[AusNOG] Warrant-less Info Requests / Cost Recovery

Shaun Dwyer shaun at dwyer.id.au
Wed Mar 18 16:57:42 EST 2015 

What legal culpability would there be for an operator who was to comply (in error) with a request for information that was later found to be illegal or over-reaching? Some of the requests can be fairly intimidating in their presentation, and it may not be possible for the smaller operators to afford to lawyer up every time a request comes in.

Are we afforded any legal protection in this circumstance?


Cheers!
Shaun

> On 18 Mar 2015, at 12:44 pm, Mark ZZZ Smith <markzzzsmith at yahoo.com.au> wrote:
> 
> You forgot a step. 2, verify the requester has the right to ask for what they're asking for, to catch both errors and overreach.
> 
> In fact, as you're unlikely to be a lawyer, it'd other be best to pass all the requests through a lawyer, or get a lawyer to define a strict set of common request definitions and who can ask for them, and then punt every non-matching request to your lawyer.
> 
> 
> 
> From: James Hodgkinson <yaleman at ricetek.net <mailto:yaleman at ricetek.net>>
> To: ausnog at lists.ausnog.net <mailto:ausnog at lists.ausnog.net> 
> Sent: Wednesday, 18 March 2015, 15:24
> Subject: Re: [AusNOG] Warrant-less Info Requests / Cost Recovery
> 
> It WILL take much more than 60 seconds to:
> verify the requestor’s identity,
> the parameters of the request,
> do the lookup,
> format it appropriately
> send it
> generate the bill
> manage payment receipt, when it inevitably goes wrong
> … should I go on? 
> This doesn’t include the sunk costs of the infrastructure to host it on, and recovering that cost.
> Is there mention of penalties for when your $system goes bye bye (fire/flood/hacker/MTBF of hdd’s) and you can’t respond?
> James
> 
> 
> 
> 
> 
> 
> On 18 March 2015 at 2:17:21 pm, Paul Brooks (pbrooks-ausnog at layer10.com.au <mailto:pbrooks-ausnog at layer10.com.au>) wrote:
> 
> They'll tell you you're dreaming.
> 
> counter-view...
> 
> Remembering that Telstra recently announced they'll charge $25 to process a simple request - the same amount they charge a LEO.
> 
> If you've built even a dodgy lookup system, should it really take more than 60 seconds to type in an IP address, a start date/time, an end date/time, and have the lookup system (that the Gov will help contribute to your reasonable costs to build *cough*) decrypt the RADIUS database for the time window, and extract a dump of records for that IP address?
> 
> If you think you'll be able to charge $500 - $1000, you'd better be prepared to explain to the CAC why you have to have a live person ruffling through a set of filing-cabinet of printed-out A4 sheets of paper with your records printed on them. They might be the Gov't, but even they know we have computers do do this sort of database lookup these days.
> 
> 
> On 18/03/2015 1:27 PM, Andrew Yager wrote:
>> Hi Terry,
>> 
>> We are taking the view that this is an exercise that is equivalent of up to 2 hours technical services, and given the costs of verifying and ensuring compliance, our standard cost for a request will be $500 per request.
>> 
>> For greater time periods (e.g. reporting on two years), our charging rate will extend to $15 000 for this service.
>> 
>> More complicated requests (such as access logs from a web server) will also attract higher rates.
>> 
>> I’d encourage everyone to ensure that their costs are reasonable relating to the amount of work - and the opportunity cost associated with complying with this daft legislation.
>> 
>> Andrew
>> 
>> --
>> Andrew Yager, Managing Director   (MACS Snr CP BCompSc MCP JNCIA-Junos)
>> Real World Technology Solutions Pty Ltd  - IT people you can trust
>> ph: 1300 798 718 or (02) 9037 0500
>> fax: (02) 9037 0591
>> http://www.rwts.com.au/ <http://www.rwts.com.au/>
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>>> On 18 Mar 2015, at 1:11 pm, Terry Sweetser <terry+AusNOG at skymesh.net.au <mailto:terry+AusNOG at skymesh.net.au>> wrote:
>>> 
>>> Hello Noggers,
>>> 
>>> I'm wondering what policies and pricing any/all of your organisations have in place to "recover" costs when asked for (meta-)data about ip addresses, customers and so on?
>>> 
>>> Given the transition for 2-year retention and the expansion of the (meta-)dataset to be retained, what plans are in place to charge reasonable fees to state and federal LEOs for the data?
>>> 
>>> Is $200 a fair sum of money for an ip address match up?
>>> 
>>> Is $20,000 a fair sum of money for a dump of the (up to) 2 years of data for an ip address or customer?
>>> 
>>> --
>>> http://about.me/terry.sweetser <http://about.me/terry.sweetser>
>>> 
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>>> http://lists.ausnog.net/mailman/listinfo/ausnog <http://lists.ausnog.net/mailman/listinfo/ausnog>
>> 
>> 
>> 
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>> http://lists.ausnog.net/mailman/listinfo/ausnog <http://lists.ausnog.net/mailman/listinfo/ausnog>
> 
> _______________________________________________ 
> AusNOG mailing list 
> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net> 
> http://lists.ausnog.net/mailman/listinfo/ausnog <http://lists.ausnog.net/mailman/listinfo/ausnog> 
> 
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
> http://lists.ausnog.net/mailman/listinfo/ausnog <http://lists.ausnog.net/mailman/listinfo/ausnog>
> 
> 
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
> http://lists.ausnog.net/mailman/listinfo/ausnog <http://lists.ausnog.net/mailman/listinfo/ausnog>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20150318/718816fd/attachment.html>

More information about the AusNOG mailing list