician's fear of a medium they make no effort to understand.

    It seems to be that cutting internet users out of the loop indicates that Labor are as technically incompetent as the Coalition were before them.
    ilago-43fec
  • Most politicians seem to have forgotten that they are working in a position of trust for their constituents. What is with all this fascist nonsense that seems to be coming out of Can'tberra these days.
    Who in their right mind thinks that such a scheme is necessary?
    The current government will keep digging that hole that they are in. It's a pity that the opposition are just as bad.
    We really need some new blood in politics. Some people with honour who actually understand the job that they have been given by the people who voted them in.
    thEGA
  • +1 for both comments above.

    As has been pointed out elsewhere, the two/ten year rule, in conjunction with Conboy's filter, will mean that a future govt will have the means to trace and take action to silence any sources of political or other opposition.
    gnome-8be8a
  • Today they're saying it's just for tracking terrorists, but you can bet it would be used for copyright policing, etc., once it exists. If you don't want terrorism, treat people nicely; then no one will want to kill you or harm your country. Any other measures against terrorism are just garbage.
    sswam-7a630
  • Totally agree with previous comments and it doesn't take into account the savvy crim who encrypts everything and uses VPN's to OS to do all their work through thereby totally bypassing our stupid gov!
    Zxek
  • So can public expect the Open Access to Government Data as well, every single transaction!!??
    crossbeam
  • You take a walk down the street:

    1. A police officer may stop and demand your identification.
    2. A police officer may physically search you and any items in your possession.
    3. If a police officer decides anything you're carrying could be a weapon, or otherwise dubious, you're in trouble.
    4. A police dog detects some unquantifiably small amount of drug residue in your vicinity. Now the police can search you.

    You use the internet:
    1. Conroy doesn't want you visiting certain sites. You visit them, expect the police to come calling.
    2. You figure out which sites are being blocked, expect a visit from the police if you disclose those sites.
    3. The Attorney General wants all internet traffic logged. You do anything, no matter how innocent, that might be considered dubious (by the AG) expect a visit from the police.

    The presumption of innocence has been lost and, replaced by a presumption of guilt (eg. you're either a terrorist or a paedaphile).

    Welcome to the police state of Australia!

    Anyone with an IQ above that of a burnt piece of toast should be able to recognise the direction the government is taking. Time to elect someone else, hopefully before the right to vote is revoked.

    Look, there's a Japanese whaling vessel! Ignore the erosion of basic human rights.
    Scott W-ef9ad
  • More blood in politics? I think that's what they want.
    Scott W-ef9ad
  • Expect a new 'police force' to be announced soon. You'll know when they are around when people start disappearing...
    Scott W-ef9ad
  • Just wanted to bring attention to WebSpy’s latest blog: Government sanctioned ISP Filtering & Monitoring – Is Australia going Orweillian? at http://www.webspy.com.au/blogs/index.php/government-sanctioned-isp-filtering-and-monitoring/

    WebSpy provides reporting software for organizations and highlights how the proposed regime is different and why there’s need for concern.
    Asa Davidsson-0ab79
  • These politicians just don't get it. People will always find a way around things like this. One can surf invisible using an anonymous proxy server all that will be seen is the proxy server URL and it doesn't have to be in this country. Even e-mail, all one needs is an overseas hosting account with its own email server and that's where the mail goes from. I haven't even mentioned encryption or will that be made a crime as well.

    It would seem more to make this a police state rather than really catch the crims and pedophiles. Slow encroachment is how we got Hitler.
    wstaton
  • Clean *your* backyard first.
    1. Use https://www.google.com SSL. The results are also encrypted - the destinations of course are not, but it is a start. Give your habits to Google rather than government.
    2. Use truecrypt in hidden volume mode (http://www.truecrypt.org/) so they don't need to torture your password out of you. You give them the non-hidden password of course!
    3. Use SSL on your POP3 email. This one is THE biggest surprise for all you "would be" IT Experts. Check out this: http://secureinternettips.blogspot.com/ You might come away with egg on your face!
    Enjoy your clean backyard!
    NTSTATUS
  • To summarise, anyone with criminal intent can and will employ simple tactics to avoid detection, meaning that almost all data being collected is that of innocent citizens. Meanwhile, guess who's ultimately paying the cost of collecting, filtering and scanning massive amounts of (mostly irrevelant) data?
    splinters
  • If the isp 'insider's' report of the meeting with the AG's paper pushers is accurate it would appear the current regime's naievety, arrogance and disregard for personal privacy has filtered down to its minions. Hollow persons indeed.
    btone-c5d11
  • Europe doesn't have data retention. It's certainly policiy of the EU's megalomaniacs, but implementing it in law is impossible in e.g. Germany where such a thing was ruled unconstitutional earlier this year. Germany's constitution prohibits the systematic surveillance of the population and protects the sanctity of the home.

    Perhaps those who drafted the Federal Republic's Basic Law (Constitution) in post-WW2 Germany had recent experience with the consequences of government surveillance.
    berfel
  • This is very worrying for so many reasons its hard to list them. Unfortunately so many of Joe/Jo Public is swayed by the spurious saying "If you're doing nothing wrong, you have nothing to worry about". Well, I'm worried.
    OpusEd
  • I have a GREAT IDEA, why don't they finger-print everybody, take blood samples, keep photographs of us on file, monitor when we leave our houses and record all our conversations with everyone? It'd be great for law enforcement and the war against terrorism and for the Cold-war.

    Just because Spain got some fascist violation of their human rights pass it's legislature just NOT mean that we have to follow suit.
    Person-2cfca
  • I have a GREAT IDEA, why don't they finger-print everybody, take blood samples, keep photographs of us on file, monitor when we leave our houses and record all our conversations with everyone? It'd be great for law enforcement and the war against terrorism and for the Cold-war.

    Just because Spain got some fascist violation of their human rights pass it's legislature just NOT mean that we have to follow suit.
    Person-2cfca
  • I use (free) gmx.com servers based in Germany for my email (connecting with SSL). I use your-freedom.net servers in Hong Kong or Singapore for web and P2P proxies - it costs about AU$48 per year. Don't forget to make sure your DNS look-ups are done by the proxy server.
    DaveKimble
  • As someone who is been in the industry for a while, I think the intention is valid, which is about trying to enforce the law against a common group of criminals in the same way as if they were committing a crime in the traditional sense - such as walking into a bank and holding the teller up. The problem is, you can normally solve those crimes by traditional crime fighting methods. In the case of the online environment it is more complex than that and is these forms of regulatory environments are implemented, the law needs to catch up - ultimately, it will come down to a series of precedents set out by the courts. That said, this discussion MUST have a long way to go before an attempt at even draft legislation is put up. I for one believe in freedom within the internet – but then I also believe that there are some sectors of society that are committing crimes online. The key will be a balance. At the one end, legislators can’t just set aside individual freedoms for the sake of the criminality of the few, and then those of us who enjoy these freedoms need to understand there are some amongst us who are criminals, thieves and vagabonds. Somewhere in the middle is where the debate needs to start.
    mtukaki