Wednesday, 29 August 2007
The Senate Legal and Constitutional Committee report on the Telecommunications (Interception and Access) Amendment Bill 2007 was tabled in parliament on 7 August. Get the report here. The legislation was intoduced into the Senate on 16 August 2007. Given the changes that this Bill introduces to the current arrangements for interception capability, and access to ‘telecommunications data’, the recommendations of the Senate Committee will have a relatively low impact on the shape of the final Bill. There was an interesting response put by the A-G’s Department in the committee inquiry in respect the nature of ‘telecommunications data’ (see page 10 fo the A-G response). If RFC 2822 is of interest to you, read on…
It appears that RFC 2822 may be used to determine the substance of ‘telecommunications data’ even though the RFC 2822 requirements are not included in any definition in the Bill. As I understand it, you wouldn’t expect to find an RFC used in a piece of legislation given what an RFC is in the the grand scheme of internet regulation & governance. Have a look at RFC 2822 here.
I think the concerns of the EFA & the Commonwealth Privacy Commissioner still stand – it was to EFA/OPC that the A-Gs response was addressed – the Bill as drafted does not provide clear guidance on what constitutes ‘telecommunications data’. The A-G’s Department argues that it’s not prudent to provide a definition because of rapid changes in technology. I suppose that relates to an argument about responsive and flexible regulation. However, citing RFC 2822 to allay the EFA’s concerns isn’t a guarantee that all bodes well in Denmark.
As I understand an RFC, it is a voluntary standard and as Kathy Bowrey explains, compliance with an RFC is about achieving “the level of functionality that comes with adopting a tried and tested ‘best practice'”. So RFCs are about best practice – they establish protocols, procedures and conventions used in or by the internet. The International Engineering Task Force (IETF) looks after the drafting and publishing. (See Kathy Bowrey, Law & Internet Cultures (2005) Cambridge Uni Press, page 3). Bowrey also notes that there is no law of the internet that says your site or network must be compliant (Bowrey, 2005, page 3). So it is quite possible that some telecommunications services are configured on the basis of the old RFC 822 or not RFC compliant at all…I understand there is a strong culture of compliance with the RFC but I would like to nut out the regulatory implications a bit.
It comes down to what constitutes ‘telecommunications data’ for the purposes of the Act. Is RFC 2822 a guideline or will compliance be mandatory? Does RFC 2822 provide the data which comprises ‘telecommunications data’ as described in the EM definition? Will it be used as a guide by security and law enforcement agencies when they approach ‘telecommunications services’ for data? Who out there in the ether is currently RFC 2822 compliant? Perhaps RFC 2822 will surface in the interception capability determinations made by the Minister in the new Part 5-3 (being an international standard?)? RFC 2822 is not mentioned in the EM. If it is important, how will compliance with RFC 2822 be measured? Is adoption of the RFC up to those subject to the Telco Intercept Act? Many services which create telecommunications data (Skype, Google, Microsoft) are not subject to telco intercept regulation (although this may become a moot point given the use of ‘telecommunications service’ in the Bill).
If this is important for the operation of the Act, why wasn’t there more discussion about protocols and how it would actually be done? I gather that it is important – regulatory certainty is a key concern for the industry – so how will the industry know what will be required of them and how will we, as citizens, have certainty about the kind of information that will be collected as ‘telecommunications’ data?
The EM gives the following explanation of ‘telecommunications data’:
“Telecommunications data is information about a telecommunication, but does not include the content or substance of the communication. Telecommunications data is available in relation to all forms of communications, including both fixed and mobile telephony services and for internet based applications including internet browsing and voice over internet telephony. For telephone-based communications, telecommunications data includes subscriber information, the telephone numbers of the parties involved, the time of the call and its duration. In relation to internet based applications, telecommunications data includes the Internet Protocol (IP) address used for the session, the websites visited, and the start and finish time of each session. Telecommunications data specifically excludes the content or substance of a communication. Currently, the use and disclosure of this data is generally prohibited under sections 276, 277 and 278 of the Telecommunications Act. Sections 282 and 283 allow access to this data for specific law enforcement and national security purposes.”
