Australian ISP iiNet Says It Will Fight Against Data Retention Rules
from the if-only-other-ISPs-were-so-customer-focused dept
Last week, we wrote about some vague plans announced by Australia’s Attorney General George Brandis to require data retention rules for ISPs. “Data retention” is a euphemism for mass surveillance. It requires ISPs to hold onto a ton of data and allow the government to snoop through it. Australian ISP iiNet — a company whose willingness to stand up for its customers against Hollywood extremism we’ve discussed before — has come out with a blog post in which it promises to fight back against any such data retention rules.
Unlike the typically buzzword heavy responses you normally see from overly compliant ISPs regarding government surveillance, iiNet continues its reputation of being a straightshooter and explaining what’s really going on and how the company is working to protect its users.
Law enforcement agencies (like ASIO and Federal and State Police) are proposing private companies, like iiNet, should keep ongoing and very detailed records of customers? telephone and online activity. We?re not talking targeted surveillance of individuals suspected of a crime, we?re talking about the wholesale collection and storage of data on your online, digital and telephone activity. These records are euphemistically labelled ?metadata? ? and could include the unfiltered records of your browsing, updates, movements and phone calls, which can be readily matched to the identities in your customer account.
We don?t think this ?police state? approach is a good idea, so we?re fighting moves by the Australian Government to introduce legislation that would force us to collect and store your personal information.
iiNet goes even further in explaining and demonstrating graphically just how much “metadata” reveals about you. For example they show a single tweet — and then all the “metadata” associated with that tweet to show just how much more information is often revealed in the metadata:
The data collected can be incredibly sensitive ? it can reveal who your friends are, where you go and what websites you visit. Indeed, it may even tell more than the content of a phone call or an email. Recent research from Stanford University showed that when analysed this data may create a revealing profile of a person?s life including medical conditions, political and religious views, friends and associations.
Police say ?If you have nothing to hide, then you shouldn?t be worried?. Personally I think that if you follow that dubious logic, we?d all be walking around naked. It?s not about being worried, or wanting to ?hide? anything. It?s about the right to decide what you keep private and what you allow to be shared. YOU should be the one to make that call, and that decision should stick until a warrant or something similar is issued to law enforcement agencies to seize your information.
Not convinced? Then we suggest you check out the startling website based on information collected on German politician Malte Spitz by Deutsche Telekom over just six months. Zeit Online combined this geo-location data with information relating to his life as a politician, such as Twitter feeds, blog entries and websites, all of which is all freely available on the Internet. It?s really worth a look and illustrates just how informative and personally invasive metadata can be ? it is truly scary stuff.
Experts in the US have some equally frightening things to say about metadata. According to NSA General Counsel Stewart Baker, ??metadata absolutely tells you everything about somebody?s life.? General Michael Hayden, former director of the NSA and the CIA, called Baker?s comment ?absolutely correct,? and frighteningly asserted, ?We kill people based on metadata.?
Brandis, in the past, has seemed totally impervious to people who have a different opinion than he does (even if they have the evidence on their side), so it’s unclear how much good this will do. Still, it’s good to see an ISP that is loudly and clearly standing up against data retention, and not hiding behind misleading language, but clearly stating what’s happening and why it’s bad.
Filed Under: australia, consumers, data retention, george brandis, privacy
Companies: iinet
Comments on “Australian ISP iiNet Says It Will Fight Against Data Retention Rules”
The whole “metadata are no big deal” moniker is most revealing anyway.
Riddle me this, if metadata are so harmless and say nothing of real value, why do you want them to collect in the first place?
Contents vs. metadata
Metadata only tells the government whom is talking to whom.
If Alice and Bob want to communicate covertly and have the ability to deny it later, there are plenty ways they can employ to make data retention useless.
Complete waste of taxpayer money.
Re: Contents vs. metadata
You’re optimistically (highly optimistically) (extremely optimistically) (ludicrously optimistically) presuming that Bob and Alice not only have the technical skills to do so, but the self-discipline to pull it off.
I estimate that the number of people on this planet with that skillset is probably on the order of 10e3 to 10e4, but no higher.
So if we’re making policy, we should probably craft it for the 10e9 who are incapable of even remotely approaching this level of expertise on their very best day. Policy (and thus law and regulation and practice) should default in their favor, not merely admit exceptions for those who’ve been lucky enough to be graced with high intelligence and the opportunity to learn advanced techniques.
