You know, metadata is a different kind of data but it actually is very intimate. If you call a suicide prevention hotline, it doesn’t matter what you say; it’s the fact that you called them. Metadata reveals who we’re intimate with, who we associate with, what our interests are, who we are, what we are. And because it can be processed by computers automatically — it’s not voice conversation, it’s just data — it allows people with access to that metadata to do very extensive surveillance.
– Bruce Schneier, Lateline, ABC, 10th March 2015
This is a bill to entrench a system of passive mass surveillance. It is corrosive of the very freedoms that governments are elected to protect, and it has no place in a democracy. And yet, it is a democratically elected parliament that [has enacted it].
– Senator Scott Ludlam
On October 13th, the new metadata retention law comes into effect in Australia. Data about your phone and internet communications must then be retained for at least two years and be accessible without warrants by a multitude of agencies.
What phone data is retained?
- Phone number of everyone you called or sent SMS to
- Missed numbers
- Time and date of calls and SMS
- Duration of calls
- Your rough location at time of call or SMS
How can I protect my phone data?
Avoid using the cellular network to make calls or send text messages whenever possible. There is an excellent free app for this. Think of it as equivalent to WhatsApp and Skype but with privacy built-in.
I recommend this app specifically because it is private in general, i.e. messages are encrypted so that only the sender and intended recipient can read them. This protects you not just against Australian metadata retention but also snooping by other states, organisations and individuals.
Android and iPhone
- Install and use Signal on Android or Signal on iPhone for both encrypted text messaging and encrypted phone calls. Using Signal, you can communicate with other Signal users – remember that your contacts must also have installed the Signal app for you to contact them.
- On iPhone, you can also use iMessage and FaceTime to communicate with other iPhone users. These are encrypted and unaffected by the Australian law; the downside is that they are not open source.
What internet data is retained?
- Your IP address
- Time and duration of your web connections
- The law does not require carriers to retain ‘destination’ IP addresses (your web browsing history), but a carrier may do so
- The volume of your uploads and downloads
- Location and geographical data
Fairfax Media technology editor Ben Grubb has discovered private communication from the AG’s department to telcos saying that carriers will not be required to store “destination” IP addresses. However, “it does say that if ‘a carrier wishes to retain those additional elements (it) is a decision for the carrier’.”
A destination IP address reveals which web servers a user has accessed and is a form of web browsing history, although it cannot always show specifically what website on that server you were accessing.
“For many telcos, they will likely start storing destination IP addresses from October 13 because it will be difficult for them to remove (this data) in many cases, especially for mobile carriers due to the way their systems are designed,” Grubb said.
How can I protect my internet usage?
Use a Virtual Private Network (VPN). This creates an encrypted tunnel between your device and the VPN provider, so your carrier sees only that you are connected to a VPN, not your browsing destinations. It costs about $5 to $10 a month.
I recommend IPVanish because in my experience it is reliable and easy to use – register, pay up, install an app (on your computer or your phone), click ‘connect’ and let it run.
If you want to do your own investigation, there are a number of aspects to consider. Follow CryptoPartyAus to find out when the next public cryptoparty is being held in your city. Or, if you can’t wait, and you can handle some technical jargon, check Gizmodo’s VPNs for Australians guide or BestVPN.com.
About your location…
Your location is recorded with your web and phone usage – this cannot easily be prevented. If you really want to fix this problem, here are some options (easiest to hardest):
- Help campaign against this law and others like it (follow EFA, CitizensNotSuspects, WatchThisSpace…)
- Leave your phone at home.
- Don’t use the internet…
What email data is retained?
If you use an Australian email service:
- Who you’ve emailed
- Date, time you sent email
- Attachment data volumes
How can I protect my email?
Use a non-Australian email provider. For some good options, see privacytools.io.
What’s actually ‘new’ on 13th October?
- The data collection is now mandated, whereas previously it was only incidental to providing a service.
- The data must now be retained for two years.
- The exact data to be collected is now specified.
- Fines of $2m will now be enforced on non-compliant service providers.
- A two-year jail sentence for anyone caught revealing information about instances of metadata access.
Telstra refers to this as “a ‘honey pot’ for hackers”.
About 2500 people can access the data, without warrant. The same people can authorise access for others, without warrant.
The list of agencies authorised to access this information without a warrant:
- ASIO (Australian Security Intelligence Organisation)
- Australian Border Force
- Australian Federal Police
- All state and territory police forces
- The Australian Commission for Law Enforcement Integrity
- Australian Crime Commission
- Australian Securities and Investments Commission
- Australian Competition and Consumer Commission
- NSW Crime Commission
- NSW Independent Commission Against Corruption
- NSW Police Integrity Commission
- Queensland Crime and Corruption Commission
- West Australian Corruption and Crime Commission
- South Australian Independent Commission Against Corruption
- Any other agency (public or private) the Attorney General publicly declares
Follow me @rdoh for more privacy news and advice.
Got technical skills? Join Hack for Privacy and help fight mass surveillance.
- Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015
- Mandatory Internet Data Retention in Australia – Looking the horse in the mouth after it has bolted
- Data retention and the end of Australians’ digital privacy