The Anonymous-branded hack of AAPT proves the point: Internet service providers can't be trusted to keep telecommunications data safe for use in criminal investigations. But we knew this already, and random hacks don't help.
AAPT chief executive David Yuile is working hard to downplay the seriousness of this data breach. His short, all-caps press statement spun the predictable spin. Sure, we lost some data, but it was old and there wasn't really that much of it. We'll contact those affected, but the rest of you can move along now.
There was even some bizarre Yuile paralogic claiming that the servers weren't being "used" by AAPT even though they held AAPT data. Uh-huh.
As I've said before, this isn't good enough.
All companies have an obligation to protect this kind of data. All of it. All the time. Given the endless stories of data protection failures by everyone from Sony to Stratfor, Telstra to The Sun, we shouldn't be letting them get away with it with a bit of misdirection from the PR department.
For an ISP, though, data protection is meant to be a core competency. If major players like AAPT and Telstra can't get it right now, they certainly won't be able to get it right once they're given even more data protection responsibilities under the mooted cybercrime data retention regime.
It's almost inevitable that police and other investigators will be given access to ISP customers' email, web browsing and perhaps even social network activity logs in some form or other.
The current most likely outcome is embodied in the Cybercrime Legislation Amendment Bill 2011, just one Senate reading away from being law. Law enforcement agencies could, without warrant, require an ISP to start logging data about a customer's internet use. Later, they'd be able to access that data with a warrant.
From one angle this looks roughly like the way telephone communications are handled. Police can request your phone call records – who, when, where – without a warrant but do need a warrant to conduct an intercept and listen in.
However, there are far more comprehensive proposals being floated, including a requirement for all ISPs to log all customer comms data for two years.
We're talking a huge amount of data here. We already see 250,000 warrantless requests for communications data each year, just for phone calls. Now add in every email, every website visit, every Facebook post, every Tweet, every Angry Birds game... it'll add up big time.
The challenge for ISPs will be keeping all this data safe from hackers, and even from their own staff.
They'll also have to keep it compartmentalised. Any ISP data retention regime will presumably mirror the existing system for telephone logs, so access to any individual's internet logs can only be granted to the specific individual investigators and lawyers working on that specific case – with serious criminal penalties for any other access.
Small ISPs don't have the skill or budget to set up such a secure data repository. It'll spell their doom – though they're already doomed by the looming costs of migrating their wholesale arrangements to the National Broadband Network.
Even big ISPs will fail to meet this challenge.
If you talk to penetration testers, the 'white hat' hackers who evaluate the security of computer systems and networks, you'll soon learn that no matter what the target, they can always find a way to break in.
Whether the bad guys actually do break in is simply a matter of risk versus return on investment: whether they're sufficiently motivated by the potential gains, given the time and effort needed to plan and execute an attack that successfully avoids detection.
A warehouse containing detailed information on the personal communications of tens of thousands of people? That's an attractive, motivating target.
An attack doesn't even have to avoid detection. A noisy penetration, even leaving a "Kilroy was here" message, would cast reasonable doubt on the integrity of the data logs, potentially ruining their use in any criminal prosecution. That's even more motivating.
This latest Anonymous attack has, as the culprits intended, illustrated how the data of a major ISP held on servers at an established service provider (Melbourne IT) can be breached. But ISPs have already delivered this message to the government in less public forums, where it's more likely to influence policy.
The message delivered to the public by this Anonymous attack, when combined with all the scattergun attacks by the more numerous, less-focused wearers of the Guy Fawkes mask, is that the internet is under threat from unknown criminals who must be stopped.
The tactics of Anonymous will actually increase demand for the draconian laws they want to prevent. Time for a rethink, guys.