[AusNOG] (Abuse of) mandatory data retention information.

Ross Wheeler ausnog at rossw.net
Wed May 2 10:45:06 EST 2018



On Wed, 2 May 2018, Paul Wilkins wrote:

> Ross,
> I recall vaguely when this was first posted. I'm sceptical whether AG would have advised to just hand the data over, as doing so ironically
> enough breaches the Data Retention Act:
> 
> 187BA Ensuring the confidentiality of information
> A service provider must protect the confidentiality of information
> that, or information in a document that, the service provider must
> keep, or cause to be kept, under section 187A by:
> (a) encrypting the information; and
> (b) protecting the information from unauthorised interference or unauthorised access.
> ...
> 187LA Application of the Privacy Act 1988
> (1) The Privacy Act 1988 applies in relation to a service provider, as if
> the service provider were an organisation within the meaning of
> that Act, to the extent that the activities of the service provider
> relate to retained data.
> 
> In my non legal, non expert opinion, access to retained data (by ordinary police, not the intelligence agencies) would be either under or
> compatible with the Telecommunications (Interception and Access) Act 1979.

Yes, that may be the words, but I am also quite aware that at the time 
(and indeed subsequently) there has been a great deal of uncertainty 
within at least parts of the industry, exactly what constitutes a duly 
authorised person.

I recall there being a request by parts of the industry for a "register or 
list of people permitted to make requests", but that never happened. The 
fact that a minister could appoint people with no requirement to advise 
industry who was or wasn't appointed at any given time, combined with 
penalties for either:
  * providing information to someone NOT authorised
  * failing to provide information to someone who IS authorised
meant it was a precarious position for ISPs to be in.

I've never been asked for any data, so I've not had to seek confirmation, 
but I believe there was a blanket statement made that if an ISP were in 
doubt about a request, they should contact the AG for clarification. That, 
I believe, is what the friend-of-my-friend did. I feel the cavalier "give 
it to him" response reported by the AG, with a "the audit will catch it" 
(after the event, if anyone ever bothers) line as some sort of 
"protection" to be highly inappropriate - especially in the case where the 
person being asked for the data had a "reasonable doubt" that it was being 
used appropriately.

The whole thing stinks from top to bottom, but then we all knew that 
before it was even introduced.

R.