Re: Re: Contents vs. metadata
well, considering his copyright ramblings in the comment sections here, bob certainly has none of those skills…
Re: Re: Contents vs. metadata
You’re optimistically (highly optimistically) (extremely optimistically) (ludicrously optimistically) presuming that Bob and Alice not only have the technical skills to do so, but the self-discipline to pull it off.
Considering the number of research papers and educational texts on cryptography that features the exploits of Alice and Bob it is clear to me that Alice and Bob are the most highly skilled cryptographers in the history of the world!
Of course if it turns out that the government in employing Eve…
Re: Contents vs. metadata
If Alice and Bob make an attempt to communicate covertly, they are now suspect and open themselves up to further investigation, because now there’s reasonable suspicion that there is something worth hiding.
Re: Contents vs. metadata
that is completely the wrong way to look at it. yes, alice and bob, aware that they need to hide from the government, can take some fairly easy steps to obfuscate their trails.
but the target is neither alice nor bob (nor eve nor mallory) – but the regular john q public. those that think “i have nothing to hide” and, in a just society, may actually be right. but with more laws on the books than the lawyers can count, these military tools are very powerful weapons used against the innocent civilian populace to paint any individuals from therein in any nefarious light some random dick on a powertrip feels like framing them into. “Give me six lines written by the most honest of men, and I will find something in there to hang him by.” These tools are not used to go after the terrorists, they are an attack on the freedom and security of “the public and other adversaries” (to quote one NSA training slide).
It is ripe for abuse; it has been abused; and it forms a strong pillar of turnkey totalitarianism. regardless of whether or not you believe we are in a despotic government now, history has shown time and time again that blanket surveillance and secret courts have always lead to despotism.
We, the People, have been whipped over the second box for far too long. I am hoping the third is sufficient to stay us from the course, that we can rebuild the second, and that we can rekindle general interest in the first, before it is too late.
I do not want the fourth to open in my lifetime.
got a damn sight more guts than anywhere else to date! the UK as an example, the 4 main ISPs were falling over themselves to retain their customers data even though they were aware that they were acting illegally according to the EUCJ/EUCHR. but then i suppose when you have an arse hole like Murdoch in the fray with a debt to repay for getting an enquiry ‘to drop charges’ of the ‘phone hacking scandal’, he’ll do anything he can! the really annoying thing is that these data retention laws are to aid an industry that refuses to aid itself by doing what customers want and the industries are in the USA more than anywhere else! and the USA isn’t doing what it is actually practically demanding other countries to do!! if there happens to be a terrorist titbit found every 6 months or so, the industries have done what they intended
Re: Re:
Australian ISPs can spot an unfunded mandate a mile away and know better than to let it become their responsibility. Apart from Telstra, which is linked to Foxtel, the ISPs aren’t serious content companies, so they have nothing to gain from surveillance – they don’t want to have to charge their customers more (well, they aren’t reducing their profits) to provide a worse service.
Re:
Then nice that we still have Retroshare, cyberlockers, BTsync and numerous other alternatives. .
local ISP > VPN > Retroshare
Problem solved.
Any metadata stored at your local ISP now only reveals that you connect to a foreign VPN, and only the foreign VPN has your IP.
‘Criminals’ could also use this setup to communicate or exchange data that would be indistinguishable from ordinary p2p trafick, and only a timely crossborder correlation of all logs across several providers and seizure of the suspect’s computer would be of help to the police.
Even if the VPN provider and all intermediary online services keep logs for a short time, they likely only retain IP addresses and hashes of contents.
All this info must be gathered by the government, correlated and backtraced to the suspect and a chain of custody established before the data is expired or poisoned.
A data retention period of two years is useless since most metadata will in the most likely case only be kept for a few weeks.
Contents vs. metadata
‘You’re optimistically (highly optimistically) (extremely optimistically) (ludicrously optimistically) presuming that Bob and Alice not only have the technical
skills to do so, but the self-discipline to pull it off.’
How difficult is it to download and install Bitmessage or use an online overseas datadump for arranging a private conversation?
I will argue that these solutions have progressed to the click and run level being accessible to the nonsavvy user.
And if they can’t, the learning curve is not difficult.
