From: Digest <deadmail>
To: "OS/2GenAu Digest" <os2genau_digest at os2site.com>
Date: Mon, 24 Aug 2015 00:00:21 WST-8WST,10,1,0,7200,4,1,0,7200,0
Subject: [os2genau_digest] No. 2113
Reply-To: os2genau_digest at os2site.com
X-List-Unsubscribe: www.os2site.com/list/

**************************************************
Sunday 23 August 2015
 Number  2113
**************************************************

Subjects for today
 
1  Re:  Australian Data Retention Legislation : Peter Moylan <peter at pmoylan.org>
2  Re:  Australian Data Retention Legislation : <deadmail>



**= Email   1 ==========================**


Date:  Sun, 23 Aug 2015 15:44:47 +1000
From:  Peter Moylan <peter at pmoylan.org>
Subject:  Re:  Australian Data Retention Legislation

On 2015-Aug-22 04:54, deadmail wrote:
> Hi All,
>
> FYI
>
> This email list needs to comply with the "Australian
> Data Retention Legislation" of 2015. As of the
> 13th October 2015, all information in relation to
> email headers of emails received, emails sent, and
> in the case of this email list, the entire contents of
> the email body will be kept for possible retrieval
> of every person the Australian government deems
> has a need to have access to such information.
>
> [Basically anyone from Local, State, Federal
> Government, or law enforcement here in Australia]

This message left me a little worried, and I had to go away and read the
act. That didn't much help without a lawyer, because there's a lot in
there that's ambiguous. (For example, must incoming e-mail be logged,
including spam that's been blocked by a firewall, or only outgoing?)

As I read it, you still have another year to find an off-shore VPN, and
you're entitled to apply for a government grant for the cost of
implementing the changes. Most likely those grants will be given only to
the big players, though.

As far as I can tell, I'm safe for now. My mailing lists are hosted in
less paranoid countries, and my mail server seems to be covered by the
"immediate circle" rule. I have no idea, though, whether I'll have to
turn off my web and ftp servers. I think that's covered by the fact that
requests are coming in from outside. Technically, as I read the rules,
it will be ftp and web _clients_ that will become illegal, but it should
take the government a long time to figure that out.

> The list is archived anyway so really there is no
> main problem that I can see except I need to
> retain the actual email logs from Weasel as well
> as the list emails.

Except that they have to be stored in encrypted form, as I read the
rules. It would be interesting to see whether one-way encryption would
satisfy the rules. A court would probably rule that the encryption has
to be one that Australia's spy agencies have already cracked, but I
don't see such a provision in what I've read.

> In the not too distant future it also looks like the AG's
> department here in Australia will also be dictating what
> hardware and software can, and cannot be used in
> Australia on public networks in the interest of
> National Security. That one's going to be interesting...

Another interesting case that could arise: I still have a university
e-mail account, but I don't use it because the university, in its
stupidity, gave the contract for e-mail management to Microsoft, and
Microsoft has an arrangement with America's NSA to supply it with a copy
of all mail. The people "in the know" at the university have warned
everyone never to send "commercial in confidence" information via a
university e-mail account, but the management just doesn't care.

Now, it is not possible for Australia's spies to get information
captured by American spies, and clearly the university is already in
violation of the confidentiality rules. What can/will the AG do about that?

-- 
Peter Moylan                          peter at pmoylan.org
                                      http://www.pmoylan.org

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

  -----------------------------------------------
 To Subscribe/Unsubscribe go to <http://www.os2site.com/list/>
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

This is a pulp free product.


**= Email   2 ==========================**


Date:  Sun, 23 Aug 2015 15:06:32 +0800 (WST)
From:  <deadmail>
Subject:  Re:  Australian Data Retention Legislation

Hi Peter,

<snip>

I was going to reply privately but figured I might as well
leave it all on the mailing list.

> This message left me a little worried, and I had to go away and read the
> act. That didn't much help without a lawyer, because there's a lot in
> there that's ambiguous. (For example, must incoming e-mail be logged,
> including spam that's been blocked by a firewall, or only outgoing?)

I'm on Internet Org Australia, AusNOG and a few other
lists and the only way I think most have muddled their
way through it is to go back and forth with the AG's dept
who have a dedicated email address and phone line.

