How can you find out what “metadata” means? You could ask the Attorney-General – but that might not be very much help. You could peruse the Bill if you were keen – but it doesn’t define what the data to be retained is. In fact, the Bill and the legislation it is amending refer to the data only as “telecommunications data”. And this phrase is not defined. The closest we get to a definition is section 172, which provides that the Chapter of the Act dealing with access to telecommunications data does not permit the disclosure of:
(a) information that is the contents or substance of a communication; or
(b) a document to the extent that the document contains the contents or substance of a communication.
So what does the explanatory memorandum say? It explains that the government doesn’t want to know the content of what you say, just the associated details – to use the only analogy the AG could manage, the writing on the envelope, but not its contents.
General Michael Hayden (retired director of the NSA) said "we kill people based on metadata". That sounds altogether more sinister than the bland assurances we are receiving from the government and the bureaucrats in AGD – and perhaps something that would be worthy of judicial oversight.
So let’s be clear. There is no meaningful distinction from a privacy point of view between metadata and content.
Metadata is a government weasel-word for data. They use the word so that they can make a handwave argument to suggest that some forms of personal uses of telecommunications are less deserving of privacy protection than others. They’ve never asked the electorate whether or not that’s actually true; they simply rely on “proof by repeated assertion,” believing that it will magically become true if they say it often enough.
So how privacy-intrusive is non-content telecommunications data? Consider these examples.
Sure, these might be glib anecdotes on a conference slide of how this data can reveal details of your private life, but these are just isolated events, right? What sort of things could a week of your data give someone?
Well, pretty much everything.
By linking your publicly available data with other information on the internet – like the numerous password breaches which occurred in 2014 – this “non-content” telecommunications data can give access to the passwords for your accounts and enough detail of your life to give someone a fairly straight line on making you the next victim of identity theft. As iiNet pointed out in their submission on data retention, NSA General Counsel Stewart Baker has said, “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.”
The devil is, as is often the case, in the details. The AGD has helpfully provided their version of a Frequently Asked Questions on data retention, which even includes a “Myths and Facts” page. For example:
- Myth: The government will be able to track where I go through my mobile phone.
- Fact: Industry will only be asked to retain limited records, such as the location of a cell tower that a device was connected to at the start and end of a communication such as a phone call.
Now your phone communicates with the phone tower very frequently – to ensure you can receive mobile phone calls. Not just at the time you actually receive a call, but also when the phone is carrying out background tasks such as checking for new email and receiving text messages while it’s locked and safely ensconced in your pocket. And if you have an LTE phone, this will include high-resolution location information as well. These are “communications” between your device and the tower.
The legislation does not exclude the collection of this sort of data – indeed it does not even define it, rather leaving the definition to regulation at the whim of the government of the day [or to the choice of your communications provider]. This means that some providers may choose, or the government may require them, to carry out what is essentially continuous motion-tracking of your mobile devices.
The government not only wants to be able to access this data, but also wants to be able to access it without having to obtain a warrant, which is the traditional form of judicial oversight that has protected Australians’ telecommunications privacy for generations. We are told by the AFP that intelligence and law enforcement would “grind to a halt” if a court order was required to access this data. Access to content still requires a warrant – the explanatory memorandum says access to content is “highly privacy intrusive,” but the bill will maintain the existing situation which allows access to this nebulous telecommunications data where “a case can be made this…is reasonably necessary to an investigation”. As we have explained, the sleight of hand that telecommunications data is less intrusive than content is a fiction.
In his National Press Club address, the outgoing head of ASIO compared security services accessing this data to “looking up a telephone book”. If so, it certainly says a lot about the computer literacy of the security services. There were 582,800 “authorised disclosures” of data in the 2013-14 financial year, according to a report by ACMA, despite the use of the dead-tree telephone books going through the floor.
The former Independent National Security Legislation Monitor, Bret Walker SC, has stated on the record that he believes judicial oversight of this access is reasonable. This opinion is shared by the Human Rights Committee of the federal parliament and many of the countries in Europe who have similar schemes. Some countries in Europe are in fact scaling back their data retention, and the European Court of Justice found that data retention laws violated the right to privacy.
In summary, the Government would like your communications provider to store data that reveals vast amounts of information about you, for them to access at any time, without judicial oversight. Of course, the costs of this storage will be passed on to internet users, rather than being borne by the security agencies. The Bill does not include any requirements for communications providers to maintain adequate security of these treasure-troves of deeply personal information. And the Australian Federal Police – who stand to benefit so much from this data – accidentally made examples of it publicly available (twice) on the web, without even the need for criminal activity. Furthermore, there is no legal requirement for the law enforcement agencies to delete the data once they have accessed it – further increasing the risk to your privacy.
The government is singing from the songsheet of the Federal Police and the Attorney-General’s Department and sadly, the choir is a bipartisan one. The only substantial opposition in Parliament has come from The Greens’ Senator Scott Ludlam (and possibly also Senator Leyonhjelm). With the Bill most likely to be re-introduced into the Parliament in early March, this is not just an issue for privacy wonks or computer security professionals.
Data retention has the potential to threaten journalism, whistleblowing and lawyer-client privilege as well as every person’s right to choose the information they disclose. We must all let the government – and the opposition – know that we will not stand for the introduction of a surveillance state in the name of security.
Those who would give up essential Liberty, to purchase a little temporary safety, deserve neither liberty nor safety.
— Benjamin Franklin, 1755
Have your say
You can read more details about our opinions on this in the Future Wise submission to the inquiry. We encourage you to write to and/or call your local member and state senators – particularly if they are cross-benchers or members of the opposition. Electronic Frontiers Australia produced a guide to writing a submission to the inquiry which contains ideas you could include in your letter, or you can read the upcoming post by Leanne.