Mandatory ISP data retention and the law of unintended consequences

Well, good one Australia, UK and whoever else has embarked on this hare-brained scheme, you've just made things a whole lot worse. Our respective governments (in all their ivory-towered wisdom), have decided that because one of us could one day decide to become a terrorist, they'd better keep a big whack of our internet browsing history just in case. The theory these genius policy makers have is that if they can probe into all our lives far enough, they'll be able to see when we're doing terrorist kinda stuff. And really, what better way is there than siphoning up info on the websites we go to? Job done, beer o'clock, glad we solved that one.

Except no, they've just made a metric shitload of things much, much worse. Let's take Australia where the subject is topical due to mandatory meta data retention laws becoming well, mandatory, just last week. If you're in the UK then refer instead to your Snoopers' Charter and all the same observations apply. So anywho, our ISPs now have to store metadata on our browsing habits and right off the bat, there's a big problem - our government isn't quite sure what metadata is:

This isn't just some random pollie trying to wrap his head around it either, it's George Brandis, the bloody Attorney General! So there's your first problem - those who want the data aren't actually sure what it is. But hey, they've got advisers and some of them are probably quite switched on so let's move past the inability of a politician to explain technology for a moment.

Regardless of George's stammering about what it is the gov is actually forcing ISPs to store, the sentiment is simply that they want to know what you're looking at on the internet. So that's that, they've got your data, now your private things are no longer private. Except because people are kinda pissed about their privacy being eroded, we're being flooded with advice on how to circumvent the new law. For example, Lifehacker talks about How To Protect Your Metadata With A VPN, the ABC is relaying the EFF's advice to 'get a VPN' and then - just in case you missed it the first time - the next day Lifehacker backed it up with How To Choose The Best VPN In Australia. And this is just a tiny sample of just what I've seen down under in recent days.

There has never been more information available about how to hide your traffic from authorities!!

Every single day over the last week, I've seen VPN how-tos in places I'd never seen them before. There's a barrage of stories in the mainstream media telling you precisely how to circumvent the law in just a few simple steps. Of course, just like much of the security and tech advice targeted at "normals", a bunch of it is also pretty bad but hey, a whole heap of people who couldn't even spell VPN a few weeks ago now know how to use one with ease.

Let's take Bruce. Bruce is considering a career in terrorism (and no, I don't care that Bruce's name doesn't align to the expected stereotype of a terrorist). A couple of years back, Bruce would have happily discussed terroristy things via SMS, email and whatever messaging app he preferred because hey, that's how you have conversations in the modern era. But now Bruce knows that the gov is watching his every move because, well, that's exactly what they've said they want to do with this law. Bruce knows that he has to get smarter about his comms. Fortunately, Bruce reads Lifehacker and the ABC so he invests a few minutes of his time and gets a VPN, routes his traffic out through a foreign location via a provider that doesn't store logs and it's happy days for Bruce. Not so happy for the rest of us because he's now flying under the radar, but hey, at least it looks like the government is doing something useful!

Now take Sharon. Sharon's not a terrorist, she's quite happy with her career as it stands and isn't considering a switch. But Sharon has a different problem - she's suffering from depression (possibly after watching George Brandis on the telly). It's a real medical condition and she's doing her best to deal with it, but it's a private matter and she wants to keep it as such. She's been visiting Beyond Blue and seeking guidance from there but even though the site is served over an HTTPS connection, Sharon is smart enough to know that this doesn't hide the sites she's visiting from her ISP. Like Bruce, she reads Lifehacker and the ABC and quickly learns about VPNs so she goes and gets herself one in order to help keep her condition private. Problem is, Sharon also likes watching Netflix and that poses a bit of a problem:

Because the MPAA doesn't want Sharon watching her favourite shows via the massively more extensive US library, they've forced the likes of Netflix to block anyone using a VPN from accessing the service. Yes, Sharon is suffering from a serious mental illness and doing her best to fight it whilst retaining her privacy, but there's a chance she may watch reruns of Breaking Bad which Aussies aren't really meant to have access to on Netflix because "reasons", so best just block her altogether. Oh - and per the responses to that tweet above, there's a heap of other stuff that breaks on a VPN too because who knows how many shady characters might be hiding shady things. Ok, so they're things they simply don't wish to share but hey, that's makes them shady too, right? Guys? Hello?

