Cops are getting full URLs under Australia's data retention scheme

There is content on the envelope. A Senate committee has been told that law enforcement agencies sometimes get full URLs from telcos, despite government reassurances.

By Stilgherrian for The Full Tilt | February 7, 2020 -- 03:33 GMT (19:33 PST) | Topic: Security

The Commonwealth Ombudsman, Michael Manthorpe, has revealed that law enforcement agencies are being given the full URLs of web pages visited by people under investigation.

Australia's mandatory telecommunications data retention scheme was meant to deliver only so-called "metadata" to the cops and spooks. Under the scheme, a warrant is not required.

But according to Manthorpe, the "ambiguity around the definition of content" means that agencies might effectively be receiving the content of communications.

The ombudsman explained his concerns during a hearing of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Friday.

Senator Andrew Hastie, Committee Chair: Could you talk about your concerns regarding ambiguity around the definition of content and whether or not an agency should have access to that when disclosed by a carrier under an authorisation?

Michael Manthorpe, Commonwealth Ombudsman: Yes, essentially, the piece of ambiguity we have observed through our inspections is that sometimes the metadata, in the way it's captured, particularly URL data, and sometimes IP addresses but particularly URL data, does start to actually in its granularity start to communicate something about the content of what is being looked at. That's essentially the point we're making.

Hastie: Just to be very clear, you get the URL, you get the full www. whatever it is .com?

Manthorpe: That's right.

Hastie: Which can indicate what they're looking at.

Manthorpe: Exactly. It can be quite long, or it can be quite short, and in some cases the descriptor is long enough to start -- we start to ask ourselves well that's almost communicating content, even though it's captured in the URL.

Hastie: And then multiple -- we are getting too technical but you know -- multiple clicks, for example, on a thread would generate more and more, I guess, content.

Manthorpe: That's right. Yes, exactly. So it's, we're simply highlighting that I think when the scheme was commenced, the concept of metadata was probably thought to be quite a clean and delineable thing, but we know that there is a greyness on the edges here that we thought we should call out.

Hastie: Yeah. Sometimes there's information on the envelope, so to speak, to use the analogy from a couple of years ago.

Manthorpe: That's a good analogy.

As for the intelligence agencies, the Inspector-General of Intelligence and Security (IGIS), Margaret Stone, said that she wasn't aware of any instances of content being provided unlawfully, but she echoed Manthorpe's concerns.

"There is this assumption that you get more from content than metadata," Stone told the committee.

"But when you look at the range of metadata, and what it tells you, there's an argument that could be made that it is just as intrusive, or almost as intrusive, as content. You can tell a lot about what a person's doing from that."

See also: Why Australia is quickly developing a technology-based human rights problem (TechRepublic)

'Grave concerns' that this wasn't meant to happen

Labor Senator Anthony Byrne noted that the major telecommunications companies had given the government "numerous assurances ... that they could keep metadata in a subset" away from the content.

"The federal government actually gave these telecommunications companies a substantial amount of money to ensure that that has actually happened," Byrne said.

"If that's not happening, that's of grave concern to me."

Byrne stressed that he wasn't critical of the agencies, nor the Commonwealth Ombudsman's office, merely that what he was now being told did not match how he thought the system was meant to work.

"We are undertaking a review of this mandatory data regime, whether or not it works, whether or not it could be improved," he said. "It's nothing more than that."

Telco data requests are meant to be written down

Law enforcement agencies are obtaining telco data without written authorisation in a "very small number" of cases, according to ombudsman Manthorpe.

"In some cases, they issue an internal authorisation based on verbal advice. And at an operational level, I can understand why that might occur, but it isn't catered for in the legislation," he said.

"Sometimes, agencies -- if they issue a verbal authorisation -- do subsequently go to commit[ing it] to writing."

Or, presumably, sometimes not.

"We see non-compliance in a small minority of cases generally, and this is one area of potential non-compliance," Manthorpe said.

"I would want to emphasise that, you know, there is a big volume of authorisations, and as far as we can ascertain, most of them are authorised appropriately."

However, as the committee noted, with the huge number of authorisations issued, a small percentage might still represent a large absolute number.

In the 2018-2019 financial year, 295,691 authorisations to access metadata were issued across all state and federal law enforcement agencies. This number does not include those issued to intelligence agencies.

ASIO guidelines 'well out of date'

The Attorney-General's guidelines that cover data collection by the Australian Security and Intelligence Agency (ASIO) are "well out of date", according to Margaret Stone.

"The present guidelines were issued in 2007, so guidance in relation to new powers introduced since then would be very helpful," she said.

As well as accessing mandatory data retention, those new powers include Australia's controversial encryption laws, and the power to conduct a range of "special operations".

"We've been saying for many years now, that those guidelines need revising," Stone said.

"They're well out of date, the present guidelines."

PJCIS has been hearing evidence as part of its review of the mandatory data retention scheme. These powers were legislated as Part 5-1A of the Telecommunications (Interception and Access) Act 1979, usually referred to as the TIA Act, in 2015.

The committee is due to report by April 13.

SEE ALSO

* Human Rights Commission wants data retention period limited to six months
* Telstra questions whether metadata restrictions are working as intended
* Optus gained exemption to store metadata unencrypted
* Home Affairs floats making telcos retain MAC addresses and port numbers
* Commonwealth Ombudsman singles out Home Affairs over stored communications and metadata handling
* ACT Policing had an unauthorised metadata access party 3249 more times in 2015
* Australian enforcement agencies angling for metadata review on telco cost recovery
* Clean Energy Regulator, WA Mines Department, and Vet Surgeons Board trying to access metadata: Comms Alliance