[AusNOG] Law Enforcement requests for data

Matt Carter matt at iseek.com.au
Mon Jan 17 12:14:59 EST 2011


Coming in a bit late here, natural disaster and what not ☺

...I can appreciate this started as a request for legal advice, which I cannot offer, and I’ve read the “off-topic” remarks and weighed up heavily whether to even contribute to keeping this thread alive; however, I think it needs to be stated that almost always the task of processing law enforcement requests falls upon the shoulders of a designated “law enforcement liaison unit”. Those people certainly have experience in this field, and can provide “input” (as requested), despite being unable to provide specific “legal advice”. The point being, although LELU people aren’t lawyers, they _are_ the front line for making an assessment as to what is a satisfactory request and what isn’t, and what needs to be sighted by legal counsel in the first place, so there is a degree of understanding which comes along with that. IMHO, processing these requests _IS_ an operational network activity of any reasonably sized SP.


1) The topics of active data collection versus “request for information” come with two completely different requirements and frequency of use; RFIs are commonplace, data collection not so much. RFIs do not require warrants or security clearances as per collection of data. One is a single form, the other involves a lot of work and establishment if not already set up at a technical and personal level.

2) If you are involved in any data collection there is going to be an exchange of information (including a warrant & probably security clearances) between the requestor and the requested which will no doubt elaborate on the specifics of who/where/how (to address your question about pcaps etc). Basically, if you get to that stage, you will be informed of what you need to do.

3) Consider the technical flow of information per se with these two vastly different operations. If there is a person on your network doing something nasty, to get that person’s name from an IP via an RFI the agency is going to have to come to you to look in your billing database. If they want to collect data, that can be done anywhere along the path. To this end, you may process hundreds of RFIs and never perform a collection, because it’s a lot easier for the agency to deal with <big carrier> above you who already have clearances and intercept technologies in place; they don’t need to talk to the ISP at the end of the chain unless it’s an RFI and they want to poke into the ISP’s billing db, which is a simple fax request and wait for reply.

4) With regards to the subject of receiving faxes from NSW Police and the authenticity of the origin, with the potential for faxing information to incorrect parties through social engineering, typically most of the requests come from a core group of departments/teams so a degree of familiarity will be offered over time. Also, most agencies now have electronic systems of exchange so you don’t have to fall back to faxing things (eg in the case of NSW Police “iASK”) or return path via .gov.au hosts satisfying the return path authenticity off the bat.

5) Depending on the agency making the request, the Acts involved can vary, usually Telecommunications (Interception and Access) Act 1979 S178 or S179, but not always (eg S175).


For an RFI, it should contain 4 components: authorised office, authorisation, notification, disclosure.

Authorised office
<AGENCY> is an enforcement agency within the definition of an authorised agency in subsection <SECTION> of act <ACT>
I <OFFICERS NAME, POSITION> is an authorised officer within the definition of authorised officer in subsection <SECTION> of act <ACT>

Authorisation
Acting under subsection <SECTION> of the Act, I authorise the disclosure of the following specified information or documents, being information or documents that came into existence before the time the person from whom the disclosure is sought, being <YOU>, receives the notification of the authorisation;
<DETAILS OF INFORMATION SOUGHT>
I am satisfied that the disclosure is reasonably necessary for <CAUSE>

Notification
Acting under subsection <SECTION> of the Act, I notify the person listed above of this authorization.

Disclosure
The information to be disclosed by this authorization should be delivered to <CONTACT> via <MEANS>

There may be some variances, eg some agencies like to put the Notification at the top, others group the Notification and Disclosure part into one portion at the bottom; horses for courses so long as it’s all there. Some agencies will provide specifics on the level of detail surrounding the subscriber information they are seeking, eg maybe just address/phone number for a given IP; they may want to know is the IP dynamic/static, what is the date of signup, POP/call catchment area, billing details etc, possibly even a complete log of all dates & times of access (logon/logoff records). These are all “historical” requests which can all be satisfied without a warrant upon receipt of a correctly formatted RFI from an authorised officer within an authorised agency.


Kind regards,




From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Noel Butler
Sent: Saturday 15 January 2011 4:55 PM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Law Enforcement requests for data

On Sat, 2011-01-15 at 13:30 +1100, Nick Brown wrote:



Afternoon all,

While this is likely better suited for our solicitor I'd very much appreciate any input from the industry or from those who have had requests in regards to capture of data for a specific customer from Police or similar.

It is my understanding that under the Telecommunications Act any such request must be accompanied with a warrant, however the Surveillance Devices Act suggests that perhaps this can be overcome should permission be granted (Our AUP implies explicit permission is granted for us to comply with any request from a law enforcement agency).



For Police and ATO, no court orders are needed, the requirement is satisfied if made as a request under section 262 (bugger... is it 263? not had to deal with one for a few years) and it should be signed by an inspector (or above).

You are then required to furnish what they ask for, and return it to them in the format they ask for, basic details on a customer is usually email or fax, but live data usually hard disk (and you are entitled to reimbursement for the cost of the hard disk as well).
