[AusNOG] Please try to avoid making data retention worse

Mark Newton newton at atdot.dotat.org
Tue Jun 16 13:21:38 EST 2015


Like I said last week:  Get legal advice.

Some of you seem like you’re fully intending to make a bad situation worse, by 
over-egging the data retention pudding.

One of the massive concessions that we got out of the Government was to incorporate
the data set definition into the Bill, so it’s all there in the statute, in black and
white.

So you’re as bound by it as you ever would be; but now AGD is bound by it too.

I see some of you making comments about retaining netflow logs, retaining data when you’re
not covered by The Act, and other attempts to go above and beyond the requirements of 
the law. 

What you are doing is amplifying the bad effects of the law, by increasing your business
overheads, and diminishing the privacy of your users/customers. I cannot for one moment
fathom why you would want to do that.

There seems to be a willingness to go above-and-beyond to make sure that you’re not
missing anything, so that AGD can’t throw you into the shit for failing to retain something
you’re supposed to retain.

There’s already a mechanism in the Act for avoiding that situation: The Data Retention
Implementation Plans you’re supposed to be submitting.  AGD will assess them, and come 
back to you with advice about whether they think you’re complying with the data set
definition’s requirements.

With that mechanism in place, the way to ensure that data retention is minimally invasive
is to submit the most minimal Data Retention Implementation Plan you think you can lawfully
get away with.

If AGD rubber-stamps it, you’re done. Do what you said you’d do, and no more. AGD’s 
response is all you need to be legally green-lighted.

The alternative that some of you seem to be trying is to maximize what you’re putting
into your implementation plans.  AGD is never going to tell you you’re collecting too 
much data; they’re never going to reject a plan on the basis that it’s in excess of 
the law’s requirements. “Oh, you’re going to collect everything? Like, _REALLY_ everything?
Sure, right, let’s just file that one away in writing so it’s legally enforceable, and
we’re good to go.” 

The Government made a bunch of claims and assertions about how the impact on the ISP
industry would be minimal because the required data was minimal and low impact. Make 
them mean it: Submit minimal plans, and, if AGD tells you that you need more, make them
prove it by reference to legislation.

You owe your businesses, shareholders, and customers at least that much: Don’t go out
of your way to make a bad situation worse.

  - mark




More information about the AusNOG mailing list