Protecting your privacy: Our stand against ‘mandatory data retention’


One of the features of the iiNet Copyright Trial was our strong stand against monitoring our customers. The Hollywood Studios believed we should data-match information provided by third parties who were monitoring our customers, and then send warning notices to alleged copyright infringers, all without lawful warrants – the High Court agreed with us.

In iiNet’s view, we should not be forced to collect, store or match personal information on behalf of third parties – our only obligation is to retain the information necessary to provide, maintain and bill for services. iiNet does not keep any web browsing history or download records, for example.

Last week the Attorney General, George Brandis, said the government is now actively considering a data retention regime that could impact on anyone who uses the Internet in this country.

What exactly is proposed?

We don’t know for sure; the Attorney-General’s Department and various law enforcement agencies have floated at least three different suggestions over the past few years, including:

1. Limited, routine metadata that carriers normally collect for phone billing purposes.

2. A middle ground that indicates metadata on all communications, but with the metadata processed to remove the content.

3. A documented specification from government that details every bit of metadata generated by phone or online communications.

We’re confused by the contradictory comments and I expect that our policy makers are, too. We have a formal briefing paper from the Attorney General’s department (provided to us in March 2010) which we will focus on rather than media reports and ad hoc comments.

Law enforcement agencies (like ASIO and Federal and State Police) are proposing private companies, like iiNet, should keep ongoing and very detailed records of customers’ telephone and online activity. We’re not talking targeted surveillance of individuals suspected of a crime, we’re talking about the wholesale collection and storage of data on your online, digital and telephone activity. These records are euphemistically labelled ‘metadata’ – and could include the unfiltered records of your browsing, updates, movements and phone calls, which can be readily matched to the identities in your customer account.

We don’t think this ‘police state’ approach is a good idea, so we’re fighting moves by the Australian Government to introduce legislation that would force us to collect and store your personal information.

At the end of this month, iiNet will front a Senate Committee reviewing telecommunications laws concerning interception and access to communications data or metadata, which could include introducing mandatory surveillance and data retention on the communications activities of the entire Australian population. Our statement to the Committee is summarised, in part, below.

Metadata, what is it?

Metadata is information generated as you use technology. It’s generated by your computer, tablet, phone, games console, smart-watch, some cars and even digital photo frames. The telecommunications data collected often contains personal and content-specific details, as well as transactional information about the user, the device and activities taking place, including:

The content of posts

The content associated with web pages

The people and organisations you associate with

Your Internet activity, including pages you visit and when

User data and possibly user login details with auto-fill features

Your IP address and Internet Service Provider (like iiNet)

Device hardware details, operating system and browser version

Cookies and cached data from websites

Date and time you called somebody

Locations – like where you last accessed your email, browsed the net or made a call.

But it doesn’t contain any content, does it?

People who should really know better have repeated that furphy. When we use freely available tools to check the embedded data about communications like Twitter, Facebook and websites, we see that the ‘metadata’ does include content, and lots of it.

Should I really be worried?

The data collected can be incredibly sensitive – it can reveal who your friends are, where you go and what websites you visit. Indeed, it may even tell more than the content of a phone call or an email. Recent research from Stanford University showed that when analysed this data may create a revealing profile of a person’s life including medical conditions, political and religious views, friends and associations.

Police say “If you have nothing to hide, then you shouldn’t be worried”. Personally I think that if you follow that dubious logic, we’d all be walking around naked. It’s not about being worried, or wanting to ‘hide’ anything. It’s about the right to decide what you keep private and what you allow to be shared. YOU should be the one to make that call, and that decision should stick until a warrant or something similar is issued to law enforcement agencies to seize your information.

Not convinced? Then we suggest you check out the startling website based on information collected on German politician Malte Spitz by Deutsche Telekom over just six months. Zeit Online combined this geo-location data with information relating to his life as a politician, such as Twitter feeds, blog entries and websites, all of which is freely available on the Internet. It’s really worth a look and illustrates just how informative and personally invasive metadata can be – it is truly scary stuff.

Experts in the US have some equally frightening things to say about metadata. According to NSA General Counsel Stewart Baker, “…metadata absolutely tells you everything about somebody’s life.” General Michael Hayden, former director of the NSA and the CIA, called Baker’s comment “absolutely correct,” and frighteningly asserted, “We kill people based on metadata.”

If it helps catch crooks, what’s the problem?

Australia already has systems in place to help catch crooks. The Telecommunications (Interception and Access) Act specifies the circumstances in which interception of customer communications is lawful and when it is permitted for telecommunications companies to disclose communications data.

The focus of this data retention proposal is not crooks; it’s the 23 million law-abiding men, women and children that will go about their daily lives without ever bothering law enforcement. Those 23 million customers include my 93-year-old mum and my 12-year-old niece. We don’t believe that is either necessary or proportionate for law enforcement.

We’ve seen no evidence that justifies surveilling inoffensive customers on the chance that, two years later, some evidence might help an investigation. It’s the equivalent of collecting and storing every single haystack in the country, indexing and filing all the straws, keeping them safe for two years, just in case there’s a needle, somewhere. We don’t know if there’s a needle, but there might be.

I say forget spying on my mother and niece and get on with chasing the crooks.

What will this all cost?

It is hard to measure exactly what this will all cost, but we expect that collecting and keeping every customer’s ‘metadata’ would require the construction of many new data centres, each storing petabytes (that’s 1 billion megabytes!) of information at a cost of tens or hundreds of millions of dollars. There is no suggestion that the government would pay these costs, so our customers will be expected to pick up these costs in the form of a new surveillance tax.

If they need someone to process the full set of metadata down to metadata-minus-content, then there is a significant cost to process the collected metadata and redact it. (Imagine a lot of people with thick black markers, blotting out the content – just like the government does with some Freedom-of-Information requests).

The Government must also consider the privacy implications if Internet providers are to be compelled to collect data on Australians. The vast amount of data stored would prove to be an appealing target for hackers all around the world – creating a risk of information and identity theft in the event that storage of the data is breached.

It’s not right. It’s not Australian, we don’t support it.