Data Retention

The Week: Government Business

Story of the week is the Federal Government’s new mandatory data retention legislation, which stipulates that the communications metadata of all Australian citizens must be retained for no less than two years, and will be accessible by government agencies without a warrant. 

Even as I write the legislation is continuing its inexorable journey through the upper and lower houses of the Australian parliament, much as food makes its way through the upper and lower intestines of a large mammal. As with digestion, nothing has been particularly improved by the passage of this legislation. The federal opposition insist they conducted a robust party room debate on the subject, whereby standing members were encouraged to voice their concerns and air their reservations about the new laws.

What emerged however were a series of all but pointless amendments precisely calibrated to give the impression that Labor wasn’t merely rubber-stamping another government policy, without actually addressing any of the fundamental issues.

The government took one look at the proposed amendments, shrugged, and waved them through. The more strenuous amendments proposed by independent MPs and senators, as well as the Greens, were voted down.

There's nothing to worry about though: it's just metadata. It's not like they're reading your emails or listening to your phone calls. What can you tell from metadata? Well, lots, actually.

The fun doesn't stop here, though. Next week will see the introduction of new site-blocking legislation, which is primarily designed to crack down on internet piracy. 

Given that Labor itself pursued even more sweeping and arbitrary laws when it was in office - Communications Minister Malcolm Turnbull is adamant that this new regime is not an internet filter - you can expect that this legislation will also enjoy similarly spirited 'opposition'.

It is either revealing or coincidental that this legislation is being introduced now, just as Netflix launches in Australia. Along with other new Video-On-Demand (VOD) services such as Stan and Presto, it is anticipated that Netflix may lead to a dramatic long-term drop in piracy rates. 

Emergency Spectrum

Anyway, while our politicians spend time, resources and energy passing laws that are of debatable use, yet provide easy political capital, there are other important measures that are at risk of falling by the wayside. The federal government has finally released the terms of reference (TOR) for the cost-benefit analysis (CBA) for the creation of a national emergency services mobile network. Sounds complicated. Maybe that's why it has taken so long.

The need for a national emergency mobile network has existed for years. When completed, it will provide reserved mobile spectrum for Australian emergency services. Last March the Communications department announced that the CBA was imminent. November 2014 saw the announcement that the Productivity Commission would look at the costs (and benefits!) of allocating spectrum to this service.

Of course, the issue predates those time-frames, and even the current government. The Police Federation of Australia in fact made a submission to the previous government, requesting 20MHz in the 700MHz spectrum. This request was rejected, since that spectrum was being auctioned off, and just giving it away for public safety was a waste of money.

Anyway, today the terms of reference were finally released. The final report is due in nine months.

Do Not Call

Some good news from parliament! As reported on ACCAN's website, inclusion on the National Do Not Call Register is now indefinite.

Whereas previous registration only lasted eight years, now the registration is permanent. We encourage anyone interested in not being pestered by telemarketers to register immediately. Bear in mind, however, that you can still be contacted by charities, political parties (sadly) and research companies (seriously?). 

Registration is free, and can be done here.

The Week: The End of Mobile Security

Story of the week has undoubtedly been the revelation – again courtesy of Edward Snowden – that the United States' National Security Agency (NSA) and the United Kingdom’s Government Communications Headquarters (GCHQ) in 2010 stole a very large number of mobile SIM encryption keys.

They did this by hacking into the IT systems of Gemalto, the world’s largest manufacturer of SIM cards, and monitoring and intercepting the communications of its employees. Gemalto produces about two billion SIM cards annually, supplying over 450 of the world’s top telcos, including US giants AT&T, T-Mobile and Verizon. Closer to home, Gemalto customers include Telstra, Optus and Vodafone, which means that pretty much every Australian mobile user could be affected.

Obtaining these keys enables the NSA and GCHQ to monitor large portions of the world’s mobile communications, including both voice and data. They can also access any personal data stored on the SIM. Furthermore, having these keys obviates the need for complicated interception techniques, and removes the inherent limitations of wire-tapping.

SIM encryption is fairly simple, resting on a single secret key shared between two parties. The key is kept on the SIM itself, and by your telco. Whenever the SIM is used for transmission, the two copies are checked against each other, and the session that follows is encrypted using material derived from that key. It is a system that remains secure only so long as the secret keys aren’t obtained by a third party, which of course they have been.
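The paragraph above is the whole security model: one shared secret, checked by challenge and response, from which the session key is derived. The following simulation is an added illustration (not code from the article, and not a real SIM or operator implementation): HMAC-SHA256 stands in for the operator-specific SIM algorithms, and the key value is constructed for the example. It shows why custody of that key, at the manufacturer and at the telco, is the entire defensive boundary: a third party holding a copy of the key derives the same session key as the SIM from the challenge alone.

```python
import hmac
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed stand-in for a SIM's secret key (Ki). In practice this
# value is provisioned by the card manufacturer and loaded into the
# operator's authentication centre; it is made up here for the example.
KI = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def sim_response(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """SIM side of the challenge-response.

    Real SIMs run operator-specific algorithms (A3/A8 or MILENAGE);
    HMAC-SHA256 is a stand-in. Returns (SRES, Kc): the response sent
    back to the network, and the session key that protects the
    over-the-air traffic. Both depend only on Ki and the challenge RAND.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def network_authenticate(ki: bytes, rand: bytes, sres: bytes) -> Optional[bytes]:
    """Operator side: recompute SRES from its own copy of Ki and compare.

    Returns the session key Kc on success, None if the SIM's response
    does not match (e.g. the SIM holds a different key).
    """
    expected_sres, kc = sim_response(ki, rand)
    return kc if hmac.compare_digest(expected_sres, sres) else None


def run_exchange(ki_sim: bytes, ki_network: bytes,
                 rand: Optional[bytes] = None) -> Tuple[bytes, bytes, Optional[bytes]]:
    """One authentication: network issues RAND, SIM answers, network checks."""
    rand = rand or secrets.token_bytes(16)
    sres, kc_sim = sim_response(ki_sim, rand)
    kc_net = network_authenticate(ki_network, rand, sres)
    return rand, kc_sim, kc_net


def third_party_session_key(leaked_ki: bytes, observed_rand: bytes) -> bytes:
    """What a holder of a leaked Ki obtains: RAND travels in the clear,
    so the same derivation yields the session key without touching the
    network core. This is the 'game over' the article refers to."""
    return sim_response(leaked_ki, observed_rand)[1]
```

The defensive takeaway is that no amount of strength in the derivation function helps once Ki is copied; protecting the key during manufacture, transport and storage is what the scheme's security actually rests on.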

It has of course been done without any form of warrant: since the keys were stolen in the first place, it’s not as though the agencies involved were particularly bothered with legality. Nor were they likely to be caught, since interception via these methods leaves little trace on the actual network.

In the event that a telco did detect traces of snooping, the leaked documents also revealed that GCHQ has the capacity to alter billing data to remove evidence of spying.

It is unclear whether all compromised SIMs will need to be recalled. Telstra and Optus have both said they are awaiting further advice from Gemalto. If the SIMs do need to be recalled, it will entail an enormous – if not unprecedented – disruption to national telecommunications. I will update this post as more news comes to hand.

[UPDATE] Vodafone Australia has issued a statement, saying that they "have no evidence that any Vodafone Australia customers’ SIMs have been compromised."

Gemalto meanwhile insists that its systems are secure. (Then again, it also said that it didn’t expect there to be any financial downturn following these revelations. Its share value plummeted to the tune of a half billion dollars following the revelation, and has not recovered.)

The full story first appeared on The Intercept, a website mainly devoted to properly publishing the documents leaked by Edward Snowden. We encourage you to read the full story. As it makes clear: “Gaining access to a database of keys is pretty much game over for cellular encryption.”

[UPDATE] Gemalto's investigation has concluded that while their systems were compromised in 2010, the size of the theft has been "greatly exaggerated." Meanwhile The Intercept has responded, quoting one expert that "This is an investigation that seems mainly designed to produce positive statements. It is not an investigation at all."

Staying with Snowden for the moment, he yesterday appeared in an AMA (Ask Me Anything) on Reddit, alongside journalist Glenn Greenwald and Laura Poitras, director of the Oscar-winning Citizenfour. All three were articulate and forthcoming, and it really is a must read. So read it here.

The Week: Metadata

There was enormous interest in the Prime Minister’s address to the National Press Club on Monday, but mostly for reasons that are of little direct concern here. Something about the leadership of the country?

Lost amidst the politicking and veiled threats to his own backbenchers were some details that were directly relevant, namely Abbott’s reinforced commitment to getting the new, expanded data retention legislation through parliament. The government argues that these laws would give ASIO augmented powers to identify potential terrorist threats. Others argue that even if these new powers would be effective, they come at the cost of further erosion of fundamental freedoms, and that by default they turn citizens into suspects.

The laws would require telecommunications providers to retain the metadata of customers for a period of no less than two years. Metadata is the data about communications, rather than the contents of the communication itself.

For example, metadata of a phone call would include the time when the call was made, its duration, who made the call, where it was made, the device it was made on, who was called and several other details. The federal government argues that this would not equate to snooping on people’s phone calls, and that the information you can glean from metadata is limited.

The truth is that the information you can obtain from metadata is less limited than you might think, and certainly less limited than the government is disingenuously letting on. Here, for example, is an excellent TED Talk by Malte Spitz, in which he ‘maps’ six months of his own life based on the metadata he obtained from his telco.

Opponents of the legislation argue that there are insufficient safeguards against misuse by security agencies, inadequate provisions against ‘scope creep’, no clear definition of metadata, and no real breakdown of the cost of this expanded surveillance regime, either to taxpayers or to telco providers (who would pass this cost on to customers).

There is also the issue of who precisely can have access. Can Australian telco customers get access to their own data? Fairfax journalist Ben Grubb mounted an extended campaign to get access to his own metadata from Telstra, with frustrating results. Would things improve under the new expanded laws?

In any case, the Prime Minister believes that passage of this legislation has gained special urgency in light of the recent hostage incident at the Lindt café in Sydney – which the police have not classified as a terrorist attack – and the mass murders at the Charlie Hebdo offices in Paris. The implication, presumably, is that these attacks could have been prevented by legislation such as this. Is this true, or are these tragedies simply being repurposed for political ends, as David Marr warned they might be? In fact, France already has data retention laws not dissimilar to the ones being introduced here.

The Prime Minister is in no doubt: “From the siege to Charlie Hebdo, there are a whole range of people in our country who want to do us harm, and it’s absolutely vital that we maintain the capacity to trace, detect and protect the Australian public against all kinds of crime. This government will not rest until our community is safe as it can be, and part of that is getting data retention through the Parliament.”

He also revealed this morning that he has written to the Opposition Leader asking him not to block the legislation, which he hopes will make it through both houses by the middle of next month.