By now, you've heard about the new Australian data retention laws. And while everything is still in the early stages, I wanted to go over what we know so far.
These data retention laws, (passed 43 for, 16 against, in the Senate back on 26th March 2015), are actually a series of amendments added to the Telecommunications (Intercept and Access) Act 1979. Many amendments were proposed, some were shot down, and some got through.
What is metadata?
What does this mean for you?
How can you get around having your metadata captured?
The law now mandates that telcos and ISPs store their customers' metadata for two years. In the name of preventing terrorism and serious crime, government agencies can access that data when it's "reasonably necessary" to an ongoing investigation.
There are exceptions - such as journalists - who were added as a sort of protected class in an effort to make it easier for them to protect their sources. If an agency wants access to a journalists' metadata, they'll need a warrant. Who exactly qualifies as a journalist is still a bit sketchy, but it looks like they're pretty rigidly defined, meaning occasional writers and bloggers probably won't be included in the protections.
For everyone else (who is not a journalist), their metadata is freely accessible by authorities, without warrant, for two years, after which it may be destroyed.
The telcos have until 2017 to implement their various systems to get ready for this, but some telcos are already storing your metadata.
What is metadata? So what does the metadata that will be stored include?
For starters, metadata includes;
- The name, addresses, birthdates and financial information (of account holders)
- For phone calls, the metadata is such things as the date, time, and location and the caller id of the parties in a conversation (but not the conversation)
- For emails that would include the date, time and size of emails and if they had attachments, (but not the subject or the actual email text)
- For chat sessions, the date and time and who was in the chat session (but not the actual content of the chat)
- For general browsing this would include the IP addresses (of account holder), the sites visited (IP address of sites), upload and download volumes and the size of each upload and download.
So the actual content of a conversation—a phone call, an email, a text—will still be privileged, and any agency that wants access to that information will, as they do today, have to obtain a warrant for it, if it is available.
The case for and against
The estimated cost is between $190 and $320 million for telcos and ISPs to ready their infrastructure (they'll have 18 months to do that). After that, it will cost about $4 per customer per year to maintain.
Now, who will pay that bill is still undecided, it seems. According to the reports I've read, the government is still negotiating with telcos about who will pay what. Officially, the cost will be covered by taxpayers with a "significant contribution" added by the government. Of course, the worry is that, if the telcos pay a significant portion, they'll pass that cost onto customers. Again, that all remains to be seen.
Of course, telcos and ISPs already have all this information; it was simply unregulated. Now it is mandated (from 2017) and government agencies have a much swifter path of access.
These laws, if you have been following them at all, have been very controversial. I can see both sides of this argument;
Typical argument against metadata retention: That this is a total breach of privacy and it is absurd that Australian taxpayers and consumers are going to pay for a national electronic monitoring and surveillance database of all their conversations and online activity. And that the data stored will not be at all useful for the real intended purpose, and worse, will only lead to the creation of data profiling of innocent citizens which could then be easily misused.
Example argument for metadata retention: The Australian security authorities need access to this metadata to fight crime. Terrorism is a real threat, and access to this metadata will make it easier for the authorities to reduce this threat and make Australia a safer place. Also we can trust our agencies to use this data for its intended purpose. And anyway, if you are not doing anything wrong you have nothing to hide and all this information (and more) is already being captured.
So that's the 3 minute version of where we are now.
Will this be effective?
Given that (with just one exception explained below) it is very easy to circumvent theses laws, I personally think that the target audience (the people that really have something to hide) will just implement some simple measures such as using a foreign VPN service ($30- $70 a year) to conceal internet browsing, and will make phone calls via skype, or Apple facetime (yep, no metadata).
The exception? As far as I know, the only part of the metadata that will actually be hard to conceal is the mobile phone location. Sure, it can be turned off or put it into airplane mode (if a user doesn’t want to be tracked), but it will have to be turned it on even to make a skype/facetime or other non-network or encrypted call. Then the location is known and recorded. Yes, I can see how this can be a good thing, for example police investigating a crime can contact all the people that were in a location to see if they saw something – missing persons etc. – BUT – given how easy it is to NOT have all the other metadata stored, I wonder what the real value will be?
Personally, my concern is we already had legislation that specified when authorities could lawfully intercept customer phone and internet conversations (the Telecommunication Interception and Access Act before these amendments). So what value will the data retention laws add to the intended purpose? Given how simple it is for concerned individuals to bypass the capture of most of the metadata, will we just be left with storing the metadata of the people that are law abiding and have nothing to hide?
What are your thoughts?