Protecting your privacy: iiNet’s stand against mandatory data retention

The Matrix

By on August 6, 2014 at 12:18 pm

Today, Australian Prime Minister Tony Abbott announced that the Government will be pushing ahead with new legislation forcing ISPs to retain data on ALL of their customers browsing activities, without the need for a warrant. (More coverage here, here.)

iiNet has publicly come out against this policy before and still strongly opposes it now. In this guest post below, our CRO Steve Dalby explains why such a scheme is unworkable and why so-called “just metadata” can actually be used to build an incredibly accurate picture of someone’s life.


One of the features of the iiNet Copyright Trial was our strong stand against monitoring our customers. The Hollywood Studios believed we should data-match information provided by third parties who were monitoring our customers, and then send warning notices to alleged copyright infringers, all without lawful warrants, and we said no. The High Court agreed with us.

In iiNet’s view, we should not be forced to collect, store or match personal information on behalf of third parties – our only obligation is to retain the information necessary to provide, maintain and bill for services. iiNet does not keep any web browsing history or download records, for example.

Attorney General George Brandis said the government is now actively considering a data retention regime that could impact on anyone who uses the Internet in this country.

What exactly is proposed?

We don’t know for sure; the Attorney-General’s Department and various law enforcement agencies has floated at least three different suggestions over the past few years, including:

  1. Limited, routine metadata that carriers normally collect for phone billing purposes.
  2. A middle ground that indicates metadata on all communications, but with the metadata processed to remove the content.
  3. A documented specification from government that details every bit of metadata generated by phone or online communications.

We’re confused by the contradictory comments and I expect that our policy makers are, too. We have a formal briefing paper from the Attorney General’s department (provided to us in March 2010) which we will focus on rather than media reports and ad hoc comments.

Law enforcement agencies (like ASIO and Federal and State Police) are proposing private companies, like iiNet, should keep ongoing and very detailed records of customers’ telephone and online activity. We’re not talking targeted surveillance of individuals suspected of a crime, we’re talking about the wholesale collection and storage of data on your online, digital and telephone activity. These records are euphemistically labelled ‘metadata’ – and could include the unfiltered records of your browsing, updates, movements and phone calls, which can be readily matched to the identities in your customer account.

We don’t think this ‘police state’ approach is a good idea, so we’re fighting moves by the Australian Government to introduce legislation that would force us to collect and store your personal information.

At the end of this month, iiNet will front a Senate Committee reviewing telecommunications laws concerning interception and access to communications data or metadata, which could include introducing mandatory surveillance and data retention on the communications activities of the entire Australian population. Our statement to the Committee is summarised, in part below.

Metadata: what is it?

Metadata is information generated as you use technology. It’s generated by your computer, tablet, phone, games console, smart-watch, some cars and even digital photo frames. The telecommunications data collected often contains personal and content-specific details, as well as transactional information about the user, the device and activities taking place, including:

  • The content of posts
  • The content associated with web pages
  • The people and organisations you associate with
  • Your Internet activity, including pages you visit and when
  • User data and possibly user login details with auto-fill features
  • Your IP address and Internet Service Provider (like iiNet)
  • Device hardware details, operating system and browser version
  • Cookies and cached data from websites
  • Date and time you called somebody
  • Locations – like where you last accessed your email, browsed the net or made a call.

But it doesn’t contain any content does it?

People who should really know better have repeated that furphy. When we use freely available tools to check the embedded data about communications like Twitter, Facebook and websites, we see that the ‘metadata’ does include content, and lots of it.

Should I really be worried?

The data collected can be incredibly sensitive – it can reveal who your friends are, where you go and what websites you visit. Indeed, it may even tell more than the content of a phone call or an email. Recent research from Stanford University showed that when analysed this data may create a revealing profile of a person’s life including medical conditions, political and religious views, friends and associations.

Police say “If you have nothing to hide, then you shouldn’t be worried”. Personally I think that if you follow that dubious logic, we’d all be walking around naked. It’s not about being worried, or wanting to ‘hide’ anything. It’s about the right to decide what you keep private and what you allow to be shared. YOU should be the one to make that call, and that decision should stick until a warrant or something similar is issued to law enforcement agencies to seize your information.

