And that’s it. Within just a few short hours the world will end, your data, your movements online, the things you say, the people you say them to – it’s all in the hands of the government and likely it will be hacked and exposed – all because the Federal Government’s Data Retention laws come into place at midnight. Cause for concern? Or a necessary evil? Perhaps somewhere in between.
Facebook knows a lot about you, Google knows as much if not more, then there’s the banks and major supermarkets. Unless you’re living in a cash-only world, and not using the internet too much – the average user has a huge data profile sitting in various corporate institutions. Data Retention shouldn’t be your priority issue.
The Government wants ISPs and Telcos to retain top-level data (metadata – e.g.: not the content of email, but the source and destination of it) about what you do online, and on the phone. Why? Law enforcement. National Security – depends on the buzz words of the day in the political press.
Today, your ISP has a chunk of data about your recent browsing history – 30 days at least for billing purposes, probably 2-3 months in reality at best.
How is that stored? Well, normally a web server, proxy server, or ISP servers will store data in a log. A huge, in fact massive file that lists line by line each access item. By IP Address.
So, an IP address is listed, alongside the site it accessed.
One of the concerns about Data Retention is the potential for ISPs and Telcos to be hacked and your private details exposed, alongside your personal browsing history for example. I call BS on that argument. The user details will likely, as is currently the case, be stored in billing systems and connection data logs.
If law enforcement want to know what “Person X” has been doing Online, the ISP first checks the user account details, then connectivity details for the date or time in question. They use this to determine which IP address the user account was associated with at that time (Your IP address can and most likely does change every time you connect/reconnect).
They then take that IP and extract from their logs any activity that is requested.
Around the other way, if Law enforcement had concerns about a particular site or sites, then perhaps they could request from an ISP the details of users who have accessed that site. The ISP would go backwards on the previous scenario. Get the logs, filter the site access, then use those IPs to look up user details.
My point about “Data retained by ISPs being hacked” being “useless and hard to associate with any individual” is based on this scenario. ISPs are not going to be storing large log and access data directly alongside user data in one easy to obtain hackable database.
Yes, the legislation requires that the information about where you go is kept, as is all the user details even your credit card information. But there’s nothing to suggest that it must or should be stored together in a single database (which would increase the hacking risk).
That’s why I’m relaxed about the potential and ramifications from any “hack” that might occur on an ISP from people looking for this data.
Which leads me to my long bow statement about your VPN access being as big a risk. Frankly, with overseas (and local) web companies being hacked almost left right and centre, we are right to put the concern around hacking front and centre. But surely a small VPN provider (most are smaller than our smallest ISPs) and their customer data are just as good a target as the Telcos themselves here?
VPN gets hacked and your billing information is in the hands of someone else.
That’s as wild a theory as the theory that an ISP will be hacked – in my view, and that’s the point I’m making.
This is a political debate, there are as always two sides.
What’s concerning to me is the level of fear that opponents of the Data Retention policy are putting out there, without even opening their minds to the alternate view.
Yep, I’d prefer some privacy in life. Yep, if I want some level of online privacy I can get a VPN.
But, when it comes to data retention, I want the police to have access to a whole bunch of phone logs if someone is making threatening phone calls to me or my family. And yes, I want the police and federal law enforcement to be able to know exactly where online a person has been going if they have reason to suspect illegal activity.
Nope, didn’t mention Terrorism (oops, just did), because I have this funny belief that laws are meant to be enforced. So whatever the law is that you’re breaking, there should be a mechanism through which authorities can build a case against you. The objective there is to keep us all safe in the long run.
I’m sorry we don’t seem to trust our Government – comes from them playing politics more than governing I’d guess – but the cool thing here is – the Government isn’t storing the data – does an ISP want to be hacked? Hell no, what a blow to their reputation so they’ll have the strictest possible security. And if they are hacked? I doubt the hacker is looking for your web history. More likely they’re after your credit cards. If they do get your web history – and you’ve been on Ashley Madison – no worries, that’s already public info:)
PS: All this information is already available to authorities. The only difference at midnight tonight is that the information has to be kept for 2 years.
Trev is a Technology Commentator, Dad, Speaker and Rev Head.
He produces and hosts two popular podcasts, EFTM and Two Blokes Talking Tech. He also appears on over 50 radio stations across Australia weekly, and is the resident Tech Expert on Channel 9’s Today Show each day and appears regularly on A Current Affair.
Father of three, he is often found down in his Man Cave.