You know, metadata is a different kind of data but it actually is very intimate. If you call a suicide prevention hotline, it doesn’t matter what you say; it’s the fact that you called them. Metadata reveals who we’re intimate with, who we associate with, what our interests are, who we are, what we are. And because it can be processed by computers automatically — it’s not voice conversation, it’s just data — it allows people with access to that metadata to do very extensive surveillance.

– Bruce Schneier, Lateline, ABC, 10th March 2015

This is a bill to entrench a system of passive mass surveillance. It is corrosive of the very freedoms that governments are elected to protect, and it has no place in a democracy. And yet, it is a democratically elected parliament that [has enacted it].

– Senator Scott Ludlam

On October 13th, the new metadata retention law comes into effect in Australia. Data about your phone and internet communications must then be retained for at least two years and be accessible without warrants by a multitude of agencies.

What phone data is retained?

  • Phone number of everyone you called or sent SMS to
  • Missed numbers
  • Time and date of calls and SMS
  • Duration of calls
  • Your rough location at time of call or SMS

How can I protect my phone data?

Avoid using the cellular network to make calls or send text messages whenever possible. There is an excellent free app for this. Think of it as equivalent to WhatsApp and Skype but with privacy built-in.

I recommend this app specifically because it is private in general, i.e. messages are encrypted so that only the sender and intended recipient can read them. This protects you not just against Australian metadata retention but also snooping by other states, organisations and individuals.

Android and iPhone

Using Signal, you can communicate with other Signal users – remember that your contacts must also have installed the Signal app for you to contact them.

More detailed usage instructions are available on Surveillance Self-Defense for Signal on Android, and Signal on iPhone.

iPhone only

  • On iPhone, you can also use iMessage and FaceTime to communicate with other iPhone users – these are encrypted and unaffected by the Australian law; the downside is that they are not open source.

What internet data is retained?

  • Your IP address
  • Time and duration of your web connections
  • The law does not require carriers to retain ‘destination’ IP addresses (your web browsing history), but a carrier may do so
  • The volume of your uploads and downloads
  • Location and geographical data

Fairfax Media technology editor Ben Grubb has discovered private communication from the AG’s department to telcos saying that carriers will not be required to store “destination” IP addresses. However, “it does say that if ‘a carrier wishes to retain those additional elements (it) is a decision for the carrier’.”

A destination IP address reveals which web servers a user has accessed and is a form of web browsing history, although it cannot always show specifically what website on that server you were accessing.

“For many telcos, they will likely start storing destination IP addresses from October 13 because it will be difficult for them to remove (this data) in many cases, especially for mobile carriers due to the way their systems are designed,” Grubb said.


How can I protect my internet usage?

Use a Virtual Private Network (VPN). This creates an encrypted tunnel, keeping your browsing destinations private, only exposing the fact that you are connected to a VPN. It costs about $5 to $10 a month.
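To make the difference concrete, here is an added sketch (not part of the original post) of what a carrier could log for the same browsing session with and without a VPN, covering both the destination-IP point above and the tunnel described here. All IP addresses, hostnames and byte counts are constructed sample values, and the hosting table is a hypothetical stand-in for public knowledge of which sites live on which server.

```python
from collections import defaultdict

# Constructed sample data: documentation-range IPs and made-up hostnames.
HOSTED_AT = {
    "203.0.113.10": ["clinic.example"],  # dedicated server: one site
    "198.51.100.7": ["news.example", "forum.example", "shop.example"],  # shared host
}
VPN_ENDPOINT = "192.0.2.50"  # hypothetical VPN server address

# What the user actually did: (time, hostname, destination IP, bytes transferred)
SESSION = [
    ("09:01", "clinic.example", "203.0.113.10", 48_000),
    ("09:05", "forum.example", "198.51.100.7", 120_000),
    ("09:20", "clinic.example", "203.0.113.10", 15_000),
]

def carrier_view(session, vpn=False):
    """Return per-destination totals as a carrier could log them.

    The hostname column is never visible to the carrier, only IP addresses,
    times and volumes. With a VPN, every packet is addressed to the VPN
    endpoint (tunnel overhead on the byte counts is ignored here).
    """
    seen = defaultdict(lambda: {"connections": 0, "bytes": 0})
    for _time, _hostname, dst_ip, nbytes in session:
        visible_ip = VPN_ENDPOINT if vpn else dst_ip
        seen[visible_ip]["connections"] += 1
        seen[visible_ip]["bytes"] += nbytes
    return dict(seen)

def candidate_sites(view):
    """Map each logged destination IP to the sites it could correspond to."""
    return {ip: HOSTED_AT.get(ip, []) for ip in view}

if __name__ == "__main__":
    for label, vpn in (("without VPN", False), ("with VPN", True)):
        view = carrier_view(SESSION, vpn)
        print(label)
        for ip, sites in candidate_sites(view).items():
            print(f"  {ip} {view[ip]} could be: {sites or 'unknown'}")
```

Without the VPN, the dedicated server's address identifies the site outright while the shared host only narrows it to three candidates; with the VPN, the log collapses to a single endpoint, but connection times and total volume are still visible.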

I recommend IPVanish because in my experience it is reliable and easy to use – register, pay up, install an app (on your computer or your phone), click ‘connect’ and let it run.

If you want to do your own investigation, there are a number of aspects to consider. Follow CryptoPartyAus to find out when the next public cryptoparty is being held in your city. Or, if you can’t wait, and you can handle some technical jargon, check Gizmodo’s VPNs for Australians guide or

About your location…

Your location is recorded with your web and phone usage – this cannot easily be prevented. If you really want to fix this problem, here are some options (easiest to hardest):

  • Help campaign against this law and others like it (follow EFA, CitizensNotSuspects, WatchThisSpace…)
  • Leave your phone at home.
  • Don’t use the internet…

What email data is retained?

If you use an Australian email service:

  • Who you’ve emailed
  • Date and time you sent the email
  • Attachment data volumes

How can I protect my email?

Use a non-Australian email provider. Some good options:

What’s actually ‘new’ on 13th October?

  • The data collection is now mandated, whereas previously it was only incidental to providing a service.
  • The data must now be retained for two years.
  • The exact data to be collected is now specified.
  • Fines of $2m will now be enforced on non-compliant service providers.
  • A two-year jail sentence for anyone caught revealing information about instances of metadata access.

Telstra refers to this as “a ‘honey pot’ for hackers”.


About 2500 people can access the data, without warrant. The same people can authorise access for others, without warrant.

The list of agencies authorised to access this information without a warrant:

  • ASIO (Australian Security Intelligence Organisation)
  • Australian Border Force
  • Australian Federal Police
  • All state and territory police forces
  • The Australian Commission for Law Enforcement Integrity
  • Australian Crime Commission
  • Australian Securities and Investments Commission
  • Australian Competition and Consumer Commission
  • NSW Crime Commission
  • NSW Independent Commission Against Corruption
  • NSW Police Integrity Commission
  • Queensland Crime and Corruption Commission
  • West Australian Corruption and Crime Commission
  • South Australian Independent Commission Against Corruption
  • Any other agency (public or private) the Attorney General publicly declares

What next?