Remember that even under the most draconian data retention regime enacted so far, only communications data generated by certain protocols must be retained.
Such a endrun will not be to any avail if you are already under individual surveillance, but communications data are useless if it ccan’t be individualized to the parties talking.
‘If Alice and Bob make an attempt to communicate covertly, they are now suspect and open themselves up to further investigation, because now there’s reasonable
suspicion that there is something worth hiding.’
And how would you know that they are attempting to have a covert conversation?
SSL properly implemented does not give away the relative URL but only the IP address of the visited website.
If they use an SSL enabled cloud provider, there is no giveaway that they are talking to each other.
Re: Contents vs. metadata
You make an unsubstantiated assumption – that people have the competency to do these kinds of things and understand why and what they are doing.
Most end-users of computer systems are just not competent in other than the bare minimum for the use of computers. That is 30+ years speaking here.
Secondly most of these end users are using Microsoft O/S’s of some description which puts them even further behind the eight ball. Those that are Apple users are generally in no better position.
Let me put it another way, how many car drivers are able to strip and rebuild their vehicles? In terms of the general population, very few and far between. I know how to do various things with my vehicle but I can’t say that I am competent enough to do anything other than the basics.
Re: Contents vs. metadata
On an entirely unrelated note… Sophomoric pseudo-intellectual masturbation in an homage to one’s own disingenuous false modesty concerning technological sophistication isn’t quite as helpful as some might think.
Privacy
here are 2 more candidates for privacy/security.
http://www.linuxbsdos.com/2014/07/19/protonmail-and-subrosa-encrypted-communication-for-the-privacy-conscious/
Proton is end to end encrypted email.
Subrosa is end to end encrypted, peer to peer IM and VOIP.
This is a case of a pissant government wanting to show that they are big boys (and going way overboard to boot) as well. It’s nice to know that Abbott and cronies care for the ordinary corporations and filthy rich…I mean ordinary little Australians.
Fail
iinet fails here for a bunch of reasons, but the key one is simple:
The people willingly share their personal information online with social media sites, and generally violate their own expectations of privacy by sharing it with a group of people and not only a single individual.
For all the hand waving, they need to understand that for most people, a read of their facebook, twitter, and other social media accounts combined with perhaps the images on instagram and such are more than enough to figure out most things about them.
Add in your tracked Google searches, or the website visits tracked by various advertising companies, and pretty much anyone who want to know anything about you will know it, meta data or not.
Anything related to social media is pretty much a losing argument.
Re: Fail
you make a valid point; the constant “consensual” surveillance many of us participate in has dangers.
but i disagree with your approach to the subject. we need to open debate about the tradeoffs we are engaging in, and if one party is in the business of gathering all this information, we need to have certain guarantees about how this information can be used.
i’m not talking about the stuff willingly put online into the general public’s view – that is a different creature; but all the stuff that’s normally hidden (as the infographic lays out in stark clarity). it used to be in the united states that credit unions could collect reams of data about your financial habits and they did not have to show it to you ever. i think we need a similar (and better) adjustment in the dealings with these online services.
we are trading some of our privacy in return for services and conveniences. that needs to be treated as a business contract between us, the consumers, and the corporation. just because i am the product in some corporation’s system should not mean that i have no rights in regards to these transactions or the metadata that is generated.
I’m still trying to form my philosophy on this….
/ramble
Re: Re: Fail
Most of the “metadata” in the Twitter example is perfect… almost all (if not all) of it ends up public anyway, and is are bare minimum the contractual requirement to use the service. Yes it is a contract, but since the data was destined for someone else (followers on twitter, example) the post information isn’t particularly private.
It gets to the nub of the problem here. The phone company (no matter which one) keep a list of all of your calls. Yes, they retain meta data, and that data can be requested by summons. In the case of mobile, information such as cell tower used, signal strength, and other items are also passed as part of the call (and retained).
The question is what level should an internet provider be required to maintain. iinet claims “nothing at all”, but that seems too much like creating a legal hiding place for end users to me.
Re: Re: Re: Fail
“The question is what level should an internet provider be required to maintain.”
Indeed, that is the question. I say “none of it” is the correct answer. Requiring private entities to retain information for law enforcement purposes makes them effectively law enforcement agents. It’s a way for law enforcement to offload the costs of what they want to do onto third parties instead of footing the bill themselves. It’s also a backdoor method to allow the government to engage in actions that would be on shaky legal ground if they were to do it themselves.
