Dear both Department of Human Services, and Mr Ben Fairless,

I am writing to advise both of you on this issue. I do not believe this is a valid request to be made of the department.

As an IT professional, I cannot think of any situation where this information might be useful to any individual or organisation that does not intend to use it in a malicious manner. Anyone can access the 'Public IP information' for the organisation using 'whois lookup', in fact I performed this lookup myself and will provide the results here for you:

$ whois humanservices.gov.au
Domain Name: humanservices.gov.au
Last Modified: 24-Feb-2014 04:48:57 UTC
Registrar ID: Finance
Registrar Name: Department of Finance
Status: serverTransferProhibited

Registrant: Department of Human Services
Registrant ID: OTHER GOVAU-HIMI1001
Eligibility Type: Other

Registrant Contact ID: GOVAU-HIMI1001
Registrant Contact Name: Data Network Team
Registrant Contact Email: Visit whois.ausregistry.com.au for Web based WhoIs

Tech Contact ID: GOVAU-SHDA1002
Tech Contact Name: Gateway Operations
Tech Contact Email: Visit whois.ausregistry.com.au for Web based WhoIs

Name Server: dns1.humanservices.gov.au
Name Server IP: 203.13.3.6
Name Server IP: 2407:6a00:0:0:0:0:0:531
Name Server: dns2.humanservices.gov.au
Name Server IP: 203.13.3.7
Name Server IP: 2407:6a00:0:0:0:0:0:532

It is not the concern of the public to know how the organisation chooses to sub-allocate their IP addresses, or whether they only have one publicly facing IP address and use NAT (Network Address Translation) to connect their machines to the internet.
After a short brainstorming session, these are the possible activities I could think of that one could perform using a more detailed knowledge of an organisations internal network address allocations.

> Targeted Denial of Service attacks - The malicious individual/organisation makes numerous unsolicited requests on servers/machines located at specific IP addresses in order to overwhelm them (potentially also causing issues downstream within the targeted organisation)
> If the user has access to Backbone network infrastructure (Works for and ISP / Telco or has otherwise maliciously obtained access) they could snoop packets marked with specific IP addresses, analogous to wire tapping.

There are probably other possibilities, but again, I can't think of any non-malicious reasons anyone external to an organisation would need to know this information.

Thanks,

Guy,

There are several reasons why this information could be useful.

For example, website owners (such as Right to Know) could be interested in reporting on traffic from Government Agencies. I would personally be interested to know how often various Government agencies access Right to Know.

I've also heard of a twitter account which sends out a tweet every time the Russian Government updates something on Wikipedia. This would rely on IP addresses to work (I think!).

I still think the request is valid under the FOI Act. s23(2) of the Act makes it clear that the Department cannot take into account any reason that I give for requesting access, or the Department's belief as to my reasons for requesting access[1].

I don't disagree that the information can be used for malicious purposes, but I don't think *all* uses are malicious.

Ben

[1] http://www.austlii.edu.au/au/legis/act/c...

Hi again,

While I understand and agree with the reasons you give (the public should be able to know the general actions of government organisations) this is perfectly possible with what information you have available to you.

Using currently available public registries you are able to perform reverse look-ups on any IP address and find the registrant/owner. I myself have done this several times for reporting on traffic to websites I control. If you had access logs for the Right to Know website, you would be able to show which government agencies viewed it (when and how much).

In the case of the twitter example, the service would scrape the page of recent changes to Wikipedia (http://en.wikipedia.org/wiki/Special:Rec...) and perform reverse lookups on the IP addresses, checking for Russian government owned ones.

If would you personally be interested in more granularity (i.e. which specific sub-departments or even users) were making accesses then that is your preference, but I feel that releasing that information would not be useful, only more informative for malicious parties.