Defence Business: Data retention proposals muddy the security reforms | ADM October 2012


Attorney-General Nicola Roxon, one of the more competent and intelligent ministers in the present administration, issued some reforms of national security legislation for general discussion in July.

The package covers proposals for telecommunications interception reform, telecommunications sector security reform and Australian intelligence community legislation reform. The Parliamentary Joint Committee on Intelligence and Security (PJCIS) has commenced an inquiry into these, and a discussion paper, Equipping Australia against Emerging and Evolving Threats, was issued that outlines why these proposals are worthy of some debate.

However the Government’s case and its approach disclose a poor grasp of the political or technical implications of the proposals. The paper’s main argument is that the time is ripe to clarify, strengthen and reinforce laws regulating interception of communications.

Not surprisingly, the most controversial of the data retention proposals are in the third category. These include expanding the criteria for lawful interceptions, establishing an offence for failure to assist in decryption of communications, and requiring ISPs to retain data for periods of up to two years with powers to schedule industry response times, as well as extending ASIO’s warrant and search powers.

While the paper attempts to justify these powers as essential to counterterrorism investigations and to preventing planned terrorist attacks, its evidence for the more controversial proposals dwells more on convenience than on practicality or effectiveness.

Even Attorney-General Roxon distanced herself from these elements.

“The case has yet to be made” for a controversial plan to force internet providers to store the web history of all Australians for up to two years, Roxon was reported as saying in an interview published in the SMH on 21 July 2012. She also acknowledged the financial and privacy costs of such a scheme.

Shortly afterwards, hackers operating under the banner of Anonymous defaced a string of Queensland Government web sites in protest against Australia’s proposed data retention policies. Later Anonymous broke into mid-level ISP AAPT and began releasing redacted versions of details of users’ accounts. The Anonymous attacks were counter-productive and helped, if anything, to make the Government’s broader case for improved powers, or at least the case that something must be done.

However, the Government’s rationale for treating access to Internet or social media records alongside phone records as part of a data retention regime was notable for ducking the technological and logistical problems involved.

Telecommunications writer Richard Chirgwin offered an excellent critique on the online Register site. A key issue, he reports, is that in modelling data retention on what’s retained in phone records, governments and law enforcement either don’t realize or don’t care about the differences between the Internet and the telephone.

If the Australian government sticks with its previously-expressed enthusiasm for retention modelled on the European Data Directive, then the retained data would include the user ID, time of day, source IP address, and destination IP address for their Internet interactions.

Users are not always in control of every IP address their Web browser visits. Unlike conventional phones, with a fixed and identifiable line between sender and recipient, the Internet Protocol operates as a packet-switched network. This means you can have several different sessions at once. The log files do not indicate which IP address(es) a user intended to visit.

If a user wants to browse an online newspaper, the site owner imposes all sorts of additional data tracks on users who view the story: there are the trackers (Google Analytics, IMR Worldwide and so on), the ad servers (Doubleclick, Google), the videos which might come from a different IP address to the story, and all the affiliate links which might also come from a different IP. It only takes one visit to a compromised Web server, and a user can make contact with an IP address that ASIO or the AFP doesn’t like – without knowing they’ve done so.
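The point about log files can be shown with a small added example (not part of the original article) that parses retention records holding only the four fields listed above and groups each user's records into near-simultaneous bursts. The sample log, the user IDs, the RFC 5737 documentation addresses, the two-second gap and the watchlist entry are all constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# The four fields the article lists for a Data Directive style record.
Record = namedtuple("Record", "user_id timestamp src_ip dst_ip")

# Constructed sample: one page view at 09:00 fans out to five hosts.
SAMPLE_LOG = """\
u1001,2012-07-21T09:00:00,192.0.2.10,198.51.100.5
u1001,2012-07-21T09:00:00,192.0.2.10,198.51.100.77
u1001,2012-07-21T09:00:01,192.0.2.10,203.0.113.8
u1001,2012-07-21T09:00:01,192.0.2.10,203.0.113.66
u1001,2012-07-21T09:00:01,192.0.2.10,198.51.100.200
u1001,2012-07-21T09:14:30,192.0.2.10,198.51.100.5
"""

def parse(log_text):
    records = []
    for line in log_text.strip().splitlines():
        user_id, ts, src, dst = line.split(",")
        records.append(Record(user_id, datetime.fromisoformat(ts), src, dst))
    return records

def group_bursts(records, max_gap=timedelta(seconds=2)):
    """Group each user's records into bursts separated by more than max_gap."""
    bursts, last_seen = [], {}  # last_seen: user_id -> (last timestamp, burst)
    for rec in sorted(records, key=lambda r: (r.user_id, r.timestamp)):
        prev = last_seen.get(rec.user_id)
        if prev and rec.timestamp - prev[0] <= max_gap:
            burst = prev[1]
            burst.append(rec)
        else:
            burst = [rec]
            bursts.append(burst)
        last_seen[rec.user_id] = (rec.timestamp, burst)
    return bursts

def watchlist_hits(records, watchlist):
    """Return (record, distinct destinations in the same burst) per hit."""
    hits = []
    for burst in group_bursts(records):
        destinations = {r.dst_ip for r in burst}
        hits += [(r, len(destinations)) for r in burst if r.dst_ip in watchlist]
    return hits

if __name__ == "__main__":
    for rec, n in watchlist_hits(parse(SAMPLE_LOG), {"203.0.113.66"}):
        print(rec.user_id, rec.dst_ip, "is one of", n, "destinations in one burst")
```

The record for the watchlisted address is indistinguishable in form from the other four in its burst: nothing in the retained fields marks which destination the user chose and which were pulled in by the page.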

A phone bill is human-readable. People can recognize telephone numbers; 02 9555 5555 makes sense. Even if Joe ends up needing a lawyer to help him, they can communicate on common ground:

“Honestly, I can swear on the witness stand that nobody in my house ever called 9555 5555!”

On the other hand, an IPv4 address like 144.140.108.23 is not meaningful to the ordinary user. It resolves to Telstra.com, but most people don’t know what that means. So when a Chief Inspector leans across the table alleging that someone using an IP address accessed a sub-domain on a given IP address, and that the sub-domain was host to an extremist Web page showing bomb-making instructions … what exactly do you say?

By regarding Internet transactions as akin to telephone calls, law enforcement is creating a huge asymmetry that doesn’t exist when we discuss telephone call records.

“I have no idea what you’re talking about, officer.”

“Tough luck, mate, you can’t argue with the logfiles.”
