Data retention: ASIO says Web browsing habits would need a warrant

E-mail logs yes, browser history no

The Australian Security Intelligence Organisation (ASIO) has renewed its call for Australia to implement a data retention regime, with director-general David Irvine telling a Senate committee that it's asking for nothing that doesn't already happen, and promising that it will treat Web browsing differently to e-mail communications.

Irvine also said that it was not up to ASIO to try and work out the likely costs of such a regime, telling the Senate committee looking at changes to Australia's Telecommunications Interception Act that it would be up to the government to consult with the telecommunications industry if it were to create a data retention regime.

Noting that agencies have to pay telcos to access retained data, Irvine said a too-broad retention regime would be ruinous: “If ASIO had to pay for mass surveillance, we'd be broke in a week”, he said.

Some of the remarks Irvine made to the committee will be uncontroversial and in some quarters perhaps even welcomed. For example, a key aspect of the changes that have been brought to parliament is designed, he said, to reduce the number of warrants needed: at the moment, an individual with a number of mobile phones requires one warrant for each device, and the aim is to eliminate that need by applying the warrant to the person instead of the device.

Irvine also explained ASIO's view of the ability to snoop on third-party computers, saying that it's necessary to prevent attacks against critical infrastructure.

“Hacker attacks on our national infrastructure [or] espionage attempts to obtain our secrets – these use innocent third-party computers,” he said. “If we can watch traffic going through that third-party computer, discarding anything we don't need, simply looking at the malicious signatures and where they come from, we have taken a great stride forward,” Irvine told the committee.

Irvine, under questioning from Senators on the committee (including Scott Ludlam [Greens], Susan Reynolds [Liberal] and Jacinta Collins [ALP]), said “ASIO is not asking for any change to the principles, definitions or rules under which we seek access to call data. What we are asking for is that the call data be retained.”

That led to an extended discussion about the distinction between metadata and content, particularly with respect to Internet browsing (for example, is the IP address of a Web server content or metadata?).

Irvine put ASIO's view that the agency considers e-mails and Web browsing as different creatures: e-mails, he said, involve an individual at each end of the communication, and therefore their associated metadata should be retained; Web browsing, he said, is considered content and could not be included in a data retention regime.

However, he said, where an individual is accessing e-mail using a Web browser: “Under the current definitions if it's an e-mail – whether you're using a browser or not, it's using a communication.

“The principle is that web surfing … or, indeed, Googling 'Al-Qaeda atrocities' … is not picked up by us, not regarded by us as metadata,” he said.

Irvine repeated a complaint that he has made in the past, that people allow commercial enterprises to invade their privacy “in order to sell you a new BMW … I cannot understand why it is correct for all your privacy to be invaded for a commercial purpose, but not by me to save your life.”

Regarding the struck-down European Data Directive, Irvine considers the court case under which it was struck down to be concerned with implementation detail rather than fundamental principles.

“The court said it didn't contain sufficient safeguards for implementation across EU member states, and the way it was framed it violated the principle of proportionality under EU law,” he said.

However, he said the court's judgement acknowledged there is a legitimate purpose to be served by data retention. “The legal processes are not yet completed, and it would be wrong of us … to rule out [data retention] as a gross violation of human rights across the board.” ®