Not convinced? Then we suggest you check out the startling website based on information collected on German politician Malte Spitz by Deutsche Telekom over just six months. Zeit Online combined this geo-location data with information relating to his life as a politician, such as Twitter feeds, blog entries and websites, all of which is all freely available on the Internet. It’s really worth a look and illustrates just how informative and personally invasive metadata can be – it is truly scary stuff.

Experts in the US have some equally frightening things to say about metadata. According to NSA General Counsel Stewart Baker, “…metadata absolutely tells you everything about somebody’s life.” General Michael Hayden, former director of the NSA and the CIA, called Baker’s comment “absolutely correct,” and frighteningly asserted, “We kill people based on metadata.”

If it helps catch crooks, what’s the problem?

Australia already has systems in place to help catch crooks. The Telecommunications (Interception and Access) Act specifies the circumstances in which interception of customer communications is lawful and when it is permitted for telecommunications companies to disclose communications data.

The focus of this data retention proposal is not crooks; it’s the 23 million law-abiding men, women and children that will go about their daily lives without ever bothering law enforcement. Those 23 million customers include my 93-year-old mum and my 12-year-old niece. We don’t believe that is either necessary or proportionate for law enforcement.

We’ve seen no evidence that justifies surveilling inoffensive customers on the chance that, two years later, some evidence might help an investigation. It’s the equivalent of collecting and storing every single haystack in the country, indexing and filing all the straws, keeping them safe for two years, just in case there’s a needle, somewhere. We don’t know if there’s a needle, but there might be.

I say forget spying on my mother and niece and get on with chasing the crooks.

What will this all cost?

It is hard to measure exactly what this will all cost, but we expect that collecting and keeping every customer’s ‘metadata’ would require the construction of many new data centres, each storing petabytes (that’s 1 billion megabytes!) of information at a cost of tens or hundreds of millions of dollars. There is no suggestion that the government would pay these costs, so our customers will be expected to pick up these costs in the form of a new surveillance tax.

If they need someone to process the full set of metadata down to metadata-minus-content, then there is a significant cost to process the collected metadata and redact it. (Imagine a lot of people with thick black markers, blotting out the content – just like the government does with some Freedom-of-Information requests).

The Government must also consider the privacy implications if Internet providers are to be compelled to collect data on Australians. The vast amount of data stored would prove to be an appealing target for hackers all around the world – creating a risk of information and identity theft in the event that storage of the data is breached.

It’s not right. It’s not Australian, we don’t support it.

You should also read:

This post originally appeared on the iiNet blog.

Tags: ,
65 comments (Leave your own)
Nasty Wet Smear

*Long, weary sigh* Okkkkkkkay. So, when is all this meant to take effect?

 

They’ll need to get the legislation through parliament first, is my understanding. That may or may not happen.

 

How is that even legal? No more privacy I take it?

Are there programs out there that block meta data collection? If not, we should write one.

 

Abbott is really trying hard not to be elected next election.

Privacy really is a thing of the past.

Tim Colwill,

It will pass legislation, Abbott has strong armed scenarios like this before. Just look at the threats he made when the budget dropped, if they didn’t agree he would call early elections.

 

Actually my question is what can we do to back iiNet up? I’ve already shared the original blog on Facebook urging people to spread it.

 
Artful-dodgeR

Well written, scary times we live in.

 

kinkykel,

My first thought exactly.

 

Most stupid thing I’ve read all day, and I did LFR this morning.

 

subw00fer,

Hahahaha

 

I’m with vcatkiller. What can we do to help?

 

I’ve been following this in the news so I’m not as surprised as some others, but that doesn’t make this situation any better.

Part of the legislation should be that if this goes though, all the metadata of all the politicians (and their family) should be publicly available. Just to make sure they are doing the right thing. :)

 

I saw this posted just seconds before yours Tim, mentions iiNet so I guess posting it here isn’t a bad idea.

http://www.zdnet.com/au/abbott-says-australians-web-browsing-history-to-be-retained-7000032356/

Speaking to the Today Show this morning, Abbott confirmed an expansion of data retained indicating that browsing history would be required to be retained by the telecommunications companies.

