[AusNOG] Metadata retention... it's now (almost) a thing

Narelle narellec at gmail.com
Fri Oct 31 13:18:32 EST 2014


[Provisor IANAL and I haven't gone through the legislation yet... N]

On Thu, Oct 30, 2014 at 3:40 PM, Matt Perkins <matt at spectrum.com.au> wrote:
> I would be interested to see paragraph 187A(4) of the act.  It seems to
> indicate that
>
> This item will only apply to the service provider operating the relevant
> service: So does that mean we need to know who chatted to who on facebook
> for example but facebook is the service provider so they would be the people
> that would need to get the info. Not the ISP. The ISP could not be expected
> to break an encryption do get the info.
>
> So im thinking a lot of this will be "who is the service provider" .  Is it
> skype, Is it facebook, Is it the guy providing the copper ?
>
> Matt.


Matt
in the discussion paper it says: "Nothing in this data set applies to
or requires the retention of destination web address identifiers, such
as destination IP addresses or URLs."

Thus given facebook is accessed via a "web address" it would be out of scope.

Of course, by extension, if you want your activities to stay unlogged
or obfuscated, you change mac addresses, use other people's wifi, and
wrap things via http or some other vpn.

BUT

the paper also requires a LOT more than just radius logs.

It does apply to "all entities that provide communications services to
the public".
"Who will data retention apply to?
Data retention obligations, consistent with existing legal and
regulatory obligations, should be able to apply to all entities that
provide communications services available to the public in Australia.
Therefore, data retention obligations should not be limited to
licenced carriers but should also extend to any entity that provides
communications services to the Australian public."




Here is the full text of the "requirements" egs not included, but copy attached.

B. Obligations for data retention—data set
The data set described in the following pages has been developed for
consultation with the telecommunications industry. It reflects the key
requirements of security and law enforcement agencies, is designed to
be technologically-neutral, and is broadly consistent with the
categories of data set out in Article 5 of the former Directive
2006/24/EC; and ETSI Standards TS 102 656 (V1.2.1) Retained Data:
Requirements of Law Enforcement Agencies for handling Retained Data,
and TS 102 657 (V1.15.1) Retained Data Handling: Handover interface
for the request and delivery of retained data.
The explanatory information in section B provides further information
including examples of how these requirements would apply to particular
technologies and services.
Nothing in this data set applies to or requires the retention of
destination web address identifiers, such as destination IP addresses
or URLs.

1. Information necessary to identify, and supplementary information
regarding, the subscriber of a service:
(a) the current and historical name and address of the subscriber of
the account, service and/or device
(b) any current or historical account, service and/or device
registered to the account
(c) any current or historical permanent or transient identifier(s)
allocated by the provider to an account, service and/or device
(d) any current or historical supplementary identification, billing
and payment, or contact information
(e) current and historical account, service and/or device status
(f) current and historical information about the usage of the account,
service and/or device
2. Information necessary to trace and identify the source of a
communication (including unsuccessful or untariffed communications):
(a) the identifier(s) allocated to an account, service and/or device
from which a communication is sent or attempted to be sent.
3. Information necessary to identify the destination of a
communication (including unsuccessful or untariffed communications):
(a) the identifier(s) allocated to an account, service and/or device
to which a communication is sent or attempted to be sent
(b) in cases where a communication is forwarded, routed or
transferred, the identifier(s) allocated to an account, service and/or
device to which a communication is forwarded etc, or attempted to be
forwarded etc.
4. Information necessary to accurately identify the date, time of
start and end or duration of a communication (including unsuccessful
or untarriffed communications)
(a) the time and date of the start and end of the communication, or
attempted communication
(b) the time and date of the connection to and disconnection from the service
5. Information necessary to identify the type of communication:
(a) the type of service used
(b) service features used by or enabled for the communication
6. Information necessary to identify subscribers communication
equipment or what purports to be their equipment:
(a) the identifier(s)of the line, device and equipment connected to
the service from which a communication is sent or attempted to be sent
(b) the identifier(s) of the line, device and equipment connected to
the service to which a communication is sent, including a device or
equipment to which a communication is forwarded or transferred.
7. Information necessary to identify the location of communications equipment:
(a) the location of the device or equipment used to send or receive a
communication, based on the device’s or equipment’s connection to the
service at the start and end of a communication or session.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: AGD - Revised Industry consultation paper - Data retention - (23 Septemb....pdf
Type: application/pdf
Size: 651862 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20141031/154a7716/attachment-0001.pdf>


More information about the AusNOG mailing list