[AusNOG] (Abuse of) mandatory data retention information.
Ross Wheeler
ausnog at rossw.net
Wed May 2 15:29:43 EST 2018
On Wed, 2 May 2018, Noel Butler wrote:
> After DR, two things have changed.
> 1. We have a legal obligation to capture and securely retain a
> whole pile of things.
> 2. We are required to give extracts of that information
> when requested, and but DO NOT REQUIRE A WARRANT.
> No, only number 1 is new
Are you saying that we now DO require a warrant to give an authorised
person data captured in compliance with the mandatory data retention laws,
or that we DIDN'T require one previously? Because as far as I was aware,
we required a legal instrument before, and for DR stuff (as opposed to
interception) we now explicitly will NOT get a warrant except for the
specific case of information requested of a journalist.
>, and as for ISP's (not telcos) Id hardly call radius and email logs a
> "whole pile of things",
For some of us, it is far more than radius and email logs.
It includes SIP, FTP, and indeed any other service you provide that isn't
an "OTT" service, a webserver or a few other specific exclusions.
> I'd also not call it that for those offering phone services either since
> clients like to lookup to see their recent history they would be keeping
> that for a while anyway,
What you kept for production and billing purposes is unchanged, but the
legislation actually requires all information captured for the DR (and the
wording is sufficiently unclear that it appears that "if it is captured
for DR (even if it is ALSO captured for billing or operational reasons)"
that data MUST be encrypted and secured at the point of collection (unless
you asked for and were granted an exemption on the immediate encryption of
otherwise collected data).
> its hardly earth shattering for typical ISPs.
I didn't say or imply it was. Merely that for some people there was
significant additional work to collect logs that they had not previously
needed, and not all systems made that easy. I was lucky, most did.
> And #2 has always been the case under s282, I recall doing them as far
> back as 2002
Yes, but S282 certificates are specifically NOT REQUIRED for LEA and
others to access (quite specifically) data captured and stored under the
mandatory data retention legislation.
> huh? where do you get interception from or are you just moving the goal posts
Others raised "interception".
> your OP never mentions a word of it, and
> nobody has unless I missed a post or three,
You have, then.
> your post was a bout user joe blogs information which never has
> required it, DR or no DR.
Huh? You're saying now that an ordinary users information has never
required a warrant? Now YOU are conflicting your own statements?
More information about the AusNOG
mailing list