Nothing to Hide but Everything to Fear – Part 1 of our Special Series on the New Metadata Laws

There has been a great deal of political rhetoric lately about the federal government’s proposed meta-data retention laws, which would require internet and phone service providers (ISPs) to store your personal data for 2 years and make it available to a range of law enforcement agencies without them even having to obtain a warrant.

But what do the laws actually say?

This is part one of a two-part blog series about the government’s proposed meta-data retention laws.

It looks at what the legislation says – including the definition of ‘meta-data’ (or lack thereof) – how it is likely to impact upon our right to privacy, some of the dangers and the costs of implementation

What is meta-data?

Meta-data is data that describes and gives information about other data. It includes things like internet searches, URLs of internet pages, passwords, telephone data and email data.

Clear things up? Probably not. If you struggle to understand the meaning of meta-data, you’re not alone. Even Attorney General George Brandis was unable to define the term during a recent television interview where he embarrasingly mumbled, twisted and turned for several minutes attempting to evade the exposure of his ignorance.

In fact, meta-data isn’t even defined in the proposed new laws, which means that it is unclear as to precisely what data will be stored and accessed.

What does the proposed law say?

The proposed laws are actually amendments to the Telecommunications (Interception and Access) Act 1979 (the “Act”).

They are contained in the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 (the “Bill).

The term ‘communication’ is defined in the Act as including a conversation and a message, or any part of a conversation or message in the form of:

• Speech, music or other sounds;
• Data
• Text
• Visual images, whether or not animated; or
• Signals
• Any other form or a combination of the above forms

Section 1 of the the Bill requires ISPs to keep and store communications which relate to

(a) Information of a kind prescribed by the regulations; or

(b) Documents containing information of that kind.

But there are no regulations yet, which means that the details can be conveniently filled in by the government at a later date.

Content of communications

However, section 4(a) of the Bill does make it clear that the proposed laws do not capture the actual content of phone calls or emails; for example, what you said during a conversation, or the contents of the email or text message itself.

Web browsing history

Subsection 4(b)(i) reads as follows:

“This section does not require a service provider to keep, or cause to be kept…. information that states an address to which a communication was sent on the internet, from a telecommunications device, using an internet access service provided by the service provider”.

The notes under the subsection say that “service providers are not required to keep information about subscribers web browsing history”. The subsection’s explanatory memorandum also says that is intended to make sure that ISPs are not required to record the URLs that you visit.

But some have raised concerns that the section itself does not reflect the notes or memorandum at all; in other words, that although the section talks about not requiring “an address to which a communication was sent”, it does not seem on its face to prohibit information about URLs accessed. That view is supported by the definition of “communication” in the legislation, which focuses on information that is actually sent to and from users, such as emails, phone calls and messages. If that is correct, it leaves open the possibility that law enforcement agencies can access data about URLs that have been accessed, either through a browsing history or by otherwise accessing information stored about specific sites that have been accessed in locations other than any consolidated history.

If law enforcement agencies can gain information about URLs accessed, it would not be difficult for them to manufacture criminal cases against just about anyone who regularly uses the internet for information.

Indeed, a whole range of people access URLs which could be used to suggest that they are involved in illegal activities, even terrorism. For example, it is not unusual for students, bloggers and lawyers to access dozens or even hundreds of pages that provide information about terrorist activities and groups, or about drugs, or about other unlawful conduct. Such content might be accessed to write essays and blogs, to provide legal advice or even out of general interest. Those pages might only represent a small portion of thousands of pages accessed by the person over a two-year period. However, it is not hard to see how law enforcement agents looking back at two years of a person’s data could manufacture a case against them by emphasising that they accessed URLs relating to terrorism, bikies, drugs, organised crime, criminals etc. Unscrupulous officers might even use the information to bolster a case against a suspect in a completely unrelated matter.

Greens Senator Scott Ludlam says that the proposed laws treat every single Australian as a criminal.

No content = less dangerous?

Since the actual content of communications does not have to be stored, some see meta-data as non-invasive and safe, but this is not necessarily correct. Meta-data covers a lot more than some might think, and the absence of content could actually leave open the possibility of unfairly adverse inferences being drawn against innocent people, especially if they can’t recall the reason for past communications or the nature of the content.

What can be accessed without a warrant?

