[AusNOG] (Abuse of) mandatory data retention information.
Paul Wilkins
paulwilkins369 at gmail.com
Thu May 3 09:08:37 EST 2018
Regards section 282 certs, s282 of which Act / Regulation?
Near as I can see, all disclosure provisions in the Act itself are either
voluntary, or require a warrant, where the police need to locate a caller
in a life-threatening situation the one exception.
Kind regards
Paul Wilkins
On 2 May 2018 at 15:29, Ross Wheeler <ausnog at rossw.net> wrote:
>
>
> On Wed, 2 May 2018, Noel Butler wrote:
>
>> After DR, two things have changed.
>> 1. We have a legal obligation to capture and securely retain a
>> whole pile of things.
>> 2. We are required to give extracts of that information
>> when requested, but DO NOT REQUIRE A WARRANT.
>>
>
>> No, only number 1 is new
>>
>
> Are you saying that we now DO require a warrant to give an authorised
> person data captured in compliance with the mandatory data retention laws,
> or that we DIDN'T require one previously? Because as far as I was aware, we
> required a legal instrument before, and for DR stuff (as opposed to
> interception) we now explicitly will NOT get a warrant except for the
> specific case of information requested of a journalist.
>
>> , and as for ISPs (not telcos) I'd hardly call radius and email logs a
>> "whole pile of things",
>>
>
> For some of us, it is far more than radius and email logs.
> It includes SIP, FTP, and indeed any other service you provide that isn't
> an "OTT" service, a webserver or a few other specific exclusions.
>
>
>> I'd also not call it that for those offering phone services either since
>> clients like to look up to see their recent history they would be keeping
>> that for a while anyway,
>>
>
> What you kept for production and billing purposes is unchanged, but the
> legislation actually requires all information captured for the DR (and the
> wording is sufficiently unclear that it appears that "if it is captured for
> DR (even if it is ALSO captured for billing or operational reasons)" that
> data MUST be encrypted and secured at the point of collection (unless you
> asked for and were granted an exemption on the immediate encryption of
> otherwise collected data).
>
>
>
>> it's hardly earth shattering for typical ISPs.
>>
>
> I didn't say or imply it was. Merely that for some people there was
> significant additional work to collect logs that they had not previously
> needed, and not all systems made that easy. I was lucky, most did.
>
>
>> And #2 has always been the case under s282, I recall doing them as far
>> back as 2002
>>
>
> Yes, but S282 certificates are specifically NOT REQUIRED for LEA and
> others to access (quite specifically) data captured and stored under the
> mandatory data retention legislation.
>
>
>
>
>> huh? where do you get interception from or are you just moving the goal
>> posts
>>
>
> Others raised "interception".
>
>
>> your OP never mentions a word of it, and
>> nobody has unless I missed a post or three,
>>
>
> You have, then.
>
>
>> your post was about user joe blogs information which never has required
>> it, DR or no DR.
>>
>
> Huh? You're saying now that an ordinary user's information has never
> required a warrant? Now YOU are conflicting your own statements?
>