Mercifully, I managed to find this from actual lawyers, which explains the legal landscape for those interested in the detail.
metadata - Gilbert + Tobin <https://www.gtlaw.com.au/file/10841/download?token=b7MKFd6q>

Kind regards

Paul Wilkins

On 3 May 2018 at 09:08, Paul Wilkins <paulwilkins...@gmail.com> wrote:

> Regards section 282 certs, s282 of which Act / Regulation?
>
> Near as I can see, all disclosure provisions in the Act itself are either
> voluntary, or require a warrant, where the police need to locate a caller
> in a life threatening situation the one exception.
>
> Kind regards
>
> Paul Wilkins
>
> On 2 May 2018 at 15:29, Ross Wheeler <aus...@rossw.net> wrote:
>
>>
>>
>> On Wed, 2 May 2018, Noel Butler wrote:
>>
>> After DR, two things have changed.
>>> 1. We have a legal obligation to capture and securely retain a
>>> whole pile of things.
>>> 2. We are required to give extracts of that information
>>> when requested, and but DO NOT REQUIRE A WARRANT.
>>>
>>
>> No, only number 1 is new
>>>
>>
>> Are you saying that we now DO require a warrant to give an authorised
>> person data captured in compliance with the mandatory data retention laws,
>> or that we DIDN'T require one previously? Because as far as I was aware, we
>> required a legal instrument before, and for DR stuff (as opposed to
>> interception) we now explicitly will NOT get a warrant except for the
>> specific case of information requested of a journalist.
>>
>> , and as for ISPs (not telcos) I'd hardly call radius and email logs a
>>> "whole pile of things",
>>>
>>
>> For some of us, it is far more than radius and email logs.
>> It includes SIP, FTP, and indeed any other service you provide that isn't
>> an "OTT" service, a webserver or a few other specific exclusions.
>>
>>
>> I'd also not call it that for those offering phone services either since
>>> clients like to look up to see their recent history they would be keeping
>>> that for a while anyway,
>>>
>>
>> What you kept for production and billing purposes is unchanged, but the
>> legislation actually requires all information captured for the DR (and the
>> wording is sufficiently unclear that it appears that "if it is captured for
>> DR (even if it is ALSO captured for billing or operational reasons)" that
>> data MUST be encrypted and secured at the point of collection (unless you
>> asked for and were granted an exemption on the immediate encryption of
>> otherwise collected data).
>>
>>
>>
>> it's hardly earth shattering for typical ISPs.
>>>
>>
>> I didn't say or imply it was. Merely that for some people there was
>> significant additional work to collect logs that they had not previously
>> needed, and not all systems made that easy. I was lucky, most did.
>>
>>
>> And #2 has always been the case under s282, I recall doing them as far
>>> back as 2002
>>>
>>
>> Yes, but S282 certificates are specifically NOT REQUIRED for LEA and
>> others to access (quite specifically) data captured and stored under the
>> mandatory data retention legislation.
>>
>>
>>
>>
>>> huh? where do you get interception from or are you just moving the goal
>>> posts
>>>
>>
>> Others raised "interception".
>>
>>
>> your OP never mentions a word of it, and
>>> nobody has unless I missed a post or three,
>>>
>>
>> You have, then.
>>
>>
>> your post was about user joe blogs information which never has required
>>> it, DR or no DR.
>>>
>>
>> Huh? You're saying now that an ordinary user's information has never
>> required a warrant? Now YOU are conflicting your own statements?
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG@lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>