Metadata: What we know and who wants it

While the Australian government has yet to provide a set definition of the "metadata" it wants telecommunications companies to retain, this is what we know so far.
Written by Josh Taylor, Contributor

The Australian government announced this week it is speeding ahead with plans for mandatory data retention, but has yet to fully explain to the public what data it intends to force telecommunications companies to actually keep. This is what we know so far:

What is metadata?

The tired cliche used by those advocating for mandatory data retention is that metadata is the "envelope" not the "letter". That is, it tells you who sent what to whom, where and at what time.

Since ZDNet first revealed data retention plans back in 2010, there has been a push for the government agencies to be up front about what data they actually want telecommunications companies to retain.

At the peak of a parliamentary investigation into the matter last year, the Australian Federal Police and the Attorney-General's Department handed in a working definition of metadata (PDF) that breaks it down into the following information about telephone calls, and internet communication:

  • the internet identifier (eg IP address) assigned to the user by the ISP
  • the mobile number called or texted
  • the email address, phone number or VoIP number used to send the communication
  • the time and date of the communication
  • the location from where the communication was sent — in the case of mobile this includes the mobile tower
  • the duration of the call

Metadata is also defined using this document to include the name, address, phone number or mobile number, and email address of the telecommunications company's customer.

What the government says it is not, is "content". That is, what is in the email, the call, or even the website a person is visiting. Accessing content requires a warrant, under existing legislation.

Although the AFP denied seeking web browsing history, other government agencies, including the Northern Territory Police, have advocated requiring ISPs to retain every single website visited by their customers.

Since the announcement of the data retention plan this week, the federal government has not yet confirmed what data it wants to keep.

How is it used by government agencies?

The metadata held by the telecommunications companies can be used to link a person to a location through the position of their mobile at the time of a crime, or can provide police with access to every contact a person of interest has been calling or emailing when suspected of a crime.

According to the last report, government agencies accessed metadata records without a warrant 319,874 times in the 2012-2013 financial year. That is not even counting the access to the data by ASIO and other intelligence agencies.

But the reach goes far beyond traditional law enforcement.

The report reveals that local and state government agencies including RSPCA South Australia, Wyndham City Council, Racing NSW, and the Department of Fisheries accounted for 2,355 authorisations in the financial year for the "protection of public revenue", meaning it is used to chase down unpaid fines.

Why does the government need to change the way it works today?

The claim is that existing methods of accessing the data aren't as effective because people are now moving online with their communications, so the data is not as useful a tool to law enforcement as it once was. In broadening the definition to include online communications, the aim would be to retain the existing powers law enforcement has, according to previous statements from the Australian Federal Police.

The data agencies had been reliant upon is also no longer being stored for longer periods of time. Telcos don't need to store call logs or any internet access history for longer than it takes to bill the customer for their monthly service, and with more and more companies offering unlimited calls on mobile and fixed, that data is simply not needed at all.

Additionally, Australian Privacy Principle 11, implemented this year, expressly prohibits companies from retaining personal customer information for any longer than they need it, and requires them to destroy or de-identify the information. Under no express obligation from the government to keep the data, telecommunications companies are compelled by the Australian Privacy Principles to get rid of metadata.

Who will pay for data retention?

iiNet has estimated that data retention will cost the company AU$100 million to establish in the first two years, and potentially more after that, a claim Prime Minister Tony Abbott has denied.

If ISPs are forced to set up systems to retain this data, then it is possible that the cost for those systems will be passed onto their customers in the form of higher internet or phone subscription prices. If the government offers to pay for the establishment of the system, then taxpayers will be footing the bill to have their own data stored.

Should I be worried?

On a granular level, metadata might seem like it can't tell much about a person, but when all the different types of data are collected, it can reveal much more than the content of an individual email or phone call might. Records of a call from a woman's phone to her doctor, then to her mother, and then to a family planning clinic tell much more than one of the phone calls might have revealed.

There is also the issue of the security of the data. Australian Security Intelligence Organisation chief David Irvine argued that data retention was not "Big Brother" like the US in requiring the government store all the data because it would remain with the telecommunications companies, but there are over 200 telecommunications companies, large and small, across Australia storing very different types of data using very different storage methods.

Telstra, Australia's largest telecommunications company and arguably the best placed to secure our data, has had a number of privacy breaches over the past few years alone. Given that at the moment there are also no mandatory data breach notification laws in place, we have no way of telling if other telcos have also suffered data breaches over the years.

There's no saying what security measures will be in place for all telcos across Australia should data retention be implemented, and what's worse is that if we don't have mandatory data breach notification laws in place, there is no obligation for companies to report those breaches unless they are caught out by customers or the media.

When will this start?

Attorney-General George Brandis has said he is currently developing a framework for mandatory data retention with a view to introducing the legislation into parliament before the end of this year. It is unclear how long the legislation would take to get through parliament given the controversy surrounding the proposal. Nor is it clear how long telecommunications companies would be given to comply with new rules should they pass, but it is likely it will be at least sometime in 2015 before mandatory data retention is in place.
