[LINK] Senate committee probes AGD's data retention activities

Rick Welykochy rick at praxis.com.au
Mon Nov 1 21:33:37 AEDT 2010

Stilgherrian wrote:

> On 01/11/2010, at 7:11 PM, Kim Holburn wrote:
>> On 2010/Nov/01, at 6:00 PM, Rick Welykochy wrote:
>>> I wonder what the EU is retaining these days?
>> I think only a few countries do this.
> http://en.wikipedia.org/wiki/Telecommunications_data_retention#European_Union

Good read. My summary pertaining to some of the points raised this evening
in the Australian context. Hey, shouldn't the AGD be doing this?

The EU data retention directive is implemented piecemeal by each nation
state. And mostly not at all.

uk: voluntary retention recommendations
     interesting: username authentication (not password) is retained
     web access: hostname only, no private URL data ** retain for 4 days only **

de: ** the law was rescinded ** in 2010 due to privacy violations

it: ISPs must maintain "current data" for ** 6 months **
     interesting: only current ISP data retained, the law has no provisions
     for what the ISP must retain

dk: internet (TCP/IP) sending IP,port,protocol and receiving IP,port are retained
     (dunno how they determine the protocol sans deep packet inspection!)
     if retention is not feasible en masse, every 500th "package" is retained

The AFP or AGD can hardly maintain that the "EU has already implemented
data retention" given the above. Only Denmark (dk) has implemented anything
approaching what is being proposed for Australia, and then only at a sampling
level (500th "package") when the amount of data is overwhelming.

This last point raises an interesting question. A TCP/IP connection consists
of a stream of packets. Is the ATG proposing to log just the instance of a
stream being initiated and subsequently dropped (a matter of a few dozen bytes
of logging information) or are they interested in logging the entire "package"
in the language of the Danes? In the latter case, a 1 GB download would
require many MBs of log information to be retained. And to what purpose?

I would like to point out that the data retention law was rescinded in
Germany (de) for constitutional reasons. Has any law *EVER* suffered a similar
fate in Australia? How strong is our constitution in protecting its
citizens from "unconstitutional" legislation?

To conclude, an interesting quote from the above article, regarding the
common use of dynamic IP addresses, assigned at random over time in many
instances to incoming connections at an ISP:

   "In calculation: if 1 million users at an ISP connected and disconnected
    every minute and did this 24/7 an ISP would need 11 terabytes of storage,
    for 365 days of retention, if they sign a 4 byte field for logon/logoff
    time, a 4 byte field for customer number and a 4 byte field for IP address used."

The 11 TB of storage in the quote is just the information required to be
stored for linking a connection to a specific user. The amount of storage
for actually *LOGGING* what each connection gets up to would be many times
that amount.


Rick Welykochy || Praxis Services

When choosing between two evils, I always like to take the one I haven't tried before.
      -- Mae West
