[AusNOG] Metadata retention... it's now (almost) a thing

Scott A. McIntyre scott at howyagoin.net
Thu Oct 30 15:51:19 EST 2014


Having been at the forefront of all of this in Europe, it's like waking 
up from a nightmare only to still be inside a nightmare to see this 
happening again.

Anyway, this is quite a salient point:


On 30 Oct 2014, at 15:40, Matt Perkins wrote:

> I would be interested to see paragraph 187A(4) of the act.  It seems 
> to indicate that
>
> This item will only apply to the service provider operating the 
> relevant service: So does that mean we need to know who chatted to who 
> on Facebook for example but Facebook is the service provider so they 
> would be the people that would need to get the info. Not the ISP. The 
> ISP could not be expected to break an encryption to get the info.
>
> So I'm thinking a lot of this will be "who is the service provider".  
> Is it Skype, is it Facebook, is it the guy providing the copper?
>

The way we interpreted this in Europe was NOT to include the 
copper/fibre/mobile access provider.  The access service provider 
provided just that.  Access.  RADIUS in most cases was the tangible data 
artefact.

For those providers who don't operate their own email infrastructure, 
there was no expectation that they'd have any role to play with email.  
Same for VoIP, same for chat, etc.

However, if the provider offered an SMTP service, then, yes, there was 
some level of expectation that the IP of the MUA, the time, the date, and 
the Envelope-FROM and SMTP-TO would be retained.  Things got fuzzy with 
BCC and it depended to a certain degree on the specific MTA a provider 
had.  If it generated the log entry as a matter of its standard course 
of operation, the expectation was that it would be retained for X 
months.

The expectation was NOT that $Provider.de would capture NetFlow or any 
other data, or attempt to deep packet inspect, or do anything other than 
retain the logs for the services which they *already had* -- if you 
don't operate that endpoint service, the thing on the other end of the 
TCP connection (for the most part) then you wouldn't be expected to have 
nor retain logs for Facebook, XMPP, Twitter or anything else.

Now, if you were a provider who thought it was a cunning plan to operate 
an in-line/invisible/transparent proxy, well, now you're just making 
things difficult on yourself.

At any rate, it was very much the eventual (when nerds talked to nerds) 
understanding that if you didn't deliver the actual application level 
service that had logs which contained the type of data mentioned in the 
legislation, you weren't expected to magic it up and retain it.

We live in quite depressing times...

Scott


