Wednesday, August 06, 2014

Data retention is not business as usual

The announcement yesterday that the Government still intends to bring forward a data retention regime is unsurprising. The stand out feature, however, remains that it is still a piece of work for the future.

It is now over four years since Ben Grubb first broke the story that Government was discussing with ISPs a data retention regime. From that point on one of the biggest questions is what is in scope and what is out of scope - with one of the key questions being exactly what was to be captured, including whether web browsing history would be retained.

Four years down the track and there is still no greater clarity. Today, trying to explain the policy, Tony Abbott got himself caught up in knots. Someone had told him the idea was really easy to explain using snail mail - the metadata is only the address written on the outside of the envelope, not the letter inside.

The first problem - as explained by iiNet in a Senate submission -  is that the dividing line is nowhere near as clear as that. Technically, as you go up each level in the ISO stack the metadata changes. At the IP level the metadata is the IP address, at the application level the metadata may be the email address or website URL.

The difficulty for the PM became worse when he went beyond the simple analogy to say on the Nine Network "''It's not what you're doing on the internet, it's the sites you're visiting, it's not the content, it's the sites that you've been." That is consistent with his analogy, because a website URL is just the address of the communication, it is where you have been. But it does mean that as far as the Prime Minister is concerned the proposal includes browsing history!

The line that has everyone confused is "My understanding is that anything generated by you is content and anything generated by the ISP is metadata." When you go browsing, you generate the URL because you type it into your computer - when you send an e-mail you create the e-mail address. Now both e-mail addresses and URL's contain domain names which at some point were "created" by ISPs - in the sense they got loaded into DNS servers.

At the core of all this is a deceptive line that is embedded in the PM's media release yesterday "The Government also intends to introduce further legislation to ... update Australia’s telecommunication interception law which predates the internet era and is increasingly ineffective." This is first and foremost a lie, because the interception regime has been updated to cover data interception. It is secondly deceptive because it carries the implication that there is data about voice services retained for law enforcement purposes and the same should happen to other data.

Way back in 1960 the PMG made a decision on automatic switching that Australia would adopt a regime known as multi-metering rather than event based charging. Under mutli-metering the PMG retaine no information about the numbers dialled.

The move to event based charging followed from the advent of SPC (stored program controlled) switching - it was not imposed by a national security or law enforcement regime. However it did create a benefit for those agencies because now Call Charge Records existed and had to be retained for charging and billing purposes. These have proved extremely useful for many investigations.

This is perhaps the point to go into the long digression about how the relevant legislation works. This has been well explained in an article by Sharon Rodrick. There are three ways various agencies can access communications information - interception of live traffic, accessing stored communications and access to telecommunications data. The first two are only available to law enforcement and national security agencies and require a warrant.

The third kind - and the area that would be expanded under a data retention regime - can be accessed by a much larger list, including "any body whose functions include administering a law which imposes a pecuniary penalty or which relates to the protection of the public revenue." The Attorney-General's Interception Act Annual Report 2012-13 shows that this latter category is a wide list. The tables below are the Commonwealth and State agencies who have accessed telecommunications data. This access is authorised by an officer of the agency, not by warrant.

The other big lie that the agencies tell the politicians and that the politicians then tell us is that the ISPs "already keep this data." By which they think they mean that the ISPs already keep it for a limited period. The origin of this appears to be a conversation between a law enforcement rep at a large telco and an agency contact that, in relation to some unidentified piece of information, "we had that information but you need to ask us to keep it."

Now, in fact, the existing regime already covers prospective telecommunications data - a telco can be required to keep data before it comes into existence - but only by warrant and only for the law enforcement and national security agencies. So, yes ASIO can access your browsing history - but only if they get a warrant and tell the ISP before you browse (like interception).

There is also a great difference between data existing and data being even accessible. For example, the details that agencies access on telephone calls come from Call Charge Records created for the purposes of billing - these are not the actual event logs generated by the switch. One telco I know received so many call detail requests it made a copy of the call record data and a query toll to facilitate response (the telco's get to charge a cost based fee - by automating they reduced the real cost but not the fee).

One classic case is simply the dynamic IP address assigned to a user during an internet session. The ISP has no need or use for this data - so it can exist only for the duration of the session in a network element, not in any queriable business system. This fact already compromises a co-operative law enforcement program - the Australian Internet Security Initiative (AISI) - which seeks to identify and rectify "bot" infested computers. A December 2012 report from the ACMA found "More than a third of the providers interviewed experienced at least some difficulties identifying computer compromises where customers had allocated dynamic IP addresses."

The allocation of IP address to user is one of the lowest levels of data that the agencies could find useful, because from that they could, for example, identify users who had visited websites they were watching (which in turn could be derived from a prospective telecommunications data warrant issued to ISPs for DNS look-ups of the relevant domain name).

It is not unusual in law for a person to be required to keep and maintain records to assist law enforcement. An example I use frequently is the requirement for traders in second hand goods to record the identity information of vendors as part of controlling property theft. The requirement on telcos to obtain identification details for pre-paid phones is another. But in those cases the extent of the imposition is well targeted at the task. (see note)

Ultimately the agencies and the Attorney-General's Department have made a complete hash of the exercise by assuming that by clicking their fingers and saying "terrorist" they will be granted new and intrusive powers. Ultimately the decision to implement the Blunn review recommendation to take the Department of Communications out of the activity has backfired badly.

There was another way to increase the amount of data retained and hence of use to agencies, which was to review retention practices for other reasons. For example, it would seem that the ACMA has a case to make for requiring ISPs to retain dynamic IP address allocation data to make AISI more effective. A direction from the Minister to the ACMA to review telco and ISP data retention policies to validate their appropriateness to guarantee the security of networks and the resolution of customer complaints would have easily justified a modicum of extension on data collection. But that was a strategy - by definition an action that takes into account the reaction of those affected by your action.

Ultimately the biggest lesson from the data retention saga is that we have learnt that the agencies we rely upon to protect us are not very strategic.

No comments: