Last night, Communications Minister Malcolm Turnbull honoured the GovHack 2014 awards ceremony in Brisbane, a night dedicated to recognising excellence in the field of using government data in creative and meaningful ways to create applications that help make sense of our social and economic milieu.
During his address he made a brief reference to the growing controversy around the Australian Government’s plans to require carriers (and possibly other entities) to store metadata to help law enforcement agencies in upholding laws.
We were fortunate enough to receive a little of the Minister's time to discuss the issue.
During the interview, Turnbull lived up to his deserved reputation as a skilled politician, statesman and orator. The team at iTnews decided it was fairest to present the interview transcript unplugged, including all of your correspondent’s logical fumblings and bumblings around this complex issue. We offer it to you for your consideration.
*Any references to Telstra in this article are incidental in Mr. Turnbull’s explanation of data retention and should not be seen as a reflection of the entities the federal government and law enforcement agencies are targeting.
Malcolm Turnbull: What the government is committed to doing is to legislate or formalise rules for the retention of metadata, which immediately begs the questions: ‘what does that mean, what does that include’?
In terms of the IP world - the internet world - what the security agencies have asked for is the allocation of IP addresses to the ISP’s customers at the time they’re using the internet. Those records, of course, are created because the ISP needs to know which customers are using the internet and accessing the network at a given time, but [it is now sought that] such a record should be kept for at least two years.
That’s what the agencies are asking us (for) but they’re not seeking any retention of data relating to web history or web browsing or destination IP addresses. (That is) the web sites or hosts we may connect to or visit.
iTnews: Does the collection of those IP addresses, in any case, give an indication or approximate the places that…
MT: No, no it doesn’t.
iTnews: It’s impossible?
MT: Yeah, you’ve got it. Let me explain: when you go online, your ISP allocates to you an IP address, which is your address on the internet. It is dynamically allocated and it may change, even during an internet session, and it’s certainly not going to be the same on every day. Now, you know, the City of Brisbane, The Australian, The Sydney Morning Herald - they each have got static IP addresses so they’ve got the same IP address - or probably a collection of IP addresses - for a very long time.
iTnews: So we can see that someone visited the Sydney Morning Herald but we can’t see the page they visited?
MT: No, you’re confused between destination and customer IP addresses. So, Fred Blogs, a customer of Telstra goes online through his mobile phone or his computer at home. Telstra allocates an IP address.
MT: Which is a number.
MT: A string of numbers.
MT: And they have a record of that, obviously. What the security agencies are after is that (retention entities) should be required to keep that record for two years. And the purpose of that is: if at some point, it is noted that a particular IP address, which is one of the bundle of IP addresses that belong to Telstra, has been on a criminal web site and engaging bad people - you know, whatever - then the police can go to Telstra and ask ‘IP address 12345, who was the customer that was using that on the 4th of June 2014?’
What they’re asking us is to, in effect, require nothing to do with destination IP address. Did you follow me?
iTnews: Destination, in what sense?
MT: Well, this is why this issue is so difficult.
iTnews: But every IP is an address, a destination.
MT: No, no. When you go online you are given an IP address. Your computer will, in the course of your internet browsing, or whatever, connect to a whole set of IP addresses. Let's say, websites that you visit and whole other hosts - they’re called destination IP addresses. Now, there are some records kept of those but that is not part of this debate. So there is no request for people’s web surfing or web history retained. Okay?
iTnews: Right, well I don’t know that…
MT: I don’t think you understand what I’m saying. Do you understand the distinction between the customer IP address and the destination IP address?
MT: Okay. So all that the security people are asking is that the record of the customer IP address be kept for two years. So in other words, the IP that is allocated to you today - and so that Telstra, if that’s your carrier, knows that IP address 1234 is allocated to your account, for a particular period, which may be this evening, for example - that a record is kept of that for two years.
iTnews: How is that useful to them without a destination IP address that actually validates that level of scrutiny on their IP address?
MT: It’s useful in this sense because, if through other surveillance it may appear that they may receive information that, through other surveillance activities and intelligence activities, they may receive information that a particular IP address was communicating with a server. It might be somewhere else in the world.
And that IP address may be one, in this case, that might be known to belong to a slab of IP addresses that belong to Telstra. So, what this means is that the police will know that, as long as that has happened in the last two years, Telstra will be able to say ‘Yes, the IP belonged to Mr. Smith’. You know it was allocated to Mr. Smith at a particular time.
iTnews: What does that mean? That you’ll go to a particular destination IP address - your words - and just check anyone has connected at Telstra?
iTnews: No wait, you’re talking about destination IP addresses and I understand what you mean because you’re talking about where people access information from, right?
iTnews: So how do investigators link that DHCP (dynamically allocated IP address) information to those sites?
MT: Because in the course of police work, surveillance work, from time to time law enforcement agencies will become aware of a particular IP address connected with a particular host or computer. And the question is ‘who is behind that?’
iTnews: But what is the goal? Do they (for instance) want to find out who is commenting on a jihadist web site? Do they want to find out…
MT: Yes, exactly. It could be something like that.
MT: And essentially that is the point. If you look at piracy you know that what rights owners do is… they will participate in a torrent storm and they will note that at an IP address there is Game of Thrones being downloaded, uploaded, shared by IP address 123456. So they then go to Telstra and say ‘this is one of your customers, you better send them a rude letter or do something about it’.
In New Zealand, they’ve got a scheme that works like this. The content owners can identify the IP addresses being used to share copyright information without a licence and the ISP then says ‘right, that’s Billy Blogs, we’ll send him a letter’.
iTnews: So, can I ask you then, is this targeted at terrorist activity, criminal activity or copyright (infringement) activity?
MT: Well, no it’s not targeted at copyright (infringement) activity at all.
iTnews: I’m surprised that example came up.
MT: I’m just trying to explain to you the difference between a customer IP address and destination IP address but what the police …*pause*… this whole package has been announced in the context of national security…
iTnews: … and the example you give is in the context of copyright?
MT: Well, it’s an example I’ve given you. It’s one of several, but the point I’m making is that there’s no request by the security agencies or the police for people’s web surfing, web history or IP addresses.
iTnews: I understand that at a technical level, but do you understand that that may be inferred from the information?
MT: Well, I keep on saying it’s not, and I’m doing my best.
iTnews: It’s not inferred? They go to a web site - jihadi website or another website and they (ask) ‘who connected to this web site?’ You know what the website is beforehand and you’re saying the history can’t be inferred?
MT: No… the bottom line is ISPs are not being asked to record and retain for two years any web history, whether it is by reference to domain names or by reference to IP addresses.
iTnews: So it can only be inferred from specific investigations?
MT: That is exactly what (Australian Federal Police) deputy commissioner Andrew Colvin said on Friday. So you discover other investigations that a particular IP was visiting or connecting to a particular site. For whatever reason, you want to know who was behind IP address 1234 at a particular point in time and that is why the proposal is being put to government that ISPs be required to keep that information for two years.