[clug] The biggest mass surveillance scheme in Australian history

Scott Ferguson scott.ferguson.clug at gmail.com
Sun Mar 1 02:01:08 MST 2015

On 01/03/15 14:01, Bob Edwards wrote:
> On 28/02/15 01:14, Scott Ferguson wrote:
>> On 28/02/15 00:17, Bob Edwards wrote:
>>> On 27/02/15 23:01, Bryan Kilgallin wrote:
>>>> {Parliament’s Joint Committee on Intelligence and Security has ticked
>>>> off on the government’s proposed mass surveillance scheme, with some
>>>> minor amendments.
>>>> Once legislated, the scheme will require communications companies to log
>>>> and retain data about all customers’ usage of their services for two
>>>> years.}
>>>> http://www.crikey.com.au/2015/02/27/committee-recommends-data-retention-with-some-half-baked-protections/
>>> Without wanting to be seen to be supporting this in any way, one
>>> important difference between this scheme and PRISM is that each ISP
>>> keeps its own customers' (meta)data, whereas in the U.S. it was all
>>> being slurped up by the NSA into a single central govt. owned/controlled
>>> database.
>> Not just the US. Five-Eyes*1 (here too). Providing it for police is the
>> justification for being able to force ISPs to retain (in most cases they
>> do for their own purposes anyway) *and* hand over the metadata. Brandis
>> has two motivations - (neither of which is law enforcement):-
>> 1. make 5Eyes work easier - metadata is the key to the existing bulkdata
>> collection. The metadata enables you to locate a needle in a haystack,
>> the point is in the needle (not its location). (i.e. you connected to a
>> forbidden site - which your ISP already knows for billing purposes
>> unless you use a VPN or Tor, but 5Eyes (and some peering providers) do
>> stateful packet inspection... (BGPs compromised, likewise submarine
>> cables*2).
>> 2. TPP, make it easier to prosecute "pirates" and protect the revenue
>> streams of those that back the parties (or attack the parties) - the
>> media giants. Political self-preservation to be expected by all parties
>> when they are actually in power.
> Most of this is quite likely the case, but at Ruxcon 2014, the closing
> panel, consisting of: Senator Scott Ludlam (Greens), Patrick Gray (Risky
> Business), Tony Dimou (Head of Cyber Crime at Vic Police), Vanessa
> Teague (Research Fellow, UniMelb CompSci) and Doran Moppert (?), spoke
> about the then proposed metadata legislation (this is just months after
> the highly dodgy ASIO bill was passed, and immediately after the Labor
> leadership publicly admitted that they may have got that wrong...)
> Anyway, the Vic Police guy stated that when investigating child
> pornography, cyber-bullying and similar cases (possibly including
> piracy), all they have to start their investigation with is an IP(v4?)
> address. If they can't resolve that to a customer, then they have
> "nothing" and the investigation essentially stops right there.

As a former complex data tester for Telstra - I can assure you that has
always only required them to ring or email quoting a warrant number to
organise. If they can't get a warrant they shouldn't be able to get the
data (period).

> Patrick Gray proposed a simple fee (I think it was $800) to cover the
> ISP's expenses in resolving a legal enquiry (warranted or otherwise)
> and to put some back-pressure on the law-enforcement officers getting
> too carried away seeking more metadata than they really needed.
> The Vic Police guy thought that was going to impede investigations,
> at which suggestion Gray (or maybe Ludlam) ridiculed him by suggesting
> that resolving a cyber-bullying incident would definitely be worth
> paying $800 for. The audience seemed, to me, to be in agreement with
> that sentiment.

One way or another the tax-payer seems destined to foot the bill. As a
tax payer I'm more than happy to pay for targeted police investigations -
but not for dragnets.

> Another thing that came out was that the ISPs don't want/need to
> store the (meta)data for more than the current billing period.

I only know first hand of Telstra/BigPond's previous practices - that
data is kept beyond billing periods for market analysis purposes. But
I'd agree from a business management perspective it 'should' be an ROI
equation - if it's not profitable for business to do so, then they
should be able to bill investigators (and the government *should* stump
up the additional funding for police).

> Whether this is true or not is up for debate. Seems that the Govt.
> have decided to hand over $400M "to meet their costs", so playing it
> their way seems to have been a winner for them. Either way, the ISPs
> come out of all this ahead: They get to keep the (meta)data that they
> may have been collecting anyway; they get paid for it; and, if anyone
> complains, they can now blame the Govt. legislation.

Yes.  Agreed. And it does seem relevant that 'some' ISPs 'may' turn a
blind eye to the uses of the services when it is profitable (piracy).

> As for how does all this affect Linux? Dunno. There were some great
> Linux'y talks at Ruxcon 2014: https://ruxcon.org.au/slides/ :)
> cheers,
> Bob Edwards
