The murky moves towards metadata retention
The ancient Greeks and Romans put their heads together and came up with a word full of conceptual variations and sliding meanings: “metadata”. It is now rolling off tongues as both a factoid and an abstraction.
To assist, Attorney-General George Brandis has promised a “statutory definition” of metadata when he introduces his data retention legislation any time soon.
He did add, though: “This is a term that does not have a precise definition. It is a description rather than a definition.”
This could not be more reassuring, from a man who only last month uttered this perplexing remark in relation to metadata retention: “What people are viewing on the internet when they web surf will not be caught. What will be caught is the web address they communicate to.”
Apparently he didn’t really mean that, just as Tony Abbott didn’t mean to say in relation to accessible information: “It is not what you’re doing on the internet, it’s the sites you’re visiting. It’s not the content, it’s just where you have been, so to speak.”
It was left to Minister for Communications Malcolm Turnbull, the man Abbott said “virtually invented the internet in this country”, to try to straighten things out by saying that the capture of web browsing history was not part of the government’s plan.
Except that is by no means guaranteed, because currently all sorts of government law enforcement agencies have access to browsing history, if they get a warrant.
The line being pushed from Canberra is that what should be retained by the telcos and internet service providers are: numbers called from and numbers called (landlines and mobiles), dates, duration, email addresses, the IP address of the user, the name and address of each customer, and locations.
The wish list includes information that would reveal users’ upload and download volumes.
The retention of this information for two years is deemed necessary because the carriers will soon no longer store customer data in an easily retrievable form, as they shift their systems to billing on the basis of communication volumes rather than numbers and lengths of calls.
The security and law enforcement agencies don’t really want any definition of metadata at all because it might restrict the expansive view they have of their functions. Just as they don’t want warrants for accessing metadata, because that’s too much bother.
The just-retired director-general of security, David Irvine, said issuing a warrant for metadata would be like writing “a three-page letter every time you want to look up the telephone book”.
We’ve adopted the US model where warrants are not necessary in cases where the information sought to be retrieved is classified as “transactional” rather than “communications”. Incredibly handy.
Maybe a three-page letter is the least of it when you consider where the metadata can lead. The Electronic Frontier Foundation put it this way: they know you rang a phone sex service at 2.24am and spoke for 18 minutes, or a suicide prevention hotline, or an HIV testing service, or a gynaecologist or a planned parenthood outfit, or a mortgage broker, or a divorce lawyer.
In other words, Irvine doesn’t actually need to know the content of those conversations because he knows pretty well what’s going on in your life.
The discussion about metadata is clouded with ambiguity and oversimplification. Who can forget Tony Abbott’s analogy that metadata is the “material on the front of the envelope, and the contents of the letter will remain private”. We only need to look at the way the National Security Agency in the United States thinks about an address on an envelope to see the exciting possibilities.
For instance, if a US “executive branch consumer” wants intelligence on a foreign target, the NSA will identity the offshore entities that have that information, research how they communicate and determine how to access those communications.
The NSA explained it this way: “The analysts will use metadata, similar to the address on the outside of an envelope, to attempt to develop selectors for their targets. Once they have them, they task the selectors to the collection systems in order to get access to the content, similar to the letter inside the envelope.”
If that doesn’t work, the federal government can threaten a service provider with fines of up to $US250,000 a day if they do not comply with a secret court order to turn over data about foreign customers – again, no warrants required.
In Australia, the first of the government’s new beefed-up counterterrorism bills is before a parliamentary committee. Among other things the legislation seeks to expand the definition of a “computer” in such a way as to allow the possibility that anything that connects to the internet could be accessed by intelligence agencies for surveillance purposes.
So if the proposed metadata law doesn’t skin you, the National Security Legislation Amendment Bill No. 1 will.
Nor should we think that data can only be accessed by security and counterterrorism people. What we are seeing is the expansion of emergency powers into the area of general policing, without the need for a warrant. Organisations that have some law enforcement functions – Medicare, the RSPCA, Bankstown Council, Australia Post and the tax office – seem to be able to get their paws on all sorts of personal material. It will be fascinating to see how the telecommunications interception amendments will define the outer reaches of who has access.
But while Australia is busily seeking to expand the horizons of data retention, in Europe and the US there have been processes working in the opposite direction. In response to the Edward Snowden disclosures, the US house of representatives passed a bill that provides for a judge to issue orders to telcos for “call detail records” and would restrict the bulk collection of data. An amended version is stuck somewhere in the senate.
In April, the European Court of Justice found that the directive of the European Parliament that member states retain traffic and location data and other identifying information was disproportionate to the aim of combating crime and terrorism.
The court said the directive applied “even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime.
“Furthermore, it does not provide for any exception, with the result that it applies even to persons whose communications are subject, according to the rules of national law, to the obligation of professional secrecy.”
The court was assisted by an advocate general, in this case Pedro Cruz Villalón, the former chief justice of the Constitutional Court of Spain.
He pointed to invasions of privacy and the “vague feeling” that surveillance may have an impact on freedom of expression. He added: “The data in question, it must be emphasised once again, are not personal data in the traditional sense of the term, relating to specific information concerning the identity of individuals, but ‘special’ personal data, the use of which may make it possible to create a both faithful and exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity.”
Although the prosecution of serious crimes is a legitimate aim, the court said the EU directive was not proportionate to those ends. Cruz Villalón would have limited the retention period to one year.
There seems to be no plan, at least so far, to apply a proportionality test to the Abbott government’s proposed metadata retention law.
Shortly after the European Court of Justice’s ruling, the British government rushed in the Data Retention and Investigatory Powers Act (DRIP), which replaced the regulations that had been invalidated by the European Court of Justice.
Electronic Frontiers Australia, which is a mover and shaker in the digital rights area, told an Australian parliamentary committee on intelligence and security that it was “highly questionable” whether data retention would aid the investigation of terrorism, organised crime or other serious illegal activities.
“It is worth noting that determined criminals will have little difficulty disguising, or anonymising, their communications. There are many relatively simple and very effective tools available that allow for the protection of communications from surveillance.”
This suggests the metadata retention regime will create a means whereby the entire country can be placed under surveillance, yet the suspects, the smart criminals and agents of terrorism, can continue to go about their business.
A narrower focus on what should be retained would seem to be the sensible way ahead – although this is unlikely when you consider the security wallahs have been fighting for mass data retention for 10 years or so.
According to the prime minister, the attorney-general and the director-general of security, the threat facing this country comes from jihadists with Australian passports, returning here after fighting in Iraq and Syria, as well as from lone wolves on home soil.
The numbers vary and the estimates are a bit like a floating craps game. In June Foreign Minister Julie Bishop said an “extraordinary” number of Australians had joined the extremist cause. This month, Brandis said about 60 Australians are currently “participating” in the conflict zone. Irvine says it’s a “large number” – 70 to 80. This is about half the figure that had been suggested earlier by the government. Brandis thinks another 100 of our citizens are currently thought to be supporting the Islamic State’s cause. Abbott said about 20 fighters have returned to Australia, although Irvine puts it at “tens”.
Whatever – if that is the extent of the terrorist threat that faces this country, the capture and storage of the metadata of the entire nation smacks of a disproportionate response. Irvine says ASIO has foiled a number of plots, the precise details of which are classified. These successes have occurred without the retention of citizens’ metadata.
The fact is security agencies and coppers always want more resources and more power. In this country they are on the cusp of getting mass retention and access to your electronic fingerprints. The next step is the full monte – the retrieval of web browsing data, without the need to write three-page letters.
This article was first published in the print edition of The Saturday Paper on Sep 20, 2014 as "Persona non data". Subscribe here.