[LINK] Brandis rushes to release telco metadata for civil proceedings

Frank O'Connor francisoconnor3 at bigpond.com
Fri Dec 23 10:34:35 AEDT 2016


G’day Christian,

> On 23 Dec 2016, at 9:39 am, Christian Heinrich <christian.heinrich at cmlh.id.au> wrote:
> 
> Frank,
> 
> On Thu, Dec 22, 2016 at 4:58 PM, Frank O'Connor
> <francisoconnor3 at bigpond.com> wrote:
>> Don’t know about that. Prior to 2014, and even early last year, VPN’s and other security
>> software had pretty average front ends and GUI’s, were fairly technical to set up,
>> impacted heavily on network performance (both in throughput and latency), were
>> relatively expensive ($10-$20 per month), and didn’t offer access to the complete
>> range of protocols that the current ones do automatically.
> 
> These service providers will either consent to the order or close
> down, such as https://lavabit.com/ due to their low cost.

What happens to which provider depends on their patronage, business model, server location(s) and the laws governing same. Lavabit was basically just an e-mail provider, and the keys remained consistent across sessions, so it was much more vulnerable than a service that spontaneously allocated new randomised keys as part of the socket connection process. Finally, Lavabit was geographically bound to one nation state (the US) and relied on the American Constitution for protection, whereas most VPN suppliers have 30 or 40 servers distributed around the world under different jurisdictions that can be used spontaneously and by choice (when initiating the connection) by the user.

(Note: As we’ve seen time and time again, when it comes down to it the American Constitution more often than not is more a statement of good intent that the US Supreme Court feels free to interpret based on the political and other prejudices of the current members of same, than something the average American can rely on to enforce and protect their Rights. That said, time and again, somewhere down the track the US Supreme Court usually revises the more biased/egregious decisions on the provisions of the Constitution to restore the Rights they took away. Doesn’t help those who got nailed in the first place … e.g. the Nisei Japanese, various minority groups, various electorates etc. … but does rectify the situation for those who follow)

Anyway, equating Lavabit with the situation of VPN providers - especially now … is a bit of a chalk and cheese exercise.
> 
> On Thu, Dec 22, 2016 at 4:58 PM, Frank O'Connor
> <francisoconnor3 at bigpond.com> wrote:
>> With VPN and proxy services the user has no idea what the key is. That is simply
>> allocated by the server on a per-session basis … at the time of establishing the tunnelled
>> (and heavily encrypted) connection/socket.
> 
> What about the passphrase or 2FA token to the VPN?

The passphrase does not equate to the session keys, and the session keys determine what algorithm and variables will be applied when applying the socket’s encryption.

> 
> On Thu, Dec 22, 2016 at 4:58 PM, Frank O'Connor
> <francisoconnor3 at bigpond.com> wrote:
>> And data should only be available from the originators of same (the telcos), and only be
>> available under warrant, subpoena or other court supervised order.
> 
> I haven't read anything that states this will change?

I haven’t read anything that says it will apply (i.e. the telcos providing the information directly to litigating third parties).

Read the Consultation Paper. The government is specifically saying that they want to investigate releasing the data THEY RECEIVE from the Telco to third parties in support of civil actions. They make no mention of a court order being received before the data will be released BY THE GOVERNMENT. (Given that we are not talking the Telco providing the information to a third party, they additionally make no mention of how they are going to validate and provenance the data for evidentiary purposes, how they are going to identify the data for evidentiary purposes, and how they are going to provide even basic evidentiary substance to the metadata without running into issues of evidentiary substantiation.)
> 
> On Thu, Dec 22, 2016 at 4:58 PM, Frank O'Connor
> <francisoconnor3 at bigpond.com> wrote:
>> The government should not become involved in civil litigation between independent third
>> parties. The moment it does so it falls down on the side of one party or the other. And the
>> moment it does that it contravenes so many provisions in the Judiciary Act, so many
>> Rules of Evidence, and so many simple rules of fair play and procedure established for
>> good reason through thousands of years of history - that it becomes a bad government.
> 
> This isn't changing as the court registrar and magistrate will only
> allow subpoenas for metadata for very specific periods in order to be
> allowed into evidence.
> 
Read the Consultation Paper.

> You may also want to reference in your submission
> http://www.smh.com.au/digital-life/digital-life-news/me-and-my-metadata-how-i-beat-telstra-after-my-22month-legal-battle-20150504-1mz91c.html
> which significantly expanded the amount of information that Telstra
> have to retain and disclose to the government now.

All I did with my feedback was reference the security agency implications of pursuing this ‘relaxation of the rules’ that the government is proposing.

Others can pursue other objections at their leisure … well, as much leisure as they can in the two weeks the government is allowing for feedback.

Just my 2 cents worth ...