Australian ISP iiNet Says It Will Fight Against Data Retention Rules
from the if-only-other-ISPs-were-so-customer-focused dept
Last week, we wrote about some vague plans announced by Australia's Attorney General George Brandis to require data retention rules for ISPs. "Data retention" is a euphemism for mass surveillance. It requires ISPs to hold onto a ton of data and allow the government to snoop through it. Australian ISP iiNet -- a company whose willingness to stand up for its customers against Hollywood extremism we've discussed before -- has come out with a blog post in which it promises to fight back against any such data retention rules.Unlike the typically buzzword heavy responses you normally see from overly compliant ISPs regarding government surveillance, iiNet continues its reputation of being a straightshooter and explaining what's really going on and how the company is working to protect its users.
iiNet goes even further in explaining and demonstrating graphically just how much "metadata" reveals about you. For example they show a single tweet -- and then all the "metadata" associated with that tweet to show just how much more information is often revealed in the metadata:Law enforcement agencies (like ASIO and Federal and State Police) are proposing private companies, like iiNet, should keep ongoing and very detailed records of customers’ telephone and online activity. We’re not talking targeted surveillance of individuals suspected of a crime, we’re talking about the wholesale collection and storage of data on your online, digital and telephone activity. These records are euphemistically labelled ‘metadata’ – and could include the unfiltered records of your browsing, updates, movements and phone calls, which can be readily matched to the identities in your customer account.
We don’t think this ‘police state’ approach is a good idea, so we’re fighting moves by the Australian Government to introduce legislation that would force us to collect and store your personal information.
Brandis, in the past, has seemed totally impervious to people who have a different opinion than he does (even if they have the evidence on their side), so it's unclear how much good this will do. Still, it's good to see an ISP that is loudly and clearly standing up against data retention, and not hiding behind misleading language, but clearly stating what's happening and why it's bad.The data collected can be incredibly sensitive – it can reveal who your friends are, where you go and what websites you visit. Indeed, it may even tell more than the content of a phone call or an email. Recent research from Stanford University showed that when analysed this data may create a revealing profile of a person’s life including medical conditions, political and religious views, friends and associations.
Police say “If you have nothing to hide, then you shouldn’t be worried”. Personally I think that if you follow that dubious logic, we’d all be walking around naked. It’s not about being worried, or wanting to ‘hide’ anything. It’s about the right to decide what you keep private and what you allow to be shared. YOU should be the one to make that call, and that decision should stick until a warrant or something similar is issued to law enforcement agencies to seize your information.
Not convinced? Then we suggest you check out the startling website based on information collected on German politician Malte Spitz by Deutsche Telekom over just six months. Zeit Online combined this geo-location data with information relating to his life as a politician, such as Twitter feeds, blog entries and websites, all of which is all freely available on the Internet. It’s really worth a look and illustrates just how informative and personally invasive metadata can be – it is truly scary stuff.
Experts in the US have some equally frightening things to say about metadata. According to NSA General Counsel Stewart Baker, “…metadata absolutely tells you everything about somebody’s life.” General Michael Hayden, former director of the NSA and the CIA, called Baker’s comment “absolutely correct,” and frighteningly asserted, “We kill people based on metadata.”
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: australia, consumers, data retention, george brandis, privacy
Companies: iinet
Reader Comments
Subscribe: RSS
View by: Time | Thread
Riddle me this, if metadata are so harmless and say nothing of real value, why do you want them to collect in the first place?
[ link to this | view in chronology ]
Contents vs. metadata
If Alice and Bob want to communicate covertly and have the ability to deny it later, there are plenty ways they can employ to make data retention useless.
Complete waste of taxpayer money.
[ link to this | view in chronology ]
Re: Contents vs. metadata
I estimate that the number of people on this planet with that skillset is probably on the order of 10e3 to 10e4, but no higher.
So if we're making policy, we should probably craft it for the 10e9 who are incapable of even remotely approaching this level of expertise on their very best day. Policy (and thus law and regulation and practice) should default in their favor, not merely admit exceptions for those who've been lucky enough to be graced with high intelligence and the opportunity to learn advanced techniques.
[ link to this | view in chronology ]
Re: Re: Contents vs. metadata
[ link to this | view in chronology ]
Re: Re: Contents vs. metadata
Considering the number of research papers and educational texts on cryptography that features the exploits of Alice and Bob it is clear to me that Alice and Bob are the most highly skilled cryptographers in the history of the world!
Of course if it turns out that the government in employing Eve...