Telecommunications data isn’t actually a defined term in the Telco Act 1997. The Telco Act uses ‘communications’. “Communications’ includes any communication:(a) whether between persons and persons, things and things or persons and things; and (b) whether in the form of speech, music or other sounds; and (c) whether in the form of data; and (d) whether in the form of text; and (e) whether in the form of visual images (animated or otherwise); and (f) whether in the form of signals; and (g) whether in any other form; and (h) whether in any combination of forms.
The sections referred to in the excerpt from the EM refer to ‘information or documents’ which reveal the content or substance of communications, not ‘data’ (even though information or documents are probably considered ‘data’). My pocket Macquarie Dictionary defines ‘data’ as ‘plural of datum; information known or available, especially numbers, measurements. ‘datum’ is defined as ‘any given statement which forms a basis for further reasoning; any fact taken to be a matter of direct observation’.
So it appears that ‘telecommunications data’ is still a somewhat open-ended concept which, as far as I can tell, provides no certainty for anyone.
Looking at it another way, an open-ended concept of “telecommunications data” allows national security and law enforcement agenices access (for law enforcement and national security purposes) to an on-line universe of known or available or future (prospective) information which is being collected, collated and transmitted by telecommunications services. The data, as Bowrey explains, is “used to identify us and speak for who we are” in a limited way. At page 179 of Law & Internet Cultures (mentioned above), Bowrey explains:
“Data is collected, collated and transmitted. Data is used to identify us and speak for who we are. But our identity is only revealed through the databases largely generated by the records of our choices and actions. The related political concern here is that our agency or capacities as citizens have already become confined by and through these webs and networks. We cannot expect the state to intervene on our behalf, to address our other needs, interests or desires. The nation state will only identify us as consumers of services signified by the data that represents us, or see us as threats to the network, the state and ultimately other citizens, requiring a strategic, political response.”
2 Responses to “you say data, i say data…Telco Intercept Amendment Bill introduced into the Senate…”
Leave a Reply
Do not post material that is defamatory or obscene, that infringes any third party's copyrights, trademarks or other proprietary rights, or that violates any other right of any other person.
We reserve the right to remove or edit any comment for any reason.
Note: Posting more than two links in a comment may cause it not to appear because it will be submitted for moderation. Also, links in comments will not be counted by Google, so spamming is pointless.
August 29th, 2007 at 5:02 pm
..and of course RFC2822 more or less describes the format of an email message without really enforcing the meaning of the fields. For example, it goes into intricate detail about the possible ways of describing the ‘Sender:’ email address, but doesn’t insist that the email address be real. A telecommunications provider carrying an email message across their network can use RFC2822 to see if it is well-formed but not if it actually came from who it says it came from. Hence spam.
The AG’s department is being a little disingenuous when it says “This is an obsolete standard that was superseded in 2001 by RFC 2822 and the relevant header fields stated by EFA cannot be found in the current standard. RFC 2822 also states that these obsolete fields `MUST NOT be generated'”. They are right: an RFC2822 system oughtn’t generate those headers, but they `MUST be accepted and parsed by a conformant receiver’. Because RFC2822 says these headers shouldn’t be out and about on the intertron doesn’t mean they aren’t.
So the EFF’s comments still apply. “Telecommunications data” is a very fuzzy term, as is “content”.
August 30th, 2007 at 5:31 pm
While I think the AG’s department is clearly quite in the wrong on the technical issues of RFC 2822 in any case. And they are more wrong that Jules suggests – RFC 2822 clearly allows optional fields, including most of those permitted by RFC 822 (it just doesn’t make the same guarantees about them).
But its beside the point. The mention of email RFCs was to make the point that technical boundaries about what is content and what is communications data do not usefully correspond to the level of privacy that should be afforded that data (as they may have with paper mail and telephone communication), and so a legal definition is necessary to make it clear where this boundary should be.