[AusNOG] Warrant-less Info Requests / Cost Recovery

Mark Cheeseman mark-lists at cheeseman.org
Wed Mar 18 16:43:25 EST 2015


...which is an important and not insignificant step.

Having previously worked in government answering these sorts of requests 
(not related to this current scenario but involving sensitive data, in 
that case data relating to children) it took a lot of work, planning and 
many people's time to answer not only the question of the applicant but 
also the questions of "are they entitled to receive those data (which is 
different from being entitled to ask for it), and for what purpose can 
they use that data?" Many of those requests came from other departments 
in various levels of government. The processes we implemented weren't 
cheap; neither were they speedy. Lots of legislation involved; lots of 
lawyers; time and money involved.

And in the meantime, everybody had to do their day job. Just like the 
ISPs (carriage service providers - whatever the legal term is these 
days) have to do.

-Mark

On 18/03/2015 3:44 PM, Mark ZZZ Smith wrote:
> You forgot a step. 2, verify the requester has the right to ask for 
> what they're asking for, to catch both errors and overreach.
>
> In fact, as you're unlikely to be a lawyer, it'd other be best to pass 
> all the requests through a lawyer, or get a lawyer to define a strict 
> set of common request definitions and who can ask for them, and then 
> punt every non-matching request to your lawyer.
>
> ------------------------------------------------------------------------
> *From:* James Hodgkinson <yaleman at ricetek.net>
> *To:* ausnog at lists.ausnog.net
> *Sent:* Wednesday, 18 March 2015, 15:24
> *Subject:* Re: [AusNOG] Warrant-less Info Requests / Cost Recovery
>
> It WILL take much more than 60 seconds to:
>
>   * verify the requestor’s identity,
>   * the parameters of the request,
>   * do the lookup,
>   * format it appropriately
>   * send it
>   * generate the bill
>   * manage payment receipt, when it inevitably goes wrong
>
> … should I go on?
> This doesn’t include the sunk costs of the infrastructure to host it 
> on, and recovering that cost.
> Is there mention of penalties for when your $system goes bye bye 
> (fire/flood/hacker/MTBF of hdd’s) and you can’t respond?
> James
>
> On 18 March 2015 at 2:17:21 pm, Paul Brooks 
> (pbrooks-ausnog at layer10.com.au) wrote:
> They'll tell you you're dreaming.
>
> counter-view...
>
> Remembering that Telstra recently announced they'll charge $25 to 
> process a simple request - the same amount they charge a LEO.
>
> If you've built even a dodgy lookup system, should it really take more 
> than 60 seconds to type in an IP address, a start date/time, an end 
> date/time, and have the lookup system (that the Gov will help 
> contribute to your reasonable costs to build *cough*) decrypt the 
> RADIUS database for the time window, and extract a dump of records for 
> that IP address?
>
> If you think you'll be able to charge $500 - $1000, you'd better be 
> prepared to explain to the CAC why you have to have a live person 
> ruffling through a set of filing-cabinet of printed-out A4 sheets of 
> paper with your records printed on them. They might be the Gov't, but 
> even they know we have computers to do this sort of database lookup 
> these days.
>
>
> On 18/03/2015 1:27 PM, Andrew Yager wrote:
>> Hi Terry,
>>
>> We are taking the view that this is an exercise that is equivalent of 
>> up to 2 hours technical services, and given the costs of verifying 
>> and ensuring compliance, our standard cost for a request will be $500 
>> per request.
>>
>> For greater time periods (e.g. reporting on two years), our charging 
>> rate will extend to $15 000 for this service.
>>
>> More complicated requests (such as access logs from a web server) 
>> will also attract higher rates.
>>
>> I’d encourage everyone to ensure that their costs are reasonable 
>> relating to the amount of work - and the opportunity cost associated 
>> with complying with this daft legislation.
>>
>> Andrew
>>
>> --
>> *Andrew Yager, Managing Director* /(MACS Snr CP BCompSc MCP JNCIA-Junos)/
>> Real World Technology Solutions Pty Ltd  - IT people you can trust
>> ph: 1300 798 718 or (02) 9037 0500
>> fax: (02) 9037 0591
>> http://www.rwts.com.au/
>>
>>> On 18 Mar 2015, at 1:11 pm, Terry Sweetser 
>>> <terry+AusNOG at skymesh.net.au> wrote:
>>>
>>> Hello Noggers,
>>>
>>> I'm wondering what policies and pricing any/all of your 
>>> organisations have in place to "recover" costs when asked for 
>>> (meta-)data about ip addresses, customers and so on?
>>>
>>> Given the transition for 2-year retention and the expansion of the 
>>> (meta-)dataset to be retained, what plans are in place to charge 
>>> reasonable fees to state and federal LEOs for the data?
>>>
>>> Is $200 a fair sum of money for an ip address match up?
>>>
>>> Is $20,000 a fair sum of money for a dump of the (up to) 2 years of 
>>> data for an ip address or customer?
>>>
>>> --
>>> http://about.me/terry.sweetser
>>>
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
