Slashdot Mirror


Australian ISPs Not Ready For Mandatory Data Retention (abc.net.au)

ferrisoxide.com writes: October 13 marks the day Australian ISPs are required by law to track all web site visits and emails of their users, but according to an article on the Australian Broadcasting Corporation's news site the majority of ISPs are not ready to begin mandatory data retention. The article's author, Will Ockenden, had previously released his own metadata to readers in an experiment to see how effectively this kind of data reveals personal habits of online users. The majority of Australians appear unconcerned with this level of scrutiny of their lives, given the minimal reaction to this and proposed tougher legislation designed to deal with the threats of crime and terrorism.

3 of 85 comments shown

  1. Really bad idea by fragMasterFlash · Score: 3, Interesting

    While I'm certain the politicos who came up with this idea had nothing but the best intentions in mind, they have in fact mandated that sites keep a trove of data that will prove irresistible to blackhats. How many people will be blackmailed or have their lives turned upside down à la Ashley Madison over retained data that falls into nefarious hands before this ill-conceived plan meets its Waterloo?

    1. Re:Really bad idea by MrKaos · Score: 3, Interesting

      That being said the law does require the data to be 'encrypted',

      Not quite. Section 187BA.a specifies that the data is to be encrypted, then in the compliance section later 187F.2.a it lets the provider off the hook with the whole encryption mechanism if it can't get the system to operate with it.

      Encryption is optional in the context of this act and was one of the things I suggested amending to be mandatory with the private key being held by the TIO. I did a detailed analysis of the legislation before it passed and whilst I won't include the letters I wrote to the senate, these are the sections of part one I thought needed to be amended to protect the population from fraud and slashdotters will probably get this immediately:

      Criticisms of specific sections in Part one:

      187AA.3A,3B remove because it introduces the possibility that any e-commerce business that is not a telecommunications provider can be forced to retain data and bear the cost of limiting their business throughput and capacity for expansion. For business this represents a rising linear cost that increases with additional customers.

      187B.2 Needs definition of who a CAC (Communications Access Controller) role answers to, which department, and limits to retention demands

      187B.2A change 'may' to 'must'

      187B.3.c Remove. Additional requirements from the CAC impose incremental infrastructure and capacity restraints on business coupled with forcing them into I.P cost and approval cycles every time infrastructure upgrades are required as a result of demands from the CAC. The business is forced to write for approval for mandatory upgrades to meet retention requirements demanded by the CAC.

      187BA.a Specify a minimum standard for encryption of data. Government should mandate minimum encryption standards, revised regularly, to protect consumers from fraud, organised crime, identity theft, harassment and so on. The same standard should control access to the data from all parties.

      187BA.c add allow encrypted access to the data by the entity or person that generated it.

      187E.2.b,c service providers must never be exempt from section 187BA when storing entity or personally generated data

      187F.2.a add: ensure adherence to encryption standards in 187BA; and

      187F.2.b add: whilst still complying with 187BA

      187F.2.f remove for the same reason as 187B.3.c

      187G.1 Law enforcement uses a secured access standard under 187BA.a to access the data

      187G.2.d change 'may' to 'must'

      187G 4,5 Define a criteria for the ACMA's collection requirements

      187K.1.d add: not approve an exemption from 187BA

      187KA.4 define the ACMA's relation to policing here

      187KA.4.f add: input from the PC and T.O

      187KA.5 remove: ACMA considerations have nothing to do with policing for terrorists

      187LA Should provide protection from abuse from government employees

      187M add: Section 187BA(a)(b),

      To clue you all in, Section 187AA is the meat of the 80 page bill that defines what is captured. Section 187BA(a)(b) defines, weakly, how the population will be protected from fraud, whilst the single word change in 187B.2A is the critical change required to protect people from harassment. 187G.2.d gives ISPs an out from complying with 187BA, which further weakens the public's protection, as previously mentioned.

      Also, if you are an ISP and the CAC says 'hey - collect this as well', the ISP must create a new project plan and submit it for approval, which can take an unknown time; then once approved the ISP has a limited time to comply or be fined. The insanity of the compliance process for ISPs is truly breathtaking.

      I feel sorry for my country and its people. I work in IT, I understand how people will be defrauded because I've seen it, and now I think it is inevitable that these cases will be more common. Our constitution says Australians are guaranteed 'responsible government', however I see this bill as a very

      --
      My ism, it's full of beliefs.
  2. Re:Lol by Anonymous Coward · Score: 4, Interesting

    No, you need to make 800GB of random web page requests. I suggest google searches for a list of 'interesting' keywords...