[AusNOG] From the AGD - Data Retention - Starts October 15 2015

Paul Brooks pbrooks-ausnog at layer10.com.au
Tue Jul 21 15:25:00 EST 2015


On 20/07/2015 2:32 AM, Paul Wilkins wrote:
> Am I the only one that spotted that this advice is not even internally consistent?
> For the intents and purposes of the act, there is no difference between email and
> usenet. Either both qualify for logging or both don't. It's early days, but already
> the legislation is coming unstitched. Happy days...

For their purpose, email and usenet are very very different. You need to think of the
service from a user experience/user purpose view, not the technical aspects. Sure,
they are both transported as messages, but that's only material for working out how to
retain, not whether or not data needs to be retained in the first place.

Usenet is more like broadcasting (which is exempt) - it's one-to-many, publicly
available, and the AGD can get their hands on usenet feed messages - metadata AND
content - without having to get an ISP to do data-retention on it. They may also be
thinking of 'usenet' as being a receive-only news service (sort of like subscribing to an
RSS feed), and they may not have considered that a user might also post usenet
messages out.

Email is one-to-one(-ish), there is no record of sending or receiving outside the
originating and terminating ISPs, so they need ISPs to retain data about the email
messages to be able to construct a trail of comms.

Also, related to EMAIL (SMTP, POP3, IMAP, etc) - a strict interpretation of the data
retention requirements differs from the AGD description you have been given.

The CAC seems to think the email message headers (excluding subject line) are required
to be kept - this indicates they are thinking of the 'From:, To:, CC:' etc headers
that are displayed by email client programs.
However, for the SMTP protocol, all the email message headers (From:, To:, CC:, Subject:)
are contained within the DATA block, between the DATA directive and a line containing
a '.'.
Arguably to comply with the data retention requirements, your email server should be
logging the SMTP commands (HELO/EHLO, MAIL FROM:, RCPT TO:, and the far end response
lines), and NOT the email content within the DATA block, which is clearly content as
far as SMTP is concerned.

It might all come down to how you have described your service definition. Are you
providing 'email service', or are you providing 'SMTP, POP3, and IMAP service'? It
also comes down to what your server software can log - can it log the SMTP commands
and response lines? Can it log the message header information within the DATA block?



>
> Paul Wilkins
>
> On 19 July 2015 at 18:00, Noel Butler <noel.butler at ausics.net
> <mailto:noel.butler at ausics.net>> wrote:
>
>     wow missed so much in my absence, there are way too many posts to catch up on and
>     no doubt the fanbois/fangirls will all be scrambling to dispute what I said
>     (like I'm sure the usual suspects will at this post as well), so I won't bother
>     catching up on all of em.
>
>     This is from the C.A.C. it does clarify that what the AGD told me earlier is
>     incorrect as far as the usenet server goes, but the hosting statements remain valid
>
>      
>
>     /Data retention obligations apply only to ‘relevant services’. A service is a
>     ‘relevant service’ if:/
>     /(a) It is a service for carrying communications, or enabling communications to
>     be carried,/
>     /(b) It is a service operated by a carrier, carriage service provider or
>     internet service provider, and/
>     /(c) The person operating the service owns or operates, in Australia,
>     infrastructure that enables the provision of any of its relevant services./
>
>     /Based on the information you have provided, including the knowledge that you
>     offer an email service, it is likely that you are a CSP. The definition of a
>     carriage service provider (CSP) is contained within s87 of the
>     Telecommunications Act 1979. Carriage services include services for carrying
>     communications, for example telephone services, email services, Internet access
>     services and Voice over Internet Protocol (VoIP) services./
>
>     /The services that you have mentioned in your email, being the Usenet news
>     server and the email server, are to be considered as two separate services for
>     the purpose of data retention./
>
>     /The email server you have described will likely be captured by data retention
>     obligations unless an exemption is sought and agreed to. In applying the data
>     set to an e-mail service, data retention obligations will include all
>     information contained in the ‘header’ of the email, excluding the subject line.
>     No content is to be retained for data retention purposes./
>
>     /Based on the information you have provided, we consider that UseNet does not
>     appear to be a ‘relevant service’. If the service is not considered a relevant
>     service then no data retention obligations will be applicable./
>
>      
>
>      
>
>     The Dept of Comms has confirmed that as a hosting provider we are classified as
>     a CSP.
>
>     So after that, if you, or anyone expects me to take the word of a bunch of
>     mailing list "bush lawyers" over the CAC, you're all clearly on some kinda weird
>     and wonderful drugs, and no amount of "bush lawyer" ignorance will change that
>
>      
>
>     Don't think for a moment I'm a proponent of this law - I'm far from it, but it's
>     a reality, so time to get your heads out of your arses and live with it, rather
>     than trying to find far flung reaches of piss poor excuses as to how you're not
>     going to have to comply, ignorance won't save you, or your employers.
>
>      
>
>     Enjoy your weekend
>
>      
>
>     On 16/06/2015 13:07, Justin Clacherty wrote:
>
>>     No Noel, I think you've misinterpreted the AGD's response.
>>
>>     You are only obligated to retain data if you fall under 187A 3(b) of the Act.
>>     That is, you are a carriage service provider, or an ISP. The Minister can add
>>     other providers to be ratified within 40 days by Parliament, but this has not
>>     yet occurred.
>>
>>     If you do fall under 187A 3(b) of the Act, then you have to retain data for all
>>     services you offer, this would include web hosting and email.
>>
>>     If you only offer web hosting, you are not an ISP and do not have data
>>     retention obligations.
>>
>>     Justin.
>>
>
>     _______________________________________________
>     AusNOG mailing list
>     AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>     http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
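
Added example (not part of the original thread): a sketch of the split described in the reply above, separating the SMTP dialogue outside the DATA block from the headers inside it, with the Subject header and the body dropped. The `C:`/`S:` transcript format, the sample session and the function name are assumptions made for illustration.

```python
# Constructed sample session (not from the thread). "C:" = client, "S:" = server.
SAMPLE = """\
S: 220 mx.example.net ESMTP
C: EHLO client.example.org
S: 250 mx.example.net
C: MAIL FROM:<alice@example.org>
S: 250 OK
C: RCPT TO:<bob@example.net>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: Alice <alice@example.org>
C: To: Bob <bob@example.net>
C: Subject: quarterly figures
C:  (draft)
C:
C: Body text that must not be retained.
C: ..a dot-stuffed body line
C: .
S: 250 Queued
""".splitlines()

def split_session(lines):
    """Return (envelope, headers): dialogue outside DATA, DATA headers minus Subject."""
    envelope, headers = [], []
    in_data = in_headers = keep = False
    for line in lines:
        side, text = line[0], line[3:]
        if not in_data:
            envelope.append(line)            # commands and far-end responses
            if side == "S" and text.startswith("354"):
                in_data = in_headers = True  # server go-ahead: DATA block starts
            continue
        if text == ".":                      # lone dot ends the DATA block;
            in_data = False                  # dot-stuffed lines ("..x") never match
            continue
        if in_headers:
            if text == "":
                in_headers = False           # blank line: body (content) follows
            elif text[0] in " \t":
                if keep:
                    headers[-1] += text      # folded continuation of a kept header
            else:
                keep = not text.lower().startswith("subject:")
                if keep:
                    headers.append(text)
    return envelope, headers                 # body lines are never stored
```

The first return value corresponds to the strict SMTP reading (commands and responses only); the second adds what the CAC wording asks for, the in-DATA headers without the subject line, including its folded continuation.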
