Alarm bells rang for digital rights advocates in August 2014, when at a joint press conference, then prime minister Tony Abbott and attorney general George Brandis announced that the government was introducing a metadata retention regime to counter the threat of terrorism.
Following the passing of the Data Retention Bill in early 2015, metadata retention came into play that October. The regime requires that telcos and internet service providers store all customers’ metadata for a period of two years.
The content of communications is not metadata. The data being stored includes the date, time and length of calls, text messages, emails and internet sessions. The location from which communications are made is stored, along with whom they are made to.
And while to many this information may seem innocuous, experts warn that it can be used to develop quite a detailed profile of an individual, including their activities, associates and political views. Today, 22 law enforcement and security agencies are permitted warrantless access to it.
Access all areas
Currently, the Parliamentary Joint Committee on Intelligence and Security is reviewing the mandatory data retention regime in line with the provisions of the legislation. And some of the revelations coming out of the review have been quite startling.
The Australian federal police revealed during a committee hearing that over the year 2017-18, it had accessed citizens’ metadata close to 20,000 times, while ACT policing has admitted to accessing metadata unlawfully over 3,000 times, and some of this information has been used in prosecutions.
But this should come as no surprise: from its early days, the accessibility of the data has consistently come under scrutiny. In January 2016, it was revealed that over 60 government agencies had accessed it, including Bankstown City Council, the WA Department of Fisheries and the ATO.
Climate activists beware
La Trobe University research fellow Dr Stanley Shanapinda has been investigating the ability of law enforcement and security agencies to access metadata. In his submission to the parliamentary review, he points out that the laws are likely being used to target young activists and the Greens.
And with mobile network providers updating their systems to 5G networks, Dr Shanapinda asserts that the ability the metadata regime provides to track the location of mobile devices at both the start and end point of calls is going to become more significant.
Dr Shanapinda outlines as well that last year’s Assistance and Access Bill has provided the federal police, ASIO, the Australian Signals Directorate and the defence force with the ability to also collect relevant data from social media platforms.
Sydney Criminal Lawyers spoke to Dr Stanley Shanapinda about why Australians shouldn’t simply shrug off the collection of this data, his concerns around the broad definitions that allow access to it, and how law enforcement might have already built up profiles of young climate activists.
Firstly, you’ve been conducting research into the government’s metadata regime and the relationship law enforcement and intelligence agencies have with it. Dr Shanapinda, how do you explain what metadata is?
In a technical and computer science sense, metadata is data that describes other data. So, if you upload a picture, the location of the picture would be the metadata. It wouldn’t be the picture itself. The picture is the content.
Under the metadata retention and disclosure regime, the location information of a mobile phone qualifies as metadata, because it indicates where the phone has been. It indicates the geographic location in longitude and latitude.
The technology has advanced to the extent that it may tell you what floor someone is on if they’re in a building. It may include the velocity: the speed at which that phone is moving. But, those estimates are not precise.
It has been narrowed down from a radius of 100 metres to 1 metre now with 5G. And some are even saying it’s possible to get it down to 1 centimetre.
Other metadata types include the serial number of the device. There is a unique identity that your mobile phone has, which is being tracked inside the network, so that it knows where to deliver the communication. That would be the IMEI number, which is unique to that specific phone.
The big question around metadata is whether your web browser history – the URLs – constitutes metadata, or whether it constitutes content of communication. That’s an issue that’s not been clearly solved or addressed yet.
Why should Australians be concerned that certain agencies have warrantless access to metadata?
This data is needed for law enforcement and security investigations and inquiries. And that’s a good thing, which should be done.
If we compare how the regime came about in Europe, it was also about warrantless access to all this information. And then the courts stepped in and said, “This information is becoming very personal.”
One reason why Australians may need to ask questions is around how personal this information is. Because traditionally, what the courts have said is if you want to get personal information, such as the content of a voice communication, you need a judicial warrant.
Now, you get location information. You can estimate location to the position of 3 metres to 1 metre. And added to that, you’re tracking my location information several times throughout the day, so you get quite a clear picture of movement.
Previously, this regime started with traditional fixed phone lines and they just knew it was your house and that’s it. But, if you left your house, they would have no idea where you’d be. You could make your next call from a phone booth on the corner, so it wasn’t seen as invasive.
Collecting this data under current law, it’s at the start of a phone communication or a text message, and when it ends. We’ve gotten into the habit of using our phones quite a bit, so if you aggregate all of that data, then it reveals quite a lot of personal, and possibly sensitive, information. And that information is being accessed without a judicial warrant.
The argument is that it’s just as sensitive as voice communication. So, because it’s the same level, the same standard of protection – a judicial warrant – may need to be issued to protect this information, because they are equally sensitive and personal.
So, back in 2014, when these laws were first put to the public, critics said that the metadata being collected could be used to build quite a profile of a person: who they’d been speaking to and what sort of organisations they were involved with.
But, you’re saying that now the technology has progressed that tracking locations is a more prominent issue?
And the 5G network that providers are currently upgrading to is going to further compound the privacy concerns around the collection and accessing of metadata?
Yes. All the metadata gets aggregated using artificial intelligence: programs where all of the metadata is fed into. And that will then identify individuals and people they are associated with. These are people they would have come in close contact with by being in the same area.
So, if you look at the serial number of the phone – the IMEI – and you compare it to all the serial numbers that were in that radius of 1 metre or 100 metres. And if one shows up all the time in the same area, then you could make the assumption that those individuals with those phones know each other.
And with 5G coming, it becomes more precise. So, there’s greater confidence that those individuals would know each other, and be associated. Because the likelihood of those individuals showing up that close to each other all the time, and that just being a coincidence, would be highly unlikely. That’s the benefit it’s giving to the agencies.
