Back in 2014, the Australian federal Government announced that they’d be introducing a new Bill to Parliament. The aim of this Bill was to amend the 1979 Telecommunications (Interception and Access) Act to force telecommunication providers to hold on to their customers’ metadata for a minimum of two years.
With this Bill being announced, the word metadata was everywhere. In the news, on social media, people were stopping each other in the street to talk about it (not really). Metadata was a big buzzword, and this Bill introduced many people to the concept. But hardly anyone was talking about what metadata actually is – or at least, not well. In the years since the Bill’s announcement, and subsequent passing, the conversation has become a bit more informed. But at the time, it was a scary word.
I’m not a legal scholar, but I am an information expert, so I was asked by Nick and Katie at Progressive Podcast Australia to write and record a short explainer about metadata and what the implications of this Bill were. This is what I came up with (contains some strong language).
You can listen to the full episode here.
Nick: So should we get on to Luc’s thing?
Katie: Yeah, let’s play it.
Nick: His voicemail? So this is “What the fuck is metadata” thanks to Luc from Team Earthling.
Former CIA boss Michael Hayden: We kill people based on metadata
[Various clips of reporters and public figures saying “metadata”]
Luc: Metadata has been a hot-button issue in Australia over the last few months, starting back in August when the government proposed a mandatory data retention regime, and gaining further momentum at the end of October when a draft of that Bill made it through the first reading in the House of Representatives. This new Bill legislates that internet service providers (ISPs) must capture, hold, and store their users’ metadata for a minimum of two years.
Luc: But what the fuck is metadata?
In IT and Information Management fields, metadata is “Data that describes or defines all objects that make up a data source. In other words, metadata is data about the data.” Confused?
What this means for us is the new Bill wants ISPs to capture and store all the data that describes and defines everything we look at on the internet. So if I stream an episode of Progressive Podcast Australia from their website [clip from Progressive Podcast Australia] my ISP could be forced to capture and store things like
- the name of the episode
- who uploaded it
- the date it went up
- the file size or length
- the IP address for the server it’s hosted on
- how many hits it’s had
- when I listened to it
- where I was when I did that
- the brand of the computer, the operating system it’s running, and the browser I’m using AND
- how I got to the site – did I Google it, or did I punch the URL straight in?
But it doesn’t end there. Each time you move through a cellular network, your mobile phone connects and disconnects from access points along your route. Under this new Bill, your mobile phone could be used to track your movements. Your ISP could be forced to store this information for a minimum of two years. JUST IN CASE it’s relevant to a criminal investigation, and DESPITE similar regimes in the USA and Europe being declared ineffectual.
Luc: The people whose job it is to sell this Bill to the public are being very careful to say that URLs and search histories definitely won’t be included in the new retention regime. There are even explicit notes in the draft of the Bill stating that those things won’t be in there, so we can all breathe a sigh of relief, right? Well, not really. While search histories might not be included, URLs often turn up as part of a site’s metadata, in site descriptions, search keys, pingbacks, and other places.
If we pick a random website, say www.liberal.org.au, and look at the page source, we can see that it’s the website for the Liberal Party of Australia without even looking at the URLs. We can also see their Twitter handle, that they have a Facebook page, that their tagline is “Building a stronger Australia”, that they use Amazon Web Services as their preferred cloud storage service, and that they have a Google Analytics account. This is all just from looking at the metadata on that website. So even if we don’t look at the actual content of their website, I can tell roughly what the site’s about.
When the Bill was announced in a press conference at the end of October, Communications Minister Malcolm Turnbull and Attorney General George Brandis were trying to sell it as a matter of national security, by getting all the ISPs to do the same thing. They were very keen to reassure us that the Bill doesn’t give anyone any new powers – in fact, many agencies who have previously had unwarranted access to metadata (including the RSPCA, the Australian Competition and Consumer Commission, and local councils) will now have to get a warrant. This is the one positive of the Bill.
However, many people have concerns about this plan, even leaving aside the mass civil liberties-impinging surveillance state, where every person’s web activity is monitored, tracked, and stored, because they MIGHT be connected to something criminal.
Firstly, if access to data is being restricted, and police forces aren’t being given any new powers to investigate and prosecute, what’s the point of the Bill? Why will ISPs be forced to pay to create huge new databases to store all their customers’ information, if it’s highly unlikely that that information is even going to be accessed?
Which leads us to the second big concern. How much more is this going to cost Australian customers? Given Australia already frequently ranks low on internet cost vs speed lists for developed countries, is this Bill going to make us pay even more?
Also, how secure are these big databases going to be? As we’ve seen with the recent nude celebrity iCloud hacking and gamergaters targeting women in the gaming community, as well as the not so recent Playstation ID hack, huge amounts of data all stored in one place isn’t very secure.
Finally, the Bill mandates that ISPs will have to monitor their customers’ download patterns and download volumes. For an explanation of why, here’s Andrew Colvin, the Australian Federal Police Commissioner, during the Bill’s announcement:
Reporter: Once the legislation is through, could it be used for example to target illegal downloads – those responsible for that?
Andrew Colvin: Well, I haven’t even touched on some of the range of crimes… Absolutely, I mean any interface, any connection somebody has over the internet, we need to be able to identify the parties to that connection. Again, not the content, not what might be passing down the internet. So, illegal downloads, piracy … cyber-crimes, cyber-security, all these matters and our ability to investigate them is absolutely pinned to our ability to retrieve and use metadata.
Luc: Basically, they want to know if you’re pirating stuff. Which is weird, because copyright infringement is a civil matter, not criminal. So why does the AFP need to know about you downloading the last season of American Horror Story?
Even notorious Liberal Party sycophants, the Institute of Public Affairs, thinks this is a bad move, with Policy Director Chris Berg writing an article for the Drum:
A lot of opponents of data retention have pointed out that this creates a very real risk of unauthorised access. It’s hard to keep data secure.
Yet just as concerning is authorised access. Once these databases have been created they will be one subpoena away from access in any and every private lawsuit.
Many people have some residual faith that police and security services are benevolent. After all, their mission is absolutely essential – to protect us. But do Australians have the same faith in movie studios? Their neighbours? Their employers?
After all, it’s been undeniable that data retention could help copyright infringement cases ever since the Government included “download volumes” in the list of data it wanted ISPs to retain.
But this is just getting started. Think about how useful mandatory data retention might be in other civil cases.
It would be easy to trace where somebody has been based on the source IP addresses of their mobile phone, as the phone moves from cell tower to cell tower, connecting and reconnecting to the network and internet every time.
Imagine how this sort of information might be used, for instance, in a workplace relations lawsuit.
Likewise, online defamation cases will be strengthened by records that match IP address to account holder. Do you sometimes comment anonymously on blogs and news websites? Under data retention lawyers could track down who you are months after the fact.
Luc: The implications of this Bill are hugely Orwellian in nature, and fucking scary. If it’s passed, it presents not just a massive breach of our rights to privacy, but also opens us up to further Big Brother tactics, forcing us to pay more for less privacy. All in the name of protecting us.
[‘1984’ by David Bowie plays]