Thursday, August 07, 2014

Metadata Retention for Law Enforcement

There seems to be some confusion within the Australian Government as to what data retention policy has been decided on by the Cabinet. It might be useful if the Prime Minister and the Attorney General were to ask for a briefing from their departmental staff as to what "metadata" is, or they could ask the Minister for Communications.

The Australian Minster, Mr. Tony Abbot, said on Tuesday:
We also need legislation which I have commissioned the Attorney to prepare, which the National Security Committee of the Cabinet has commissioned the Attorney to prepare to ensure that we are best able to monitor potential terrorist activity in this country. Obviously with the usual range of safeguards and warrants but that will include discussions with the telecommunications providers about the retention of metadata....
From Joint Press Conference - Prime Minister and Attorney General, Canberra,Tuesday, 5 August 2014)
The Attorney General said:
Finally, as the Prime Minister indicated, I have also been asked to develop – in consultation with relevant stakeholders, in particular, in the telecommunications sector – a system of mandatory data retention. That legislation has been approved in principle and is in development from today and will be introduced into Parliament later in the year.  ...
From Joint Press Conference - Prime Minister and Attorney General, Canberra,Tuesday, 5 August 2014)
Unfortunately I have been unable to find a copy of the legislative proposal for retention of metadata. In a later interview the Attorney General, Mr George Brandis, did not appear to know what metadata was, nor what it was proposed to require telecommunications companies to retain:
Brandis: "The web address, um, is part of the metadata."
Journalist: "The website?"
Brandis: "The well, the web address, the electronic address of the website. What the security agencies want to know, to be retained is the, is the electronic address of the website that the web user is ... "
Journalist: "So it does tell you the website?"
Brandis: "Well, it, it tells you the address of the website."

From: Attorney-General George Brandis struggles to explain Government's metadata proposal, ABC Radio, 7 August 2014
The Parliamentary Library produced a good overview of the issues "Surveillance in society—global communications monitoring and data retention" (Nigel Brew, Australian Parliamentary Library, 2013). The Wikipedia's "Telecommunications data retention" entry is also useful.

The UK House of Commons recently passed laws on data retention (Data Retention and Investigatory Powers Act 2014, UK Government). This authorises the UK Secretary of State to require telecommunications operator to retain specified communications data for up to one year. A warrant may not be required to obtain the data, under some circumstances. What data can be collected is not specified in the act, except to say that it does not include "data revealing the content of a communication". In the Australian context this data is being called "metadata". For an explanation of meta-data, see my ANU course lecture notes: "Metadata" (From Metadata and Electronic Data Management, by Tom Worthington, for ANU Course COMP3410, Information Technology in Electronic Commerce, 2009).

Internet metadata which would normally be stored would be the Internet protocol Address (IP Address) of the computer data was being sent from, the IP Address it was being sent to and the date and time. The issue which the Australian Attorney General appeared to be unclear about was if just the IP addresses were to be stored, or if the web address (URI) was also to be stored.

To use an analogy, the IP address would be the street address of a library someone was visiting, whereas the web address would be the number of the book they borrowed (event the chapter they opened it at). My interpretation of the UK law is that the web address would be part of the content of the communication and therefore not permitted.

What the Australian government proposes is unclear. A good first step would be for the Cabinet, and the Attorney General in particular, to be briefed on the basics of how the Internet works.

No comments: