[AusNOG] (Abuse of) mandatory data retention information.

Ross Wheeler ausnog at rossw.net
Wed May 2 15:29:43 EST 2018



On Wed, 2 May 2018, Noel Butler wrote:

>       After DR, two things have changed.
>       1. We have a legal obligation to capture and securely retain a
>          whole pile of things.
>       2. We are required to give extracts of that information
>          when requested, but DO NOT REQUIRE A WARRANT.

> No, only number 1 is new

Are you saying that we now DO require a warrant to give an authorised 
person data captured in compliance with the mandatory data retention laws, 
or that we DIDN'T require one previously? Because as far as I was aware, 
we required a legal instrument before, and for DR stuff (as opposed to 
interception) we now explicitly will NOT get a warrant except for the 
specific case of information requested of a journalist.

> , and as for ISPs (not telcos) I'd hardly call RADIUS and email logs a 
> "whole pile of things",

For some of us, it is far more than radius and email logs.
It includes SIP, FTP, and indeed any other service you provide that isn't 
an "OTT" service, a webserver or a few other specific exclusions.


> I'd also not call it that for those offering phone services either, since 
> clients like to look up their recent history, so they would be keeping 
> that for a while anyway,

What you kept for production and billing purposes is unchanged, but the 
legislation actually requires that all information captured for DR (and the 
wording is sufficiently unclear that it appears to mean "if it is captured 
for DR, even if it is ALSO captured for billing or operational reasons") 
MUST be encrypted and secured at the point of collection (unless you asked 
for and were granted an exemption from the immediate encryption of 
otherwise-collected data).



> it's hardly earth-shattering for typical ISPs.  

I didn't say or imply it was. Merely that for some people there was 
significant additional work to collect logs that they had not previously 
needed, and not all systems made that easy. I was lucky, most did.


> And #2 has always been the case under s282; I recall doing them as far 
> back as 2002

Yes, but s282 certificates are specifically NOT REQUIRED for LEAs and 
others to access (quite specifically) data captured and stored under the 
mandatory data retention legislation.

> Huh? Where do you get interception from, or are you just moving the goalposts?

Others raised "interception".


> Your OP never mentions a word of it, and
> nobody has, unless I missed a post or three,

You have, then.


> Your post was about user Joe Bloggs' information, which never has 
> required it, DR or no DR.  

Huh? You're saying now that an ordinary user's information has never 
required a warrant? Now YOU are contradicting your own statements?
