Kieran Cummings
Kieran has worked in IT&T for almost 20 years. He is passionate about the NBN, not so passionate about Malcolm Turnbull's fraudband. He was rated at #52 on Vote Compass’ “Australia’s most influential political tweeters”.
Illustration: Setreset (wikimedia)

With the federal government’s metadata retention bill having passed the lower house, and all but assured to pass the senate, the technical implications are still sketchy at best.

Costing an estimated $400 million a year (a figure that will no doubt be revised up substantially), the legislation isn’t a cheap exercise in flag waving like the government’s almost daily announcements. The implications for internet users will be extensive, affecting every aspect of their daily use of data services.

From Facebook and Twitter updates, to downloading the latest episode of your favourite show (legitimately or not), to playing your favourite online game, everything will be monitored, provided you don’t use services to obfuscate your activities.

With the backers of this law being unable to offer explanations of what metadata is, let alone how it will be implemented, we are left having to piece together exactly how this legislation will work. Fortunately other countries have attempted to implement similar policies, and have failed miserably.

Security

One of the key components is requiring Service Providers to log all information about what data was transmitted where, from all users. Just monitoring a medium sized company’s internet use requires exponential amounts of storage, if you’re stupid enough to keep the data more than a month. Keeping metadata for 32 million internet connections (mobile and fixed line services) for 2 years will require exabytes (1 000 000 000 000 000 000 bytes) of storage now; in the future this would grow as fast as our internet usage grows.

The problem with storing so much data is not just the cost of housing it, but the cost and skill required to keep this data from falling into the wrong hands, although some would say law enforcement is the wrong hands for this data. With data breaches happening almost weekly to large corporations and government departments alike (remember the Department of Immigration breach?), we can be assured this metadata will be stolen.

Implementation

Implementation is a hurdle that seems to have slipped by the wayside, and being the hardest thing to get right, shows exactly how poorly thought out this legislation is. Too aggressive and services will experience disruptions, too lax and no data will be captured. Getting the balance right will be nigh on impossible, which generally means the users are the ones who will suffer slow speeds and disruptions.

With no plan as to how to implement this legislation, it’s clear the government are going to hand over to law enforcement agencies to devise exactly how it will be implemented. We all know exactly how well law enforcement implement technical solutions.

To get some idea of how aggressive the implementation will be, you just have to look at the words of AFP Assistant Commissioner Tim Morris’ statement that “Those with nothing to hide have nothing to fear”.

Location

For this legislation to be effective in any way, customer data will need to be accessed by the monitoring system, matching IP addresses to physical locations. The easiest way is to hook into customer databases, something that will present a challenge for Service Providers. Customer data is definitely not something providers want stolen in a breach, but this legislation will create a greater attack surface to gain access to customer data.

This also means that cellular providers will be required to log the location of handsets almost constantly. Every notification, every email, every message, will be logged along with your physical location, turning your mobile phone into a personal tracking device for the Australian government.

Organisation

One problem that comes to mind is, “how will law enforcement find any meaning in exabytes of data?”. Not easily, unless the data is organised in a way that links specific customers’ data together, across multiple connections. Not an easy, or smart, task to implement.

This will create a nightmare for those implementing the legislation, and for those being subjected to its overreaching hand.

Failure

The reality is, this metadata retention legislation is useless. From a law enforcement perspective it’s ineffective, impotent, and a gross breach of rights for no valid reason. Metadata laws didn’t stop the Charlie Hebdo attacks in France, they won’t stop an attack in Australia.

Why won’t it work? Simple: a VPN will defeat this legislation; using Gmail or any other overseas email provider will defeat this legislation; hijacking someone’s wireless network will defeat this legislation; any and all forms of spoofing, encryption, etc., will defeat this legislation.

The only reason to introduce such unethical, immoral, legislation is to monitor technologically illiterate law abiding citizens. This is not about catching terrorists, paedophiles, or drug smugglers, this is about taking away freedom of association, freedom of speech, freedom to think, and freedom of movement.

This is a failure politically and technologically from the party that waves flags and demands freedom to be a bigot, freedom of speech, and freedom of markets. The worrying aspect of this legislation is that a supposed progressive party has backed it, throwing out decades of fighting for rights in the process.

A pox on both your houses, Australian politicians, a pox on both your houses.

Conclusion

This is just the beginning of our rights being eroded, piece by piece, all in the name of “beating the terrorists”. The real terrorists are the politicians that ignore the greatest threats to Australian lives, such as beds, ladders, domestic violence, suicide, and tractors.

There is always a price to pay for living in a free and fair country, but that price should not include freedom itself. As Benjamin Franklin once wrote, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”

The technology is there to implement this legislation, the question is “Why would we want to implement it?”. Not to save lives, but to monitor every aspect of our lives.