Data retention proposals make cybercrime suspects of us all

The Federal Government is concerned about cybercrime, which we understand and expect. However, in response to this concern, they’re putting forward a proposal that would oblige ISPs to retain all customer phone and Internet records for up to two years, in line with the ‘European Directive’.

They’re not just talking about suspected offenders here, they’re talking about everyone – you and me and even every child that ever uses a mobile or personal device like a tablet or smart-phone, or a home computer, or school laptop. Everyone in Australia – even your grandma.

That just seems over-the-top to me. We don’t live in a country wracked by civil unrest or political violence. We live in a stable, western democracy. Our law enforcement agencies already have the power to demand information about the telecommunications habits of ‘people of interest’ via warrants or court orders.

Attorney General Nicola Roxon claims the changes are required to allow law enforcement departments and intelligence agencies to crack down on criminals in this digital age, telling a conference in Canberra:

“We can’t live in a society where criminals and terrorists operate freely on the internet without fear of prosecution. We can’t allow technology to create a safe haven for criminals or a no-go zone for law enforcement.”

Well, you know, I think that sentence should really read –

“We can’t live in a society where innocent Australians cannot operate freely on the internet without fear of being spied upon.”

The role of an ISP in fighting cyber crime

Fighting cybercrime means that we will need to cooperate with law enforcement agencies as necessary – and we do. That usually means that the authorities determine whom they want information about and by using an existing process, issue us with an appropriate order to either establish a tap for them or supply whatever information is required by the warrant.

We only need to retain data required for us to deliver the services for our customers, in line with the National Privacy Principles, and additional data is only retained when authorised.

Innocent until proven guilty

The proposal being discussed at present, however, is that all telecommunications records about any telecommunications event (email, web surfing, phone calls, etc) by any Australian, including kids, will be collected all the time. Retaining customer data from all Australian Internet and phone users assumes that we suspect everyone and trust no one. This is a backwards step by government – whatever happened to the principle of ‘innocent until proven guilty’?

A police state?

One of the most controversial aspects of the proposal is the fact that ISPs would be obliged to retain phone and Internet records for all customers – not just persons of interest.

Dr Anthony Bendall, Victoria’s acting privacy commissioner, commented that the proposal would make ISPs agents of the state, typical of a police state.

Interestingly, three countries in Europe have rejected similar proposals based on the ‘European Directive’ because they consider them to be unconstitutional. These countries are Romania, Germany and the Czech Republic – countries that have trodden the path of the heavy-handed police state in the past. Perhaps it is their experience of where this sort of intelligence gathering leads, that has led to their rejection of such an approach.

A security issue

While we’re opposed to the proposal on the basis that it would make iiNet an agent of the state, it also opens up new issues in terms of data security and cost.

Our estimate of the costs associated with such a scheme is that a large data centre storing possibly 20 thousand terabytes of data at a cost of around $60 million would be required. The government won’t pay for that, so our customers would have to pick up the tab in higher charges.

The retained customer information would need to be carefully encrypted and securely stored. As we know, security breaches can and do happen, opening up the Federal Government and ISPs to major headaches – all for the sake of keeping customer records on the off chance the information may be useful to build a criminal case two years down the line!

Another thing to think about is how far this proposed data retention could extend. While, for the moment, the proposal focuses on telecommunications providers, why would this sort of legislation stop there? Isn’t it logical that, if this approach is seen to be acceptable, transport companies, utility providers, retail stores, banks and other private organisations would also be told to store customer data?

Just in case?

Steve Dalby made a statement to the Parliamentary Joint Committee on Intelligence and Security on Thursday, September 27th 2012. You can read the full statement below:

Thank you for your invitation to the iiNet Group to offer additional comments to this Parliamentary Joint Committee on Intelligence and Security.

The iiNet group includes iiNet, Internode, Netspace, TransACT and Westnet and a range of other brands.

I am iiNet’s Chief Regulatory Officer and my colleagues are John Lindsay, Chief Technical Officer and David Ohri, Legal Counsel.

Our written submission has been previously provided and covered our concerns about Carriers and CSPs being saddled with:

  • additional intelligence gathering on its customers;
  • additional obligations for response times;
  • additional obligations for decryption;

as well as proposals to provide:

  • unfettered power to government agencies for information about our private infrastructure and to direct C/CSPs to take certain actions in respect of their networks.

In brief, we believe that there is inadequate information in the discussion paper or in the public domain to make any review of the reforms meaningful and we understand that such a comment repeats what others have said.

However, more recently, other, more useful details have been provided by the Attorney General, detailing the information being sought by government.

The recent advice from the Attorney General, via her public letter to this Joint Committee, is that the dataset being considered is the same dataset that (so far) has been rejected by three European countries as unconstitutional and that the issue of such data collection is far from settled elsewhere in Europe.

Far from an unnecessary debate, it is important that all stakeholders, including the general public, be granted access to the range of data the government believes should be collected on every Australian (including minors), on every telecommunication, at all times into the future. That proposal should, for the sake of clarity, avoid jargon and be stated in plain English. Even with the Attorney General’s letter, it appears that there is still some requirement for clear communication about the Government’s objectives. 