If the government wants to retain all this data, then they should do it directly. This way, at least whatever safeguards still exist against governmental overreach are still in play. Requiring providers to retain data for law enforcement purposes is a bit sleazy at best.
Re: Re: Re:2 Fail
And I agree with you. Because enforcing mandatory a priori “everything and always” data retention policy equates to one of “guilty until proven innocent”. Combine that with secret courts and we have “guilty and punished when I feel like it”.
Re: Fail
I disagree. iiNet do not fail here. They should be lauded for standing up for not just their users but all Internet users in Australia. They are one of the only ISPs to stand up to the government and the entertainment industry, and as far as I know, the only ISP in this country to do both.
I chose iiNet as my ISP for exactly the same reasons that I an EFF member.
people need to remember this
I am ecstatic that this quote was brought out again. No other defense against “it’s just metadata” should be needed now. (but it is still good to learn more about the techniques used to mine it.)
metadata is data
Fail
So because (some) people willingly share their personal info in a bargain for free service, it’s now an argument for a *mandatory* retention of everyone’s metadata.
I don’t buy it.
Just because I may elect to share some info with a private company offering me free service does not give the government the right to mandate that every website I visit gets logged.
Fail
I suppose that what you are arguing is that the lack of a reasonable expectation of privacy flows from the customer having given his information to a third party.
It’s the third party doctrine grafted onto mandatory data retention.
And that’s the reason why the third party doctrine is so dangerous, because once the lack of a reasonable expectation of privacy in call records has been extended to internet metadata the government can not only get the data, but can also legislate that all systems must retain metadata prior to a targeted investigation.
So what you are arguing is that there is no privacy violation in mandatory retention of data I generate on the internet, because these data already belong to a third party.
By the same logic, there would be no privacy violation in forcing all internet connected services to retain everything including contents forever for the government’s perusal.
Re: Fail
You sort of got it, but not quite. If you have no expectation of privacy in posting on social media (or doing anything online, a public place) for any single event, is there any reason why it doesn’t apply to all events?
No, I am not a big fan of wide spread data scooping, but requiring an ISP to keep logs of user log ins, IP address assigned, and so on to be made available by court order should be a reasonable and normal thing.
Re: Re: Fail
” requiring an ISP to keep logs of user log ins, IP address assigned, and so on to be made available by court order should be a reasonable and normal thing.”
Requiring them to make such data they have available by court order is reasonable. But why should it be considered “reasonable and normal” to require them to retain data they would not normally have retained in the course of doing business?
Re: Re: Fail
Fail
Not every online communication is public. If I connect to someone’s private server over an encrypted channel, what we have is a private conversation.
Here the justification that the communication is in public is not applicable, because the only public aspect to the communication is that me and my friend is using a third party intermediary.
Saying that a commercial ISP must keep records is something which I don’t agree but, it’s a least a logical extension to the phone company keeping call records for invoicing.
But if I connect to my friend’s private server there is no justification for forcing him to retain logs, more than the government could force him to retain a written logbook of every private visitor to his house.
Fail
You argue that people have no reasonable expectation of privacy in things they do online, or that’s at least how I read it.
So consequently data retention of metadata is not a privacy violation, because someone has already given the information to a third party.
But why stop there? There is no distinction between contents and metadata since both are handed over to the ISP for processing.
If I don’t have a reasonable expectation in metadata revealing which websites I visit, and this information can be kept for one year, why should I have a lesser or greater expectation of privacy in not having the contents of my communication kept for the same time?
It seems that retention of both must be either permitted or forbidden.
The Wrong Question ...
Arguments about the ‘right to privacy’ are doomed to fail. Governments are delighted to engage on this question, its no problem for them; any privacy rights are effortlessly trumped by the list of supposed benefits to society that State snooping promises.
The opponents of State snooping are therefore, ipso facto, pro crime, terror, death etc etc. In political terms, the debate is unwinnable since few if any if us can list the counterbalancing benefits of individual privacy rights in persuasive terms. Certainly not in less than the 15 seconds attention span of listeners.
The question should be: “By what right do you (the State) snoop on me, and under which specific circumstances”?