The Abbott government wants your metadata. It has introduced legislation to Parliament that it wants passed this month. Should the metadata retention bill be passed into law, it will set up an Australia-wide system of citizen surveillance.
The implications are broad and alarming. This article attempts to explain what’s at stake.
What is the legislation?
The bill currently before the parliament is called the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014.
The law is a wide-ranging update to existing surveillance legislation dating from 1979, under which police agencies are already able to obtain telecommunications intercepts.
The new law will force phone companies and internet service providers to capture and keep the metadata of all their customers for two years.
Where are we at?
The bill is currently in its first reading. The powerful Parliamentary Joint Committee on Intelligence and Security has held an inquiry into the new law and published a report.
The government is now expected to consider the report and propose a number of amendments. Attorney-General George Brandis has said the government will support the Joint Committee's recommendations.
Tony Abbott has said he wants the law passed by March.
Why do we need it?
The government, the Attorney-General’s Department and the various security agencies claim we need a new law to ensure that metadata is retained for investigations.
Prime Minister Tony Abbott said in a media conference on February 5 that “as we know, technology is changing all the time and telecommunications companies are not keeping these records for as long as they did”.
“We have, if you like, a burning platform and as a result of that burning platform, increasingly, police and other crime fighting agencies are going blind.”
Interestingly, one of the key justifications for the new law is that, in the wake of the Edward Snowden revelations about government surveillance, more and more citizens are using encryption and other technologies that make it harder for enforcement agencies to spy.
Metadata gets around this constraint. Even an encrypted message can still reveal lots of information about the sender and recipient.
As Detective Superintendent Kopsias from NSW Police told the Joint Committee on Intelligence and Security, “encryption has become mainstream now, with the Snowden impact; we have over-the-top applications and the smartphones out there: all those things are impacting on us.”
What is metadata?
When Sky News’ David Speers interviewed Attorney-General George Brandis last year, Brandis infamously struggled to explain just what metadata is.
The interview won Speers a Walkley award, and demonstrated that the man in charge of Australia’s surveillance apparatus doesn’t really understand what his spies are collecting.
So what is it? The easiest way to explain metadata is to ignore the “meta”. The “meta” in metadata simply refers to the fact that it is data about your data. Metadata is data: data about the emails you send, the phone calls you make, the photos you snap, and much, much more.
Metadata typically includes temporal and geographical information: where you were when you made a call, and at what time. It also includes technical information such as what device you were using, what network, the subject lines of email correspondence and the file names of email attachments.
Metadata from phone and internet records can also be cross-checked. It can be compared with financial data obtained from a suspect’s bank account, for example allowing credit card purchases to be checked against phone calls or emails.
In other words, metadata is incredibly useful information for any potential snoop. As the Guardian’s Oliver Laughland disclosed back in 2013, metadata can be used to build up a remarkably accurate outline of somebody’s life.
Perhaps that’s why Australian intelligence agencies were so interested in the metadata from the Indonesian President’s phone.
What metadata will this law force phone and internet companies to collect?
Whatever the government wants. The law has been specifically drafted to allow the government of the day to determine what metadata must be collected by regulation. As the explanatory memorandum states:
“Proposed paragraph 187A(1)(a) provides that the data to be retained is to be prescribed by regulation. The use of regulations to prescribe the details of data to be retained facilitates the prescription of the necessary technical detail to provide clarity to telecommunications service providers about their data retention obligations while remaining sufficiently flexible to adapt to rapid and significant future changes in communications technology.”
According to section 187A of the bill, the metadata to be kept will include:
(a) characteristics of any of the following: (i) the subscriber of a relevant service; (ii) an account relating to a relevant service; (iii) a telecommunications device relating to a relevant service; (iv) another relevant service relating to a relevant service; (b) the source of a communication; (c) the destination of a communication; (d) the date, time and duration of a communication, or of its connection to a relevant service; (e) the type of a communication, or a type of relevant service used in connection with a communication; (f) the location of equipment, or a line, used in connection with a 9 communication.
The only thing specifically ruled out is what websites you browse to. The draft bill notes that “service providers are not required to keep information about subscribers’ web browsing history.”
What services will it apply to?
Only Australian ones. The government cannot force foreign providers such as Google, Apple or Yahoo to store or share metadata.
The absurd nature of the bill was vividly displayed in a Senate Committee by the Attorney-General Department’s Anna Harmer.
Under questioning from Greens Senator Scott Ludlam, Harmer admitted that overseas providers such as Google would not be covered.
SCOTT LUDLAM: So if my email account is an @iinet.net.au address, it will be within scope. And if my email is an @gmail.com, it'll be out of scope. ANNA HARMER: So it's correct that iiNet, Internode as an Australian carrier service provider, depending on which part of the entity you're using, is subject to the obligations. Gmail itself, or Google as an entity, is not subject to the obligations. So that is in relation to the provision of the email service.
Communications Minister Malcolm Turnbull seems to understand this. He has admitted to using encrypted, “over-the-top” services such as Wickr and WhatsApp.
Who can access the metadata?
Anyone the Attorney-General decides.
The legislation defines the following agencies that will be able to access the metadata. But it also includes a clause that allows the Attorney-General to give access to any agency he or she wants to.
(a) the Australian Federal Police; or (b) a Police Force of a State; or (c) the Australian Commission for Law Enforcement Integrity; or (d) the ACC; or (e) the Crime Commission; or the Independent Commission Against Corruption; or (f) the Police Integrity Commission; or (g) the IBAC; or (h) the Crime and Misconduct Commission; or (i) the Corruption and Crime Commission; or (j) the Independent Commissioner Against Corruption; or (k) an authority established by or under a law of the Commonwealth, a State or a Territory that is prescribed by the regulations for the purposes of this paragraph; or (l) a body or organisation responsible to the Ministerial Council for Police and Emergency Management – Police; or (m) the CrimTrac Agency; or (n) any body whose functions include: (i) administering a law imposing a pecuniary penalty; or (ii) administering a law relating to the protection of the public revenue
In addition, ASIO can access the metadata.
This definition is very broad. As noted constitutional lawyers George Williams and Keiran Hardy argued in their submission to the Parliamentary inquiry about the metadata bill, “the Attorney-General could declare any authority or body as a criminal law enforcement agency, so long as he or she considers the specified range of factors in doing so. In particular, the Attorney-General may consider ‘any other matter’ that he or she considers relevant.”
The recent Parliamentary Joint Committee on Intelligence and Security report into the new law recommended that the clause allowing the Attorney-General to give agencies access by regulation be amended.
However, it also recommended that two new agencies be given access to metadata: corporate regulators ASIC and the ACCC.
Is a warrant required?
No. The current legislation, dating back to 1979, does not require a warrant for metadata. This law, which will update the existing regime, will not require a warrant either.
As the Guardian’s Paul Farrell has discovered via a freedom of information request, at present relevant agencies like the AFP only need to fill out a simple one-page form.
How could metadata be used by police and spy agencies?
The Attorney-General’s Department and the various police forces claim that the metadata will be used mainly to catch crooks.
However journalists, lawyers and privacy groups are concerned the new law could also be used to investigate and prosecute journalists and whistleblowers.
For example, let’s say you’re a whistleblower with information about something going inside a government department, and I’m an investigative journalist. After making contact by calling the switchboard of my publication, let’s say you call my mobile from a payphone near your office. We arrange to meet and talk. Sometime later that day, you send me a series of sensitive documents via a supposedly secure email address on my company’s web server.
But there’s a problem. The government is embarrassed by the leak. The Federal Police launch an investigation. They ask your phone company and ISP for your metadata. They do the same for my phone company. They don’t need a warrant: just a simple request will do.
The metadata shows the following: that you called my publication’s office from your work landline. That my mobile phone received a call from a payphone very near your office, at a time when data from your office swipe card showed you had left the office. That you had sent an email from your personal email account to an address on my company’s web server. And that later that night I had emailed my editor, and that shortly afterwards I had received a number of calls from my publication’s editor, managing editor and in-house lawyer. The next morning, an article by me detailing the leak appeared in my publication.
Similar scenarios have already occurred in Australia, Britain and the US.
In 2005, The Australian published a secret report about airport security by a former Customs officer named Alan Kessing. He was charged and convicted under section 70 of the Crimes Act and received a nine-month suspended sentence. According to the ABC’s Media Watch, metadata showed he had called The Australian from a payphone near his house.
In 2014, former US State Department official Stephen Kim was convicted under US espionage law for leaking a State Department report to a Fox News journalist. Metadata established that he had made and received calls to journalist James Rosen, that he had called up the report on a secure computer at his work, and that both he and Rosen had left the State Department building at roughly the same time.
Last year in Britain, London police used metadata to arrest and charge a police officer for leaking information to the political editor of The Sun, Tom Newton Dunn. Newton Dunn’s phone records were obtained without a warrant and despite a British law which protects journalists’ sources.
Is there potential for abuse?
Clearly, yes.
Phone and internet companies will be required to keep much more data than they require. This data could then be hacked by criminals that manage to get unauthorised access – a scenario we’ve seen repeatedly with hacking cases such as Anthem and Aussie Travel Cover.
Law enforcement officers could also abuse the system. As a former police officer explained to the ABC’s Marc Fennell, current safeguards are simply not good enough to prevent officers from abusing their access.
“Right now it would be so easy for me to slip in my ex-girlfriend’s number in the current process under any investigation and no-one would pick it up, because there’s no detail,” the anonymous former officer told Fennell. “The Australian people are being sleepwalked into a system the Attorney-General can not even articulate.”
Another unforeseen consequence includes the ability of metadata records to be subpoenaed as part of civil lawsuits. Communications Minister Malcolm Turnbull has admitted that the current legislation allows third parties to access stored metadata under a court order. That metadata could then start popping up in civil cases, such as insurance fraud, copyright violation – even divorce proceedings.
For instance, in 2013-14, Telstra disclosed communications content and metadata because of a court order 598 times.
What are the safeguards?
The new law will be overseen by the Commonwealth Ombudsman, who will be able to investigate and report on potential abuses. The law stipulates that the Ombudsman must report to the Attorney-General annually, and that the minister must then table that report to Parliament.
According to the bill’s Explanatory Memorandum, “the Commonwealth Ombudsman will, for the first time, have the power to inspect the records of enforcement agencies to ensure that agencies are complying with their obligations under the TIA Act.”
However, any investigation will happen only after the fact. The Ombudsman does not act as a gatekeeper and will not have any role in approving or denying metadata requests.
The Ombudsman’s reports are likely to be heavily redacted. The bill states that the Ombudsman’s report cannot reveal any details that might prejudice an investigation, or “compromise any enforcement agency’s operational activities or methodologies.”
Will the bill pass?
It seems likely.
The bill will pass with the support of both major parties. Labor has said it supports the bill. Labor members on the Joint Committee on Intelligence and Security have recommended that the bill be passed with amendments. It depends on Labor.
The Greens and other minor parties will not be able to block the legislation if Labor supports it.