Data Retention: It's Not The Data That Matters, It's Who You Can Be Connected With

The purpose and implementation of the Australian government’s proposed metadata retention scheme is making less sense as political pressure mounts to get the legislation passed. So what’s going on?

Luke Heemsbergen is a PhD Candidate in Media and Politics at the University of Melbourne. This post originally appeared on The Conversation.

The Bill, as written, suggests it can be easy for criminals to "opt out" of data collection, while the remainder of Australians still have their personal communications spied on, retained for two years and kept in commercial data centres at taxpayers' expense.

The Australian Greens senator Scott Ludlam recently raised a number of such concerns about the Bill which has already met opposition from privacy advocates.

But the Bill’s worth as a tool to specifically fight terrorism, or any other serious crime, seems dubious if potential terrorists and criminals in Australia can easily “opt out” of having their data retained simply by choosing any internet messaging service where the persons operating the service do not own or operate “in Australia, infrastructure that enables” that service.

So what does that mean for the apps commonly used on smartphones today?

Whatsapp, the popular mobile messaging app with 700 million users, around 10 per cent of which come from the Middle East, or Viber, a similar app with 20 million users in Pakistan alone, would both be excluded from data retention. These are some of the apps that the UK’s Prime Minister David Cameron recently mused about banning in the UK.

According to answers given by Australian Attorney General’s (AG) department staff during the Senate Legal and Constitutional Affairs Reference Committee, the “in Australia” provision also means that even Google’s web-based Gmail service is excluded from data retention.

So what does the Bill call for?

With all the reports of what the Bill leaves out and doesn’t do, no one seems to acknowledge what is actually in the draft Bill, and how that language might affect policing, government and privacy. So what is at play?

One possible explanation is that Australia is carrying out its obligations as part of the “five eyes” network of English speaking intelligence partners. The logic here is that it makes economic and political sense to have Australian internet service providers (ISPs) such as Telstra and iiNet retain what originates in their infrastructure rather than have the US’s National Security Agency (NSA) collect it.

A more plausible explanation is that, contrary to the PM’s politiking, the data to be retained is not valued by the Australian government for its national security or anti-child abuse value.

Instead, Australians are to be spied on for data that will become valuable for other state functions including the expanded reach of civil litigation. The expanded value considers normal policing, civil subpoenas and even copyright disputes.

A look inside the Bill

The Australian government is not explicitly interested in the internet protocol (IP) addresses that you visit. The Bill in its current form states in section 187A that the government:

[…] does not require a service provider to keep, or cause to be kept […] [information that] states an address to which a communication was sent on the internet, from a telecommunications device.

In more detail, the helpful “explanatory memorandum” codifies that:

Under proposed paragraph 187A(4)(b), the retention obligation is explicitly expressed to exclude the retention of destination web address identifiers, such as destination internet Protocol (IP) addresses or uniform resource locators (URLs).

So what are we talking about then?

It’s all about the destination

What the government does seem to be after is “destination” data that basically amounts to an assortment of dummy variables that help identify you, and who you are communicating with.

Instead of IP address or web pages, it is interested in retaining email accounts, Skype handles and phone numbers, etc. for the connections you have made.

The government’s “destination” is in many ways more invasive than IP addresses or web URLs alone. For instance, think about how each person in Australia connects to the IP address 69.63.176.13. That’s the IP for Facebook.com, and is physically located in the US.

Retaining the metadata of time spent at that address would not produce much actionable intelligence on you or the other 8 million Australians who browse Facebook each day. Nor would it be all that invasive to privacy.

“Destination” data is different. “Destination” data seeks to capture who, specifically, you’re spending time with online; who is the destination that you are messaging through email, Skype or possibly even Facebook’s real-time apps and services?

Think of it this way: two “destinations” pass data through the same communications service at a series of very specific times, again, again and again. No other two “destinations” share this unique pattern of time and connection.

The government’s definition of “destination” is multiple click here, search for “destination”), but we can isolate a key phrase:

This information can then assist with determining the subscribers who sent or received relevant communications.

