Data Retention & Internet Privacy

[TheRealJoeFish]

My rule of thumb: Always behave (in public, maybe in private) as if someone is watching.

[brewer]

mh.brewer that's a disingenuous comment - what if you need to access a sensitive service in which confidentiality - or even anonymity - is required?

OK, I'm disingenuous. Move on.

[bradhaddin81]

You might be confused as to why this is in off-topic - the topic covers politics, security, privacy, liberty, technology, the law, and current affairs.

Which is unfortunate because people need to understand a whole range of issues to get a decent idea about why privacy is important, and why you should be very concerned if your data is going to be "retained" by service providers. It's the topic of my latest blog, and I'm hoping to get the second part done today (how to secure your data). Privacy is a very important value of mine, and I'll briefly explain why I think it should be an important value for everyone.

Here are a select bunch of resources - mostly focused on the Australian-context - but would apply equally to anywhere where the is data retention (much of Europe, Canada, Mexico, etc).

• Universal Declaration of Human Rights.
  
• IQ2 debate Only The Wicked Need Fear Government Spying - well worth listening to!
  
• Malcolm Turnbull's blog.
  
• iiNet's explanation of what data is retained by this "metadata".
  
• Journalist explanation of what data is to be retained.
  
  

VPN resources I recommend:

• Whirlpool, obviously.
  
• Choice, obviously.
  
• TorrentFreak.
  
• Vpncoupons Reddit. Right now at vpncoupons you can get a 1 year subscription to F-Secure Freedome for free.
  
• My website (where I will put a page up within a week on this).
  

First I'll answer the question - why you you need internet privacy? Well it's a basic human right. You don't want your data stored by your ISP to be hacked or leaked and then god knows what done with it. From so-called "metadata" alone it could possible to hack your passwords from any insecure connections that pass the username and password through the address bar. Your identity could be stolen. The metadata doesn't just recording your browsing history, it can be used to obtain a complete profile of software installed on your system which connects to the internet.

It is also going to include email metadata! Something no self-respecting email host does at present. You have no control whatsoever over what comes in through your email - and yet that correspondence can later be used to create a case against you!!

Your data can be accessed without a warrent - and without you even being a suspect. So long as one person who used a shared family or business account (large corporate accounts are said to be exempt by the order), you data will be accessed along with theirs. They could then be questioned about services that you accessed in confidence and didn't want disclosed to other people (debt consultation, help for depression or addiction, etc).

As for browsing - perhaps you don't want people knowing what kinky flavour of pornography you're into. Perhaps as I just mentioned you need to access sensitive services - like Gambling Help Online, the website says it's "free, professional, and confidential". Well it's not going to be confidential when your metadata is retained for two years by your ISP, and it's not going to be confidential when the phone number you call is stored by your Telco for 12 months. It's not going to be confidential when somebody else who used the same phone line or internet connection as you is questioned about the sensitive services that you accessed in private.

Furthermore, the fact that your data is stored at the ISP level will make a target for hackers. Just like Ashley Madison was a target. They don't need to hack into ASIO or the AFP or the other government agencies accessing the data - they can just hack the ISP where's there's fuck-all security protecting your sensitive data from being exploited. As noted in the IQ2 debate - we actually do have special handling procedures for sensitive information such as credit card numbers - because if they're not immediately destroyed by the handler it becomes a target to be exploited.

Government spying is not legal in Australia - or for that matter in most countries. Yet they want the private sector to spy on you and store the data so they can access it whenever they need it.

Data retention laws have been revoked in many European countries. I know about ten European countries where data retention laws were found to be unconstitutional. The countries are Austria, Germany, Belgium, Bulgaria, Czech, Slovenia, Slovakia, Romania, Cyprus, and Argentina (see my blog for references).


So here are my personal feelings:

The Australian law comes into effect on October 7. We should be very worried and concerned with our privacy.

It will no longer be safe for any Australian to use their ISP email OR their Australian-hosted workplace emails. Websites hosted overseas are unaffected. Sadly this means Australian companies now can't compete evenly with foreign-owned companies - it would be my suggestion for all Australian companies to move their email provider to an overseas provider. This can be done while still having Australian websites hosted in Australia, and it would be particularly important for charities, law firms, pharmacies, medical practitioners, and any service that provides potentially sensitive services.

I have already moved as much as I can away from my ISP email - all the forums I signed up to with it as well as amazon.com, etc. I highly suggest to all Australians to move off their ISP emails entirely. I wouldn't trust Google either - they read the contents of all incoming emails to build an advertising profile for you. Email is an unencrypted protocol, so it will never be completely private unless you use an encrypted service (which also requires the sender use the same service), and even if you don't  use your ISP email the ISPs in Australia have been instructed to log all email metadata that they can see - so all information pertaining to the emails in your Outlook or similar program will be logged and recorded by your ISP. Which is why you will need to encrypt the data using a VPN.

We can no longer trust our ISPs with our DNS, so install DNScrypt (do not use OpenDNS though as they do log your data). This has two advantages - firstly all DNS on your device would be secured and encrypted, not even your ISP will see it. Secondly it will prevent so-called "DNS leaks" entirely from your VPN - since any DNS enquiries not handled by it will be handled by DNScrypt and not your ISP.

We also need to secure all potentially sensitive information since now all of it will be stored for two years. Get a VPN. You can get F-Secure from the Reddit page above for free for a whole year (it doesn't support P2P though, unlike most others, but it is certainly fast), or go with any number of other well-regarded services.

I was happened with me also when I used a public WiFi network to connect myself and before happening this with me I was thought it is just fake and they are not real persons but after facing the same situation I admit that data retention is a very big problem specially in Australia and now I am using the torrent-freak services to save data.

Thanks.