No, minister Turnbull, IP addresses aren't part of routine billing data collection
Meta-splaining Malcolm's metadata misstep
Australia's government is still trying to explain exactly what its metadata retention regime will capture, in spite of last week's intervention into the debate by the formerly-silent communications minister Malcolm Turnbull.
Meanwhile, president of the Internet Society of Australia Narelle Clark has cast doubt on the assertion that holding IP addresses long-term represents “nothing new” in what carriers normally do.
On Friday, Turnbull joined the list of government ministers who have made contradictory statements about metadata collection, saying that IP addresses will and won't be included in the metadata collection regime. He also reiterated statements by attorney-general George Brandis and ASIO director-general David Irvine that the government isn't proposing the collection of any new data.
Speaking to the Australian Broadcasting Corporation's AM radio programme on Friday, Turnbull said: “the security services, the police, ASIO and so forth, are not asking the Government to require telcos to record or retain information that they are not currently recording.”
“And they also want the IP address, which is the number that is assigned to your phone or your computer when you go online by your ISP, so that you can be connected on the internet. And, that is of course connected, that the ISP knows that IP address is connected to your account. That's recorded in their records. They want that information to be kept for two years,” he continued.
That statement was apparently repudiated on Channel 9's Today programme (the video displays at the top of this story in The Australian):
“What I can confirm is that the law enforcement agencies, and therefore the government is not seeking that the telcos … retain any information that they are not currently retaining. In particular they are not seeking that the telcos retain details of your Web browsing history, which sites you go to, which IP addresses you connect with” (emphasis added).
The Register was curious regarding one aspect of the latest round of “meta-splaining”, that ISPs retain the association between IP addresses and subscribers as business records, so we contacted Narelle Clark, president of The Internet Society of Australia.
Partly, Clark said, it depends on whether a user is on a fixed or mobile connection.
“When it's a mobile network connecting to a mobile device – a GSM-based system where you're using 3G or 4G or LTE protocols – there's pretty good binding between the IP address and the handset,” she said.
And unless you're routinely turning your phone into an open hotspot that you share with all and sundry, that in turn creates a good association between an IP address and an individual that can be extracted from customer records later.
So far, so good: but how about a fixed broadband connection in the IPv4 world, where the shortage of addresses demands they be shared among an ISP's customer base?
Clark is sceptical of the idea that such records are part of the day-to-day business operations of ISPs. For most providers, she told The Register, such a record is of operational rather than business value: good for faultfinding and troubleshooting, but not a useful business or billing record.
Noting that log files (such as those on a Radius server, where a subscriber might be provisioned with their IP address) get very large, very quickly, Clark said that ISPs might never have provisioned enough storage to keep those files for the periods sought by law enforcement.
It's the kind of data that an operator “might want to keep” for fault investigation, but after that, it's likely to be flushed. In the computer world, “logging was not designed for billing, it was designed for troubleshooting”, she continued.
Moreover, in the fixed world, there's so much address sharing that Clark is concerned that “there's very little correlation between an end user device and a human being.”
That means retention of IPv4 address data will end up gathering an awful lot of haystack for very little needle.
Clark emphasised that the service provider community is happy to help law enforcement and national security agencies. In that light, she said, the collection of data under warrants (which would among other things identify whose data is being collected) isn't what worries ISOC-AU's members. Rather, it's indiscriminate data collection that can be accessed by too many parties that matters – particularly if there's a lack of process and oversight. ®