Although the proposal is currently on hold, the government has been looking into requiring all internet providers to keep logs for 2 years. Part of the proposal would also require the ISP to retain all URLs the user has viewed and all incoming and outgoing emails.
The proposal also allows ASIO to access these logs without a warrant...
"Most often, the term warrant refers to a specific type of authorization; a writ issued by a competent officer, usually a judge or magistrate, which permits an otherwise illegal act that would violate individual rights and affords the person executing the writ protection from damages if the act is performed." - http://en.wikipedia.org/wiki/Warrant_(law)
Where is your Email Stored
Let's cover email quickly. My email provider is in Canada. I am sure lots of people are using GMail, so once more not in Australia. They won't be covered by these laws. The vast majority of email systems, including Webmail, POP and IMAP (used by most desktop systems), are automatically configured to be encrypted. This means the ISP cannot see the email. The email is encrypted from the overseas server all the way to the laptop/desktop/mobile device reading it.
OK, keeping URL data is annoying. It technically does not provide the data, but it does show what you were doing.
Jimmy Wales (Wikipedia) has said he will encrypt the whole of Wikipedia if the UK introduces similar laws. URLs cannot be logged if you are using encrypted web sites (e.g. HTTPS). All that the ISP will have logged is that you made a connection to Wikipedia, with no idea which page you were viewing. So yes, they would have logged that you went to guyspy, but not what you read.
Encrypting is becoming the norm.
IP is not a person
A web site that doesn't require authentication does not know anything about the user except their IP number. This IP number is often not the actual user. ISPs use proxies, transparent proxies, and even IP masquerading. All of these mean that you can't tell, even with logs from the web site, who it actually was.
In my house alone we have 8 laptops, 5 main desktops, a few servers, 2 iPads, an Android tablet, 4 mobile phones and 6 separate people all using the one IP number, which is randomly allocated by our ISP. So you have no way to know who it was.
VPNs (Virtual Private Networks) are becoming more popular. They are also becoming more standardised and easy to use, even from mobile devices like iPhone/iPad and Android. This means a work user may be accessing a VPN, which means all traffic is now going via the office computer. That will be a single IP as well (most likely). Now it could be that each workplace is required to do their own VPN, so let's switch to a home VPN: will people be required to keep their own logs?
VPNs are readily available in other countries. These VPNs guarantee not to keep logs, and you can even use many of them. They are easier to set up than email!
What will be the responsibility for backup by the log keepers? Most businesses can't afford backups of the most current data of their site. Now they will be expected to keep logs for 2 years. What if they lose their logs? What if I accidentally kept my logs on an unreliable disk with no backup? Do I go to jail, or is this a loophole we can all use?
We have seen even the best companies lose their data. And those are users who are careful and are keeping financial data. Logs, which are normally kept on less secure servers, will now need to be kept for long periods, and securely. But they still have to be accessible.
What is the cost of access, and who pays? You archive, encrypt and back up your logs. Now a government agency asks for logs on a user. This is going to cost you some time; if you get a few of these a week, it starts to become a full-time job. So you can automate it and make things more accessible, but that itself costs more. And automating and making things accessible means your security is lower.
Giving out your Passwords
One of the recommendations is that a password must be handed over by the owner of an account on request by the government agency. This one is just silly. We need to look at this one further, but here are just a few ideas to consider:
- Change password after release - this one will probably be covered
- "Refuse to answer that question" - we don't have the constitutional right to remain silent, but it is accepted in criminal cases. Among the exceptions to this are the anti-terrorism laws. You have human rights, unless you are a suspected terrorist...
- Something you have. You should start to use "something I know" and "something I have" security. E.g. RSA keys.
Computer access - remote control
Not sure how this one is going to work. Anything ASIO can do to my computer without my permission, another "baddy guy" (what my kids call criminals) could do, and we are constantly protecting against that. In most ways I think we can ignore this one. Just make sure you are protecting your computer from any malware, spyware, etc.
Criminals are not idiots. Encryption is not only commonplace, it isn't even hard. So none of these new rules will help catch criminals, as they are all easy to work around. 10 years ago it may have taken someone with good computer skills, but not now.
We are yet again losing our privacy, sacrificing liberty for a false sense of security.
The article says that government agencies are concerned that SilentCircle is making encryption easy. Again, who cares? Easy is for non-criminals. Any criminal has been able to have this kind of secure encrypted communications for years. So why is government nervous? One line of argument is that it is trying to monitor everyone else. More likely I think that governments are just out of touch with technology. They assume that if it isn't easy for anyone, then it isn't used by anyone. Mainly, I think they are just 10 years out of phase with where consumers are.