[AusNOG] Data Retention - are you kidding me??

[Ross Wheeler]

Had a call a short while back... I think I've got the details right, but I 
sure hope I've got something wrong....


ISP had a senior constable come in with a request for data.
Request had been signed by said senior constable.

As I understand the (meta)data retention legislation, a request has to be 
signed by a senior officer (commissioner or thereabouts), or a minister 
etc.

I suggested to the ISP that I thought the request was not valid but to 
check it with the CAC. Had a call back a while later that basically the 
ACMA said to honour the request, and that if there was a problem "it would 
be caught in the audit later".

This scares the pants off me.... if we're being told to just give the data 
out to low-level shitkickers with no senior level oversight or control, 
there's going to be no end of vexatious queries, fishing expeditions and 
trivial requests. Who's going to get banged up if we disclose private 
information that turns out (later) to have been given incorrectly? How 
will the damage to affected person(s) be undone?

A highly, HIGHLY dangerous precedent. (This was a smaller non-metro ISP in 
a fairly out-of-the-way part of the world, perhaps for the very reason 
that if it blows up in their face they can hide it more effectively than 
if it was a large, highly visible isp).

R.