The Australian Government Started Tracking Your Online Moves Last Night

Everything you need to know about metadata retention and how you're affected.

by Samuel Tate
Oct 13 2015, 12:00am

Last night at midnight data retention laws became active across Australia. This step is regarded either as necessary to combat terrorism, or as an incredibly invasive nationwide breach of privacy, depending on who you listen to.

The law requires your telco and internet provider to retain that ubiquitous buzzword—metadata—which is a record of your activity online or over the phone, for up to two years. Leading up to the enactment of the law the Government came under fire for not being able to describe what metadata is. You might recall Attorney General George Brandis completely failing to define it, then sweating a lot.

The Government has finally defined metadata as the IP addresses of sites you've visited, who you've called, where you used the service, and the duration. George Brandis referred to the IP address as the envelope, but not the contents; however, it's argued that these basic pieces of information paint a fairly clear picture of a person's behaviour.

If you don't believe that, follow this link to one of Google's least publicised and creepiest tools, Google Location History, to find out how your phone has flagged your every move. Then, to see how much your IP says about you, visit this link to get suitably creeped out all over again.

How did this all begin?

The Telecommunications (Interception and Access) Amendment (Data Retention) Bill was first introduced in late 2014 and received bipartisan support from both the ALP and the LNP. Both parties have come under fire for their lack of clear definitions, lack of engagement with stakeholders, and for acting contrary to privacy and human rights conventions, yet the bill passed in early 2015. The law is now active, although many telcos have claimed they're not ready to retain so much data. These companies are being given an 18-month grace period, so long as they submit a plan to prove they'll be ready within 18 months.

How will this impact you?

You may feel that if you have nothing to hide, you have nothing to fear, and you may or may not be swayed by the threat this poses to activists and journalists. But the mandatory retention of your data will mean that there will be a history of times, locations, browser types, durations of sessions, and who you talked to.

In a worst-case scenario, let's say you're trying to escape a violent partner. No one can see what you've read online, but they can see you visited a shelter's website, made a phone enquiry, and then visited later that day. Now imagine that partner was a police officer. Considering leaks showed NSA members were sharing naked photos trawled in America's data retention program, it's not a far leap to imagine how these powers could be abused.

While it has largely been enacted to aid law enforcement and counterterrorism bodies, this claim has been challenged. In the entirety of the NSA data collection program, data retention hasn't been credited with stopping a single terrorist attack.

Concerns arise that the dragnet acquisition of data could be used to prosecute other offences, as well as threaten the privacy of high-risk citizens, such as activists and journalists. Journalists and whistle-blowers are now able to be jailed for disclosing a "special intelligence operation." This means a journalist would have the choice of being gagged or risk going to jail, simply for shedding light on an issue the Government doesn't want released. An obvious example is the pressure now faced by journalists who leak information from offshore detention centres. This has already happened. Journalists discussing Nauru have been referred to the Australian Federal Police for investigation, because they argued government contractors have been complicit in child abuse.

While the main bodies who will access it are the AFP and ASIO, enforcement bodies from the ATO to Centrelink will also be able to access the data. A tax agent, for example, could track your behaviour to prove you are living outside of your means. And while catching criminals and tax evaders is a noble pursuit, the metadata requests are warrantless, meaning an official from any department given access could review the most intimate aspects of your life, with very little official oversight.

There is also the concern that by collecting wholesale data, individuals will be exposed to risk from hacking and data leaks. A cyber criminal who got access to these files could quite easily commit identity theft, blackmail, and a host of other things that can pretty easily ruin your life. This is the same government that accidentally leaked President Obama's passport details, as well as the details of 30 other world leaders, last year, because they didn't know how to use email properly.

The final downside is that this will also hit your wallet. Regardless of whether it's paid through tax or by telcos, users will end up being the ones footing the bill. PricewaterhouseCoopers estimated the upfront costs as being between $188 million and $319 million, while iiNet estimates the flow-on costs will be $130 per user, per year.

How can I get around this?

It's funny because this $300-million-a-year program can be avoided using a simple VPN. A Virtual Private Network routes your traffic through a server in some other part of the world, so it appears to come from that server's IP address rather than yours, making it look as though you're thousands of miles from where you actually are, and therefore not you. An example of this in action is the Dallas Buyers Club case in which the movie studio, Voltage Pictures, requested that telcos turn over the IP address of anyone who downloaded it illegally. Yet anyone using a VPN would have appeared to be surfing in a different country, with their location masked.

On his website, Greens Senator Scott Ludlam, an active opponent of the law since its inception, outlines some easy ways you can set up a VPN, mask calls and text messages, and maintain data privacy. This won't just protect you from the government, but from other malicious online players.

The last criticism of the program, and this one should be fairly comforting, is that using an offshore service such as Gmail or Fastmail will mean your email and other services fall outside the scope of Australia's laws and won't keep your data—or at least not for the Australian Government. Also, voice-over-IP services (like FaceTime) won't be tracked in the same way as normal calls. This means anyone using a foreign service can avoid the impacts of data retention.

If you're still not sure how to avoid getting tracked online, watch Malcolm Turnbull (when he was still Communications Minister and not PM) explain how the layman can avoid phone-based data retention.

Is this forever?

Similar laws in the UK have been overturned as being "inconsistent with European Union Law," but there's no talk of a court challenge and all attempts made by The Greens to add extra layers of protection were defeated in the Senate. Whether evidence procured through metadata retention will be admissible in court also remains to be seen.

For now, metadata is the new norm and it's your choice how much privacy you want to maintain.
