Australian spookhaus ASIO could retain private data FOREVER

Intelligence oversight chief points out omission in metadata retention bill

The Inspector-General of Intelligence and Security (IGIS) has told the government it's forgotten to set down how long ASIO is allowed to keep metadata handed over by telecommunications companies.

The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 requires that carriers hold data for two years. However, once that gets hoovered into ASIO, it could be retained forever.

Inspector-general Dr Vivienne Thom's submission to the inquiry says there is no current law, nor any requirement in the bill, that limits ASIO's capacity to hold telecommunications data.

“There is no requirement in the TIA Act, the ASIO Act or in the Bill that would require ASIO to destroy telecommunications data it has obtained from a carrier after a certain period of time, nor is there any legislative requirement for ASIO to make an active decision as to whether telecommunications data (or other material) is not relevant or is no longer relevant to security and to destroy that material”, Dr Thom writes.

In fact, she writes, it's easy for ASIO to decide not to delete data collected under warrants: all it needs do is decide not to bother making a decision.

Although the current interception regime requires destruction of records “if the Director-General is satisfied that the records are not required”, the D-G isn't required to reach that decision:

“I have recently been advised by ASIO that the power had not been delegated and that the Director-General does not currently make any decisions under these provisions. Therefore currently no records are destroyed under these provisions”, she writes.

While she says ASIO is diligent in meeting its legislative requirements, it seems that the agency is very good at interpreting those requirements to the letter. The problem, in other words, is not a non-compliant ASIO, but laws that don't tie its hands tightly enough.

Unsurprisingly, the submission notes that “ASIO record retention practices have been identified as an area for IGIS inspection in 2015”.

Dr Thom also offers a veiled warning to the telecommunications industry: whatever data carriers collect about their customers can be swept up in a spook request. If carriers “do retain more than the minimum required then whatever information they retain, so long as it is not content, will be able to be accessed”, she writes.

That poses a problem for carriers, Dr Thom suspects, because service providers might find it cheaper and easier to “store everything” than to try and filter the retained data to meet the government's minimum standard.

The Register notes that the minimum data set to be retained is defined not by the letter of the legislation, but rather by regulation. The risk that the data set could change in the future would, it seems to Vulture South, represents an incentive to over-collect. And what could possibly go wrong with that?®

Other stories you might like

  • Amazon warehouse staff granted second chance to vote for unionization

    US labor watchdog tosses previous failed result in the trash

    America's labor watchdog has given workers at Amazon’s warehouse in Bessemer, Alabama, another crack at voting for unionization after their first attempt failed earlier this year.

    “It is ordered that the election that commenced on February 8 is set aside, and a new election shall be conducted,” Lisa Henderson, regional director at the National Labor Relations Board, ruled [PDF] on Tuesday.

    “The National Labor Relations Board will conduct a second secret ballot election among the unit employees. Employees will vote whether they wish to be represented for purposes of collective bargaining by the Retail, Wholesale and Department Store Union.”

    Continue reading
  • It's the flu season – FluBot, that is: Surge of info-stealing Android malware detected

    And a bunch of bank-account-raiding trojans also identified

    FluBot, a family of Android malware, is circulating again via SMS messaging, according to authorities in Finland.

    The Nordic country's National Cyber Security Center (NCSC-FI) lately warned that scam messages written in Finnish are being sent in the hope that recipients will click the included link to a website that requests permission to install an application that's malicious.

    "The messages are written in Finnish," the NCSC-FI explained. "They are written without Scandinavian letters (å, ä and ö) and include, for example, the characters +, /, &, % and @ in illogical places in the text to make it more difficult for telecommunications operators to filter the messages. The theme of the text may be that the recipient has received a voicemail message or a message from their mobile operator."

    Continue reading
  • AsmREPL: Wing your way through x86-64 assembly language

    Assemblers unite

    Ruby developer and internet japester Aaron Patterson has published a REPL for 64-bit x86 assembly language, enabling interactive coding in the lowest-level language of all.

    REPL stands for "read-evaluate-print loop", and REPLs were first seen in Lisp development environments such as Lisp Machines. They allow incremental development: programmers can write code on the fly, entering expressions or blocks of code, having them evaluated – executed – immediately, and the results printed out. This was viable because of the way Lisp blurred the lines between interpreted and compiled languages; these days, they're a standard feature of most scripting languages.

    Patterson has previously offered ground-breaking developer productivity enhancements such as an analogue terminal bell and performance-enhancing firmware for the Stack Overflow keyboard. This only has Ctrl, C, and V keys for extra-easy copy-pasting, but Patterson's firmware removes the tedious need to hold control.

    Continue reading

Biting the hand that feeds IT © 1998–2021