Despite the fact that Communications Minister Malcolm Turnbull was left out of the decision to enact a mandatory data retention proposal by the Cabinet's National Security Committee, he may just be exactly what they need to stop the swell of discontent around the policy. Turnbull is on a PR drive today to tell the common man and woman what metadata is, following a spectacular series of fails by Attorney General George Brandis earlier in the week. The spin is in.
Image: Stefan Postles / Getty
Turnbull's first stop this morning was the ABC's AM radio program, where he sat down and gave full and frank answers on exactly what the government knows right now about what it will be collecting when it comes to mandatory metadata retention. As Turnbull clearly points out, the policy is still being decided upon, so a few things are still up in the air, but Turnbull did his best to appear as the Cabinet's voice of reason after the disastrous interview George Brandis gave Sky News two nights ago.
So what's up with metadata, Malcolm?
The Minister quickly deferred a question relating to his involvement in the Cabinet's decision to enact a metadata policy, while also not denying he threw a "hissy fit" about the process. What he did want to mention right off the bat instead was that ISPs and telcos already capture customer metadata, but likely don't store it:
The security services, the police, ASIO and so forth, are not asking the Government to require telcos to record or retain information that they are not currently recording. There has been some concern expressed that the Government was proposing that telcos should retain for two years a record of the websites that you visit when you're online, whether that's expressed in the form of their domain names or their IP addresses, in other words, that there would be a requirement to keep a two-year record of your web browsing or web surfing history.
What they are seeking is that the traditional telephone records that are currently kept, and by some ISPs and telcos for more than two years, that is the caller, the called party, you know, I called you, time of call, duration of call - those records be, they want them to be kept for two years.
And they also want the IP address, which is the number that is assigned to your phone or your computer when you go online by your ISP, so that you can be connected on the internet. And, that is of course connected, that the ISP knows that IP address is connected to your account. That's recorded in their records. They want that information to be kept for two years. Now, that is... some ISPs keep that record for differing periods.
But that is information that is already being kept and it's clearly, it's, it's an essential part of an ISP's business.
The distinction around the government capturing IP address information about what you've visited and when and "web surfing history" as Turnbull says is an interesting one, and it's a point that Attorney General George Brandis fumbled his way through on Sky News a few nights ago. From what we can figure out, the government's messaging around the data retention program is about assuring people they're not being snooped on. By telling them that spy agencies will have access to a list of the IP addresses you connected to, you can technically say you're not scooping up someone's web browsing history.
In a technical sense, someone's web browsing history is a plain-text list of the websites a user may have navigated to. By saying that the government is collecting IP address histories rather than web browsing histories is a distinction meant to make the ordinary, web browsing Australian feel less intruded upon by the government's sweeping metadata collection drive. In reality, it's a misnomer.
Take the Australian Parliament's website, for example. If the government were to, under Turnbull's definition of data retention, identify that your IP address connected to aph.gov.au, all it would get would be the IP address of the server you ended up at. In this case, that IP is 220.127.116.11. Simple, right? By looking at that string of numbers in the abstract, you can't tell if I was on the APH website doing some research or on PornHub doing other "research". But wait, there's more.
Thanks to the magic of DNS, all you'd need to do to figure out what website that actually is would be to pop the address, namely 18.104.22.168, into your web browser and voila! The website appears. The government wants you to know it isn't coming for your web browsing history, but it doesn't matter either way: they know what you're looking at.
Finding IP addresses for websites is just as easy, with a bevy of online tools available for free allowing you to look up a website's IP in literally less than a second. Here's Malcolm Turnbull's website for example.
Don't believe the hype.
For what it's worth, Turnbull did say in the interview that the government doesn't explicitly want to collect the IP addresses that Australian internet users connect to, despite an assertion from AG Brandis that it would.
Brandis said two days ago:
“Well, um, what people are viewing on the internet when they web surf will not be caught. What will be caught is the, um, is the um…the web address they communicate to…the electronic address of the website.”
“What you’re viewing on the internet is not what we’re interested in…but what the security agencies want to know and be retained is the electronic address of the website that the web user [goes to].”
Turnbull said today, however:
MALCOLM TURNBULL: There has been some concern expressed that the Government was proposing that telcos should retain for two years a record of the websites that you visit when you're online, whether that's expressed in the form of their domain names or their IP addresses, in other words, that there would be a requirement to keep a two-year record of your web browsing or web surfing history.
MICHAEL BRISSENDEN (interviewer): So that's not the case?
MALCOLM TURNBULL: That is not the case. That is not the case.
Despite the fact that the Minister was looking to set the record straight, it's still a tad murky about what the government is actually coming for. It would make little to no sense to capture a user's IP address and not what they connected to online. That'd be like knowing everyone's phone number — the equivalent of having the White Pages — but not looking at who they're calling. It's a useless enterprise for the spy agencies who want it.
Unfortunately, we probably won't know for sure what the government wants until we see a draft of the legislation, and that's months away.