Feeds

The asymmetry implicit in Internet data retention

By the way: Anonymous go home

Protecting against web application threats using SSL

As we speak, apathetic Australians are failing to lodge submissions objecting to the government’s ill-defined data retention proposals.

But Anonymous thinks it represents us, and until it actually started showing the data, @Op_Australia on Twitter descended into the kind of “RSN” you can only deliver if you’re an archetypal self-abuser.

Forgive me if I say that the principal arguments about freedom and peoples’ right not to be snooped on have been aired in many forums in the context of Australia’s data retention debate, and I’d have no new insight to add on that score.

However, there are a couple of aspects to the Australian government’s call for comment regarding data retention that haven’t received much publicity.

Chief among these, in my mind, is this: in modeling data retention on what’s retained in phone records, governments and law enforcement either don’t realize or don’t care about the differences between the Internet and the telephone.

If the Australian government sticks to its previously-expressed enthusiasm for retention modeled on the European Data Directive, then the retained data would include the user ID, time of day, source IP address, and destination IP address for their Internet interactions.

As I said, it’s modeled on phone data records, in which carriers keep calling party, called party, and a timestamp for billing purposes (and law enforcement trawls if it’s given permission by a judge to see who someone called).

There are problems using the phone record as a model. For example, I’m not in control of every IP address my Web browser visits. No matter that I only intend to look at a story in (say) the Sydney Morning Herald, the site owner imposes all sorts of cruft for me to view the story: there’s the trackers (Google Analytics, IMR Worldwide and so on), the ad servers (Doubleclick, Google), the videos which might come from a different IP address to the story, and all the affiliate links which might also come from a different IP.

It only takes one visit to a compromised Web server, and a user can make contact with an IP address that ASIO or the AFP doesn’t like – without knowing they’ve done so.

It’s not a phone, it’s more like a series of … tubes

If we were talking about phone calls, there’s a reasonable chance that Joe Sixpack can at least talk sense to a policeman knocking at his door. A phone bill is human-readable. People can recognize telephone numbers; 02 9555 5555 makes sense. Even if Joe ends up needed a lawyer to help him, they can communicate on common ground.

"Honestly, I can swear on the witness stand that nobody in my house ever called 9555 5555!"

On the other hand, 144.140.108.23 is not meaningful to the ordinary user. I can tell El Reg readers that it’s the address to which Telstra.com resolves, but most people don’t know what that means.

So when the the Chief Inspector leans across the table and utters dark threats because someone using your IP address accessed a sub-domain on a given IP address, and that the sub-domain was host to an extremist Web page showing bomb-making instructions … what exactly do you say?

You get my point, I hope. You can't challenge evidence you can't understand.

By thinking of Internet transactions as some kind of analogue for telephone calls, law enforcement is creating a huge asymmetry that doesn’t exist when we discuss telephone call records.

“I have no idea what you’re talking about, officer”. “Tough luck, mate, you can’t argue with the logfiles.”

Surely we don’t want to create a country in which this conversation is feasible.

Anonymous, again

Mind you, I can think and discuss this without Anonymous’s assistance.

Its latest attacks, and release of a sample of data purloined from AAPT, via Melbourne IT, are as always completely unhelpful. They give aid and comfort to those who argue in favour of regulating the Internet, without doing a damn thing to prevent said regulation.

With the kind of geopolitical ignorance that screams “American” at me, Anonymous attacked Queensland government Websites to protest events in Canberra. That left the group taking out its anger with one jurisdiction - all of Australia - on a single state. Worse still, the respective governments of those jurisdictions share robust and ongoing enmity.

I’m actually in favour of having the issue debated, and submissions made to government: a strong “don’t snoop” response from the public is a good way to get the message across.

I don’t like the (mainly media-driven) oversimplification that takes every government request for comment as a fait accompli. It discourages people from taking part in the process - which is exactly the point of inviting submissions.

If we truly believe in the Internet as a medium for democratic interaction, then we need to encourage governments to put their proposals up for comment – as they now do, and but for the depressing apathy of the populace, with much greater debate.

Nearly every proposal will have its opponents, whether they’re right or wrong, informed or ignorant, leftist, centrist, right-wing or none of the above. People will support or oppose wind farms, marine parks, coal mines, gas loaders, logging, Medicare, government deficits, government surpluses, the carbon tax, income tax, private school subsidies and the rest.

Some may even grab the placard to protest over something if they feel strongly enough about it. More power to them: it’s a democratic right – as is even the loon stumping up his or her own money to take a government to the High Court.

Those things, however, take courage. You have to lend your name to the protest, have to be prepared, if necessary, to front the court and pay the fine.

“For your own good” an expression of the will to power. I don’t care who you are, Anonymous: you don’t have permission to exercise power over me. Even for my own good. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.