Australia’s Dystopian Data Law Is Changing the Internet Spying Game

Metadata collection isn't just for secret government programs anymore.

Aug 31 2015, 6:53pm

The Australian government passed a law in March that lets law enforcement collect, store and access potentially revealing information about the country's internet users without a warrant.

The law is set to finally take effect on October 13th, just over a month from now, giving some experts the feeling that a privacy dystopia is on the horizon down under. Given that the FBI has been crying wolf about the internet "going dark" for years, it also sets a worrying precedent that will likely be closely watched by other Five Eyes nations.

The law requires internet companies in Australia to collect and store metadata—detailed information about your internet usage—like who you email and when, your IP address, the duration of your browsing sessions, and how much data you download and upload. The data must be stored for two years and shared with numerous government agencies, including law enforcement like regular police, for investigative purposes.

"Data retention in and of itself is an intrusive obligation that has yet to be proven to be effective," Tamir Israel, a privacy lawyer for the Canadian Internet Policy and Public Interest Clinic, wrote me in an email, "[It's] wholly unnecessary in light of existing preservation powers, starts from the basic presumption that every individual is going to do something wrong one day, and generally undermines online anonymity, leaving customer data vulnerable to malicious hacking and lawsuits."

Government metadata collection programs have operated in a legal grey zone for some time, but Australia's new law will be a quantum leap in terms of government-sanctioned spying. Israel noted that the key difference between the NSA's XKEYSCORE initiative, for example, and the new Australian program is that user information will no longer just be available to spy agencies. Now, police could access it to investigate even petty crimes.

The program would also essentially create a massive trove of user information just waiting to be hacked, and the costs associated with securing it were noted by Australian telecom iiNet as a drawback of the initiative. For example, the report notes the need for new hardware and regular maintenance to store the massive database.

Metadata might seem like pretty sanitary stuff, but it can be easily used to reveal personal details about users. Police would be able to see that someone, perhaps a journalist, downloaded gigabytes of data while visiting Pastebin after a data dump by hackers, for example. By way of a more personal example, law enforcement would also be able to see that a woman emailed an abortion clinic.

But that's not all that can be done with metadata. In one test initiative, CSEC (Canada's CIA) used metadata collected over an airport's public WiFi network to track users for days after their initial connection. It's unclear whether this program was put into wider practice.

Despite its invasiveness, the effectiveness of bulk metadata collection when it comes to actually stopping crime is dubious. A 2014 report by the New America Foundation found that just 17 of 227 cases involving people or groups charged with committing an act of terror in the US post-9/11 were credited to NSA surveillance. The report concluded that metadata collection had "no discernable impact" on preventing terror attacks.

Regardless, Australia has changed the game when it comes to online spying. From here on out, metadata collection will not be some abstract thing, the purview of secretive government programs. In Australia, it's about to become a routine fact of life.