Australian Data Retention laws see VPN use up 100%

Australia's new data retention laws have seen a boom in VPN use in the country, with NordVPN reporting an increase in Australian subscribers of 100% since National Get a VPN Day in Australia back on April 13th.

Your online data is now retained for two years

As regular readers may recall, back in March 2015, the Australian Parliament passed the Telecommunications (Interception and Access) Amendment (Data Retention) Act. This legislation included a number of controversial measures, but none more so than its data retention requirements.

These required data generated by Australians when they go online, whether through a fixed-line connection, Wi-Fi, or a mobile connection, to be retained for a period of two years. The retained data included such details as the date and time of their connection, their account name, and the duration of their connection to different services.

The cut-off date for ISPs to ready themselves for these new requirements was April 12th this year, which is why privacy advocates labeled April 13th as National Get a VPN Day, the first day when all Australians using the internet should be doing so via a VPN if they care at all about their online privacy.

How to protect your online data

“[A VPN] is probably one of the best ways to try and get around the idea of your internet provider providing all of the metadata engagement that you do online to your government,” explained Tim Singleton Norton from Digital Rights Watch, who played a big part in making National Get a VPN Day such a success.

And if NordVPN’s figures are anything to go by, it seems that plenty of Australians have got the message that if you don’t want the Government to know everything about your online activity, then a VPN is the ideal solution.

Marty P Kamden, the CMO of NordVPN, has also explained why he thinks they have seen such an upturn in the number of users down under.

“Collecting metadata undermines Australians’ privacy — and the benefits of data collection are still not clear. Additionally, any kind of data retention is known to attract hackers, lured by huge amounts of personal data stored in one place.”

Bulk data collection threatens security as well as privacy

Kamden is right to emphasise the security risks of the bulk collection of personal data as well as the privacy implications. Data is a valuable commodity and storing such quantities of valuable data in a single database is a potential recipe for disaster.

Hackers will inevitably be drawn to such sites for the rich pickings that are on offer, and the sad fact is that often this data is not kept in a secure and encrypted format. This makes it easy for hackers to make off with your data and this, of course, could potentially compromise your security too.

It is not just Governments that collect data in this way; big IT companies, social media sites, and advertisers do the same.

There are a number of steps that people can take to protect their online data from being collected and stored in this manner. The principal one is to make use of a reputable VPN which will encrypt all of your online data and also hide your IP Address, making it all but impossible for your online data to be connected to you.

And there are various other steps you can take to protect yourself in addition to using a VPN, as Marty Kamden has rightly pointed out. These include regularly deleting cookies, using privacy-oriented browser plugins, installing effective anti-virus and anti-tracking software, and not undertaking any sensitive activity on public Wi-Fi networks without protecting yourself with a VPN.

In the wake of National Get a VPN Day, the Australian people seem to be getting the message, and users in other countries where such bulk data retention takes place, like the UK, are also using VPNs in growing numbers.

But in the current climate, it is strongly advisable that everyone using the internet, on any device, does so through a VPN connection and takes all the other privacy steps laid out in this article as well. Both your online privacy and your data security depend on it.

  • Craig Thomas

    A VPN doesn’t make any difference to the data retained under the Data Retention Act.
    As s187A,4 makes clear, only relevant connections are subject to data retention and a relevant connection is one made from a subscriber to the provider of the relevant service.
    “Over the top” communications are not relevant communications.
    The relevant communication is the connection you make to your provider at which time they assign you an IP address. The retained data in this case is the subscriber name, service delivery address, date & time and duration, and the IP address assigned. A VPN is entirely over the top of this connection and can’t possibly in any way affect this retained data.

    • VPNCompare

      I think most people are concerned more about the fact that without a VPN every URL you access is stored for 2 years.

      I’m not sure many care that with a VPN the ISP can still retain that you were assigned an IP Address at some point. After all, most people have a router connected 24 hours so the IP Address is permanently assigned.

      The fact is that the only data retained when using a VPN is the fact the user was assigned an IP Address, at what time and likely the IP Address of the VPN server they connected to, nothing else is possible to be viewed.

      • Craig Thomas

        As the Act makes clear, no URL is retained.

      • Craig Thomas

        As is clear if you’ve read the Act, your connection to a VPN server is not subject to Data Retention so the IP address of the VPN server is not retained.

        • VPNCompare

          As a non-Australian website we will take your word for it.

          However, it seems to be the understanding that this type of information is retained from both Australian and international sources. How this came to be I do not know, but it’s the general consensus.

          • Craig Thomas

            It’s not so much a “consensus” as collective hysteria. It chiefly stems from iinet’s misinformation. iinet were the chief reason this update to our Telecommunications Act (1979) had to be passed as they were advocating some kind of net-anarchy and deliberately obstructing law enforcement activities in relation to access of Telecomms data.

