Data retention: ASIO says Web browsing habits would need a warrant

E-mail logs yes, browser history no

The Australian Security Intelligence Organisation (ASIO) has renewed its call for Australia to implement a data retention regime, with director-general David Irvine telling a Senate committee that it's asking for nothing that doesn't already happen, and promising that it will treat Web browsing differently to e-mail communications.

Irvine also said that it was not up to ASIO to try and work out the likely costs of such a regime, telling the Senate committee looking at changes to Australia's Telecommunications Interception Act that it would be up to the government to consult with the telecommunications industry if it were to create a data retention regime.

Noting that agencies have to pay telcos to access retained data, Irvine said a too-broad retention regime would be ruinous: “If ASIO had to pay for mass surveillance, we'd be broke in a week”, he said.

Some of the remarks Irvine made to the committee will be uncontroversial and in some quarters perhaps even welcomed. For example, a key aspect of the changes that have been brought to parliament is designed, he said, to reduce the number of warrants needed: at the moment, if an individual has a number of mobile phones, a separate warrant has to be secured for each device, and the aim is to eliminate that need by applying the warrant to the person instead of the device.

Irvine also explained ASIO's view of the ability to snoop on third-party computers, saying that it's necessary to prevent attacks against critical infrastructure.

“Hacker attacks on our national infrastructure [or] espionage attempts to obtain our secrets – these use innocent third-party computers,” he said. “If we can watch traffic going through that third-party computer, discarding anything we don't need, simply looking at the malicious signatures and where they come from, we have taken a great stride forward,” Irvine told the committee.

Irvine, under questioning from Senators on the committee (including Scott Ludlam [Greens], Susan Reynolds [Liberal] and Jacinta Collins [ALP]), said “ASIO is not asking for any change to the principles, definitions or rules under which we seek access to call data. What we are asking for is that the call data be retained.”

That led to an extended discussion about the distinction between metadata and content, particularly with respect to Internet browsing (for example, is the IP address of a Web server content or metadata?).

Irvine put ASIO's view that the agency considers e-mails and Web browsing as different creatures: e-mails, he said, involve an individual at each end of the communication, and therefore their associated metadata should be retained; Web browsing, he said, is considered content and could not be included in a data retention regime.

However, he said, where an individual is accessing e-mail using a Web browser: “Under the current definitions if it's an e-mail – whether you're using a browser or not, it's using a communication.

“The principle is that web surfing … or, indeed, Googling 'Al-Qaeda atrocities' … is not picked up by us, not regarded by us as metadata,” he said.

Irvine repeated a complaint that he has made in the past, that people allow commercial enterprises to invade their privacy “in order to sell you a new BMW … I cannot understand why it is correct for all your privacy to be invaded for a commercial purpose, but not by me to save your life.”

Regarding the struck-down European Data Directive, Irvine considers the court case under which it was struck down to be concerned with implementation detail rather than fundamental principles.

“The court said it didn't contain sufficient safeguards for implementation across EU member states, and the way it was framed it violated the principle of proportionality under EU law,” he said.

However, he said the court's judgement acknowledged there is a legitimate purpose to be served by data retention. “The legal processes are not yet completed, and it would be wrong of us … to rule out [data retention] as a gross violation of human rights across the board.” ®
