[AusNOG] PJCIS report on data retention bill has been posted

Paul Wilkins paulwilkins369 at gmail.com
Fri Feb 27 17:44:07 EST 2015


Terms of Reference
The section 'Terms of Reference' makes no mention of scope. So perhaps the
PJCIS is of the view they can make whatsoever recommendations they see fit.
But it is a mistake to consider the PJCIS has carte blanche, where their
May 2013 Terms of Reference limit enquiry to the following:

• the desirability of comprehensive, consistent and workable laws and
practices to protect the security and safety of Australia, its citizens
and businesses,
• the need to ensure that intelligence, security and law enforcement
agencies are equipped to effectively perform their functions and
cooperate effectively in today’s and tomorrow’s technologically advanced
and globalised environment, and
• the fact that national security brings shared responsibilities to the
government and the private sector:

Recommendation 7
The Committee recommends that the Explanatory Memorandum to the
Telecommunications (Interception and Access) Amendment (Data Retention)
Bill 2014 be amended to make clear that service providers are not required
to keep web-browsing histories or other destination information, for
either incoming or outgoing traffic.

This sounds persuasive, but the metadata is still subject to definition by
the regulator. And it's not clear the power of the regulator is prevented
from being able to widen the scope to include this information further down
the track.

There should be clarity if the FQDN is to be logged, as opposed to the
complete URL.

Recommendation 8
Good luck defining 'session' for UDP traffic. We'll have to see the new
legislation, but either they will have to exclude UDP from logging, or all
UDP traffic will need to be logged. Unworkable either way.

Recommendation 10
Rather late in the game to be seeking clarification on requirements for the
storage and destruction of retained data. Importantly, they appear to have
overlooked any recommendation where data retained is to be restricted to
Australian jurisdiction. Without this being stipulated, metadata will be
stored in low rent clouds in some very interesting and colourful
jurisdictions, unbeknownst to the end user.

Recommendation 16
The PJCIS doesn't seem to appreciate that retrofitting existing
infrastructure for data retention in all cases will be incredibly complex
and wastefully expensive. A sensible approach would be to allow existing
infrastructure to run to end of life, while requiring new infrastructure
have the necessary data retention capability.

Recommendation 23
A welcome concession, that prevents retained data being subject to
discovery in civil law.

Recommendation 26
Additional time to consider ramifications for media and journalists. But it
rather begs the question why the media and journalists' right to free
speech is treated with greater respect than the public, and whether this
is consistent with democratic norms.

Recommendation 31
Surprisingly, the first review of the costs of the scheme won't be for 3
years. One would think that a cost/benefit analysis should be conducted at
the outset.

Recommendation 35
Not only must ISPs comply with data retention. They must ALSO comply with
the Australian Privacy Principles. That's a lot of responsibility on ISPs
they never looked for.

Recommendation 39
That the bill be passed, once PJCIS recommendations are addressed. But bear
in mind, there are outstanding recommendations from the 2013 PJCIS report
(recommendation #1).

The case for data retention

The PJCIS claims a broad range of stakeholders support mandatory data
retention, and go straight to the Braveheart's case for pursuing pedophiles
(who by now one would expect are all on Tor or Freenet). If anyone has
taken the time to review the 204 submissions to the PJCIS enquiry, the
great majority of submissions see retention as an invasion of privacy
rights. Law enforcement agencies uniformly support the regime. The real turn
up was the Attorney General's dept. submission, which made extensive
criticisms of the bill's drafting and inconsistencies.

In my opinion, the data retention regime is only going to be a huge waste
of time and money, which would be better spent beefing up the capabilities
of security agencies, some of which should go to facilitating legal
intercept capabilities and anti spoofing controls in ISPs.

Paul Wilkins