Dear Australian citizen, the argument that you are meant to swallow hook, line, and sinker today is: Thank goodness that terrorism organisations have never heard of VPNs, Tor, or encryption, otherwise we’d never need to legislate a new data retention scheme to protect you.
It’s barely been 24 hours since the conservative government in Australia announced its intention to produce legislation that would establish a mandatory data retention scheme across the continent, and already there are myriad versions of what the government wants the nation’s telecommunication companies and ISPs to hold on ice for a period of two years.
Foreign minister Julie Bishop told ABC’s 7.30 program last night that the details were being worked out by Attorney-General George Brandis and Communications Minister Malcolm Turnbull.
“What we need to ensure is that our intelligence agencies can have access to relevant material. This is not about breaching privacy or listening in to people’s private conversations. This is ensuring that our intelligence agencies have the capability to detect terrorists at work,” she said.
“We will work with the telcos to ensure that there is a balance and that we only gather what we need to gather for the purposes of counter-terrorism.”
On the other side of the equation though, was Prime Minister Tony Abbott, and his postal analogy that the authorities are only interested in “what is on the envelope”, or in slightly more educated terminology, possibly the retention of an Australian resident’s complete web browsing history.
“Let’s be clear about what this so-called metadata is. It’s not the content of the letter, it’s what is on the envelope,” Abbott said on breakfast TV this morning.
“It’s not what you’re doing on the internet, it’s the sites you’re visiting. It’s not the content, it’s just where you’ve been, so to speak. We’re talking to the internet providers to ensure this so-called metadata is kept.”
Later in the day, Abbott’s office hamfistedly attempted the clarify what the Prime Minister had said, but it is still roughly in line with his tortured envelope analogy.
On the internet, given the information present on the “envelope”, it is possible to glean an awful amount of information. In fact, from an intelligence perspective, if you can get a hold of the HTTP headers, you’ll hardly need the content itself, because if you want the content, an officer can just open the URL in question themselves to see it.
For instance, take a search engine beginning with B and owned by Microsoft that doesn’t use SSL by default, and searching for “bad search term” leads to the following Request URL in request headers:
Request URL: http://www.bing.com/search?q=bad+search+term&go=Submit&qs=n&form=QBLH&pq=bad+search+term&sc=0-11&sp=-1&sk=&cvid=6f265849c6cf44a4bbc020f971dcb5a7
What sort of agent or automated big data processing alert system, needs to actually needs to view the content of that page to have a rough idea of what is there?
When it comes to thinking that internet metadata is anything like the details of an envelope, it misses the key issue, and that is that on the internet, the details available on the envelope are not only who send it and who received it, but also the first few pars of the “letter” inside, as Prime Minister Abbott would put it.
As users travel across the web on a daily basis, they can send the equivalent of hundreds of envelopes a day. Abbott claims that ISPs are already storing this information, presumably for billing purposes, but all ISPs are interested in is running totals of data throughput, not itemised billing of internet accounts.
But given that the definition of metadata is still yet to be properly defined by the government, let’s look at the other extreme of the retention proposal.
If the only metadata that the government wants stored is a from IP address, the to IP address, thanks to the wonders of reverse DNS lookups, it’s possible for the authorities to walk away with a long history of domain names that a person has visited. Even if it is most Google, Facebook, or YouTube domain names, eventually something such as badterrorsite.blogspot.com or illegalthoughts.wordpress.com will appear in the list.
This afternoon, Attorney-General George Brandis was asked to define metadata in an interview with Sky News, and if you want to see the technical illiteracy on offer from one of the co-authors of the legislation that will be drawn up, watch that interview in full.
Could the “electronic web address” that Brandis refers to be the IP address, the domain name, or the full requested URL? Whatever it is, this government minister told us yesterday that it was needed to be stored to protect us from terrorists attacks.
Steve Dalby, chief regulatory officer at iiNet told ZDNet today that Australia’s third largest ISP has approximately 3 petabytes of data going across its network every day, and it estimates that the company would need to strip approximately 1 petabyte of this data to retain as metadata.
That’s a lot of storage, cost, and automated scanning through URL entries such as http://media.tumblr.com/yet_another_cat_83622.gif, just to find the potential person who looked at some page related to bomb making.
As I mentioned earlier, this is all for naught though if the “bad guys” are able to encrypt their communications.
Every time that data retention has been put back on the political agenda, the triviality of circumventing it is always, rightly, pointed out.
If the Prime Minister and his Cabinet want to speak in analogies, all that data retention offers is a giant vacuum cleaner for the internet, that will only impinge on the privacy of the innocent and cost a lot of money, because the actual “bad guys” already know how to avoid it.