“Metadata absolutely tells you everything about somebody’s life…”
Former General Counsel of the National Security Agency, Stewart Baker.
Metadata is all over the news
On the news and in internet forums ‘metadata’ is becoming a buzzword that individuals are using more frequently than ‘humblebrag’ or ‘YOLO’. Recently, my clients have been asking me a lot of questions about ‘metadata’, like: What is it? Are technology providers legally permitted to collect it and store it? Can they provide it to law enforcement agencies without a warrant?
There is no legal definition of metadata
As I tweeted when metadata hit the headlines back in August, there is no single legal definition of metadata in Australian law. An obvious reason for not defining the term is to give the authorities flexibility when applying it. Put another way, referencing today’s technology in the definition of metadata means the definition could be out of date as technology develops and improves.
Think of metadata like a dinosaur footprint from Jurassic Park
In an online publication the Australian Parliament has said that metadata (also known as ‘communication data’) is simply information about an electronic communication that is not the content or substance of a communication. Accordingly, I find it helpful to think of metadata as the footprint that is left behind after you send an email, use the internet or make a telephone call. It is sort of like a dinosaur footprint from Jurassic Park (if the dinosaur is the content of your communication). When you come across the footprint, you have evidence that a dinosaur has been there, as well as the approximate size of the dinosaur and the speed it was travelling…but there is no dinosaur.
When you use a telephone service, metadata includes:
- the number called and duration of the call;
- the location from which the call is made; and
- the date and time of the call,
but not a recording or transcription of the call or SMS itself.
In relation to the internet, metadata may include:
- the IP address of your computer;
- the email address of the sender and recipient; and
- the amount of data up/downloaded and the start/finish time of an internet session,
but not the content of the email or websites that you visited. (However, in August it was found that Telstra has previously handed over details of websites visited by its customers to government agencies without a warrant.)
What content can be lawfully intercepted?
In Australia, the government requires a lawful warrant to intercept your web-browsing or content of your emails (i.e. content that is not metadata). Interception, law enforcement and national security obligations apply to carriers and carriage service providers, including internet service providers, under the Telecommunications Act 1997, the Telecommunications (Interception and Access) Act 1979 and related legislation. In summary, carriers and carriage service providers are required to assist law enforcement and national security agencies to carry out their duties, maintain lawful interception capabilities and endeavour to ensure that telecommunications facilities and networks are not used in the commission of offences. Carriers and carriage service providers are required to maintain interception capability. Interception of the content of communications passing over networks as well as associated signalling and customer information is required to be carried out under warrant. Warrants are granted to law enforcement officials by federal judges once certain criteria are satisfied. Warrants may be issued for the purpose of investigating a wide range of criminal and revenue offences.
Is a warrant needed to obtain metadata?
Stored communications, for example on an internet service provider’s server, may be accessed by law enforcement authorities under warrant. However, access to stored communications may also be possible without the necessity of a warrant under a broader range of powers since no ‘interception’ is necessarily required. Currently, a warrant is not needed to access stored metadata and an Australian Federal Police Superintendent only has to complete a request form and submit it to the carrier.
New laws to make data retention mandatory – EU law position
In April 2014, in a case brought by Digital Rights Ireland, the Court of Justice of the European Union invalidated the European Data Retention Directive and removed the legal basis for data retention laws in EU member countries. The CJEU held that the mass collection of metadata unreasonably interferes with an individual’s privacy. The court also noted that the nexus between preventing terrorism or crime and collection of metadata is not explicit enough. Finally, in relation to access to sensitive data, it recommended that a court or an independent administrative body must review a request for access to sensitive data before such a request is approved.
New laws to make data retention mandatory – Australian law position
Today, Australian carriers and carriage service providers do retain and store a degree of metadata and communications data for billing purposes and other analysis. However, as it is not mandatory, this metadata can be deleted when the service provider runs out of storage space in their data centres. Despite the EU decision, the Australian government is trying to introduce legislation to make it compulsory for internet service providers to store all customer metadata for a minimum of two years under the auspices of ‘fighting terrorism’. Forgetting about the privacy concerns, and the fact that the EU has rejected a similar approach, I’ll leave the last word to internet service provider iiNet. The image below shows what iiNet believes to be the actual dollar cost of mandatory data retention…