Feeds

No, minister Turnbull, IP addresses aren't part of routine billing data collection

Meta-splaining Malcolm's metadata misstep

Internet Security Threat Report 2014

Australia's government is still trying to explain exactly what its metadata retention regime will capture, in spite of last week's intervention into the debate by the formerly-silent communications minister Malcolm Turnbull.

Meanwhile, president of the Internet Society of Australia Narelle Clark has cast doubt on the assertion that holding IP addresses long-term represents “nothing new” in what carriers normally do.

On Friday, Turnbull joined the list of government ministers who have made contradictory statements about metadata collection, saying that IP addresses will and won't be included in the metadata collection regime. He also reiterated statements by attorney-general George Brandis and ASIO director-general David Irvine that the government isn't proposing the collection of any new data.

To the Australian Broadcasting Corporation's AM radio programme on Friday, Turnbull said: “the security services, the police, ASIO and so forth, are not asking the Government to require telcos to record or retain information that they are not currently recording.”

“And they also want the IP address, which is the number that is assigned to your phone or your computer when you go online by your ISP, so that you can be connected on the internet. And, that is of course connected, that the ISP knows that IP address is connected to your account. That's recorded in their records. They want that information to be kept for two years,” he continued.

That statement was apparently repudiated on Channel 9's Today programme (the video displays at the top of this story in The Australian:

“What I can confirm is that the law enforcement agencies, and therefore the government is not seeking that the telcos … retain any information that they are not not currently retaining. In particular they are not seeking that the telcos retain details of your Web browsing history, which sites you go to, which IP addresses you connect with” (emphasis added).

The Register was curious regarding one aspect of the latest round of “meta-splaining”, that ISPs retain the association between IP addresses and subscribers as business records, so we contacted Narelle Clark, president of The Internet Society of Australia.

Partly, Clark said, it depends on whether a user is on a fixed or mobile connection.

“When it's a mobile network connecting to a mobile device – a GSM-based system where you're using 3G or 4G or LTE protocols – there's pretty good binding between the IP address and the handset,” she said.

And unless you're routinely turning your phone into an open hotspot that you share with all and sundry, that in turn creates a good association between an IP address and an individual that can be extracted from customer records later.

So far, so good: but how about a fixed broadband connection in the IPv4 world, where the shortage of addresses demands they be shared among an ISP's customer base?

Clarke is sceptical of the idea that such records are part of the day-to-day business operations of ISPs. For most providers, she told The Register, such a record is of operational rather than business value: good for faultfinding and troubleshooting, but not a useful business or billing record.

Noting that log files (such as those on a Radius server, where a subscriber might be provisioned with their IP address) get very large, very quickly, Clark notes that ISPs might never have provisioned enough storage to keep those files for the periods sought by law enforcement.

It's the kind of data that an operator “might want to keep” for fault investigation, but after that, it's likely to be flushed. In the computer world, “logging was not designed for billing, it was designed for troubleshooting”, she continued.

Moreover, in the fixed world, there's so much address sharing that Clark is concerned that “there's very little correlation between an end user device and a human being.”

That means retention of IPv4 address data will end up gathering an awful lot of haystack for very little needle.

Clark emphasised that the service provider community is happy to help law enforcement and national security agencies. In that light, she said, the collection of data under warrants (which would among other things identify whose data is being collected) isn't what worries ISOC-AU's members. Rather, it's indiscriminate data collection that can be accessed by too many parties that matter – particularly if there's a lack of process and oversight. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
MI6 oversight report on Lee Rigby murder: US web giants offer 'safe haven for TERRORISM'
PM urged to 'prioritise issue' after Facebook hindsight find
Assange™ slumps back on Ecuador's sofa after detention appeal binned
Swedish court rules there's 'great risk' WikiLeaker will dodge prosecution
NSA mass spying reform KILLED by US Senators
Democrats needed just TWO more votes to keep alive bill reining in some surveillance
'Internet Freedom Panel' to keep web overlord ICANN out of Russian hands – new proposal
Come back with our internet! cries Republican drawing up bill
What a Mesa: Apple vows to re-use titsup GT sapphire glass plant
Commits to American manufacturing ... of secret tech
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.