[AusNOG] (Abuse of) mandatory data retention information.

Paul Wilkins paulwilkins369 at gmail.com
Thu May 3 12:12:59 EST 2018


Mercifully, I managed to find this from actual lawyers, which explains the
legal landscape for those interested in the detail.

metadata - Gilbert + Tobin
<https://www.gtlaw.com.au/file/10841/download?token=b7MKFd6q>

Kind regards

Paul Wilkins

On 3 May 2018 at 09:08, Paul Wilkins <paulwilkins369 at gmail.com> wrote:

> Regards section 282 certs, s282 of which Act / Regulation?
>
> Near as I can see, all disclosure provisions in the Act itself are either
> voluntary, or require a warrant, where the police need to locate a caller
> in a life threatening situation the one exception.
>
> Kind regards
>
> Paul Wilkins
>
> On 2 May 2018 at 15:29, Ross Wheeler <ausnog at rossw.net> wrote:
>
>>
>>
>> On Wed, 2 May 2018, Noel Butler wrote:
>>
>>       After DR, two things have changed.
>>>       1. We have a legal obligation to capture and securely retain a
>>>          whole pile of things.
>>>       2. We are required to give extracts of that information
>>>          when requested, but DO NOT REQUIRE A WARRANT.
>>>
>>
>> No, only number 1 is new
>>>
>>
>> Are you saying that we now DO require a warrant to give an authorised
>> person data captured in compliance with the mandatory data retention laws,
>> or that we DIDN'T require one previously? Because as far as I was aware, we
>> required a legal instrument before, and for DR stuff (as opposed to
>> interception) we now explicitly will NOT get a warrant except for the
>> specific case of information requested of a journalist.
>>
>> , and as for ISPs (not telcos) I'd hardly call radius and email logs a
>>> "whole pile of things",
>>>
>>
>> For some of us, it is far more than radius and email logs.
>> It includes SIP, FTP, and indeed any other service you provide that isn't
>> an "OTT" service, a webserver or a few other specific exclusions.
>>
>>
>> I'd also not call it that for those offering phone services either since
>>> clients like to look up to see their recent history they would be keeping
>>> that for a while anyway,
>>>
>>
>> What you kept for production and billing purposes is unchanged, but the
>> legislation actually requires all information captured for the DR (and the
>> wording is sufficiently unclear that it appears that "if it is captured for
>> DR (even if it is ALSO captured for billing or operational reasons)" that
>> data MUST be encrypted and secured at the point of collection (unless you
>> asked for and were granted an exemption on the immediate encryption of
>> otherwise collected data).
>>
>>
>>
>> it's hardly earth shattering for typical ISPs.
>>>
>>
>> I didn't say or imply it was. Merely that for some people there was
>> significant additional work to collect logs that they had not previously
>> needed, and not all systems made that easy. I was lucky, most did.
>>
>>
>> And #2 has always been the case under s282, I recall doing them as far
>>> back as 2002
>>>
>>
>> Yes, but S282 certificates are specifically NOT REQUIRED for LEA and
>> others to access (quite specifically) data captured and stored under the
>> mandatory data retention legislation.
>>
>>
>>
>>
>>> huh? where do you get interception from or are you just moving the goal
>>> posts
>>>
>>
>> Others raised "interception".
>>
>>
>> your OP never mentions a word of it, and
>>> nobody has unless I missed a post or three,
>>>
>>
>> You have, then.
>>
>>
>>  your post was about user joe blogs information which never has required
>>> it, DR or no DR.
>>>
>>
>> Huh? You're saying now that an ordinary user's information has never
>> required a warrant? Now YOU are conflicting your own statements?
>>