[AusNOG] Metadata retention... it's now (almost) a thing

Matt Palmer mpalmer at hezmatt.org
Mon Nov 3 10:05:58 EST 2014


On Mon, Nov 03, 2014 at 08:20:15AM +1100, Joseph Goldman wrote:
> Well, with current requests for information that I have received
> before (from AFP exclusively), that requests for information on who
> was using what IP at what time

That's the form of request I've dealt with, too (from NSWPF).  Was fun when
they asked for the details for an IP allocated to a shared hosting server. 
"Sure, which of the umpty-thousand connections in progress at that time were
you looking for?"

> I would imagine it wouldn't change much with the new laws - they are
> interested in the personal info related to the log, not the log
> itself. The only reason I could see them needing the raw logs is if
> it is required for evidence in prosecution (have had AFP agents fly
> in to pick up some form of evidence before from a colleague in a
> previous job).

It's pretty much guaranteed that if the details you provide end up being
provided in court as direct evidence, the raw logs will be requested by the
defence (just in case they can poke a hole in it).  That means that the
person who pulled the data will be required to appear as a witness (most
likely in a voir dire[1]) to testify to the processes used in storing
and querying the logs, and affirm the accuracy of the data presented to the
court.  Been there, done that.

- Matt

[1] A mini-trial used (in this case) to determine the admissibility of
evidence.  Since the information that may come out can bias the jury,
they're usually held without the jury present.  Must be fun being a juror on
those cases, sitting around on hold for a few days or weeks while the
lawyers do their stuff.

-- 
I have always wished that my computer would be as easy to use as my
telephone. My wish has come true. I no longer know how to use my telephone.
		-- Bjarne Stroustrup


