Tag Archives: metadata

Think your metadata is only visible to national security agencies? Think again

Posted on by

Damien Manuel, Deakin University

It was bound to happen, and it did. Poorly crafted legislation – designed to allow national security agencies to collect information with the aim of protecting Australians from terrorists – is now reportedly being exploited by a range of different government agencies for other purposes.

It has been widely reported that the Veterinary Surgeons Board of WA, Victorian Fisheries, Liverpool City Council, and the Australian Sports Anti-Doping Authority are among the entities that have requested access to metadata.



Read more:
Benign and powerful: the contradictory language of metadata retention

Under the Telecommunications (Interception and Access) Act 1979, only agencies tasked with enforcing criminal law are entitled to access metadata from telecommunications companies.

Metadata is the information recorded by the telco when you make a call or use the internet. It can include information such as where you are, whom you called or texted, how long you talked for, how frequently you called or texted someone, what services you used, what websites you visited and when, and much more besides.

Under the legislation there are 22 criminal law enforcement agencies that can legally access these metadata. They include the federal police, state police forces, the Australian Criminal Intelligence Commission, federal and state police integrity commissions, state anti-corruption bodies, and parts of the Australian Border Force.

The federal home affairs minister also has the power to declare other agencies as “enforcement agencies” under the law.

Why is data being accessed?

Generally, enforcement agencies are entitled to access metadata if it is either given to them voluntarily, or if they issue a formal request for information they believe is required to perform their duty.

The definition of an enforcement agency was narrowed in 2015, at the same time the federal government introduced the controversial mandatory data retention framework, which requires telcos to retain customers’ metadata for at least two years.

Before the definition was tightened, an estimated 80 different agencies were covered by the previous laws. They included not just criminal and national security investigators, but also a wide range of agencies pursuing financial matters such as unpaid fines or taxes.

Since 2015, however, most of those agencies found themselves excluded by the new definition of an enforcement agency, but could use a range of laws that still grant powers to request metadata directly. One example is Section 20 of the New South Wales Fair Trading Act 1987. According to the submission made by the Australian Communications Alliance to the Parliamentary Joint Committee on Intelligence and Security, 60 federal and state agencies have sought access to metadata via this mechanism.

What is metadata anyway?

The information contained in metadata was infamously described by former Attorney-General George Brandis as the “material on the front of the envelope” (rather than the contents of the letter itself). But in reality it is much, much more.

Of course, metadata can be useful to help telcos improve their services, by revealing peak calling times or popular locations on the network. But you can also think of metadata as a digital breadcrumb trail that each of us leaves in our wake as we go about our lives.

It can provide enough information to establish a detailed picture of someone’s life: their daily routine, relationships, interests, preferences, and behaviour. It can even reveal someone’s location, to whom they have spoken, and for how long.

It seems excessive that two years’ worth of someone’s metadata can be kept on file and then obtained without a warrant. Although the low access threshold was called out in submissions before the law was passed, there was no public discussion of the implications for privacy and liberty.

If properly understood, the metadata access regime would not pass the pub test.

How is metadata really being used?

The federal home affairs department’s 2017-18 annual report lists a range of offences for which metadata has been sought by various agencies.

The report says that information was sought in relation to a total of 23,586 criminal offences including homicides, abductions, sexual assaults, fraud, robbery and drug offences.

Offences against which authorisations were made for access to specified information or documents that come into existence during the period for which an authorisation is in force (part 1).
Telecommunications (Interception and Access) Act 1979 Annual Report 2017-18
Offences against which authorisations were made for access to specified information or documents that come into existence during the period for which an authorisation is in force (part 2).
Telecommunications (Interception and Access) Act 1979 Annual Report 2017-18

The report also reveals that 300,781 items of metadata were disclosed during the reporting period in total across all categories.


Telecommunications (Interception and Access) Act 1979 Annual Report 2017-18.

