Feeds

No, minister Turnbull, IP addresses aren't part of routine billing data collection

Meta-splaining Malcolm's metadata misstep

New hybrid storage solutions

Australia's government is still trying to explain exactly what its metadata retention regime will capture, in spite of last week's intervention into the debate by the formerly-silent communications minister Malcolm Turnbull.

Meanwhile, president of the Internet Society of Australia Narelle Clark has cast doubt on the assertion that holding IP addresses long-term represents “nothing new” in what carriers normally do.

On Friday, Turnbull joined the list of government ministers who have made contradictory statements about metadata collection, saying that IP addresses will and won't be included in the metadata collection regime. He also reiterated statements by attorney-general George Brandis and ASIO director-general David Irvine that the government isn't proposing the collection of any new data.

To the Australian Broadcasting Corporation's AM radio programme on Friday, Turnbull said: “the security services, the police, ASIO and so forth, are not asking the Government to require telcos to record or retain information that they are not currently recording.”

“And they also want the IP address, which is the number that is assigned to your phone or your computer when you go online by your ISP, so that you can be connected on the internet. And, that is of course connected, that the ISP knows that IP address is connected to your account. That's recorded in their records. They want that information to be kept for two years,” he continued.

That statement was apparently repudiated on Channel 9's Today programme (the video displays at the top of this story in The Australian:

“What I can confirm is that the law enforcement agencies, and therefore the government is not seeking that the telcos … retain any information that they are not not currently retaining. In particular they are not seeking that the telcos retain details of your Web browsing history, which sites you go to, which IP addresses you connect with” (emphasis added).

The Register was curious regarding one aspect of the latest round of “meta-splaining”, that ISPs retain the association between IP addresses and subscribers as business records, so we contacted Narelle Clark, president of The Internet Society of Australia.

Partly, Clark said, it depends on whether a user is on a fixed or mobile connection.

“When it's a mobile network connecting to a mobile device – a GSM-based system where you're using 3G or 4G or LTE protocols – there's pretty good binding between the IP address and the handset,” she said.

And unless you're routinely turning your phone into an open hotspot that you share with all and sundry, that in turn creates a good association between an IP address and an individual that can be extracted from customer records later.

So far, so good: but how about a fixed broadband connection in the IPv4 world, where the shortage of addresses demands they be shared among an ISP's customer base?

Clarke is sceptical of the idea that such records are part of the day-to-day business operations of ISPs. For most providers, she told The Register, such a record is of operational rather than business value: good for faultfinding and troubleshooting, but not a useful business or billing record.

Noting that log files (such as those on a Radius server, where a subscriber might be provisioned with their IP address) get very large, very quickly, Clark notes that ISPs might never have provisioned enough storage to keep those files for the periods sought by law enforcement.

It's the kind of data that an operator “might want to keep” for fault investigation, but after that, it's likely to be flushed. In the computer world, “logging was not designed for billing, it was designed for troubleshooting”, she continued.

Moreover, in the fixed world, there's so much address sharing that Clark is concerned that “there's very little correlation between an end user device and a human being.”

That means retention of IPv4 address data will end up gathering an awful lot of haystack for very little needle.

Clark emphasised that the service provider community is happy to help law enforcement and national security agencies. In that light, she said, the collection of data under warrants (which would among other things identify whose data is being collected) isn't what worries ISOC-AU's members. Rather, it's indiscriminate data collection that can be accessed by too many parties that matter – particularly if there's a lack of process and oversight. ®

Security for virtualized datacentres

More from The Register

next story
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Show us your Five-Eyes SECRETS says Privacy International
Refusal to disclose GCHQ canteen menus and prices triggers Euro Human Rights Court action
Heavy VPN users are probably pirates, says BBC
And ISPs should nab 'em on our behalf
Former Bitcoin Foundation chair pleads guilty to money-laundering charge
Charlie Shrem plea deal could still get him five YEARS in chokey
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
'Serious flaws in the Vertigan report' says broadband boffin
Report 'fails reality test' , is 'simply wrong' and offers ''convenient' justification for FTTN says Rod Tucker
FAIL.GOV – Government asks Dropbox for accounts that don't exist
Storage locker's transparency report shows rise in government data gobble attempts
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.