A VPN will not save you from government surveillance

Privacy is a multi-faceted topic, and so to protect it, you need to take more than a single precaution.
Written by Chris Duckett, Contributor

Late on Friday afternoon, the Commissioner of the Australian Federal Police waltzed out in front of the microphones and admitted that his agency had misused the metadata that the nation's telecommunication companies are forced to store.

It was a stunning admission. Barely a fortnight had passed since the deadline for telcos to have their data retention systems in place, yet here was the AFP self-reporting an incident in which an officer breached the metadata laws, and, despite years of preparation and of working with metadata, blaming it on "human error".

Naturally for the cynics watching, AFP Commissioner Andrew Colvin said the officer involved would not be punished, and the AFP said later in a statement that "it was not an offence under the Act".

Alastair MacGibbon, formerly of the AFP and now special adviser to the prime minister on cybersecurity, said on Twitter: "It's clear this is a story of human error which AFP caught themselves thru [sic] audit & owned. That's transparency & accountability."

The message is clear: The AFP is doing a good thing by admitting its mistakes, and you should continue to trust it. Don't fear that it is able to sift warrantlessly through the metadata of Australians at will.

The irony in this entire situation is that the AFP was caught in the equivalent of the only mousetrap in a field several acres in size: it was incorrectly given a journalist's metadata, specifically a week's worth of call records.

Under the laws that force telcos to store customers' call records, location information, IP addresses, billing information, and other data for two years, there is a small caveat for journalists that forces agencies to obtain a warrant when seeking to uncover a journalist's source.

Neither the journalist nor the telco will ever know that such a warrant existed. These provisions were essentially a fig leaf to quiet the Canberra press gallery under the auspices of protecting democracy and freedom of the press while the data retention laws were being considered, and it worked.

But journalist warrants are almost superfluous. By asking for the metadata of anyone suspected of being a journalist's source, agencies can still find out whether communication with a journalist happened, and can therefore skirt these provisions at will.

Upon the news that the AFP had handled the metadata of a journalist, the online outrage squad kicked into gear with a chorus singing the praises of Australia's magic bullet to security in 2017: using a VPN.

"Get a VPN. Use Signal!" the online masses screamed as Colvin was delivering his press conference.

To think that merely wrapping one's data communications in an encrypted tunnel is enough to stop the authorities from invading one's privacy is no different from sitting on six drums of gasoline with a lit stick of dynamite and thinking you are safe because you have a fire extinguisher.

As Friday's events showed, no VPN in the world would have protected this particular journalist's call records. The only thing that would have was never communicating with a source by phone in the first place.

Even if the conversation had been moved onto a service such as Signal, had the journalist physically met with the source while carrying a mobile phone, a telco would then be able to provide the authorities with the source's location data to help their investigation.

If the source had been silly enough to communicate via an email address controlled by an Australian ISP, the AFP could have simply requested the metadata of those emails to establish that communication with a journalist had occurred.

And all of this same data could have been handed to the AFP about the journalist in question, had a journalist warrant existed.
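To make the point concrete, here is an added illustration (not code from the article or from any agency or telco) of how the three traces described above, call records, cell location and ISP email metadata, expose contact with a journalist without a single byte of content, and how querying the source's records rather than the journalist's sidesteps a journalist warrant entirely. Every phone number, cell identifier, email address and timestamp below is constructed sample data, and the record layouts are a simplified assumption, not the format any Australian telco actually retains.

```python
"""
Added illustration: metadata retained by a telco or ISP reveals who talked to whom,
and who was where, regardless of whether the content was encrypted (Signal, a VPN)
or even whether any message was sent at all.

All records, numbers, cell IDs and addresses are CONSTRUCTED for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

JOURNALIST = "+61400000001"        # constructed journalist's mobile number
SUSPECT = "+61400000002"           # constructed number of the suspected source
JOURNALIST_EMAIL = "reporter@example-news.com.au"   # constructed
SUSPECT_EMAIL = "source@example-isp.net.au"         # constructed

# Constructed call records as a telco might retain them:
# (caller, callee, start time, duration in seconds). Note there is no content field.
CALL_RECORDS = [
    ("+61400000002", "+61400000001", "2017-04-20T09:15:00", 312),
    ("+61400000003", "+61400000009", "2017-04-20T09:20:00", 40),
    ("+61400000001", "+61400000002", "2017-04-21T18:02:00", 95),
]

# Constructed location records: (number, timestamp, cell tower ID).
# A phone registers with a cell whether or not a call is made.
LOCATION_RECORDS = [
    ("+61400000001", "2017-04-22T12:30:00", "CELL-CBR-0117"),
    ("+61400000002", "2017-04-22T12:34:00", "CELL-CBR-0117"),
    ("+61400000002", "2017-04-22T15:00:00", "CELL-CBR-0420"),
    ("+61400000003", "2017-04-22T12:31:00", "CELL-CBR-0117"),
]

# Constructed email envelope metadata from an ISP-hosted mailbox: (sender, recipient, timestamp).
EMAIL_RECORDS = [
    ("source@example-isp.net.au", "reporter@example-news.com.au", "2017-04-19T22:10:00"),
    ("someone@example-isp.net.au", "other@example.org", "2017-04-19T22:15:00"),
]


def contacts_with(number, records):
    """Numbers that called, or were called by, `number`.

    Only the suspect's own records are consulted, so an agency learns of contact
    with the journalist without ever requesting the journalist's records.
    """
    peers = set()
    for caller, callee, _ts, _duration in records:
        if caller == number:
            peers.add(callee)
        elif callee == number:
            peers.add(caller)
    return peers


def colocations(a, b, records, window=timedelta(minutes=10)):
    """(cell, earliest timestamp) pairs where `a` and `b` hit the same cell within `window`.

    No call or message is needed; carrying the phone to the meeting is enough.
    """
    by_number = defaultdict(list)
    for number, ts, cell in records:
        by_number[number].append((datetime.fromisoformat(ts), cell))
    hits = []
    for ta, cell_a in by_number[a]:
        for tb, cell_b in by_number[b]:
            if cell_a == cell_b and abs(ta - tb) <= window:
                hits.append((cell_a, min(ta, tb).isoformat()))
    return hits


def email_peers(address, records):
    """Addresses that exchanged mail with `address`, from envelope metadata alone."""
    peers = set()
    for sender, recipient, _ts in records:
        if sender == address:
            peers.add(recipient)
        elif recipient == address:
            peers.add(sender)
    return peers


def investigate(source_number, source_email):
    """Everything an agency learns about a suspected source from retained metadata."""
    return {
        "called_journalist": JOURNALIST in contacts_with(source_number, CALL_RECORDS),
        "met_journalist": colocations(source_number, JOURNALIST, LOCATION_RECORDS),
        "emailed_journalist": JOURNALIST_EMAIL in email_peers(source_email, EMAIL_RECORDS),
    }


if __name__ == "__main__":
    print(investigate(SUSPECT, SUSPECT_EMAIL))
```

Run as a script and all three findings come back positive for the constructed suspect, while a bystander who shared the same cell at the same time (`+61400000003`) shows no call or email link. Nothing in the script looks at content; a VPN or an end-to-end encrypted messenger would not change a single record it reads.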

Encrypted communications are useful in protecting some aspects of people's digital lives from enforcement agencies, but they are a band-aid that constantly needs reapplication, not a cure. Encryption hides the content of a communication, not the fact, timing and endpoints of it, and those are exactly what data retention keeps. A VPN only shifts who can see your internet traffic metadata from the ISP to the VPN provider, and does nothing at all about the call and location records the telco holds.

The only way to truly get unwarranted government surveillance off your back is to end the system, and the US took a small step towards that last week when it ended the collection of domestic emails and text messages that mention details about foreign targets.

But it will be a long time before Australia makes any movements in the same direction, with both major parties continuing their support for the Abbott/Shorten data retention scheme they both voted for.

"This legislation was passed by Parliament with the assurance that the system had strong safeguards and could be trusted," Shadow Attorney General Mark Dreyfus said on Friday. "That trust has now been breached."

It might be tempting to think that Labor is beginning to realise it was sold a pup, but Dreyfus speaks of the "unique place the media holds in our democracy" and not the ongoing privacy breaches that occur on a daily basis to the rest of the population, or when journalists finish work and their metadata is regarded the same as everyone else's.

There were warnings in 2015 when former intelligence officer and now Member for Denison, Andrew Wilkie, said any access to metadata needed a warrant.

"Yes, that will be hard. It will slow things up. But it will ensure that the security agencies less and less unnecessarily access our property, and more and more focus on the property of people who should be scrutinised," he said.

"Of course they will ask for everything, that is their job. It is our job to limit what they get; to limit it to what is acceptable to the community; to limit the power of the state to acceptable levels."

Just over two years ago, Australia created a codified method for tracking the location and communication of all its citizens and residents, a scheme shrouded in secrecy that offers an unlimited buffet lunch to all authorised agencies.

Call me cynical if you want, but until the AFP stands in front of a press conference apologising for mishandling the metadata of an unemployed welfare recipient in the outer suburbs of an Australian city, I will not believe they are committed to transparency.

On Friday, the AFP paid lip service to updating the organisation's training and processes, but make no mistake, it'll be business as usual when officers return to work on Monday, and the metadata of Australians will be able to be sifted through warrantlessly by enforcement agencies to their heart's content.

Using a VPN is not a bad idea, but it is not a cure-all to the bigger issue of surveillance.

Telling people online to use Signal is like telling someone with a tooth infection to floss.

Australia needs an extraction, not a way to remove the remains of last night's dinner.


The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and the US.
