[LINK] Senate committee probes AGD's data retention activities

Craig Sanders cas at taz.net.au
Wed Nov 3 20:27:38 AEDT 2010 

On Mon, Nov 01, 2010 at 07:55:57PM +1000, rene wrote:
> That was largely about law enforcement panic about the need for ISPs
> to retain data else the end of the world would come, etc. Somewhere
> in Hansard back then there's a transcript of evidence by, IIRC, a
> woman from Ozemail(?) representing IIA, pointing out/explaining the
> difficulties and costs and privacy issues for their customers of
> storing "telecommunications data" for 12 months or whatever.

this mention of customer privacy issues and ozemail (who were one of
the first australian ISPs to be hacked for their customers' credit card
details) reminds me of something that seems to be being ignored in all
the (valuable and necessary) discussion of WHAT kind of data is to be
retained - and that is HOW the data is to be stored and protected.

massive data retention archives would be an attractive target for
spammers, scammers, and identity thieves. as well as plain old marketing
vermin. and spooks and industrial espionage agents. etc. etc.

what, if any, kind of access protection is being proposed for the data? 

are the ISPs just supposed to store it on disk somewhere, so that it's  
available when an appropriate request/warrant is submitted?

if ISPs are going to be required to store all this data, then they must
also be required to protect it - AND keep an audit log of every access.


which, of course, impacts on the "who's going to pay for all this?"
question. with the added fun of "who's going to be liable if there's
an unauthorised access?". also, what happens when several months worth
of data just vanish due to a server or disk dying - should the data
be backed up, and if so who's going to pay for the staff, equipment
and media to perform the backups? and is/will there be a documented
procedure for secure wiping & disposal of old servers and media?

since it seems to be fashionable demand these days, let's have a
cost/benefit analysis of all this data retention - what are the actual
benefits, *who* benefits, how much is it going to cost, and who pays for
it all?

craig

PS: there are also FOI implications - can an individual request a copy
of some/any/all data retained? *should* they be able to? what if the
data isn't really "theirs" (i.e. the usual "an IP address does not
identify a person" problem).

-- 
craig sanders <cas at taz.net.au>

More information about the Link mailing list