As of today, every major Australian telco and internet service provider is required to capture and store customers' "metadata" for a minimum of two years under the Australian Federal Government's mandatory data retention scheme. The legislation passed Parliament in March 2015, and following a subsequent extension in October, telcos were given until today to implement the necessary infrastructure to comply with these new laws.
The scheme primarily applies to text messages, phone calls, and emails. There is a component that relates to online activity, but your telco is not required to log your web history under the scheme.
What is being stored?
Under the scheme, your telco is required to store the following information or "metadata".
- Your name, address, and billing information
- Your phone number or email, and the phone number or email of the person you're communicating with
- The time, date and duration of a communication
- Your IP address
- The location of the communication equipment you use; for example, the closest cell tower
- The type of communication; phone call, text, or email
- Bandwidth usage such as the amount of data uploaded and downloaded
The content of your emails, phone calls, and text messages will not be stored, and neither will your web browsing history. In terms of internet usage, the scheme simply requires ISPs to log the time your modem connects to "the internet" and how much bandwidth you've used.
The collection of email-related metadata currently applies only to email services provided by ISPs.
What is metadata?
Metadata is best described as the details surrounding a communication, rather than the communication itself. As our digitally inept Attorney-General likes to say, the envelope rather than the letter.
However, metadata can be even more telling than the contents of a communication. When you talk with someone you can lie, you can use code, but it's far harder to obfuscate the metadata.
A phone call made to the number of a divorce lawyer still provides meaning, even when you don't know what was discussed. The meaning you can derive from metadata increases when this information is available in bulk. If someone received a phone call from a doctor, then followed it up by making a call to a psychologist, sensitive medical information is revealed without the need for the communication’s content.
Who is required to store this information?
By default, all Australian telcos and ISPs are required to retain this data by law. Certain providers may be granted an exemption from this scheme when the cost of compliance would be too high, or where the services aren't of interest to law enforcement. These providers are, however, required to keep their exemption private.
Why is it being stored?
Mandatory data retention laws were originally said to be about protecting national security and investigating serious crime.
Don't telcos already have this data?
Some of the data required under the scheme is already kept by providers for billing and administrative purposes, but not necessarily for as long a time frame as two years.
Who can access this data?
Government agencies involved in criminal law-enforcement have warrantless access to the data stored under the mandatory data retention scheme:
- Australian Federal Police
- A police force of a state
- Australian Commission for Law Enforcement Integrity
- Australian Criminal Intelligence Commission
- subject to subsection (1A), the Immigration and Border Protection Department
- Australian Securities and Investments Commission
- Australian Competition and Consumer Commission
- Independent Commission Against Corruption
- Police Integrity Commission
- Independent Broad-based Anti-corruption Commission
- Crime and Corruption Commission
- Corruption and Crime Commission
- Independent Commissioner Against Corruption
- Any authority or body for which a declaration is in force
As of January last year, a further 60 federal, state, and local government agencies had applied to get access to metadata. These included the National Measurement Institute, Bankstown City Council, Greyhound Racing Victoria, the Western Australian Department of Fisheries, and the RSPCA.
The Attorney-General's Department recently announced a review into the laws, which could have seen metadata opened up for use in civil lawsuits. However, the Attorney-General today announced that metadata will not be made available for use in civil proceedings.
Can you bypass data retention?
Yes. It's actually really easy to avoid having at least some of your information captured through the mandatory data retention scheme. For example, over-the-top messaging and calling services such as iMessage, Facebook Messenger, WhatsApp, Snapchat, FaceTime, and Skype are all exempt from the scheme. If you send a text using iMessage to another iMessage user, that communication's metadata won't be stored under the scheme.
International email service providers such as Gmail and Outlook.com aren't required to capture your metadata either.
What's the go with VPNs?
A VPN - or a virtual private network - allows you to access the internet through another computer's connection. Without a VPN, you're probably reading WhistleOut from Australia. With a VPN, your connection to our humble website could be coming through Switzerland before making its way to your computer or smartphone.
Due to this extra step in accessing a website, your telco would only see your connection to your VPN service, rather than the site you're accessing, effectively obfuscating your online activity. Of course, this comes down to a question of trust; by using a VPN, you're just changing who could potentially access and log your browser history. At the end of the day, one service provider gets to see the end point of your traffic.
While some privacy groups have dubbed today "Get a VPN Day", a VPN is next to useless when it comes to the data that telcos are required to store. The legislation explicitly states that providers do not have to record your web traffic and browser history. While it is possible a provider could still record internet history, iiNet has previously said this would require a petabyte (1000 terabytes) of storage per day for its user base alone. This would dramatically increase an ISP’s hardware requirements. If you're still concerned about this, a VPN will do the trick.
In fact, there are still merits to using a VPN from a privacy and security perspective, especially if you're regularly using public Wi-Fi networks. If you feel like you need one, I'd recommend F-Secure's Freedome.