Feeds

Data retention: ASIO says Web browsing habits would need a warrant

E-mail logs yes, browser history no

Secure remote control for conventional and virtual desktops

The Australian Security Intelligence Organisation (ASIO) has renewed its call for Australia to implement a data retention regime, with director-general David Irvine telling a Senate committee that it's asking for nothing that doesn't already happen, and promising that it will treat Web browsing differently to e-mail communications.

Irvine also said that it was not up to ASIO to try and work out the likely costs of such a regime, telling the Senate committee looking at changes to Australia's Telecommunications Interception Act that it would be up to the government to consult with the telecommunications industry if it were to create a data retention regime.

Noting that agencies have to pay telcos to access retained data, Irvine said a too-broad retention regime would be ruinous: “If ASIO had to pay for mass surveillance, we'd be broke in a week”, he said.

Some of the remarks Irvine made to the committee will be uncontroversial and in some quarters perhaps even welcomed. For example, a key aspect of the changes that have been brought to parliament are designed, he said, to reduce the number of warrants needed because at the moment, if an individual has a number of mobile phones, the aim is to eliminate the need to secure one warrant for each device by applying the warrant to the person instead of the device.

Irvine also explained ASIO's view of the ability to snoop on third-party computers, saying that it's necessary to prevent attacks against critical infrastructure.

“Hacker attacks on our national infrastructure [or] espionage attempts to obtain our secrets – these use innocent third-party computers,” he said. “If we can watch traffic going through that third-party computer, discarding anything we don't need, simply looking at the malicious signatures and where they come from, we have taken a great stride forward,” Irvine told the committee.

Irvine, under questioning from Senators on the committee (including Scott Ludlam [Greens], Susan Reynolds [Liberal] and Jacinta Collins [ALP]), said “ASIO is not asking for any change to the principles, definitions or rules under which we seek access to call data. What we are asking for is that the call data be retained.”

That led to an extended discussion about the distinction between metadata and content, particularly with respect to Internet browsing (for example, is the IP address of a Web server content or metadata?).

Irvine put ASIO's view that the agency considers e-mails and Web browsing as different creatures: e-mails, he said, involve an individual at each end of the communication, and therefore their associated metadata should be retained; Web browsing, he said, is considered content and could not be included in a data retention regime.

However, he said, where an individual is accessing e-mail using a Web browser: “Under the current definitions if it's an e-mail – whether you're using a browser or not, it's using a communication.

“The principle is that web surfing … or, indeed, Googling 'Al-Qaeda atrocities' … is not picked up by us, not regarded by us as metadata,” he said.

Irvine repeated a complaint that he has made in the past, that people allow commercial enterprises to invade their privacy “in order to sell you a new BMW … I cannot understand why it is correct for all your privacy to be invaded for a commercial purpose, but not by me to save your life.”

Regarding the struck-down European Data Directive, Irvine considers the court case under which it was struck down to be concerned with implementation detail rather than fundamental principles.

“The court said it didn't contain sufficient safeguards for implementation across EU member states, and the way it was framed it violated the principle of proportionality under EU law,” he said.

However, he said the court's judgement acknowledged there is a legitimate purpose to be served by data retention. “The legal processes are not yet completed, and it would be wrong of us … to rule out [data retention] as a gross violation of human rights across the board.” ®

Internet Security Threat Report 2014

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Special pleading against mass surveillance won't help anyone
Protecting journalists alone won't protect their sources
Big Content Australia just blew a big hole in its credibility
AHEDA's research on average content prices did not expose methodology, so appears less than rigourous
Vodafone to buy 140 Phones 4u stores from stricken retailer
887 jobs 'preserved' in the process, says administrator PwC
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.