Opinion: We're getting a data retention regime that will track your every digital move. However, details about what constitutes 'metadata' — the information that will be retained — are as yet unclear, and it seems as if the architects of the scheme don't know either.
Proposed widespread data retention laws are being sold to the Australian public using a metaphor that is incomplete, inaccurate and insubstantial. If the government expects the citizens that voted it into power to accept its reasoning for laws that are incredibly wide-ranging and potentially invasive of our existing expectations of privacy, it had better get its message straight.
Last night, in an interview on Sky News, government Attorney-General George Brandis was repeatedly asked to explain what he meant by 'metadata', and by all accounts his explanation didn't satisfy either the majority of Twitter users or those with an important role to play in the data collection process.
"Imagine a letter. The metadata is the name and the address on the envelope, not the content of the letter."
This metaphor does not accurately describe the extent of the metadata that can be collected while monitoring anyone's activity on the Internet. It is passable for describing the metadata that is possible to be collected on a phone call — time, date, duration, location but not conversation — but its utility ends there. If you extrapolate Brandis' overly simplified metaphor to cover online communications, you begin to see its flaws. If, as Brandis goes on to explain, the mandatory data retention regime would capture for example web addresses, those Web addresses are inextricably tied to content.
If I am on Facebook, and I click on my friend's photo and view it in full in my browser, the 'metadata' involved in this online transaction would include, at the very least, my Internet connection IP address, the IP address of the Facebook server I am accessing on which that photo is stored, the time and date that I accessed it, my location (through IP geolocation) and the unique Web address of that photo file. The only thing not being stored as metadata in this transaction is the actual pixels of the photo — but those can be accessed by anyone with the metadata, as long as that photo remains at the Web address I accessed it via.
Brandis' suggestion that the government wants "to maintain the sharp distinction between metadata and content" — ostensibly to maintain the privacy of the general Internet-using public — is, to the best of my technical understanding, not possible. The letter metaphor might be an easy soundbite and might adequately cover phone calls, but it does not go nearly far enough to address Australians' existing expectation of privacy around online content. (By the way, I am completely happy to be proven wrong on this if it means that the collection of data does not extend as far as I am being led to believe.)
Will a user's complete Web browsing history be stored? Will Skype calls be recorded? Will Twitter and Facebook data (inextricably tied to Web addresses, as is everything else on the internet) be catalogued? Going on Brandis' explanation last night on Sky, the government honestly doesn't seem to know. Comparing metadata collection to glancing at the front of an envelope does more harm than good.
The privacy implications of even basic and top-level collection of online metadata are problematic. This isn't something that can be just proposed, confirmed and thrown together without serious consideration of the consequences, let alone the technical requirements. According to iTnews, the Liberal government's Communications Minister Malcolm Turnbull was not consulted before the data retention proposal was accepted by the National Security Council responsible for such matters.
If this this consideration has been made, why hasn't the content of that consideration been discussed or made public? If this consideration hasn't been made, why has this policy been proposed and confirmed and announced in the first place?
I understand that Brandis is not technically literate to the level that much of Gizmodo's audience and the wider technology industry in Australia is; he has a legal background, holding three Bachelor's degrees in arts and laws and civil law, that makes him arguably the most suitable member of the current Liberal government to be holding the Attorney-General's role, but he's not as techy as someone like Turnbull. I can understand there being confusion over a highly technical topic, and that the scheme itself is still in the early stages of its construction. But it can't be that early if he's talking about it on Sky News.
What is confronting for me is that in the interview, as in previous discussions on the topic, a huge amount of conflicting information and misinformation is being presented. Since the scheme was confirmed, we've heard that only phone call origins and destinations, times and durations and locations will be recorded. We've also heard that "website addresses" will be recorded, but not the content of those addresses. We've heard a lot of different statements, some of which are moderate, some of which are extreme, and some of which do not make technical sense.
When you are proposing to implement a scheme that would be incredibly expensive according to the companies required to foot the bill, that would have a "chilling effect" on free speech according to Australia's Privacy Commissioner, and would capture a huge amount of data on every Australian citizen's online and telecommunications activity according to its own goals, it is very important that you tell the Australian public very clearly what you are proposing if you expect them to accept it.