Law Enforcement – Data Retention / IP Address Retention / Tracking
You are responsible for who uses your internet connection and what your guests do on it. Read your ISP’s Acceptable Usage Policy. It clearly states that you are responsible for what someone does on your connection.
In October 2011 the government signed the Anti-Counterfeiting Trade Agreement, which mandates that you are responsible for who uses your Internet if you offer it free or paid, and businesses may be prosecuted for illegal downloads and access to inappropriate websites by users of their internet network.
The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth) (otherwise known as the “new data retention laws”) was passed into law in April 2015. The Act requires Internet Service Providers (ISPs) operating a “relevant service” to retain “metadata” for a minimum period of two years. “Relevant service” principally covers telecommunications providers and ISPs.
The types of “metadata” that must be retained are specified in the Act. Broadly, it includes:
- identification information about the account holder (e.g. name, address or billing information)
- information about the source and destination of a communication
- date, time and duration of a communication
- type of communication (e.g. voice, SMS or email) or the type of relevant service used for a communication (e.g. ADSL, wifi, VoIP or cable)
- location of equipment or line used at both ends of a communication.
You’re probably thinking that this doesn’t or won’t affect your business because you are not an ISP. However, there is some information you need to be aware of, and you are responsible for who uses your internet connection and anything they do on it.
I have extracted some information from Piper Alderman’s website. Piper Alderman is a commercial law firm with offices in Sydney, Melbourne, Brisbane and Adelaide and has extensive legal knowledge about the Act.
The Act excludes a service that is provided only to places that “are all in the same area.” This clause is intended to exempt cafes, restaurants, accommodation providers, etc., providing free wifi access from compliance with data retention laws. Instead, the obligation to retain “metadata” rests with the ISP supplying the underlying internet service. This exemption has its limits.
The Communications Access Co-ordinator has power to impose the data retention laws on any particular service despite the exemptions. Organisations will also need to have adequate procedures and policies to ensure access to their internal networks is appropriately limited, failing which they will have data retention obligations under the Act.
Some activities may potentially involve both criminal offences and civil contraventions. For example, “metadata” could reveal widespread downloading of copyright-infringing material in a network in the course of a criminal investigation. An enforcement agency may, during its investigations, disclose that fact despite no criminal conduct being found. This could alert potential civil litigants to seek discovery in relation to an organisation’s computer systems or logs.
The Act does not generally impose any data retention requirements on an entity that is not a telecommunications provider or ISP. However, organisations operating internal networks need to ensure that their networks are exempted under the Act. Otherwise, they will need processes to comply with the new data retention requirements. In any event, legal compliance policies of organisations should be reviewed to ensure that they are adequate to minimise legal compliance risks in circumstances where evidence of non-compliance may be more readily available in regulatory investigations or which may encourage civil litigation.
IMPORTANT – Read your ISP’s Acceptable Usage Policy. It clearly states that you are responsible for what someone does on your connection.
You must be able to prove it wasn’t you using the system, otherwise you are liable. To be able to prove it wasn’t you, you must be able to retain information on your guest wifi system similar to that of the “metadata” requirements outlined above.
The Telstra Internet Solutions/Telstra Wholesale Internet Acceptable Usage Policy states: This Acceptable Usage Policy outlines certain prohibited uses of the Telstra Network and the consequences which may flow from a violation of this Policy.
It goes on to outline prohibited use and states that, for any breaches or violations of the policy, Telstra reserves the right to take all legal and technical steps available under the Customer Agreement, including suspending or disconnecting a Customer’s service. Telstra may also take remedial action if the law or a regulator or other authority requires Telstra to do so. Such remedial action may include:
- immediately terminating or suspending the provision of a Customer’s service;
- giving a Customer a notice to stop the activities or conduct, or to take steps to remedy the Customer’s breach of this Acceptable Usage Policy;
- giving a Customer a warning that any further repetition of the activity or conduct will result in Telstra immediately terminating or suspending the provision of a service to the Customer; and
- reporting of the activities or conduct to relevant authorities.
Handing out a generic password to all your guests does not comply – they go through your modem/router and only your IP address is retained – you have no granular information to prove it wasn’t you using the system.
If you are offering free or paid internet to clients (e.g. resorts, cafes, restaurants, motels/hotels, libraries, etc.) there can be serious consequences if you do not have the correct policies, procedures and systems in place.
Should law enforcement agencies seek to investigate your business for piracy concerns and identify end users/guests that have accessed the Internet inappropriately, you are obligated to provide the traffic data and location data (“metadata”), which can be used to trace the source of a communication.
To help protect yourself and your business from inappropriate Internet access, Time Out Internet, if requested by authorities, can commence retaining IP addresses that your business produces for a rolling 24-month period.
This information is confidential and can only be accessed by the Time Out Internet Directors if the information is required by law enforcement agencies; the correct authority in writing is required before the information can be accessed or obtained.
Time Out Internet does not keep the Name and Address details of guests, only IP address details, date and time of login, user name and MAC address.
The details that Time Out Internet retains will need to be matched to the guest’s name and address details that you retain when you offer the guest Internet access.
The number of months that Time Out Internet retains/tracks IP addresses for is subject to change based on Australian laws, and Time Out Internet’s customers will be kept abreast of any changes that may occur to retention times.
- Accom Management Guide, Winter 2015: The new data retention laws – what you should be aware of
- Accom Management Guide, Autumn 2014: Piracy and data retention rears its head again in the Australian government
- IT News, August 22nd 2012: Senate Passes ‘Lite’ Data Retention Laws
- ABC News, 21st September 2012: ASIO backs controversial data retention policy
- IT News, Oct 10 2012: Attorney General told to keep data retention to 6 months
- ABC News, Thu Sep 27, 2012: Police insist tougher data retention laws needed
- Pirate Party, 21 September 2012: Roxon Letter on Data Retention
- Australia Government Attorney General’s Dept, July 2012: Equipping Australia Against Emerging and Evolving Threats. A Discussion Paper to accompany consideration by the Parliamentary Joint Committee on Intelligence and Security of a package of national security ideas comprising proposals for telecommunications interception reform, telecommunications sector security reform and Australian intelligence community legislation reform.
- Communications Alliance Ltd, May 2012: Public Wi-Fi Networks Industry Information Paper. Communications Alliance Ltd (formerly Australian Communications Industry Forum Ltd) was formed in 2006 to provide a unified voice for the Australian communications industry and to lead it into the next generation of converging networks, technologies and services.