Australia's metadata debate is an utter shambles
The goalposts are moving hourly and ministers are contradicting intelligence agencies and themselves
As much as anything, Australians should fear the government's metadata retention proposals because it's becoming increasingly clear that our politicians have no idea what they're proposing.
Within a single day of the prime minister, Tony Abbott, taking to the microphone with attorney-general George Brandis and foreign minister Julie Bishop to announce the plan as a raft of counter-terrorism measures, the PM has:
- Broadened the justification for metadata retention from preventing terrorism to crime-fighting “in general”;
- Stated that the new laws are needed because carriers already store the data the government wants;
- Asserted that metadata retention will involve no cost to carriers because they already collect the data the government wants; and
- Broadened the scope of the data collection to Web browsing history, while simultaneously trotting out the national security establishment's falsehood that metadata collection is no more than “reading what's on the envelope”.
In a single day, the prime minister has put himself at odds with statements made by the national security establishment – most usually from the director-general of ASIO, David Irvine – to parliamentary committees examining data retention, security laws, and telecommunications interception laws.
On the need for new laws, Irvine is on the record as saying new data needs to be retained, because the Internet is different from the telephone network, where call data records are required for billing purposes.
ISPs currently don't keep per-communication metadata records for Web access, for Skype calls, for Tor connections, for e-mails and all the rest. Australia's national security and law enforcement agencies all want that data collected.
The PM, however, believes it already is collected, telling the ABC's Michael Brissenden that “the metadata we're talking about is information that is already kept”.
“All we want is for the telecommunications companies to continue to keep the person sending the information, the person to whom the information is being sent, the time it was sent, and the place it was sent from,” he said to Brissenden on the national radio programme AM.
The “envelope” metaphor is pervasive. The Register notes that it was used by Irvine as recently as July, and was used yesterday by Alistair MacGibbon of the Centre for Internet Safety (a kind of spook think-tank at the ANU) on Sydney's ABC 702 Drive show in conversation with presenter Richard Glover yesterday (August 5).
The “envelope” metaphor is a dangerous falsehood – and it's one that tripped up the PM in conversation with Channel Nine television, when he decided to expand on it.
“It's not the content of the letter, it's what's on the envelope … it's not what you're doing on the Internet, it's the sites you're visiting. It's not the content, it's just where you've been, so to speak.”
Once again, the prime minister seems to have contradicted Irvine, who in July said Web browser history is out-of-scope for metadata retention, saying “The principle is that web surfing … or, indeed, Googling 'Al-Qaeda atrocities' … is not picked up by us, not regarded by us as metadata”.
Then there's the question of why: yesterday's focus on terrorism has been expanded by the prime minister to include general crime-fighting. Quoting again from his interview with Michael Brissenden: “all of the expert advice from our counter-terrorist agencies is that this is absolutely critical, not just in the fight against terrorism, but in crime-fighting more generally.”
The Register would argue that political confusion about the entire debate – what is metadata, what will be kept, and what the agencies want – is dangerous. It greatly increases the likelihood that the government will be given a legislative agenda by the Australian Security and Intelligence Organisation (ASIO), The Australian Secret Intelligence Service (ASIS), the Australian Signals Directorate (ASD) and the Australian Federal Police (AFP), and will enact that legislation without grasping its import until later.
What of crypto?
Keep in mind that in the rush to debate yesterday's announcement, nobody seems to have considered the interaction between metadata retention and the Department of the Attorney General's desire to enact laws to force Australians to hand over encryption keys.
That emerged back in March – sufficiently long ago to have slipped everyone's attention.
At least one thing that's indisputably “metadata” would be the fact that someone's contacted a site offering VPN services, or that their e-mail negotiated a crypto session, or even that a corporate router began its connection to a service provider or another corporate router by negotiating encryption.
That last scenario – an enterprise network-to-network connection – brings up what The Register suspects is another error made in the public debate.
Right now, it's framed as data collection about individuals. This is partly because the government frames it that way when it talks up the terror threat.
But is that the limit of the metadata collection? Would carriers and ISPs also have to collect metadata about corporate connections to their network?
Vulture South suspects the answer is “yes”, if for no reason other than there's nothing in a TCP/IP packet that distinguishes the kind of entity that initiated the communication. Only if the traffic originates from an account associated with a corporate entity could the ISP tell the difference, and even then, there are individuals like sole-traders who sign on for business accounts, and businesses that use individual accounts.
Let's scale this up even further: would AS-AS communications require metadata collection and retention? Would peering exchanges have to collect metadata about the connections between their members? At what point might network operators find themselves facing demands for their customers' encryption keys?
There's no point in asking the government: even the prime minister mistakes Web browsing history for metadata. ®
Bootnote: In the interests of fairness to the Prime Minister, and because the ABC has not yet posted a transcript of his interview, The Register has transcribed relevant statements below.
“They're [the data retention laws – El Reg] not invading privacy. The metadata we're talking about is information that is already kept.
“All we're saying is that the telecommunications providers should continue to keep this organisation [a slip of the tongue. We believe he meant “information” – El Reg].”
“An interesting and I think instructive metaphor is that the metadata is the material on the front of the envelope, and the contents of the letter will remain private. All we want is for the telecommunications companies to continue to keep the person sending the information, the person to whom the information is being sent, the time it was sent, and the place it was sent from.
“It's as it were, it's the information on the front of the envelope which is currently kept, has been kept, we want it to continue to be kept. That's what we're proposing. We're not proposing anything new, we're just saying that the information that is currently kept by the telecommunications companies continue to be kept because all of the expert advice from our counter-terrorist agencies is that this is absolutely critical, not just in the fight against terrorism, but in crime-fighting more generally.
“My understanding is that if it's generated by you, it's content, and that won't be kept. If it's generated by the service provider, that's metadata, and that will be kept.
“We're not asking anyone to do what they don't already do, we're simply asking that they continue to do it, as technology changes, because this is an important weapon in the fight against terrorism, in the fight against crime more generally.
“This is not a new proposal, so to speak, it is simply a proposal that they continue to do what they've always done.”
When asked about the cost of data retention, the PM responded: “I don't know why they [ISP iiNet – El Reg] would be saying that, because this is information which is already kept. It's information which is currently kept … it's embedded in the current price. It's already factored into current pricing structures.
“We're not asking people to do anythink [sic] new, we're just asking people to do what they're currently doing. We're just asking them to keep doing what they're currently funding from the charges that they currently apply.
“I have no doubt that the civil libertarian brigade will do their best to stop this, but my responsibility as prime minister is to keep our country safe. That's my responsibility, and all the expert advice from every single counter-terrorist agency is that this information is absolutely essential if we are to maintain our vigilance against terrorist activity.” ®
Sponsored: Becoming a Pragmatic Security Leader