Defence Business: Data retention proposals muddy the security reforms | ADM October 2012
By John Hilvert | Canberra | 12 November 2012
Attorney-General Nicola Roxon, one of the more competent and intelligent
ministers in the present administration, issued some reforms of national
security legislation for general discussion in July.
The package covers proposals for telecommunications interception reform,
telecommunications sector security reform and Australian intelligence
community legislation reform. The Parliamentary Joint Committee on
Intelligence and Security (PJCIS) has commenced an inquiry into these, and a
discussion paper, Equipping Australia against Emerging and Evolving Threats,
was issued that outlines why these proposals are worthy of some debate.
However the Government’s case and its approach disclose a poor
grasp of the political or technical implications of the proposals. The paper’s
main argument is that the time is ripe to clarify, strengthen and reinforce laws
regulating interception of communications.
Not surprisingly, the most controversial of the data retention
proposals are in the third category. These include expanding the criteria for
lawful interceptions, establishing an offence for failure to assist in
decryption of communications, and requiring ISPs to retain data for periods of
up to two years, with powers to schedule industry response times, as well as
extending ASIO’s warrant and search powers.
While the paper attempts to justify these powers as essential in
counterterrorism investigations and in preventing planned terrorist
attacks, its evidence for the more controversial proposals dwells more on
convenience than on practicality or effectiveness.
Even Attorney-General Roxon distanced herself from these elements.
“The case has yet to be made” for a controversial plan to
force internet providers to store the web history of all Australians for up to
two years, Roxon was reported as saying in an interview published in the SMH
on 21 July 2012. She also acknowledged the financial and privacy costs of such
a scheme.
Shortly afterwards, hackers operating under the banner of
Anonymous defaced a string of Queensland Government web sites in protest
against Australia’s proposed data retention policies. Later, Anonymous broke
into mid-level ISP AAPT and began releasing redacted versions of details of
users’ accounts. The Anonymous attacks were counter-productive and helped, if
anything, to make the Government’s broader case for improved powers, or at
least the case that something must be done.
However, the Government’s rationale of treating access to Internet or
social media records like access to phone records, as part of a data retention
regime, was notable for ducking the technological and logistical problems
involved.
Telecommunications writer Richard Chirgwin offered an excellent
critique on the online Register site. A key issue, he reports, is that in
modelling data retention on what is retained in phone records, governments and
law enforcement either don’t realize or don’t care about the differences
between the Internet and the telephone.
If the Australian government sticks with its
previously-expressed enthusiasm for retention modelled on the European Data
Directive, then the retained data would include the user ID, time of day, source
IP address, and destination IP address for their Internet interactions.
Users are not always in control of every IP address their Web
browser visits. Unlike conventional phones with a fixed and identifiable line
between sender and recipient, the internet protocol operates a packet switching
network. This means you can have several different sessions at once. The log
files do not indicate which IP address(es) a user intended to visit.
If a user wants to browse an online newspaper, the site owner
imposes all sorts of additional data tracks on users who view the story:
there are the trackers (Google Analytics, IMR Worldwide and so on), the ad
servers (Doubleclick, Google), the videos which might come from a different IP
address to the story, and all the affiliate links which might also come from a
different IP. It only takes one visit to a compromised Web server, and a user
can make contact with an IP address that ASIO or the AFP doesn’t like – without
knowing they’ve done so.
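The fan-out described above can be shown with constructed data. This is an added example, not part of the original article or of Chirgwin's critique. It assumes a retention record holding only the four fields listed earlier, and every hostname, address and watchlist entry in it is invented.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed page load: (hostname, destination IP, did the user choose it?).
# Addresses come from the RFC 5737 documentation ranges.
PAGE_LOAD = [
    ("news.example",      "192.0.2.10",   True),   # the story the user clicked
    ("analytics.example", "198.51.100.7", False),  # tracker
    ("ads.example",       "198.51.100.9", False),  # ad server
    ("video-cdn.example", "203.0.113.20", False),  # embedded video
    ("affiliate.example", "203.0.113.66", False),  # affiliate link, compromised host
]

def retained_records(user_id, src_ip, start, page_load):
    """Build what the log keeps: user ID, time, source IP, destination IP.
    The hostname and the 'chosen by the user' flag never reach the log."""
    return [{"user": user_id, "time": start + timedelta(milliseconds=40 * i),
             "src": ip_address(src_ip), "dst": ip_address(dst)}
            for i, (_host, dst, _chosen) in enumerate(page_load)]

def bursts(records, gap=timedelta(seconds=2)):
    """Group records into bursts separated by more than `gap`."""
    groups, current = [], []
    for rec in sorted(records, key=lambda r: r["time"]):
        if current and rec["time"] - current[-1]["time"] > gap:
            groups.append(current)
            current = []
        current.append(rec)
    if current:
        groups.append(current)
    return groups

def watchlist_hits(records, watchlist):
    """Return (user, flagged destination, number of other destinations in the
    same burst). Any of those others may be the page that caused the contact."""
    hits = []
    for burst in bursts(records):
        others = {r["dst"] for r in burst}
        for rec in burst:
            if rec["dst"] in watchlist:
                hits.append((rec["user"], rec["dst"], len(others) - 1))
    return hits

RECORDS = retained_records("user-1", "192.0.2.200",
                           datetime(2012, 7, 21, 9, 0), PAGE_LOAD)
WATCHLIST = {ip_address("203.0.113.66")}  # constructed watchlist entry

if __name__ == "__main__":
    for user, dst, others in watchlist_hits(RECORDS, WATCHLIST):
        print(f"{user} contacted {dst}; {others} other destinations in the same burst")
```

One click on one story yields five retained records, and the flagged one carries nothing to separate it from the address the user actually chose.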
A phone bill is human-readable. People can recognize telephone
numbers; 02 9555 5555 makes sense. Even if Joe ends up needing a lawyer to help
him, they can communicate on common ground:
“Honestly, I can swear on the witness stand that nobody in my house ever called
9555 5555!”
On the other hand, an IPv4 address like 144.140.108.23 is not
meaningful to the ordinary user. It resolves to Telstra.com, but most
people don’t know what that means. So when a Chief Inspector leans across the
table and says that someone using an IP address accessed a sub-domain on a
given IP address, and that the sub-domain was host to an extremist Web page
showing bomb-making instructions … what exactly do you say?
By regarding Internet transactions as akin to telephone calls,
law enforcement is creating a huge asymmetry that doesn’t exist when we discuss
telephone call records.
“I have no idea what you’re talking about, officer.”
“Tough luck, mate, you can’t argue with the logfiles.”