Turnbull admits limitations of data retention proposal

More holes appear in the government's mandatory data retention proposal as Communications Minister Malcolm Turnbull admits the tech-savvy will know how to avoid having their IP addresses logged against sites they visit, while the scheme may still be costly and impractical.

While recording IP addresses may be costly and impractical for telcos, those customers who know what they're doing will have no trouble getting around a mandatory data retention regime that logs IP addresses assigned to an ISP's customers, Communications Minister Malcolm Turnbull has admitted.

Image: Screenshot by Josh Taylor/ZDNet

The Australian government last week struggled to define its plans to implement a mandatory data retention regime in Australia that would force the telecommunications companies to retain so-called "metadata" for up to two years.

Attorney-General George Brandis and Prime Minister Tony Abbott both struggled to define what data the telcos would be required to retain, with both indicating early last week that a list of websites visited by telco customers would be retained in addition to the traditional call logs.

On Thursday and Friday Morning, Turnbull moved to clear up some of the confusion surrounding the scheme, explicitly ruled out retaining a log of the sites customers visit, and insisted only the IP addresses assigned to customers by their ISPs would be retained under any proposal.

Telecommunications companies were kept in the dark about the proposals until the government finally arranged industry meetings late last week.

Speaking at the GovHack awards in Brisbane on Sunday, Turnbull departed from his set speech after facing a number of questions from the audience on the proposal. He again clarified that web browsing history would not be retained and it would simply be the IP addresses for user accounts.

But he admitted that there were "costs and practicalities" that still needed to be addressed with the internet service providers, in particular with ISPs that have very rapid allocation of IP addresses to users.

He joked, however, that the tech-savvy audience members for the GovHack awards would have no trouble circumventing any data retention scheme that would be established by the government.

"Your web surfing history is a matter for you. You've all got VPNs [Virtual Private Networks] anyway, so all of you appear to be somewhere in Iowa when you go online, I know that. Anyway, I won't go on," he said.

People frequently use VPNs to mask their IP address or make it appear in a different location for the purposes of avoiding geo-blocking of services that are specific to a particular country, such as Netflix in the United States, or BBC iPlayer in the UK.

The government, in seeking to exclude browsing history, would need to obtain a list of IP addresses that had visited, for example, a terrorist website, from the host service of that service, and then match those IP addresses and time of access up with those recorded by the Australian ISPs under the data retention regime.

If a user is accessing the site through a VPN, the IP address assigned to them by their Australian ISP will not be recorded at the website they accessed.

Turnbull's admission that the data retention regime is likely to be easily circumvented, and may be costly and difficult for ISPs to implement comes as the government begins discussions with ISPs over how best to implement the scheme. A formal policy and legislation for the regime is expected to be made public before the end of the year.