TECHNOLOGY SPECTATOR: The dark side to data retention

As ASIC and other regulatory agencies look to increase their power by piggybacking on Canberra's data retention plans, few have considered the potential downsides.

Technology Spectator

The government review into cyber-security has turned into a free for all by government agencies demanding access to data that would be collected under the proposed two-year data retention regime.

Proposed changes to the national legislation covering telecommunications and the digital network are being seen by government agencies as a once in a generation opportunity to get access to the online usage history of all Australians.

The Australian Securities and Investment Commissions has gone further and asked for telecommunication intercept capability. If the government is not careful the review could become a farce – if we have not already reached that point. The push for enhanced powers not only raises question marks about how the process will be managed, but also the prospect of consumers jumping on to the darknet to protect their privacy.

The end result of this could well be that ISPs end up with a whole stack of useless information.

Swamping the ISPs

Under future legislation that meets the agency wish list carriers and Internet Service Providers could be swamped with telecommunication intercept and retained data access notices. However, there is precious little information on how the entire exercise will be managed.

How would a carrier or ISP guarantee that data is not tampered with, hacked into, leaked or that agencies don't trip over each other with concurrent investigations?

The same questions apply to telecommunication intercepts. These are important issues that merit careful consideration and it’s crucial that no changes are set in motion before the state of the digital network is reviewed extensively.

TOR and the darknet

One possible outcome if any changes are indeed made to the Telecommunications (Interception and Access) Act 1979, the Telecommunications Act 1997, the Australian Security Intelligence Organisation Act 1979 and the Intelligence Services Act 2001 is the prompt development of an industry that will train Australian in how to use TOR and the darknet.

The darknet is a network of servers that are not accessible over the Internet but can be accessed by using secure virtual private network connections to darknet node servers. TOR is a software application that provides secure VPN connections to darknet nodes.

When TOR is used people can access darknet servers or by using anonymisers people can access servers on the internet. An anonymiser makes tracking the person using the internet almost impossible to find. Well, technically you could find the user but the process is so hard that it is almost not worth the effort.

What this means is that the data collected under the proposed data retention scheme could be of little or no value. All that will be collected is an indication that a person has commenced a secure VPN connection to a server that is likely to be outside Australia and therefore outside Australian control.

As the traffic over the secure VPN is encrypted there would be in effect nothing to monitor, collect and store for two years. The carriers and ISPs could have whole data centres full of useless encrypted information. This would be a scene reminiscent of Yes Minister where an efficiency award went to a hospital with no patients.

I wonder if the review or the government has considered this possibility?

Viable alternatives

Rather than a half-baked policing option perhaps the government should look for viable alternatives that reinforce the digital network, which is not secure and must be rebuilt urgently to improve privacy and security.

It appears a small step may occur soon in the UK where Nominet, the non-profit body responsible for overseeing all net addresses ending in .uk, is proposing an important change.

Under Nominet’s proposal companies would be able to use domain names shortened to www.domain.uk and by making this change agree to several conditions. The conditions include the mandatory use of Domain Name System Security Extensions and have a proven company presence in the UK.

DNSSEC is a security protocol that utilises a digital signature to ensure that the domain is valid when accessed, for example when browsing to www.mydomain.uk. This reduces the likelihood of domain hijacking and other attacks on domains and websites.

The Nominet proposal is a small step forward that should be immediately implemented in Australia.

We can also add to this the compulsory use of secure HTTP, secure connections between email servers, secure connections between email servers and client applications and the immediate introduction of Internet Protocol version 6 (with IP version 4 turned off).

If the government is serious about boosting Australia’s credentials then implementing the aforementioned technical changes to the digital network would be a good start. The security and privacy benefits for all Australians will be a natural by-product of that process.

Mark Gregory is a Senior Lecturer in Electrical and Computer Engineering at RMIT University