That is to say, who you’re talking to online, not where you went.

Analysing how these “destinations” link together with other metadata (geo-location, device type/operating system, etc.) allows the government – or anyone else who snoops in on the retained data – to predict, for instance, that these communications were yours, and whether you targeted them to, let’s say, your spouse, or an “old friend” across town. And whether you meet up with that person from time to time. And where. And for how long.

Geolocation data alone is incredibly powerful when we all carry smartphone and other devices that connect to the internet in our pockets. People are just starting to learn how powerful this type of metadata is.

Retaining all of that metadata provides an incredible amount of information for civil litagants that can ask for it through a subpoena. As an former iiNet lawyer wrote:

The Data Retention Bill does not impose any limitation on access to the retained data by other legal avenues. This means there’s nothing stopping your ex-husband, your employer, the tax office or a bank using a subpoena to get access to that data if it is relevant to a court case.

All this data also creates a very valuable target for hackers, including “adversarial intelligence agencies” trying to infiltrate your identity, ransom you for your secrets, or run some form of economic espionage.

Can we trust Australian service providers can keep all the data safe once they’ve accumulated two years worth of intimate connections for each Australian who uses any sort of telecommunications device?

Sadly, recent security breaches at companies as diverse as Apple, Target, and the latest heist from “100 banks and other financial institutions in 30 nations” suggest otherwise.

The flawed explanations of what good the Bill does, what privacy risks it creates and the reality of how our retained data will be used, offers many red flags on why this legislation should be reconsidered.


Comments

    And the really funny joke here is that even if you were able to explain this to the Powers that be, in a way that they fully understood you, they would still feel compelled, by those with money, power and influence, to continue down this path. I'm talking about you Merica, Hollywood, etc!

    Last edited 26/02/15 10:26 am

    A German Politician was able to gain access to 6 months of his own Meta Data and made it available online. Ziet Online combined the data and allows you to play through that six months and see some of the meta data that was collected in that time.

    http://www.zeit.de/datenschutz/malte-spitz-data-retention

    No wonder all the spy agencies want this passed. Effectively track every Australian with a smart phone without a warrant at all times. It's like handing them the golden ticket, while flushing any semblance of your right to privacy down the toilet.

      Not just you! But the metadata will show out going calls. Including tower ID,range and angle, meaning the GPS location of the person you are calling. even if they don't answer the call, the data is there.

    Watching Shaun Micallef's Mad As Hell Last night, it had a good segment about the Govt wanting to cut the Australian Census (voluntary data retention) for a saving of about $400mil and wanting to implement a $400mil non-voluntary data retention program.

      Amusing, but a fallacy given the relevant census data is now to be collected involuntarily anyway, just not during census time.

      Government didn't want to cut the Census. The Bureau of statistics wanted to do it

        and who do they work for again? Who gives them their money and for what purpose?

    In the United States, with their advanced espionage technology and all their intercept and survelliance programs courtesy of the NSA, FBI, CIA etc. the number of people on the Terror Watch List is INSANELY HIGH!!! Something like a third or even half are innocent people cause they are 1-3 degrees of seperation from a suspect already on the list.

    ASIO dropped Monis from their suspect list even after several warnings from concerned citizens cause they didnt have the many power... Data Retention will give ASIO a Big Data Problem where they will spend more time proving people innocent and removing them from the list than actually following up credible leads to find real culprits. Cause they are so short-staffed that they crossed off a dole bludging murder-suspect refugee with wierd travel habits and hate mongering background... cause they were short staffed and couldnt validate any claims. SERIOUSLY lack of information isnt their problem, its lack of staff and its lack of brains.

    According to Citizenfour, the number of people on the watch list at the time was 1.2 Million.

    Absolutely insane. I'd suggest this number has increased as people start to more actively campaign against data rentention, and other legislation that removes basic human rights. The NSA does not like people who want to be free to live their lives without Government control.

Join the discussion!

Trending Stories Right Now