Law enforcement agencies have claimed that metadata helps to eliminate suspects by revealing their networks and contacts. But there is no information regarding the use of metadata by government bodies that are not officially enforcement agencies within the meaning of the data retention laws.

In simple terms, there is no central public report that outlines how all state and federal agencies are accessing and using this information.

Metadata stored is available to any enforcement body with the power (under state or federal law) to request or require the information. By tightening its definition of “enforcement agencies” in 2015, the federal government denied many smaller agencies the right to access metadata directly, but did not prevent them from getting it via other means. As a consequence they were also excluded from supervision by the Commonwealth Ombudsman.



Read more:
Is it possible to circumvent metadata retention and retain your privacy?

One interesting exception is that civil courts are prevented from obtaining metadata as evidence in civil proceedings, unless the metadata was collected and held by the telco for some purpose other than the mandatory data retention regime. Given the huge range of other authorities that can access it, this seems rather arbitrary and unfair.

So where to from here? Besides amending the law, it is also time for a wider public debate over the correct balance between our privacy and civil liberty on one hand, and our protection and national security on the other. This is especially important as we become more and more reliant on digital technology to live and work. Just imagine the privacy implications with 5G, when more personal devices are connected to the internet like your smart meter, light bulbs and toaster.

This article was coauthored by Patrick Fair, Chairman of the Communications Reference Panel, Communications Alliance.The Conversation

Damien Manuel, Director, Centre for Cyber Security Research & Innovation (CSRI), Deakin University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Advertisements

Revisiting metadata retention in light of the government’s push for new powers

Posted on by


File 20180608 137322 zwv8sg.jpg?ixlib=rb 1.1
Despite its enormous cost, the metadata retention scheme wasn’t future-proof.
Shutterstock

Rick Sarre, University of South Australia

The Minister for Law Enforcement and Cybersecurity, Angus Taylor, foreshadowed this week that the Turnbull government will continue to pursue new law-enforcement powers that would allow authorities access to encrypted digital data in the fight against terrorism, organised crime and online crime, such as cyber fraud and child exploitation.

To assess the worthiness of this pursuit, it is useful to review the developments in the past six years regarding the government-mandated collection and storage of mass electronic data, referred to as “metadata”.



Read more:
Police want to read encrypted messages, but they already have significant power to access our data

Mass metadata collection

Metadata does not contain content. It is simply information about the digital links involved in communications, the location of the caller and receiver, the date and time of the calls, and the length of the conversation. It includes data pertaining to short messaging service (SMS) text messages, and the Internet Protocol (IP) addresses of users’ devices.

Twenty-one law enforcement agencies have been granted access to track and retain metadata. Given the ubiquity of smartphones and other portable devices, these agencies can find an enormously rich trail of information regarding users’ locations, calls and networks.

Metadata retention emerged as a potential strategy with the release in 2013 of the report of the Joint Committee on Intelligence and Security. The Committee noted that such a scheme would be of “significant utility” to national security agencies.

The government responded in due course. In October 2015 new laws came into force requiring telecommunications service providers to retain and store their metadata for two years so that it remained available for analysis.

The prime minister at the time, Tony Abbott, explained the decision thus:

To help combat terrorism at home and deter Australians from committing terrorist acts abroad, we need to ensure our security agencies are resourced properly and have the powers to respond to evolving threats and technological change.

The government sought to allay any concerns about executive “overreach” by giving a role to the Commonwealth Ombudsman to assess an agency’s compliance with its legislative mandate.

Concerns at the time

There were several other concerns raised at the time of the passage of the legislation. The key one was that it had the potential to erode the very democratic freedoms that governments are duty bound to protect, such as freedom of political association. It was pointed out that democracies such as France, Germany and Israel had not legislated for mass metadata collection.

Moreover, in addition to general privacy unease, there was a concern that there was no guarantee that our allies – when analysing Australian metadata – would preserve the privacy safeguards set out under Australian law.