Under the legislation, law enforcement agencies can certainly access the following information without a warrant:

• Characteristics of: the subscriber of the service, the account relating to the service, the device used, or another service device relating to another service;
• The source of the communication;
• The destination of the communication;
• The date, time and duration of a communication, or of its connection to a relevant service;
• The type of communication or type of service used in connection with a communication; and
• The location of equipment, or a line, used in connection with a communication

All this information must be kept by ISPs for two years after it comes into existence.

The location and time of each phone conversation you have, or email you send, can then be mapped out, building a picture of your daily travel movements and habits. It could place you at the scene of a crime, or at the same location as a suspect, even if you had nothing to do with it.

And the proposal could also mean that ‘confidential’ journalist sources might have their cover blown – despite recent amendments which say that police and other agencies have to obtain a warrant to access journalists’ metadata.

It is important to note that the new provisions which require a warrant to access metadata will only apply to journalists, not ordinary individuals or other non-media organisations.

Furthermore, it is unclear how the law will define ‘journalists’ – and the laws say that journalists and media outlets do not have to be notified when a warrant has been sought or when their metadata has been accessed.

This means that police and law enforcement agencies could simply make an application to access data without a journalist even knowing. If a warrant is granted, police could potentially find points of intersection such as geographical location or phone calls between journalists and suspected whistleblowers.

EU meta-data laws were rejected

Metadata retention laws in the EU were quickly knocked-back when courts found that they violated the right to privacy contained in the EU Charter of Fundamental Rights.

Unfortunately in Australia, we have no national Bill of Rights let alone a specific right to privacy; but the fact that the EU has found similar legislation to be an unacceptable breach of privacy suggests that it is hardly as innocuous as the government would have us believe.

How will it work?

The legislation does not have a targeted approach to collecting information – it simply requires ISPs to store everything.

The Australian Privacy Foundation criticised the lack of procedural safeguards, such as the need to obtain a warrant when accessing the metadata of individuals.

Currently, law-enforcement agencies are supposed to obtain a warrant before they access meta-data about individuals. And of course, the amount of retrospective meta-data that they will be able to access will depend on how much has been retained by the ISP.

The extra step of having to obtain a warrant currently means that an independent magistrate or judge must find that there are good reasons for law enforcement agencies to access an individual’s private information. While the current warrant system is far from perfect – with police being known to exaggerate or fabricate information to get warrants – at least we currently have some form of protection.

But if the Bill passes, police will not need a warrant to access meta-data collected about you over the past two years.

Who will have access to your information?

There are currently 13 groups of criminal law-enforcement agencies listed in the Bill who would have access to your metadata without a warrant:

• Australian Federal Police;
• A Police Force of a State;
• The Australian Commission for Law Enforcement Integrity;
• The ACC;
• The Australian Customs and Border Protection Service;
• The Crime Commission;
• The Independent Commission Against Corruption;
• The Police Integrity Commission;
• The IBAC;
• The Crime and Corruption Commission of Queensland;
• The Corruption and Crime Commission;
• The Independent Commissioner Against Corruption

How much will it cost and who will pay?

Apart from privacy concerns, the cost of the scheme has also attracted major criticism. Customers are expected to be footing most of the bill – and it isn’t going to be cheap.

The Attorney General’s Department has discreetly released information on its website estimating that the cost of implementing the legislation will be between $188.8 million and $319.1 million. With figures like that, it’s no wonder that the government wants to keep it under a secret. And those figures don’t even take into account all of the likely costs; with Telstra warning that millions of additional dollars will need to be spent attempting to protect the goldmine of data from hackers.

The government has said that it will make a substantial financial contribution to the costs, but no figure has yet been cemented. So it’s is not surprising that telcos foreshadow that consumers will bear most of the costs through higher telephone and internet prices. The iiNet group estimates that internet usage bills could increase by up to $10 per month as a result of the legislation.

Despite all of these uncertainties, dangers and costs, the Bill is inching its way towards becoming law. It is expected that Labor will support the Bill after all 38 recommendations by the Parliamentary Joint Committee on Intelligence and Security were recently accepted by the government.

Unfortunately the bi-partisan committee recommendations do not go far enough in restoring the balance, still leaving gaping problems with the Bill. Most of the recommendations are minor, and do not address the significant uncertainties, privacy concerns and dangers that civil liberty groups have flagged.

Whichever way you look at it, the Bill is huge leap towards a police state, where everything we do and say is monitored by law enforcement agencies.

Stay tuned for part two of this blog, looking in greater detail at the dangers of the proposed laws.