New web spy powers: for and against

In June 2010, I broke the ZDNet story that the federal government was holding secret meetings with telco companies to try and get them on side with the idea that they should store users' web browsing histories. It wasn't only browsing histories that the Attorney-General's department wanted telcos to store, but also telephone call data, text message data, and a bunch of other data.

Even having telcos store your passport number so they could tie it to your telephone or internet account was proposed. "Why the hell an ISP would ask anybody for a passport number is beyond me," a telco source told me at the time the proposal was being debated.

The Attorney-General's department and law enforcement bodies were basically after anything and everything. And they weren't telling anyone but the industry about their new demands.

Now the "data retention" scheme, which has been secretly put together by the Attorney-General's department for its minister for more than two years now, has been given a push by Attorney-General Nicola Roxon.

The Attorney-General this week put the proposal to a parliamentary joint committee on intelligence security to review it, among other proposals. If passed, the proposals would be the most significant expansion of the intelligence community's powers since the Howard-era reforms that followed the 2001 terrorist attacks.

Of the 5380 Fairfax readers who voted on a poll attached to this morning's story about the scheme, 95 per cent voted that telcos should not be forced to store telephone and internet data. But the government is singing a different tune, and is under increasing pressure from law enforcement to pass laws to retain telco data.

The scheme is likely to get support from the Coalition, but not the Greens, and will likely become law sooner rather than later.

Positives v negatives

Colin Dyson, head of the NSW fraud squad, today spoke to Fairfax Media, publisher of this website, about the scheme's positives for police, while a member from the telco industry, who wished to remain anonymous, spoke about its negatives.

We need telco data to fight crime: Dyson

Mr Dyson said some police investigations had "essentially hit brick walls" because data police sought to assist them was held by some telcos in a "very ad hoc way depending on [who] we are talking about".

"So by the time we receive a report of a crime very often the information that we require to track the offender is no longer there," Mr Dyson said. "In some cases the data is lost within 24 hours."

One telco that is understood to delete most customer data after 24 hours is Vodafone. Telstra is understood to voluntarily keep data for a period of time, which has satisfied some law enforcement bodies.

But no standard policy exists across the board, and it's up to telcos as to whether they store data. In most cases, it's deleted as soon as possible, as the anonymous source for the ISP industry told Fairfax.

"Most ISPs that I'm aware of flush out the data they don't need to keep as quickly as possible after they've completed their billing operations because storing data costs money," the ISP industry source said.

"... And there's no reward for spending money that you don't need to spend."

But it'll protect you: Dyson

Another argument often put forward by law enforcement for keeping telco data is that it will protect Australians more than they are currently protected. Mr Dyson is someone that agrees with this sentiment.

"I really think the public should be more concerned about their privacy being intruded into by offenders [rather] than those [law enforcement agencies] that are trying to protect those interests," he said.

"Criminals don't have to abide by any legislative protocols or any formal protocols in relation to them breaching people's privacy or doing data intrusions. That's what people should be more concerned about."

Huge security risks: ISP source

Despite this, there may be huge security risks associated with storing telco data, as the ISP source pointed out. Though law enforcement would have to request data in a matter that complies with the law, hackers could inevitably beat them to it, and post every Australian's internet and telephone data history online.

"The hacking thing concerns me greatly because this body of data would be immensely valuable to all sorts of people," the ISP source said. "There would be a huge incentive to attempt to gain access to it. So you would assume that it would be a target and while large service providers are used to securing data you nevertheless see incidents with data leaks and you would have to assume that some amount of this data would leak."

The ISP source questioned whether law enforcement, let alone government, could ensure data was stored securely, especially given the government has so far avoided talk of it paying for any of the scheme's costs.

The source also pointed to a recent breach by a former federal government security advisory body, AusCERT, as proof the government was not the best at securing data. AusCERT lost 8000 Australian's data on a DVD.

Encryption enough? Police 'yes', industry 'no'.

But law enforcement bodies, and NSW Police's Mr Dyson, say encryption technology should be enough to prevent data from being exposed, even if it did leak, something disputed by the ISP source who spoke to Fairfax.

"There are a lot of companies that do store that data and there are security measures they can put in place to make sure that the data is secure ... encryption being one," Mr Dyson said.

"All data I think should be secured on the internet. This is just one form of it. Those same providers do store a lot of other information which I would assume is being stored or I would hope is being stored securely."

The ISP source said encrypting data would secure it against people without data security knowledge, but said the cost burden to most ISPs would most likely see telcos not encrypt data if they didn't have to.

"Unless the encrypted data is stolen and somebody has a large enough incentive to decrypt it, most people who aren't data security experts aren't very good at encryption so it would be an interesting challenge," the source said.

Huge cost burden: ISP source

The ISP source said the cost of keeping data was another huge issue with running a data retention scheme. They estimated that it would cost Australian ISPs roughly $14.4 million to purchase the amount of hard disk drives required to store data reliably for a period of 24 months and allow for rapid access of data.

There were also other costs that would run into the hundreds of millions such as running a data centre to store the data.

"You can dream up ways in which this could be done," the ISP source said.

"But when you have to add up all of the costs associated with achieving that you come up with a price tag that adds some potentially hundreds of millions of dollars to running the internet in Australia.

"And if that's considered acceptable and we get hundreds of millions of dollars worth of value from that exercise then perhaps there's an argument for it. But it looks to me very much like an example of security theatre and the actual results from it are likely to be of relatively low value.

"Perhaps we'd get a better result if we'd spent hundreds of millions more on our police forces instead?"

Despite all this, NSW Police's Mr Dyson said that if people were going to use the internet then they would have to live with a "general lack of privacy" in some instances.

The story New web spy powers: for and against first appeared on The Sydney Morning Herald.

Smartphone
Tablet - Narrow
Tablet - Wide
Desktop