Citizens not Suspects - Notes on Mandatory Data Retention

Matthew Hackling

Matthew has over ten years' experience operating solely in the area of information security, holds a Bachelor's degree in security management from ECU and is also a CISSP. He is a former Account Director in Deloitte’s Security & Privacy Services practice. Matthew has led security testing teams on assessments of large core systems replacement projects for banking institutions. He operates more in the area of information security governance these days, despite his urges to still stay a bit technical. Hence he plays with BackTrack Linux, Metasploit and new web application security assessment tools in his rare free time. Currently he runs his own consultancy called Ronin Security Consulting and holds the title of General Manager of Security Testing at Enex TestLab. He is an active member of the Australian Information Security Association, and held the office of Melbourne Branch Executive for a number of years. Matt’s security blog is called Infamous Agenda and he is an active Twitter user with the handle @mhackling.

Why should a CSO care about the government's mandatory data retention scheme? It’s your customers’ metadata. It’s your company’s metadata.

1. The Australian government is essentially treating all Australian citizens as suspects and proactively issuing a nation-wide data preservation notice. Previously these were only issued on persons of interest. Everyone's getting wiretapped, not just the suspected criminals.

2. Metadata can be accessed without a warrant by a subset of government agencies defined as "enforcement agencies" in the act. Enforcement agencies include the ATO, Centrelink, the RSPCA and local councils as well as police and ASIO.

3. Many organisations being asked to retain data (ISPs and telcos) are not geared up to do this. These requirements will impact personnel, process and technology, not to mention the security requirements. ISPs and telcos are currently only geared up for "law enforcement intercept" to facilitate the wiretapping of persons of interest.

4. The definition of metadata is vague and is likely to expand to meet the "mission". For example, if Senator Brandis wants to find out who has been watching a certain extremist propaganda video on LiveLeak he'll need the subscriber details, source IP and destination URL. Therefore, the government will need to retain (at least) all users’ URL history if they want to achieve this objective. Location data is currently excluded, but this probably means GPS locations, not the physical addresses of service subscribers. If new technologies emerge, like peer-to-peer, the definition is likely to expand or be "legally re-interpreted", perhaps in secret as the US has done in the past.

Do not underestimate the importance and sensitivity of metadata. At a minimum it provides enough information to blackmail someone. The former director of the NSA, Michael Hayden, places metadata in the context of military use with this quote: "We kill people based on metadata". Mapping sets of data about "persons of interest" together is a point-and-click activity these days for software used by intelligence agencies, such as Palantir. If whistle-blowers, journalists, activists and politicians become persons of interest, there is a threat to the free press, the correct operation of our democracy and the independence of our legislators from undue influence by our intelligence agencies.

5. If extremists or paedophiles look on the Internet for twenty minutes they will find useful methods for encrypting, proxying and hiding their communications, which will still require intelligence agencies to compromise the endpoint. Wiretapping will still need to happen for the bad guys.

6. Customers will demand SSL encryption on all corporate web applications to protect their privacy, leading to changes to infrastructure and increased costs.

7. To maintain access to the data despite "the scourge of encryption", the government could mandate that ISPs intercept SSL traffic.

8. The existing website blacklist could be expanded in its use. Expect something like YouTube to be accidentally blocked. It has already happened to 250,000 websites following an ASIC request to take down a scam website.

9. The data retained by these ISP systems and the access made available to it will be unprecedented and poorly secured. It will become a target for criminals, private investigators and debt collectors. There will be incidents of misuse by administrators, including resale of the data. Even nation state threat actors will want access to these juicy targets.

10. ISPs and telcos will get hacked and the government will blame them for poor security.

In summary, Senator Brandis should tell the AFP and ASIO to go get specific warrants and go after the terrorists with justified, targeted surveillance, not a society-wide "fishing expedition".

www.citizensnotsuspects.org.au

This article is brought to you by Enex TestLab, content directors for CSO Australia.
