mark nottingham

Dissecting Australia's Proposed Data Retention Law

Monday, 19 January 2015

Australia

Much has been written about the societal impact of Australia’s proposed data retention laws (see some examples here and here) which I won’t repeat. However, they are quite interesting — and worrisome — from a more technical perspective.

Below are some initial thoughts after a weekend reading the legislation and supporting documents (as well as getting more familiar with the Australian legislative system). To be clear, I’m not a lawyer; I’d love feedback as to whether I’m interpreting what the proposed legislation allows correctly (but note that I said “allows,” not “intends”).

With that caveat in place, let’s have a look.

What’s Being Logged?

One contentious part of the proposal is regarding what data will be collected (I won’t use the term “metadata”, because determining what that means is very much in the eye of the beholder). These two paragraphs are the meat of it:

(2) The kinds of information prescribed for the purposes of paragraph (1)(a) must relate to one or more of the following matters:

  (a) characteristics of any of the following:
    (i) the subscriber of a relevant service;
    (ii) an account relating to a relevant service;
    (iii) a telecommunications device relating to a relevant service;
    (iv) another relevant service relating to a relevant service;
  (b) the source of a communication;
  (c) the destination of a communication;
  (d) the date, time and duration of a communication, or of its connection to a relevant service;
  (e) the type of a communication, or a type of relevant service used in connection with a communication;
  (f) the location of equipment, or a line, used in connection with a communication.

[…]

(4) This section does not require a service provider to keep, or cause to be kept:

  (a) information that is the contents or substance of a communication; or

Note: This paragraph puts beyond doubt that service providers are not required to keep information about telecommunications content.

  (b) information that:
    (i) states an address to which a communication was sent on the internet, from a telecommunications device, using an internet access service provided by the service provider; and
    (ii) was obtained by the service provider only as a result of providing the service; or

Note: This paragraph puts beyond doubt that service providers are not required to keep information about subscribers’ web browsing history.

  (c) information to the extent that it relates to a communication carried by means of another relevant service operated:
    (i) by another service provider; and
    (ii) using the relevant service; or a document to the extent that the document contains such information

(Emphasis mine throughout)

The carve-outs in (4)(a) and (4)(b) seem intended to reassure, backed up by the explanatory notes in many places, e.g.:

  1. Under proposed paragraph 187A(4)(b), the retention obligation is explicitly expressed to exclude the retention of destination web address identifiers, such as destination internet Protocol (IP) addresses or uniform resource locators (URLs). This exception is intended to ensure that providers of internet access services are not required to engage in session logging, which may otherwise fall within the scope of the destination of a communication.

Unfortunately, further reading of the notes makes things quite muddy again:

  1. Paragraph 187A(2)(c)—the destination of a communication: This category covers identifiers of an account to which a communication is sent. An example of such an identifier is the telephone number dialled when making a telephone call. The retention of telecommunications data regarding the destination of a communication (such as telephone numbers and e-mail addresses) is necessary in order to connect a communication of interest to the particular telecommunications service being used to send or receive this communication. This information can then assist with determining the subscribers who sent or received relevant communications. If providers of telecommunications services did not retain this telecommunications information, there is a real risk that agencies would not be able to determine with whom a person has been communicating, providing important information on linkages and connections of investigative significance and which are critical to advance inquiries into criminality and security threats.

Note that e-mail addresses are potentially collected, but they say URLs aren’t. Ignoring the fact that e-mail addresses can also be URLs, how does a “service provider” know how to balance (2)(c) and (4)(b)? Are there other application protocols that they want to collect and just haven’t yet bothered mentioning?

This is where things get confusing. Reading further into the explanatory notes, we indeed see a few more mentioned; from page 41:

For application services provided over the top of internet access, examples of service types include Voice over Internet Protocol (VoIP), instant messaging or e-mail.

Since these are just examples, one has to assume that potentially all application-layer protocols could end up being logged.

So, what’s the qualitative difference between collecting an e-mail address out of the To: line when a user sends an e-mail, and pulling the URL out of the request line of an HTTP message? Maybe it’s because the service provider is running the e-mail server as an intermediary; OK, but many run HTTP proxies (also intermediaries) too; if they do so, are they now required to collect something? Or maybe URLs are just special — does that mean that Jabber doesn’t need to be logged because it’s URL-based, even though it’s instant messaging?

This absurdity illustrates that (4)(b) is really just “do what I mean.” Words like “address,” “session” and “identifier” are far too vague to use without qualification in a layered architecture like the modern Internet. Of course the ISP industry is tearing its collective hair out about this; they’re caught in the middle.

This lack of insight into what they’re trying to control is even more apparent when the explanatory notes talk about “web browsing history” not being stored. This phrase is only meaningful in the browser itself, not on the network. Given the fuzzy definition of what’s “on the Web,” it’s likely that some aspects of people’s activity on the Web potentially will be retained under this legislation, depending on how it’s interpreted.

For example, if e-mail addresses are to be retained, how does GMail fit in? The emerging view of Web-as-platform in everything from phones to TVs to cars will only make this more difficult. If I sent a message from my HTML5-enabled car to someone else’s TV using my Facebook account over HTTP, is that “Web browsing”?
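The comparison above between the To: line of an e-mail and the request line of an HTTP message, and the GMail question, as an added example that is not part of the original post: a sketch of where a “destination” shows up at the application layer in two constructed messages. The host names, addresses and the `to` query parameter are assumptions, and it goes slightly beyond the text by separating the SMTP envelope recipients from the To: header.

```python
# Added illustration. Both messages are constructed samples, not captured traffic.
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlsplit, parse_qs

SMTP_SESSION = (
    "MAIL FROM:<alice@example.org>\n"
    "RCPT TO:<bob@example.net>\n"
    "RCPT TO:<carol@example.com>\n"   # Bcc: envelope only, absent from To:
    "DATA\n"
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Subject: lunch\n"
    "\n"
    "See you at noon.\n"
    ".\n"
)
# Hypothetical webmail request; the "to" query parameter is an assumption.
HTTP_REQUEST = (
    "GET /compose?to=bob%40example.net HTTP/1.1\r\n"
    "Host: webmail.example.com\r\n"
    "\r\n"
)

def smtp_destinations(session):
    """Return (envelope recipients, To: header recipients) of an SMTP dialogue."""
    commands, _, data = session.partition("DATA\n")
    envelope = [line[len("RCPT TO:"):].strip("<> ")
                for line in commands.splitlines()
                if line.upper().startswith("RCPT TO:")]
    to_header = message_from_string(data).get_all("To", [])
    return envelope, [addr for _, addr in getaddresses(to_header)]

def http_destination(request):
    """Rebuild the URL from the request line and Host header (plain HTTP assumed)."""
    lines = request.split("\r\n\r\n", 1)[0].split("\r\n")
    _method, target, _version = lines[0].split(" ")
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return "http://" + headers["Host"] + target

def addresses_inside_url(url):
    """E-mail addresses carried in the URL's query string."""
    query = parse_qs(urlsplit(url).query)
    return [v for values in query.values() for v in values if "@" in v]

if __name__ == "__main__":
    print(smtp_destinations(SMTP_SESSION))
    url = http_destination(HTTP_REQUEST)
    print(url, addresses_inside_url(url))
```

The envelope lists a recipient that the To: line never mentions, and the URL that (4)(b) appears to exclude carries the same e-mail address that (2)(c) appears to include.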

What’s a Service Provider?

The meaning of “service provider” is worth pondering too. Does it just mean your mobile phone operator and your ISP, or does it also mean Facebook and Twitter? Does it apply to a Web-based message board like Whirlpool? What about a cloud provider, like Amazon or Rackspace?

It appears it could:

(3) This Part applies to a service if:

  (a) it is a service for carrying communications, or enabling communications to be carried, by means of guided or unguided electromagnetic energy or both; and
  (b) it is a service:
    (i) operated by a carrier; or
    (ii) operated by an internet service provider (within the meaning of Schedule 5 to the Broadcasting Services Act 1992); or
    (iii) of a kind prescribed by the regulations; and
  (c) the person operating the service owns or operates, in Australia, infrastructure that enables the provision of any of its relevant services;

but does not apply to a broadcasting service (within the meaning of the Broadcasting Services Act 1992).

That depends on how you interpret “carrying communications.” The get-out clause in (3)(b)(iii) effectively means you’re a service provider if the regulator says you are. In this case, I think that means that it just needs to be gazetted by ACMA.

Again, the explanatory notes seem to point to a strong interest in this direction, since VoIP, e-mail and IM often aren’t supplied by your carrier or ISP.

This also leads to some interesting questions about consequences. If Australian service providers require logging, does that create an incentive for people (bad or not) to use overseas services? If so, how will this affect Australian businesses that are trying to build products for an increasingly privacy-sensitive market?

Also, will messaging apps that don’t conform to these requirements be banned from the Australian app stores (since they’re being sold in Australia)? Given the market forces at play, if an overseas secure messaging service doesn’t make its logs available to Australian law enforcement, will it eventually be blocked by our not-a-filter?

Handball to the Regulators

Reluctantly reading the explanatory notes further, we find:

  1. Proposed section 187A of the Bill requires that service providers retain prescribed information or documents in relation to the use of their services. Proposed subsection 187A(2) limits the types of information that may be prescribed to information relating to subscribers to a service, the characteristics of an account or device relating to a service, the source, destination and timing of a communication, the type of communication and the location of a device used in connection with a communication. Details of the data falling within these circumscribed classes will be contained in regulations.

Aha. So what they’re really saying is “trust us — we’ll figure it all out in regulation.”

I think a lot of the fear, uncertainty and doubt about the proposal has come about because questions like this are possible given how it’s written, and the government has so far failed to clarify it adequately. What seems to be happening here is that our government wants to leave the door open as wide as possible, but realises that doing so sounds Orwellian, so they’ve thrown us a sop to calm people down — “don’t worry, we won’t be collecting your Web browsing history!”

I also understand that the proposal is designed to align with the “technology-neutral” approach of the Privacy Act. While this may be an appropriate approach for assuring that our privacy isn’t violated by third parties (although there’s debate about that), I question whether it’s a suitable constraint upon describing how the government violates our privacy — even with the best of intentions.


2 Comments

Tim A. Miller said:

What a mess, Mark! Has this already been signed into law (or however that works in Oz)? Or is it still being debated?

Tuesday, January 20 2015 at 5:39 AM