The asymmetry implicit in Internet data retention

By the way: Anonymous go home

As we speak, apathetic Australians are failing to lodge submissions objecting to the government’s ill-defined data retention proposals.

But Anonymous thinks it represents us, and until it actually started showing the data, @Op_Australia on Twitter descended into the kind of “RSN” you can only deliver if you’re an archetypal self-abuser.

Forgive me if I say that the principal arguments about freedom and people’s right not to be snooped on have been aired in many forums in the context of Australia’s data retention debate, and I’d have no new insight to add on that score.

However, there are a couple of aspects to the Australian government’s call for comment regarding data retention that haven’t received much publicity.

Chief among these, in my mind, is this: in modeling data retention on what’s retained in phone records, governments and law enforcement either don’t realize or don’t care about the differences between the Internet and the telephone.

If the Australian government sticks to its previously-expressed enthusiasm for retention modeled on the European Data Directive, then the retained data would include the user ID, time of day, source IP address, and destination IP address for their Internet interactions.

As I said, it’s modeled on phone data records, in which carriers keep calling party, called party, and a timestamp for billing purposes (and law enforcement trawls if it’s given permission by a judge to see who someone called).

There are problems using the phone record as a model. For example, I’m not in control of every IP address my Web browser visits. No matter that I only intend to look at a story in (say) the Sydney Morning Herald, the site owner imposes all sorts of cruft for me to view the story: there are the trackers (Google Analytics, IMR Worldwide and so on), the ad servers (Doubleclick, Google), the videos which might come from a different IP address to the story, and all the affiliate links which might also come from a different IP.

It only takes one visit to a compromised Web server, and a user can make contact with an IP address that ASIO or the AFP doesn’t like – without knowing they’ve done so.

It’s not a phone, it’s more like a series of … tubes

If we were talking about phone calls, there’s a reasonable chance that Joe Sixpack can at least talk sense to a policeman knocking at his door. A phone bill is human-readable. People can recognize telephone numbers; 02 9555 5555 makes sense. Even if Joe ends up needing a lawyer to help him, they can communicate on common ground.

"Honestly, I can swear on the witness stand that nobody in my house ever called 9555 5555!"

On the other hand, 144.140.108.23 is not meaningful to the ordinary user. I can tell El Reg readers that it’s the address to which Telstra.com resolves, but most people don’t know what that means.

So when the Chief Inspector leans across the table and utters dark threats because someone using your IP address accessed a sub-domain on a given IP address, and that the sub-domain was host to an extremist Web page showing bomb-making instructions … what exactly do you say?

You get my point, I hope. You can't challenge evidence you can't understand.

By thinking of Internet transactions as some kind of analogue for telephone calls, law enforcement is creating a huge asymmetry that doesn’t exist when we discuss telephone call records.

“I have no idea what you’re talking about, officer”. “Tough luck, mate, you can’t argue with the logfiles.”

Surely we don’t want to create a country in which this conversation is feasible.

Anonymous, again

Mind you, I can think and discuss this without Anonymous’s assistance.

Its latest attacks, and release of a sample of data purloined from AAPT, via Melbourne IT, are as always completely unhelpful. They give aid and comfort to those who argue in favour of regulating the Internet, without doing a damn thing to prevent said regulation.

With the kind of geopolitical ignorance that screams “American” at me, Anonymous attacked Queensland government Websites to protest events in Canberra. That left the group taking out its anger with one jurisdiction - all of Australia - on a single state. Worse still, the respective governments of those jurisdictions share robust and ongoing enmity.

I’m actually in favour of having the issue debated, and submissions made to government: a strong “don’t snoop” response from the public is a good way to get the message across.

I don’t like the (mainly media-driven) oversimplification that takes every government request for comment as a fait accompli. It discourages people from taking part in the process - which is exactly the point of inviting submissions.

If we truly believe in the Internet as a medium for democratic interaction, then we need to encourage governments to put their proposals up for comment – as they now do, and but for the depressing apathy of the populace, with much greater debate.

Nearly every proposal will have its opponents, whether they’re right or wrong, informed or ignorant, leftist, centrist, right-wing or none of the above. People will support or oppose wind farms, marine parks, coal mines, gas loaders, logging, Medicare, government deficits, government surpluses, the carbon tax, income tax, private school subsidies and the rest.

Some may even grab the placard to protest over something if they feel strongly enough about it. More power to them: it’s a democratic right – as is even the loon stumping up his or her own money to take a government to the High Court.

Those things, however, take courage. You have to lend your name to the protest, have to be prepared, if necessary, to front the court and pay the fine.

“For your own good” is an expression of the will to power. I don’t care who you are, Anonymous: you don’t have permission to exercise power over me. Even for my own good. ®