“Let’s be clear about what this so-called metadata is. It’s not the content of the letter, it’s what is on the envelope,” he said.

“It’s not what you’re doing on the internet, it’s the sites you’re visiting. It’s not the content, it’s just where you’ve been, so to speak. We’re talking to the internet providers to ensure this so-called metadata is kept.”

Abbott went further on ABC’s AM program, stating that any data generated by the telcos about their customers would be kept.

“My understanding is that if it is generated by you, it is content, and that won’t be kept. If it is generated by the service providers, that’s metadata, and it will be kept,” he said.

Promising so far

Abbott rejected claims that the scheme would cost iiNet up to AU$100 million in the first two years to implement, stating it was something the company already had factored in to pricing.

“I don’t know why they would be saying that because this is information that is already kept,” he said.

“It’s embedded in the current price, it’s already factored into current pricing structures.”

Abbott showing how up to the times he is, and that he understands all those techo-gadgets.

 

I will be the first to say I am a Liberal supporter….but when I heard this policy all I could was “What are they doing?”. Even if you put aside the ethics of the situations, it stupid to think you could store all the ‘metadata’ of everything for 2 years…..either its going to cost the government a fortune, or it going to cost the ISPs (and hence customers). And for what? So that one day maybe that information could potentially be used to help solve a crime? The cost for the worth just isn’t there. Put that with the moral and ethical issues and it just doesn’t make sense.

I’m sure the American government used the same threat of “we need to record everyone because terrorists” and it really hasn’t helped more then the rest of their procedures, it just given them more data on their own citizens.

 

It’s legal only if consent is given, but at no point is it lawful.

 

The Universal Declaration of Human Rights

http://www.un.org/en/documents/udhr/

Article 12
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

And just to top it off the other two articles.

Article 18
Article 19

 

can VPN help this?

 
Nasty Wet Smear

tit:
can VPN help this?

I’m sure the government will be much happier and safer when we’re all driven to Onion net, where you can order a home delivery of hookers, hit men AND cocaine all in total privacy once you’ve waded, knee deep, through the criminal pornographic networks! :D

Safe!

 

Police say “If you have nothing to hide, then you shouldn’t be worried”.

I say “If I have nothing to hide, you shouldn’t be watching me in the first place. Go watch someone else who is hiding stuff”.

 

tit:
can VPN help this?

Yes it’ll bypass it completely. That is unless the ISP\Government does a man in the middle attack, otherwise all they will see is encrypted traffic. They will be able to tell where you’re connecting (the vpn host) and how long you stay connected and amount of traffic you use. But in theory they won’t be able to decrypt it.

Im unsure on the exact nature of the system they’ll put in place but i assume it’d be some sort of web\email\”Common Traffic” parser that then put’s it into a database for each user\IP address. To my understanding it’d have to be unencrypted traffic.

This system will be 100% useless for active criminals with a modicum of intelligence.

 

Will iiNet see it as an issue if the data being demanded to be retained is the same as currently being retained by the ISP?

How long does iiNet currently retain this data?

 
Leave a comment

You can use the following bbCode
[i], [b], [img], [quote], [url href="http://www.google.com/"]Google[/url]

Leave a Reply

PC Gaming Calendar 2014

Follow Games.on.net

YouTube

Steam Group

Upcoming Games

Community Soapbox

Recent Features
Heroes of the Storm

Heroes of the Storm: We talk to Blizzard about new heroes, rage quitting, and why they want you to spend money on Stimpacks

What's up with Stimpacks? And how about those Goblin Techies spotted in the game files? We ask Blizzard for details.

the crew-580w-4

The Crew: A gorgeous open world, if you can handle the interruptions

Alex drives across the United States and back to bring you his thoughts.

Game of the Year 2014

Win a PS4 in our Game of the Year 2014 Competition!

Think you know who should take home the crown? Share your thoughts and win!

Streaming Radio
Radio Streams are restricted to iiNet group customers.

GreenManGaming MREC

Facebook Like Box