Feeds

No, minister Turnbull, IP addresses aren't part of routine billing data collection

Meta-splaining Malcolm's metadata misstep

Providing a secure and efficient Helpdesk

Australia's government is still trying to explain exactly what its metadata retention regime will capture, in spite of last week's intervention into the debate by the formerly-silent communications minister Malcolm Turnbull.

Meanwhile, president of the Internet Society of Australia Narelle Clark has cast doubt on the assertion that holding IP addresses long-term represents “nothing new” in what carriers normally do.

On Friday, Turnbull joined the list of government ministers who have made contradictory statements about metadata collection, saying that IP addresses will and won't be included in the metadata collection regime. He also reiterated statements by attorney-general George Brandis and ASIO director-general David Irvine that the government isn't proposing the collection of any new data.

To the Australian Broadcasting Corporation's AM radio programme on Friday, Turnbull said: “the security services, the police, ASIO and so forth, are not asking the Government to require telcos to record or retain information that they are not currently recording.”

“And they also want the IP address, which is the number that is assigned to your phone or your computer when you go online by your ISP, so that you can be connected on the internet. And, that is of course connected, that the ISP knows that IP address is connected to your account. That's recorded in their records. They want that information to be kept for two years,” he continued.

That statement was apparently repudiated on Channel 9's Today programme (the video displays at the top of this story in The Australian:

“What I can confirm is that the law enforcement agencies, and therefore the government is not seeking that the telcos … retain any information that they are not not currently retaining. In particular they are not seeking that the telcos retain details of your Web browsing history, which sites you go to, which IP addresses you connect with” (emphasis added).

The Register was curious regarding one aspect of the latest round of “meta-splaining”, that ISPs retain the association between IP addresses and subscribers as business records, so we contacted Narelle Clark, president of The Internet Society of Australia.

Partly, Clark said, it depends on whether a user is on a fixed or mobile connection.

“When it's a mobile network connecting to a mobile device – a GSM-based system where you're using 3G or 4G or LTE protocols – there's pretty good binding between the IP address and the handset,” she said.

And unless you're routinely turning your phone into an open hotspot that you share with all and sundry, that in turn creates a good association between an IP address and an individual that can be extracted from customer records later.

So far, so good: but how about a fixed broadband connection in the IPv4 world, where the shortage of addresses demands they be shared among an ISP's customer base?

Clarke is sceptical of the idea that such records are part of the day-to-day business operations of ISPs. For most providers, she told The Register, such a record is of operational rather than business value: good for faultfinding and troubleshooting, but not a useful business or billing record.

Noting that log files (such as those on a Radius server, where a subscriber might be provisioned with their IP address) get very large, very quickly, Clark notes that ISPs might never have provisioned enough storage to keep those files for the periods sought by law enforcement.

It's the kind of data that an operator “might want to keep” for fault investigation, but after that, it's likely to be flushed. In the computer world, “logging was not designed for billing, it was designed for troubleshooting”, she continued.

Moreover, in the fixed world, there's so much address sharing that Clark is concerned that “there's very little correlation between an end user device and a human being.”

That means retention of IPv4 address data will end up gathering an awful lot of haystack for very little needle.

Clark emphasised that the service provider community is happy to help law enforcement and national security agencies. In that light, she said, the collection of data under warrants (which would among other things identify whose data is being collected) isn't what worries ISOC-AU's members. Rather, it's indiscriminate data collection that can be accessed by too many parties that matter – particularly if there's a lack of process and oversight. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
Spies, avert eyes! Tim Berners-Lee demands a UK digital bill of rights
Lobbies tetchy MPs 'to end indiscriminate online surveillance'
How the FLAC do I tell MP3s from lossless audio?
Can you hear the difference? Can anyone?
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
EU to accuse Ireland of giving Apple an overly peachy tax deal – report
Probe expected to say single-digit rate was unlawful
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.