            Denmark retains the sort of data you’re talking about.
            The Australian Data Retention Act explicitly excludes it:
            (4) This section does not require a service provider to keep, or cause to be kept:

            (a) information that is the contents or substance of a communication; or

            Note: This paragraph puts beyond doubt that service providers are not required to keep information about telecommunications content.

            (b) information that:

            (i) states an address to which a communication was sent on the internet, from a telecommunications device, using an internet access service provided by the service provider; and

            (ii) was obtained by the service provider only as a result of providing the service; or

            Note: This paragraph puts beyond doubt that service providers are not required to keep information about subscribers’ web browsing history.

            (c) information to the extent that it relates to a communication that is being carried by means of another service:

            (i) that is of a kind referred to in paragraph (3)(a); and

            (ii) that is operated by another person using the relevant service operated by the service provider;

            or a document to the extent that the document contains such information; or

            Note: This paragraph puts beyond doubt that service providers are not required to keep information or documents about communications that pass “over the top” of the underlying service they provide, and that are being carried by means of other services operated by other service providers.

          • VPNCompare

            Thanks for the info Craig. Appreciate you taking the time to keep us and our readers informed.

            What do you make of Australian VPN provider Wangle then who are selling a service that logs some of this type of info? They claim they’re complying with their requirements but if what you say is true they need not.

          • Craig Thomas

            All VPN services have to comply with the laws that apply where they run their servers. I know people who have had IP/copyright complaints forwarded to them from their US VPN provider.
            In Australia, a VPN provider is a service provider under the Act. The VPN service is a relevant service under the Act. If they are proxying as well as encrypting, then each proxied connection is a Communication under the Act and the provider must log details of the IP addresses it assigns to its customers’ outgoing connections.
            Customers of Australian VPN services are protected by the Data Retention Act, privacy laws and consumer laws, not to mention Australian courts, which, as was shown in the Dallas Buyers’ Club case, is pretty good protection against copyright trolling.
            Australian customers of VPN services operating overseas may not be aware that they are almost certainly exposed to far more risk than if they used an onshore service – many VPN servers are based in countries like Romania, Russia and China where your unencrypted data is up for grabs.

          • VPNCompare

            Craig, I think you’re confusing things a little. Previously you said VPN providers weren’t part of the act because they were “over the top” communication providers, now you’re saying they are and must log the IP Addresses assigned to customers? Can you clarify this?

            If that’s the case then why the disparity between Wangle and a provider such as VPNSecure. One which claims to log this type of information and the other that claims it doesn’t. Surely VPNSecure should be getting a call right about now from the authorities.

            Anyone who is getting copyright complaints from a US provider needs to change provider; there are services that don’t forward this information and go as far as to close servers in such locations.

            As far as I’m aware there are zero overseas providers complying with new Australian regulations and should that be the case many would rather close those server locations (see what happened in Russia, many providers pulled servers there) which will push Australians to use servers in New Zealand, Singapore, Hong Kong or other locations.

            Not sure what VPN providers you’re talking about but many servers aren’t based in Russia or China. Romania is also part of the EU so has to follow regulations that most countries within the EU do. Having a communist history they’re staunchly against going back to being controlled and surveilled.

            As always we appreciate your comments and discussion.

          • Craig Thomas

            The Data Retention Act applies to a communication made under a relevant service that is provided by a subject service provider.
            When we fire up our home router, it establishes a PPPoE connection to your ISP – your ISP is a service provider subject to the Act, and the communication is your connection to your ISP. Your ISP must make a record consisting of your name, address, a service ID, the timing of your connection together with the IP address you were assigned.
            With that connection established, you can now connect to Facebook, or a Romanian proxy server, fire up Skype or log into gmail. None of these communications belongs to a relevant service, as the service provider is not subject to the Act. Your ISP has nothing to do with the provision of services and is not required to log anything in relation to them.
            If you run a proxying service (or a cloud email service, etc…) in Australia, then the service you provide is subject to the Act, because you are a provider of communications services in Australia. Your proxying service is “over the top” of the underlying connection to the ISP, but that isn’t relevant to the fact that it is a service being provided by a local provider direct to the consumer.

            There are certainly Australian providers of telecomms services such as VPN services who will deny that they are subject to the Act. They are mistaken.

            As far as VPNSecure is concerned, who you say “don’t log”, they are subject to relevant local laws. If IP is protected by law in whichever jurisdiction VPNSecure runs its servers, and if a VPNSecure customer is detected breaking IP law by a motivated complainant, then the IP address they used being a VPNSecure IP address, VPNSecure will be held responsible and will have to negotiate a response. Generally this means agreeing with the complainant to remind the customer to not break the law. I very much doubt this “we don’t log” thing is true. I have seen with my own eyes a communication sent by a US VPN provider at the instigation of a copyright holder.

          • VPNCompare

            Thanks, that should clarify things for Australian readers.

            I do agree some US VPN providers do forward copyright notices. That’s why it’s important to use VPN services that use shared IP addresses because time stamps can’t pinpoint one user.