It doesn't take Sharon long to realise that a VPN is just not a practical everyday thing to run 24x7. Yes, her privacy is important to her but we humans have a habit of sacrificing that pretty quickly when there's a convenience upside; simple passwords, smart phones without PINs, listening devices in our homes courtesy of voice activated assistants and smart TVs - they all erode our privacy but damn they make our lives better! When a technology makes an immediate-term improvement to our lives, it will be adopted. When it makes things harder, it will struggle to get traction. VPNs are the latter.

Now, faced with the inevitability that terrorist minded folks will simply turn on the VPN before discussing terroristy things, there has been much discussion over the years about simply banning encryption. Putting aside for a moment the insurmountable challenge of doing this without us all getting pwned six ways from Sunday day in and day out, let's imagine how Bruce would handle this if he and Macca had to work out how to talk about terrorist stuff:

Bruce: Right Macca, we've gotta be smart about this and encrypt our communications when we talk about blowing shit up.

Macca: Oh, haven't you heard? The government has banned encryption.

Bruce: Ah, good point, we'd better not use it then.

This is not how it's gonna go down!

Bad guys don't just simply stop being bad because the government says they shouldn't be bad! They use the broad array of readily accessible encryption technologies that are freely available all over the web regardless of what their government does and doesn't like and they behave like bad guys anyway!

I don't know exactly what percentage of us are terrorists or paedophiles or any of the other genuinely nasty things the community as a whole agrees we don't really want amongst us, but I betcha it's small. Very small. By extension, the number of us that are good guys is massively large yet somehow, we've arrived at this entirely nonsensical point where the gov is trying the catch the infinitesimally small minority at the expense of the vast majority and it does stuff all good anyway because now there's more info than ever about how to avoid interception in the first place!

And just to make the whole thing even more nonsensical, VPN providers aren't subject to the same data retention laws, indeed they may not even operate within your political jurisdiction. Good VPN providers also store absolutely nothing about your traffic and thus have no metadata to give the government anyway should they ask. Or perhaps of greater relevance to all of us, they have nothing on us that they could lose and that's extremely important because once information is captured and digitised such as metadata retention laws require, there's always the risk of disclosure to unintended parties.

So, where all this leaves us is that Bruce and Macca have more access than ever to encryption technologies that enable them to hide genuinely nasty deeds whilst Sharon now has unquestionably private information about her personal life in the hands of her ISP and upon request, in the hands of the government. This is the law of unintended consequences; this is not the outcome anyone wanted yet somehow - miraculously - here we are.

Edit: I've had some feedback from a few fellow Aussies around the definition of "metadata" as the gov here sees it. It doesn't change the fundamental premise of this post (it actually makes a bunch of things more confusing), but let me ensure it's addressed anyway.

The piece I was most consistently pointed at was LifeHacker's Everything You've Been Told About Data Retention Is Wrong written in 2015. The basic premise is that ISPs need to store info on when you connect to the web and how much data you store, but not the sites you're connecting to (host name, IP, etc). On that basis, the metadata retention law (and frankly, this is now a very loose use of the word "metadata" as it's no longer really even "data about data"), doesn't include anything that identifies where people are browsing to. Now in case you're thinking "wait a minute - didn't Troy just link to two stories from LifeHacker about how to use a VPN to avoid metadata collection?", yes I did and now you're seeing just part of the reason why people are so damn confused.

Someone made the point that these logs are retained in order for the cops to be able to match IP address activity on some external service back to the individual connecting to the ISP. This is precisely what a VPN protects against because those server logs contain the address of the VPN exit node, not that of the user's ISP. So long as the VPN provider doesn't store logs, the traffic can't be traced back to the source. But that doesn't mean the ISP's mandated data collection specifies the site, although technically they can observe this both for traffic over unencrypted HTTP connections and as I said earlier, even communications over the HTTPS scheme still leak info about the target site. The ISP can see this and if they were legally required to capture it, a VPN would also circumvent that.

Regardless of how much the Aus gov is or isn't forcing ISPs to store, the pattern of governments requesting increasingly extensive amounts of data to be collected and retained is obviously one that's playing out across the world. I mentioned the UK Snoopers' Charter and by all accounts it's one of the most invasive examples of this and appears to go well beyond our approach down under. All of this is driving the push towards VPNs and regardless of how much the gov is trying to collect (or have collected on their behalf), there's never been more info available on VPNs and they do make it much harder to track down illicit activity. There's undoubtedly confusion about what's in and what's out of the Aussie law and even since writing this piece, I continue to see stories on how to use a VPN to circumvent it.

Whichever way you define it, mandatory ISP data retention laws are causing more people than ever to attempt to hide their traffic with a VPN.

Security VPN
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals