The use of virtual private networks (VPNs) and other methods to bypass mandatory data-retention regimes in Australia will be a challenge, according to Australian Security Intelligence Organisation (ASIO) director-general David Irvine, but metadata is still an invaluable tool for law enforcement.
As part of the Australian government's proposed mandatory data-retention regime, to be introduced in legislation later this year, telecommunications companies will be required to keep a vast amount of customer "metadata", including the IP addresses assigned to a customer.
Communications Minister Malcolm Turnbull has already acknowledged that VPNs would limit the ability of law enforcement to match up a user's IP address, and Liberal Democrat Senator David Leyonhjelm reportedly said that a minister, widely assumed to be Turnbull, had to recently demonstrate to a law-enforcement agency what a VPN is, and how it could mask an IP address.
"He gave them a demonstration on a VPN and said, 'By my IP address, tell me what you can find out about me now.' And they had no idea there was such a thing as a VPN. It indicates to me that these people are not well informed enough to make these kinds of decisions," Leyonhjelm reportedly said.
Speaking at the National Press Club in Canberra yesterday, Irvine was reluctant to go into the technical detail of the use of VPNs to bypass data-retention regimes, but said that it does present a challenge in the way his organisation uses metadata in investigations.
"Yes, there will be a whole series of changes in the way in which telecommunications are conducted. That will present challenges, but they will still leave very, very useful points of metadata that will be significant analytical tools for law-enforcement and security intelligence agencies into the future," he said.
He said that metadata is of "crucial importance", and that although ASIO's use of metadata is very targeted to specific individuals, ASIO uses metadata "very frequently".
"We have been using metadata for many, many years. We use it, as I say, on a targeted basis. We use it very frequently. We use it as frequently as any of us in the old days used to go look up the telephone book," he said.
Australians should have a level of trust in law-enforcement agencies to use metadata responsibly, Irvine said.
"You do need to have levels of trust in your security and law-enforcement agencies."
He told ZDNet after the event that ASIO's use of metadata is very specific but very frequent.
"We don't sit there with a rake," he said. "Any request we make for information is based on a named person, or a known number. It is based on an individual piece of information.
"Very targeted, regular use."
Although a leaked document provided to telecommunications companies this week shows a call for vast amounts of data they don't already retain, Attorney-General George Brandis said yesterday that the government would only ask the companies to retain what is able to be accessed under the current regime.
He said that metadata does not have a set definition.
"This is a term that does not have a precise definition. It is a description rather than a definition," he said. "The essential concept is that metadata is information about the communication, not the content or the substance of the communication.
"The specific definition, which will be a statutory definition — the technical specification will be included in the legislation."
James Kent contributed to this story.