For iiNet Ltd, comprehensive retention of information relating to all Australians is an issue of important principle that touches us all. It is a concern at both a personal and also at a corporate level. Apart from our sincere misgivings about the principle of non-stop intelligence gathering on innocent members of the community who are never ‘persons of interest’ in the law-enforcement sense, we also recognize a significant unreasonable commercial impost that will be borne by those same people.

It should be noted that in the internet environment a range of applications or ‘apps’ may run simultaneously on the same service. These apps can emulate telephony, video communications, text and other communications on the same platform, using internet protocol. Many of these apps allow a person wishing to mask either their identity or location via wireless networks, proxy servers and other techniques to communicate in a covert way.

We find ourselves also assuming that the imposition of data retention obligations on private companies such as ourselves can be extended to any other part of the private sector, including transport companies, utilities providers, retailers, banks and so on. We see that the principle of mandatory data retention, being pursued in relation to the use of telecommunications products and services, could logically and quickly be extended to the use of any other product and service acquired by Australians as they go about their daily affairs. We do not have such high opinions of ourselves that the telecommunications sector is likely to consider itself as unique in respect of such attention.

As potential intelligence agents of the state, the impact on our business means that the significant costs incurred, will necessarily flow through to our customers. This suggests, therefore, that not only will we be intelligence agents of the state, but also tax collectors, as we recover the costs of law enforcement on behalf of the Commonwealth. We understand that the Commonwealth will only reimburse for the actual cost of the tiny proportion of the data as requested from time to time. This extreme approach to the collection of stupendous volumes of data, most of which will never be used, is – to say the least – a most inefficient approach. The suggestion that the sector ‘can afford it’ misses the point that the end-user actually foots the bill of such costs. Masking the funding for such initiatives by passing them through the private sector, rather than funding directly via government, tends to reduce the transparency, yet again.

In order to illustrate the scale of what we have to assume is being proposed, we have made some preliminary calculations on the likely financial impact of the data collection on the iiNet group of companies and, therefore, its customers.

To enable our customers to connect to the internet, we have around 200 gigabits of network capacity which is designed to meet demand both in and out. We prefer to avoid congestion.

Users of the internet negotiate on-line by the use of universal resource locators (or URLs). These URLs are translated to IP Addresses, a numerical code used to identify the location of objects on the web. Not only does the page have an IP Address, but so also does every item on that page. A page like the ABC’s or a newspaper or a corporate home page could include several hundred IP Addresses, each one describing a link or image or piece of text or an advertisement or an animated clip or video. ‘Clicking’ on any of those objects will cascade open to another page, also with many links and associated IP Addresses, all of which will need to be recorded in satisfaction of the requirements appended to the Attorney General’s letter.

The letter includes the sentence

“No data revealing the content of the communication may be retained under the Directive. The data set is at Attachment A.”

Attachment ‘A’ includes the following:

certain categories of data must be retained, namely data necessary for identifying:

a) the source of a communication;

b) the destination of a communication

The only conclusion we can draw about the ‘destination of a communication’ when considering internet access is that what must be retained are IP addresses. As noted previously, little to no specific guidance is given by the Attorney General’s department on the data to be gathered, so we will continue to make assumptions.

As I have mentioned, each object (or content) on each page also has an IP address, none of which can be discriminated from any other on the page. It is therefore a paradox that requires resolution when the letter has declared that the data revealing content must not be retained, but that the address data must.

Estimates indicate that web caches, or the devices that facilitate internet access, could see 25 URLs per second, per megabit. Our bandwidth of 200 gigabits could, therefore, generate 5 million URLs per second – if we assume that the traffic is all web requests.

Naturally, under the proposed regime, it would be an offence to lose this data so the expectation is that we will need to store it all securely and reliably. The data will need servers to process and file the data so that it can be stored and later recovered, as efficiently as possible.

We may choose to deploy commodity servers with directly attached storage and which will be obsolescent and discarded every two years because the solution proposed requires double the bandwidth and double the storage every two years.

We can currently purchase a 4TB disk for about $2,000. We will need ten thousand of these to store 20,000 terabytes of data. We can put ten of them in a rack so we will also need a thousand racks and about 2 megawatts of power to run the equipment and to run the cooling. That will require a serious data centre to house such infrastructure, for which our preference is green, efficient cooling to minimize our carbon footprint.

The estimated cost for this component is $20 million for the IT equipment and $10 million for the data centre building – to meet current traffic levels.

If we amortise the hardware over two years and the data centre over ten years, we estimate that the cost will be $1 million per month, plus power and overheads. Of course, there is always the option to outsource such a centre. Utilising a third party facility would cost about $2 million per month at current rates for 1,000 racks at $1,000 per month, for two years’ data.

Either way, assuming we’re efficient about it we would still need to double that to cater for two years so we’re closer to $60 million for start up costs.

This leaves us with an estimate of $3 million per month, just for iiNet, or a law enforcement tax of approximately $5.00 per month per service collected from our customers.

That unsophisticated estimate is simply for our own business, which has approximately 15% of the current market. Extrapolating these assumptions to the whole market gives us a possible estimate of $400 million for two years’ data storage.

Undoubtedly this figure will differ from estimates provided by others, simply because so little detail is available for us to genuinely calculate the cost. I believe we have been conservative in this estimate.

Given that our industry will be required to fund such activity, the incentive to provide a ‘belts and braces’ high-cost solution for the collection and retention of such data is unclear. 

Stephen Dalby

Chief Regulatory Officer

iiNet Ltd