Slashdot Mirror


Australian ISPs Not Ready For Mandatory Data Retention (abc.net.au)

ferrisoxide.com writes: October 13 marks the day Australian ISPs are required by law to track all web site visits and emails of their users, but according to an article on the Australian Broadcasting Corporation's news site the majority of ISPs are not ready to begin mandatory data retention. The article's author, Will Ockenden, had previously released his own metadata to readers in an experiment to see how effectively this kind of data reveals personal habits of online users. The majority of Australians appear unconcerned with this level of scrutiny of their lives, given the minimal reaction to this and proposed tougher legislation designed to deal with the threats of crime and terrorism.

7 of 85 comments

  1. Really bad idea by fragMasterFlash · Score: 3, Interesting

    While I'm certain the politicos who came up with this idea had nothing but the best intentions in mind, they have in fact mandated sites keep a trove of data that will prove irresistible to blackhats. How many people will be blackmailed or have their lives turned upside down à la Ashley Madison over retained data that falls into nefarious hands before this ill-conceived plan meets its Waterloo?

    1. Re:Really bad idea by MrKaos · Score: 3, Interesting

      That being said the law does require the data to be 'encrypted',

      Not quite. Section 187BA.a specifies that the data is to be encrypted, then in the compliance section later 187F.2.a it lets the provider off the hook with the whole encryption mechanism if it can't get the system to operate with it.

      Encryption is optional in the context of this act and was one of the things I suggested amending to be mandatory, with the private key being held by the TIO. I did a detailed analysis of the legislation before it passed and, whilst I won't include the letters I wrote to the Senate, these are the sections of Part One I thought needed to be amended to protect the population from fraud. Slashdotters will probably get this immediately:

      Criticisms of specific sections in Part One:

      187AA.3A,3B remove because it introduces the possibility that any e-commerce business that is not a telecommunications provider can be forced to retain data and bear the cost of limiting their business throughput and capacity for expansion. For business this represents a rising linear cost that increases with additional customers.

      187B.2 Needs definition of who a CAC (Communications Access Controller) role answers to, which department, and limits to retention demands.

      187B.2A change 'may' to 'must'

      187B.3.c Remove. Additional requirements from the CAC impose incremental infrastructure and capacity restraints on business coupled with forcing them into I.P cost and approval cycles every time infrastructure upgrades are required as a result of demands from the CAC. The business is forced to write for approval for mandatory upgrades to meet retention requirements demanded by the CAC.

      187BA.a Specify a minimum standard for encryption of data. Government should mandate minimum encryption standards, revised regularly, to protect consumers from fraud, organised crime, identity theft, harassment and so on. The same standard should control access to the data from all parties.

      187BA.c add: allow encrypted access to the data by the entity or person that generated it.

      187E.2.b,c service providers must never be exempt from section 187BA when storing entity or personally generated data

      187F.2.a add: ensure adherence to encryption standards in 187BA; and

      187F.2.b add: whilst still complying with 187BA

      187F.2.f remove for the same reason as 187B.3.c

      187G.1 Law enforcement uses a secured access standard under 187BA.a to access the data

      187G.2.d change 'may' to 'must'

      187G 4,5 Define criteria for the ACMA's collection requirements

      187K.1.d add: not approve an exemption from 187BA

      187KA.4 define the ACMA's relation to policing here

      187KA.4.f add: input from the PC and T.O

      187KA.5 remove: ACMA considerations have nothing to do with policing for terrorists

      187LA Should provide protection from abuse from government employees

      187M add: Section 187BA(a)(b),

      To clue you all in, Section 187AA is the meat of the 80-page bill that defines what is captured. Section 187BA(a)(b) define, weakly, how the population will be protected from fraud, whilst the single-word change of 187B.2A is the critical change required to protect people from harassment. 187G.2.d gives ISPs an out for complying with 187BA, which further weakens the public's protection, as previously mentioned.

      Also, if you are an ISP and the CAC says 'hey - collect this as well', the ISP must create a new project plan and submit it for approval, which can take an unknown time; then once approved the ISP has a limited time to comply or be fined. The insanity of the compliance process for ISPs is truly breathtaking.

      I feel sorry for my country and its people. I work in IT, I understand how people will be defrauded because I've seen it, and now I think it is inevitable that these cases will be more common. Our constitution says Australians are guaranteed 'responsible government'; however, I see this bill as a very

      --
      My ism, it's full of beliefs.
  2. Unconcerned with this level of scrutiny? by DrNico · Score: 5, Informative

    I don't know that we Australians were "unconcerned with this level of scrutiny of their lives" so much as constantly distracted by horror at the continual appalling actions, stuff-ups and general inability to govern of the Abbott government. Given a few moments to think about things other than government officials chartering helicopters to go to party functions, rape and other abuses of asylum seekers in our care, blackmailing of the academic community to support legislation, an incompetent Minister for Defence amongst many other ministers, bashing of the Muslim community, awarding Prince Philip a knighthood, abuse of the Royal Commission system to go after political adversaries, attacks on the state broadcaster for not toeing the line, and on and on every week for 2 years, then perhaps we'd have had time to kick up a fuss about data retention. Now that Abbott has been kicked out by his own party we'll have a chance to have a proper think about data retention and what it means, though it's probably too late.

  3. Re:Tracking only the stupid people by sd4f · Score: 3

    This isn't even for monitoring. It's so that they have data to sift through after the fact, in other words, if you come to the attention of the police. Maybe at a later date they'll start to automate things and go through the metadata as it comes in, but at this stage, it's just requiring ISPs to store it for an extended period of time.

    Bottom line is, there's bipartisan support in parliament, so the public literally have no say on the issue.

  4. Re:Lol by Anonymous Coward · Score: 4, Interesting

    No, you need to make 800GB of random web page requests. I suggest google searches for a list of 'interesting' keywords...

  5. Disaster waiting to happen by Gumbercules!! · Score: 4, Insightful

    The biggest problem is shown in the ABC article in the summary. At this time, ISPs are starting to do it but in a grace period (until April 2017). 84% of ISPs are storing data in plain text, right now, because of the "costs" of encryption. 61% of ISPs have applied to be permanently exempt from encrypting this data. Just looking at this, you already know this shit is going to get stolen. You just know it. Some ISPs will certainly have this data directly accessible from their corporate LANs and some will even have it accessible from the internet. You know it without even needing to be told. Because this shit happens all the time. Many of these ISPs will not have done much to get ready and they'll have shoddily made, in-house systems that were made as quickly and cheaply as possible. So it's a certainty that this data is going to get stolen. And when that happens, who knows what information will be leaked that someone really didn't want leaked. It'll make Ashley Madison look trivial.

  6. Small ISP by jellomizer · Score: 3, Informative

    My real issue is globally the loss of the small ISP. Back in the dialup days, even outside major cities, we had access to dozens of ISPs; we could pick the big global names such as AOL, Prodigy and Compuserve. But we had access to a bunch of smaller ISPs who may have offered fewer services, but also were more affordable. 56.6k dial up for $8.50 a month was a good deal, or $20 for 100 Megabytes with no backout; there was also pricing like $25 for 50 hours. There were a lot of options and we could pick a style that was best for us. The ISP could offer these low prices (at the time) because they needed to cover the cost of a T1 line (about $1,000 a month) and x amount of landlines, usually between 8-24. They could run the ISP with a small business of 1 person. They were not responsible for what their users did, or what they viewed. Nor did they really care to try, as logging all such traffic would fill up expensive drive storage, which they often would rather keep for email and personal web hosting.

    Today ISPs also own the infrastructure and have increasing requirements, which makes them more expensive and gives a worse customer experience.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.