A senate hearing has revealed Australian telcos might be giving away more metadata to police than first realised due to "ambiguities" in the controversial data retention laws. This means law enforcement officials have a pretty good clue of what you've been looking at just by looking at the URL.
During a public hearing regarding Australia's metadata retention laws on February 7, Commonwealth Ombudsman Michael Manthorpe admitted the legislation's ambiguity meant law enforcement officials were able to access more metadata than originally promised when the laws were passed back in 2015. Manthorpe said the law's lack of clarity meant telcos sometimes provided the full URLs to law enforcement officials — something that was supposed to be excluded.
"The piece of ambiguity we have observed through our inspections is that sometimes the metadata in the way that it is captured – particularly URL data and sometimes IP address, but particularly URL data — does start to actually, in its granularity, communicate something about the content of what is being looked at," Manthorpe told the committee.
"It can be quite long or it can be quite short, and in some cases the descriptor is long enough where we start to ask ourselves, 'well that's almost communicating content, even though it's captured in the URL.'
"When the scheme was commenced the concept of metadata was probably thought to be quite a clean and delineable thing, but we know that there is a greyness on the edges here that we thought we should call out."
So what does this actually mean? As an example, the URL of the article you're reading contains most or part of the headline, so anyone looking at the URL alone would be able to determine what the page contains. It's argued that this, along with information that simply shows you've visited a site like Gizmodo, constitutes content.
The committee also heard from Bethany West, director of National Assurance and Audit, who said that very little of the metadata retrieved by law enforcement agencies had been deleted and it wasn't clear how long it could be held by them.
Australia's metadata retention laws came into effect in 2015 with the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015. The laws enabled law-enforcement agencies like the Australian Federal Police, ICAC, ASIC and state police forces to access the metadata of Australians without a warrant if in the interest of national security. The major exception to the rule is the metadata of journalists, which requires a warrant.
Captured metadata was infamously explained by Senator George Brandis in 2014 as the envelope but not the letter containing your message. For phone calls, this meant details of when and where the call was made and the phone numbers involved, for example, but a recording of your conversation was not permitted.
On the web, Brandis said in a 2014 Sky News interview the "electronic web address" would be captured but browsing within the site would not. An amendment to the act, under 187A (4)(b) and (c), meant web browsing history was not to be captured under the metadata legislation.
After a serious outbreak of coronavirus in China, South Australian police revealed it'd accessed the metadata of an infected Chinese couple who travelled to Adelaide to determine potential locations of spread. It's not known whether the couple provided consent but the force confirmed to Gizmodo Australia it accessed the data in accordance with the relevant legislation — the Telecommunications (Interception and Access) Act 1979.
Watch the first part of the senate hearing here. Another hearing will be held on February 14.