[LINK] ozlog, there's more

Kim Holburn kim at holburn.net
Thu Jun 17 13:05:06 AEST 2010


From Slashdot.

> the Attorney-General's Department did not rule out logs of URLs  
> being retained.
>


http://www.zdnet.com.au/inside-australia-s-data-retention-proposal-339303862.htm

> Inside Australia's data retention proposal By Ben Grubb,  
> ZDNet.com.au on June 16th, 2010 (21 hours ago)

> Telecommunications industry sources have called the claims by  
> Attorney-General media relations that web browsing history would not  
> be recorded in a controversial data retention proposal "a bit cute"  
> and a question of terminology and semantics.
>
> ZDNet Australia broke the news on Friday that the Federal Government  
> Attorney-General's Department was considering how it could best  
> implement a data retention regime in Australia.
>
> "The Attorney-General's Department has been looking at the European  
> directive on data retention, to consider whether such a regime is  
> appropriate within Australia's law enforcement and security  
> context," the Attorney-General's Department had said. "It has  
> consulted broadly with the telecommunications industry."
>
> Data retention requires telecommunications providers, including  
> internet service providers (ISPs), to log and retain certain  
> information on subscribers for local enforcement agencies to access  
> when they require it.
>
> The regime sees certain data logged before any suspect is
> identified, meaning that every internet user's online activities are
> logged by default.
>
> Europe has one
>
> Such a system currently exists in Europe, and has been adopted by
> select states. The call for the European directive on data retention  
> came after the 2004 Madrid train bombings in Spain.
>

...

> Importantly, the EU directive requires ISPs to retain data necessary  
> to trace and identify the source, destination, date, type, time and  
> duration of communications — and even what communication equipment  
> is being used by customers and the location of mobile transmissions.
>
> For telephone conversations, this means the number from which calls  
> are placed and the number that received the call, the owner of the  
> telephone service and similar data such as the time and date of a  
> call's commencement and completion.
>
> For mobile phone numbers, geographic location data is also included.  
> The data is retained for periods of not less than six months and not  
> more than two years from the date of the communication.
>
....

> The proposed Australian regime
>
> The information that the Australian system, if implemented, would
> get ISPs to log and retain is yet to be set in stone by the Attorney- 
> General's Department. ZDNet Australia reported various ISP sources'  
> claims that it could extend as far as each individual web page an  
> internet user had visited. This was echoed by an industry source  
> that was quoted in the Sydney Morning Herald newspaper on Saturday.
>
> Attorney-General Robert McClelland's media advisor on Monday denied  
> "web browser history" would be logged. "This is not about web   
> browser history," said McClelland's media liaison Adam Siddique.  
> "It's purely about being able to identify and verify identities  
> online," he added, linking the initiative to the ability for law  
> enforcement to track criminals online.
>
> Yesterday, the Attorney-General's Department said that the  
> Australian Government was "still considering and consulting on this  
> subject and as such it would be inappropriate to comment at this  
> stage", and did not rule out logs of URLs being retained.
>

> Industry sources remain adamant that draft documents they have been  
> given show the proposal could stretch as far as web browsing  
> history, and argue the government was denying it would require ISPs  
> to log "web browsing history" in the media as a way of quashing  
> privacy fears.
>
> "The major problem here, and as it was explained, [is] that all  
> information in the handouts [suggested] that any information which  
> is logged must be retained," said an industry source close to the  
> consultations with the Attorney-General's Department. "Therefore  
> any ... proxy logs would fall under this category."
>
> A "proxy" is often used by ISPs to cache internet traffic to save on  
> bandwidth. Proxy logs are relevant because they record each  
> individual URL an internet user visits. The source said that if the  
> logs were turned on and the Australian proposal, as explained and  
> shown in draft documents to the source, was implemented, ISPs would  
> need to retain the data contained in the logs.
>
> "This becomes even more of a problem should a [mandatory internet  
> filter] system be put in place as it is capable of logging all  
> users' normal HTTP activity," the source said, pointing to the  
> Federal Government's proposed mandatory internet filter that intends  
> to block access to refused classification material. "Providers may  
> be able to turn off the log feature; however, if they do not — or  
> require this user data for other billing or service requirements —  
> then they will be required to retain the data under the proposal as  
> explained," the source said. "So to say URL history will not be  
> retained is not accurate."
>
> Another industry source told ZDNet Australia it was "a little bit  
> cute" for the Attorney-General's media advisor to say that the  
> Federal Government wasn't looking at a proposal to require ISPs  
> retain "web browsing history".
>
> "I think they're being a little bit cute when they say they want the  
> source and the destination IP addresses for internet sessions  
> [while] saying 'we're not really asking for web browsing history',"  
> the source said.
>
> "Now sure, if you go into Internet Explorer you can go into internet  
> options and you can get your 'history', but you know, carriers don't  
> really use URLs, they use IP addresses, and it's the IP address that  
> translates to a URL and vice versa. They're one and the same."
>
> There was more material in a data set the Attorney-General's  
> Department gave telecommunications companies that the source found  
> a "bit frightening". "They want allied personal information with
> that account, including, [the department] said, passport numbers."
>
> "Why the hell an ISP would ask anybody for a passport number is  
> beyond me," the source said. "And I am not aware of any telephony   
> requirements that ask for passport details.
>
> "So they're asking for all details of the customer that we would  
> hold on record, which includes anything, like multiple email  
> addresses."
>
....

> The notes also showed the Attorney-General's Department pointing out  
> that the law enforcement agencies were asking for data to be  
> retained for five or 10 years. According to the notes, the industry  
> was told it "should be grateful" that the government was only going  
> to require a retention period of two years "at this stage".
>
> As for who would wear costs for logging and retaining data, it  
> appeared clear from the notes that industry would. "Industry must  
> wear the cost of capturing and storing the data," the notes said.  
> "Agencies who make requests for data will pay the incremental cost  
> of answering those requests only".
>

....

> Asked to clarify whether the Attorney-General's Department expected  
> a telecommunications provider to perform deep packet inspection  
> (DPI) to collect all the data that is in the proposed data set —  
> which includes email addresses of sender and recipient, session  
> initiation protocol identifiers and instant message screen names —  
> or whether those only applied to the actual providers of email  
> services, Voice over IP (VoIP) services and instant messenger  
> services, the department's response, according to the notes, was to  
> the effect of "if you don't like the data set you'll be able to ask  
> for an exemption from the parts you don't like".
>

....

> "[They're] asking us to retain data for law enforcement purposes  
> that, under existing privacy laws, we would be breaking the law if  
> we retained for any longer than for operational purposes," the  
> source said.

....

> Details of how many requests the Australian Federal Police (AFP)
> made for telecommunications data — without interception warrants —
> between 2008-2009 were also revealed at the briefing.
>
> The AFP, according to the meeting notes, made more than 16,000  
> requests to over 50 telecommunications companies for data during  
> that period. According to the note, the AFP told the briefing that  
> it wanted to automate the process of requesting and obtaining access  
> to telecommunications data.
>

-- 
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request