[ link to this | view in chronology ]
Re: Contents vs. metadata
[ link to this | view in chronology ]
Re: Contents vs. metadata
but the target is neither alice nor bob (nor eve nor mallory) - but the regular john q public. those that think "i have nothing to hide" and, in a just society, may actually be right. but with more laws on the books than the lawyers can count, these military tools are very powerful weapons used against the innocent civilian populace to paint any individuals from therein in any nefarious light some random dick on a powertrip feels like framing them into. "Give me six lines written by the most honest of men, and I will find something in there to hang him by." These tools are not used to go after the terrorists, they are an attack on the freedom and security of "the public and other adversaries" (to quote one NSA training slide).
It is ripe for abuse; it has been abused; and it forms a strong pillar of turnkey totalitarianism. regardless of whether or not you believe we are in a despotic government now, history has shown time and time again that blanket surveillance and secret courts have always lead to despotism.
We, the People, have been whipped over the second box for far too long. I am hoping the third is sufficient to stay us from the course, that we can rebuild the second, and that we can rekindle general interest in the first, before it is too late.
I do not want the fourth to open in my lifetime.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
local ISP > VPN > Retroshare
Problem solved.
Any metadata stored at your local ISP now only reveals that you connect to a foreign VPN, and only the foreign VPN has your IP.
'Criminals' could also use this setup to communicate or exchange data that would be indistinguishable from ordinary p2p trafick, and only a timely crossborder correlation of all logs across several providers and seizure of the suspect's computer would be of help to the police.
Even if the VPN provider and all intermediary online services keep logs for a short time, they likely only retain IP addresses and hashes of contents.
All this info must be gathered by the government, correlated and backtraced to the suspect and a chain of custody established before the data is expired or poisoned.
A data retention period of two years is useless since most metadata will in the most likely case only be kept for a few weeks.
[ link to this | view in chronology ]
Re: Contents vs. metadata
skills to do so, but the self-discipline to pull it off.'
How difficult is it to download and install Bitmessage or use an online overseas datadump for arranging a private conversation?
I will argue that these solutions have progressed to the click and run level being accessible to the nonsavvy user.
And if they can't, the learning curve is not difficult.
Remember that even under the most draconian data retention regime enacted so far, only communications data generated by certain protocols must be retained.
Such a endrun will not be to any avail if you are already under individual surveillance, but communications data are useless if it ccan't be individualized to the parties talking.
'If Alice and Bob make an attempt to communicate covertly, they are now suspect and open themselves up to further investigation, because now there's reasonable
suspicion that there is something worth hiding.'
And how would you know that they are attempting to have a covert conversation?
SSL properly implemented does not give away the relative URL but only the IP address of the visited website.
If they use an SSL enabled cloud provider, there is no giveaway that they are talking to each other.
[ link to this | view in chronology ]
Re: Re: Contents vs. metadata
Most end-users of computer systems are just not competent in other than the bare minimum for the use of computers. That is 30+ years speaking here.
Secondly most of these end users are using Microsoft O/S's of some description which puts them even further behind the eight ball. Those that are Apple users are generally in no better position.
Let me put it another way, how many car drivers are able to strip and rebuild their vehicles? In terms of the general population, very few and far between. I know how to do various things with my vehicle but I can't say that I am competent enough to do anything other than the basics.
[ link to this | view in chronology ]
Re: Re: Contents vs. metadata
[ link to this | view in chronology ]
Privacy
http://www.linuxbsdos.com/2014/07/19/protonmail-and-subrosa-encrypted-communication -for-the-privacy-conscious/
Proton is end to end encrypted email.
Subrosa is end to end encrypted, peer to peer IM and VOIP.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Fail
The people willingly share their personal information online with social media sites, and generally violate their own expectations of privacy by sharing it with a group of people and not only a single individual.
For all the hand waving, they need to understand that for most people, a read of their facebook, twitter, and other social media accounts combined with perhaps the images on instagram and such are more than enough to figure out most things about them.
Add in your tracked Google searches, or the website visits tracked by various advertising companies, and pretty much anyone who want to know anything about you will know it, meta data or not.
Anything related to social media is pretty much a losing argument.
[ link to this | view in chronology ]
Re: Fail
but i disagree with your approach to the subject. we need to open debate about the tradeoffs we are engaging in, and if one party is in the business of gathering all this information, we need to have certain guarantees about how this information can be used.
i'm not talking about the stuff willingly put online into the general public's view - that is a different creature; but all the stuff that's normally hidden (as the infographic lays out in stark clarity). it used to be in the united states that credit unions could collect reams of data about your financial habits and they did not have to show it to you ever. i think we need a similar (and better) adjustment in the dealings with these online services.
we are trading some of our privacy in return for services and conveniences. that needs to be treated as a business contract between us, the consumers, and the corporation. just because i am the product in some corporation's system should not mean that i have no rights in regards to these transactions or the metadata that is generated.