Note that when you go through the process everything
becomes confidential, which makes it hard to pass on
information. They have however helped with a fact sheet
that https://www.internet.org.au/ and the Comms Alliance
have all helped with. Anyone wants a copy, happy to email
it to you.

> As I read it, you still have another year to find an off-shore VPN, and
> you're entitled to apply for a government grant for the cost of
> implementing the changes. Most likely those grants will be given only to
> the big players, though.

Actually, no one knows who gets that money, or when, or
how much and under what conditions, and it only covers a
fraction of the costs. Many are of the opinion that the end
game is to remove a lot of the smaller comms players
to make it easier for law enforcement to track and trace
people.

You have to have a DRiP in, which is basically a plan of
how you are going to become compliant, and when you
expect to. That DRiP should have been in by 13th August
2015 though there is some scope for delayed submission.

No one else has said it but I will mention that the AG's
(Attorney General's) Dept is ending up with a nice up to
date map of who does what that can also be cross referenced
with the TIO's office.

Strangely enough, I can't see that helping track
terrorists and others - McDonald's and other public
WiFi areas are exempt :o)

> As far as I can tell, I'm safe for now. My mailing lists are hosted in
> less paranoid countries, and my mail server seems to be covered by the
> "immediate circle" rule. I have no idea, though, whether I'll have to
> turn off my web and ftp servers. I think that's covered by the fact that
> requests are coming in from outside. Technically, as I read the rules,
> it will be ftp and web _clients_ that will become illegal, but it should
> take the government a long time to figure that out.

It doesn't apply to HTTP/Web servers or FTP servers,
it is a Communication Bill so it only applies to
communications such as email, IRC and VoIP.

So your email lists are safe, and you can ignore the
legislation unless you start hosting an email list here
in Australia, then you can probably apply for an
exemption if you're willing to follow the paper trail
but don't expect any funds to cover any of it.

I can't say too much about "immediate circle" as what that
means really depends on where you look but
I do get the impression that means an email server
for family and friends, or a small business based
server is exempt if it is only for the usage of that
one company and not for public usage.

> > The list is archived anyway so really there is no
> > main problem that I can see except I need to
> > retain the actual email logs from Weasel as well
> > as the list emails.
> 
> Except that they have to be stored in encrypted form, as I read the
> rules. It would be interesting to see whether one-way encryption would
> satisfy the rules. A court would probably rule that the encryption has
> to be one that Australia's spy agencies have already cracked, but I
> don't see such a provision in what I've read.

If the archives are public then encryption can be ignored as
you are not required to encrypt and store if you still need
the data for normal business. If I were to remove the
public archives then I would be required to encrypt
and store the data for two years.

I would also be required to have in place a system to
handle people's applications for copies of their private data,
which means stripping out everyone else's data so only the
applicant's data is provided back to them.

See what I mean by it's all becoming too hard to bother with.

> > In the not too distant future it also looks like the AG's
> > department here in Australia will also be dictating what
> > hardware and software can, and cannot be used in
> > Australia on public networks in the interest of
> > National Security. That one's going to be interesting...
> 
> Another interesting case that could arise: I still have a university
> e-mail account, but I don't use it because the university, in its
> stupidity, gave the contract for e-mail management to Microsoft, and
> Microsoft has an arrangement with America's NSA to supply it with a copy
> of all mail. The people "in the know" at the university have warned
> everyone never to send "commercial in confidence" information via a
> university e-mail account, but the management just doesn't care.

The above is not covered by Australian law unless it is
hosted in Australia. As to the NSA, I will only say point
of entry and leave the rest to your imagination.

> Now, it is not possible for Australia's spies to get information
> captured by American spies, and clearly the university is already in
> violation of the confidentiality rules. What can/will the AG do about that?

They can and do. Australia, NZ, UK and USA all have data
sharing agreements, as to the nitty gritty, that's up to your
imagination, or a search engine. I used to do contract work for
AT&T in the 90's, and I'm not dumb as to what, how, and why some
equipment was configured.

And the AG doesn't have to do anything about it :o)

The Trans Pacific Agreement thingy would make things a
lot clearer re the law and obligations BUT that also
means we would very likely have to also have the same
copyright and other laws as USA, and likely the same or
a very similar court system. From what I've heard the
Australian Gov has already said it will not be going with
that agreement in its current form.


Cheers
Ian Manners
http://www.os2site.com/