You also raised concerns about the definition of “security” in ASIO guidelines and “national security” in federal legislation. What do these definitions entail? And why should they be of concern?
There were two purposes for why the laws were rolled out. One was for law enforcement-crimes. The second one was for security. And absolutely, metadata is crucial for these inquiries and these particular investigations.
There are two concerns. Firstly, the one around law enforcement and crime. Originally, the motivation for passing these laws was serious crime. It was terrorist crime. And no one would argue against that.
The global trend for serious crime is you need speedy response and you don’t need additional bureaucracy to access and investigate it. And most people agree that for serious crimes the agencies can have warrantless access to it.
However, as time went on, and when the laws became clearer, we saw that the laws don’t only cover serious crime, they cover non-serious crime as well. So, personal information – this highly sensitive information, because of the advancement in technology – is being used for less serious crime.
The local councils were using it. And that started raising questions for people. And also, these agencies are starting to collect the personal information and that started raising more eyebrows – there’s some scope creep here.
But, around the security question, the courts have interpreted the definition of security and national security as it being the ambit of government to decide what they consider is in the national interest and is national security. And the courts don’t limit the definition of security.
So, the definition of what constitutes security, or what may be a threat to national security, is quite wide and it’s at the discretion of government to decide. Many actions may be seen as a potential threat to security.
To collect someone’s metadata, they don’t need to have committed a crime. Their actions only need to be relevant to security. So, that’s the test. As long as it’s relevant to security at the discretion of government then your metadata may be collected.
The broadness of that term raises concerns about where the limits are, where the oversight is and what’s the criteria of what may qualify as security.
These laws were brought in by the Abbott government ostensibly to deal with the threat of terrorism. However, in your submission you warn that the most likely group to be targeted are politically active young people. Why are they the most likely target?
Some would call young people “digital natives”. In other words, they were born in the era of the digital revolution.
They’re used to using mobile phones. They are used to using social media to communicate. They have online and real-world personas. And in addition to socialising on social media, they also organise on it, in terms of their political activities.
So, if they decide to form a protest, they go online, and they message each other. They go on Twitter and they tweet about it. And they hashtag all of these protests.
Now, metadata is being collected for social media applications, as well as telecommunication companies. And the likes of Google and so on, under the Assistance Act that was passed in 2018, are required to keep technical information. And that information relates to social media applications, because the traditional focus would not have this ability. And that data must be retained for everyone.
Young people use mobiles and social media more than the older generation. The stats are around at least three times a day. They are quite active. So, if you collect data three times a day, seven days a week, 30 days a month over a 12 month period, you get quite a lot of information.
Metadata is retained for a minimum period of 2 years. And there is no guarantee that the information is dispersed afterwards.
Now, if someone is politically active and they want to protest climate change, they’re more likely to organise themselves on social media. And what happens if they’re protesting climate change, a lot of these protests are around mining activities. These mining activities are seen as of national interest.
So, if the protests are against these activities and are relevant to security, the risk is that their metadata may be retained, and their activities may be inquired into, so they become persons of interest to see if they may be potentially breaking any laws.
You also point out that in the US and UK, courts have enforced judicial roles in relation to accessing metadata, whereas this hasn’t occurred in Australia. You advocate that a metadata warrant system be implemented here. What would that entail? And what would it protect?
In the US, specifically, it was around location information, where the Supreme Court said generally the agencies should obtain a warrant. In the UK, it was also for other types of metadata, like URLs and serial numbers.
What I’m proposing is a procedure where there is an independent authority firstly to which a request for metadata is submitted. Currently, the agencies are doing that inhouse.
The suggestion is that there’s an independent authority that’s part of the judicial system to which all of these requests are submitted. And a judge or a magistrate is appointed that looks at the application.
The application should be issued under oath. And based on those statements, this independent authority would raise questions around the validity, the process and the offence that’s likely to have been committed.
And then they issue the approval and it states the specific metadata that can be collected for around a period of time and it can be used for this specific criminal investigation.
Then you would feed back to this independent authority about the serving of the warrant, report on how it was served, and then the courts would make sure that all of the conditions set out in the warrant have been met.
And lastly, Dr Shanapinda, over recent months, it’s become apparent with the rise of groups, such as Extinction Rebellion and the climate change student strike, that young people plan on taking to the streets to bring about change in regard to the climate emergency.
A lot of what they want to change relates to the way big industry runs. If the metadata retention regime continues to develop in the same way it has been, what do you think the implications are for these new movements?
Firstly, direct action has been taken, where the Criminal Code has been amended to criminalise the activities of trespassing and other activities of activists. It has criminalised activities that previously may have not been seen as criminal.
To investigate whether protesters have committed those activities, their metadata would have been collected, because the offence is if you incite anyone to destroy property you may run foul of these offences. And you may have done this on social media, so your social media metadata would then be collected.
The other implication is that you may potentially become a person of interest, or relevant to security. And if you become a person of interest – organising these protests, always being involved in these activities and always showing up at various protest venues – then your activities become relevant to security and your metadata for the period of two years can be collected, analysed and retained indefinitely.
So, the security agencies will be building profiles of some of these protesters that are front and centre of these movements?
Once you become a person of interest, if you’ve committed an action that’s relevant to security – you don’t need to have committed a crime – they may collect your information. You might not know about this and you may not even be charged.
The submission from the Commonwealth Ombudsman raised the issue around the destroying of metadata that’s been collected, as it’s been left unaddressed. And so, it looks like the metadata is being retained indefinitely.
If it is being retained indefinitely, it can be potentially used in the future for other activities. So, you could argue that the profiles made of these individuals may be kept.