I'm still trying to form my philosophy on this....
/ramble
[ link to this | view in chronology ]
Re: Re: Fail
It gets to the nub of the problem here. The phone company (no matter which one) keep a list of all of your calls. Yes, they retain meta data, and that data can be requested by summons. In the case of mobile, information such as cell tower used, signal strength, and other items are also passed as part of the call (and retained).
The question is what level should an internet provider be required to maintain. iinet claims "nothing at all", but that seems too much like creating a legal hiding place for end users to me.
[ link to this | view in chronology ]
Re: Re: Re: Fail
Indeed, that is the question. I say "none of it" is the correct answer. Requiring private entities to retain information for law enforcement purposes makes them effectively law enforcement agents. It's a way for law enforcement to offload the costs of what they want to do onto third parties instead of footing the bill themselves. It's also a backdoor method to allow the government to engage in actions that would be on shaky legal ground if they were to do it themselves.
If the government wants to retain all this data, then they should do it directly. This way, at least whatever safeguards still exist against governmental overreach are still in play. Requiring providers to retain data for law enforcement purposes is a bit sleazy at best.
[ link to this | view in chronology ]
Re: Re: Re: Re: Fail
[ link to this | view in chronology ]
Re: Fail
I chose iiNet as my ISP for exactly the same reasons that I an EFF member.
[ link to this | view in chronology ]
people need to remember this
I am ecstatic that this quote was brought out again. No other defense against "it's just metadata" should be needed now. (but it is still good to learn more about the techniques used to mine it.)
metadata is data
[ link to this | view in chronology ]
Re: Fail
I don't buy it.
Just because I may elect to share some info with a private company offering me free service does not give the government the right to mandate that every website I visit gets logged.
[ link to this | view in chronology ]
Re: Re: Fail
It's the third party doctrine grafted onto mandatory data retention.
And that's the reason why the third party doctrine is so dangerous, because once the lack of a reasonable expectation of privacy in call records has been extended to internet metadata the government can not only get the data, but can also legislate that all systems must retain metadata prior to a targeted investigation.
So what you are arguing is that there is no privacy violation in mandatory retention of data I generate on the internet, because these data already belong to a third party.
By the same logic, there would be no privacy violation in forcing all internet connected services to retain everything including contents forever for the government's perusal.
[ link to this | view in chronology ]
Re: Re: Re: Fail
No, I am not a big fan of wide spread data scooping, but requiring an ISP to keep logs of user log ins, IP address assigned, and so on to be made available by court order should be a reasonable and normal thing.
[ link to this | view in chronology ]
Re: Re: Re: Re: Fail
Requiring them to make such data they have available by court order is reasonable. But why should it be considered "reasonable and normal" to require them to retain data they would not normally have retained in the course of doing business?
[ link to this | view in chronology ]
Re: Re: Re: Re: Fail
You're not very good at this "lying" thing, are you?
[ link to this | view in chronology ]
Re: Re: Re: Fail
Here the justification that the communication is in public is not applicable, because the only public aspect to the communication is that me and my friend is using a third party intermediary.
Saying that a commercial ISP must keep records is something which I don't agree but, it's a least a logical extension to the phone company keeping call records for invoicing.
But if I connect to my friend's private server there is no justification for forcing him to retain logs, more than the government could force him to retain a written logbook of every private visitor to his house.
[ link to this | view in chronology ]
Re: Re: Re: Fail
So consequently data retention of metadata is not a privacy violation, because someone has already given the information to a third party.
But why stop there? There is no distinction between contents and metadata since both are handed over to the ISP for processing.
If I don't have a reasonable expectation in metadata revealing which websites I visit, and this information can be kept for one year, why should I have a lesser or greater expectation of privacy in not having the contents of my communication kept for the same time?
It seems that retention of both must be either permitted or forbidden.
[ link to this | view in chronology ]
The Wrong Question ...
The opponents of State snooping are therefore, ipso facto, pro crime, terror, death etc etc. In political terms, the debate is unwinnable since few if any if us can list the counterbalancing benefits of individual privacy rights in persuasive terms. Certainly not in less than the 15 seconds attention span of listeners.
The question should be: "By what right do you (the State) snoop on me, and under which specific circumstances"?
[ link to this | view in chronology ]