The asymmetry implicit in Internet data retention

By the way: Anonymous go home


As we speak, apathetic Australians are failing to lodge submissions objecting to the government’s ill-defined data retention proposals.

But Anonymous thinks it represents us, and until it actually started showing the data, @Op_Australia on Twitter descended into the kind of “RSN” you can only deliver if you’re an archetypal self-abuser.

Forgive me if I say that the principal arguments about freedom and peoples’ right not to be snooped on have been aired in many forums in the context of Australia’s data retention debate, and I’d have no new insight to add on that score.

However, there are a couple of aspects to the Australian government’s call for comment regarding data retention that haven’t received much publicity.

Chief among these, in my mind, is this: in modeling data retention on what’s retained in phone records, governments and law enforcement either don’t realize or don’t care about the differences between the Internet and the telephone.

If the Australian government sticks to its previously-expressed enthusiasm for retention modeled on the European Data Directive, then the retained data would include the user ID, time of day, source IP address, and destination IP address for their Internet interactions.

As I said, it’s modeled on phone data records, in which carriers keep calling party, called party, and a timestamp for billing purposes (and law enforcement trawls if it’s given permission by a judge to see who someone called).

There are problems using the phone record as a model. For example, I’m not in control of every IP address my Web browser visits. No matter that I only intend to look at a story in (say) the Sydney Morning Herald, the site owner imposes all sorts of cruft for me to view the story: there’s the trackers (Google Analytics, IMR Worldwide and so on), the ad servers (Doubleclick, Google), the videos which might come from a different IP address to the story, and all the affiliate links which might also come from a different IP.

It only takes one visit to a compromised Web server, and a user can make contact with an IP address that ASIO or the AFP doesn’t like – without knowing they’ve done so.
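The point above, worked through as an added example (not part of the original article): one page view is reduced to the four retained fields the article lists, and the result is compared with what the user actually chose to visit. The hostnames, the addresses (documentation ranges) and the shared-hosting table are constructed for illustration.

```python
from typing import NamedTuple

class Request(NamedTuple):
    time: str             # time of day the browser made the request
    host: str             # hostname requested (not part of the retained record)
    dst_ip: str           # address the hostname resolved to
    user_initiated: bool  # True only for the URL the user chose to open

class RetainedRecord(NamedTuple):
    # The four fields the article lists for directive-style retention.
    user_id: str
    time: str
    src_ip: str
    dst_ip: str

# Constructed sample: one news story plus the resources the page pulls in.
PAGE_LOAD = [
    Request("09:14:02", "news.example", "192.0.2.10", True),
    Request("09:14:02", "analytics.example", "198.51.100.7", False),
    Request("09:14:03", "ads.example", "198.51.100.20", False),
    Request("09:14:03", "video-cdn.example", "203.0.113.5", False),
    Request("09:14:04", "affiliate.example", "203.0.113.80", False),
]

# Constructed sample: hostnames served from the same address (shared hosting).
SHARED_HOSTING = {
    "203.0.113.80": ["affiliate.example", "forum.example", "unrelated.example"],
}

def retain(user_id, src_ip, requests):
    """Reduce browser requests to retained records; host and intent are lost."""
    return [RetainedRecord(user_id, r.time, src_ip, r.dst_ip) for r in requests]

def summarize(requests, records, shared):
    """Compare what the log holds with what the user actually chose."""
    chosen = {r.dst_ip for r in requests if r.user_initiated}
    logged = {rec.dst_ip for rec in records}
    return {
        "records": len(records),
        "destinations_logged": len(logged),
        "destinations_user_chose": len(chosen),
        # Logged addresses that cannot be tied to a single site.
        "ambiguous": {ip: shared[ip] for ip in sorted(logged)
                      if len(shared.get(ip, [])) > 1},
    }

if __name__ == "__main__":
    recs = retain("subscriber-0001", "192.0.2.200", PAGE_LOAD)
    for rec in recs:
        print(rec)
    print(summarize(PAGE_LOAD, recs, SHARED_HOSTING))
```

Every retained row looks identical in kind: nothing in the record separates the one address the user chose from the four the page imposed, or says which site on a shared address was involved.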

It’s not a phone, it’s more like a series of … tubes

If we were talking about phone calls, there’s a reasonable chance that Joe Sixpack can at least talk sense to a policeman knocking at his door. A phone bill is human-readable. People can recognize telephone numbers; 02 9555 5555 makes sense. Even if Joe ends up needing a lawyer to help him, they can communicate on common ground.

"Honestly, I can swear on the witness stand that nobody in my house ever called 9555 5555!"

On the other hand, is not meaningful to the ordinary user. I can tell El Reg readers that it’s the address to which Telstra.com resolves, but most people don’t know what that means.

So when the Chief Inspector leans across the table and utters dark threats because someone using your IP address accessed a sub-domain on a given IP address, and that the sub-domain was host to an extremist Web page showing bomb-making instructions … what exactly do you say?

You get my point, I hope. You can't challenge evidence you can't understand.

By thinking of Internet transactions as some kind of analogue for telephone calls, law enforcement is creating a huge asymmetry that doesn’t exist when we discuss telephone call records.

“I have no idea what you’re talking about, officer”. “Tough luck, mate, you can’t argue with the logfiles.”

Surely we don’t want to create a country in which this conversation is feasible.

Anonymous, again

Mind you, I can think and discuss this without Anonymous’s assistance.

Its latest attacks, and release of a sample of data purloined from AAPT, via Melbourne IT, are as always completely unhelpful. They give aid and comfort to those who argue in favour of regulating the Internet, without doing a damn thing to prevent said regulation.

With the kind of geopolitical ignorance that screams “American” at me, Anonymous attacked Queensland government Websites to protest events in Canberra. That left the group taking out its anger with one jurisdiction - all of Australia - on a single state. Worse still, the respective governments of those jurisdictions share robust and ongoing enmity.

I’m actually in favour of having the issue debated, and submissions made to government: a strong “don’t snoop” response from the public is a good way to get the message across.

I don’t like the (mainly media-driven) oversimplification that takes every government request for comment as a fait accompli. It discourages people from taking part in the process - which is exactly the point of inviting submissions.

If we truly believe in the Internet as a medium for democratic interaction, then we need to encourage governments to put their proposals up for comment – as they now do, and but for the depressing apathy of the populace, with much greater debate.

Nearly every proposal will have its opponents, whether they’re right or wrong, informed or ignorant, leftist, centrist, right-wing or none of the above. People will support or oppose wind farms, marine parks, coal mines, gas loaders, logging, Medicare, government deficits, government surpluses, the carbon tax, income tax, private school subsidies and the rest.

Some may even grab the placard to protest over something if they feel strongly enough about it. More power to them: it’s a democratic right – as is even the loon stumping up his or her own money to take a government to the High Court.

Those things, however, take courage. You have to lend your name to the protest, have to be prepared, if necessary, to front the court and pay the fine.

“For your own good” is an expression of the will to power. I don’t care who you are, Anonymous: you don’t have permission to exercise power over me. Even for my own good. ®