Read more:
Metadata and the law: what your smartphone really says about you

Hackles were again raised when, in April 2017, an Australian Federal Police operative sought and acquired the call records of an Australian journalist without a warrant.

The AFP Commissioner, Andrew Colvin, quickly acted to alert the media and to offer the opinion that there was no ill will or bad intent. While this assurance was comforting, the ease with which the access was obtained was, for observers, a problem.

It wasn’t future-proof

But the key fear was that the strategy, for its enormous cost — A$740 million over ten years — was not future-proof. Technologies that can hide from metadata collection are readily available and widely used.

Any encrypted messaging app — such as Wickr, Phantom Secure, Blackberry, WhatsApp, Tango, Threema and Viber — can circumvent data retention. Moreover, any secure drop system based on Tor is capable of evading metadata scrutiny too.

So that’s where Angus Taylor’s concerns are coming from.

He wants to find a way of compelling the telecommunications companies (telcos) to hand over encrypted data when his agencies suspect that communications are occurring in the pursuit of nefarious purposes.

Will this be through some form of commercial arrangement? Will it be via a threat to block services of non-compliant telcos? Will it involve embedding surveillance codes in devices? Will warrants be required in all cases? How much will it cost?

We won’t know until the legislation comes before the parliament. What we do know is that the process will not be easy.



Read more:
Police want to read encrypted messages, but they already have significant power to access our data

We don’t know if these powers are effective

It is worth remembering that governments must ensure that no policy sacrifices our hard-fought liberties in the pursuit of an expensive goal that is not readily attainable.

Indeed, we don’t even know whether the current metadata laws are having the desired effect. Anecdotal evidence emerges from time to time from law enforcement agencies that they have disrupted serious threats, but there has been no actual evidence that the disruption was caused or aided by access to metadata because of the secrecy that shrouds issues of national security. It boils down to a case of “trust us”.

The ConversationSo it is virtually impossible for the public to assess whether the digital data collection by security agencies has been effective or necessary, or even what that collection actually involves. We can only hope that the debate over accessing and analysing encrypted services is a little more enlightening.

Rick Sarre, Adjunct Professor of Law and Criminal Justice, University of South Australia

This article was originally published on The Conversation. Read the original article.

Metadata collection comes under fire in new UN anti-surveillance draft resolution

Posted on by

This has implications for Australia.

Gigaom

Germany and Brazil have drafted a new version of an anti-surveillance resolution that the United Nations adopted late last year, this time describing the collection of metadata as a “highly intrusive act.”

The earlier resolution was also the product of German and Brazilian anger over the mass surveillance revelations of NSA leaker Edward Snowden (well, specifically their anger at their leaders being personally spied upon, but we’ll take righteous outrage where we can find it).

However, while it described the monitoring and collection of communications and personal data as a threat to human rights, it didn’t talk about metadata – the logs of who contacted whom and when, or which webpages people visit, as opposed to the contents of those communications and webpages. These details also paint a vivid picture of a person’s activities and networks.

According to a Thursday Reuters report, the new draft says that arbitrary surveillance…

View original post 327 more words

Australia offered to share citizens’ metadata with allies, report claims

Posted on by

Gigaom

Australia’s intelligence services have been happy — at least in principle — to share raw data about the communications of Australian citizens with espionage partners in the U.S. and Britain, according to the latest NSA leak published by the Guardian.

Australia is part of the so-called Five Eyes alliance, which was set up in the turbulent 1940s as a way for a core group of English-speaking nations to share signals intelligence with one another and to avoid spying on one another. The other members are the United States, United Kingdom, Canada and New Zealand.

The latest piece of surveillance-related information, brought to light by NSA whistleblower Edward Snowden, records a meeting held by the five countries’ intelligence services in 2008. At that meeting, the services discussed how comfortable they were with sharing metadata – the fragments of recorded information that tell the spooks who contacted whom and when.

It seems…

View original post 233 more words