CNET también está disponible en español.

Ir a español

Don't show this again


Surviving data retention: What you need to know

Every Australian with a mobile phone or an Internet connection is now having their digital activity recorded. As the government's new data retention laws come into effect, we give you the run down on what it means and how you can maintain your privacy.


When data retention laws passed in March, implementation seemed a long way off. But just like that awful leopard-print jacket you bought on eBay, it's finally here, along with that sinking feeling that it could have been a terrible move.

As mandatory data retention was debated in parliament and in the public sphere, many politicians struggled with technical terms trying to define metadata. Did it include browsing history? Was it just the writing on the back of a digital envelope? And is Skype really just a phone for your computer?

On Data Retention Day Zero, CNET has your guide on what the scheme involves, and what you can do to maintain your digital privacy.

What is metadata?

Metadata is essentially the information that accompanies the content of a digital message. This might be the timestamp on a text message, or the cell tower that you're mobile pings when you make a phone call.

While proponents insist metadata is not the content of a message, civil liberties advocates have argued that, on the scale that it will be collected, metadata can build up a very accurate picture of an individual user. In the words of one iiNet exec, "If you have the metadata, you have the content."

What do the laws require?

ISPs and telcos will be required to retain particular data points for all their subscribers for a minimum of two years.

The full data set included in the laws can be found in section 187AA of the legislation [PDF] (happy reading!) but includes the name and address of a subscriber to a telco service; the source and destination of communications; the date, time and duration of a communication; the type of communication or service used for connection (think SMS or Wi-Fi); and the location of equipment (such as cell towers) used to make the communication.

The laws don't apply to services provided through internal networks not available to the general public (such as company or university networks) or 'single place' services such as Wi-Fi in cafes.

But even as data retention comes into force, a Communications Alliance survey of more than 60 telecommunications service providers found that only 16 percent of companies are 'ready' to retain and encrypt data as required.

Why does the Government want your data?

The debate began on national security grounds, with politicians saying data retention would help police combat terrorism. The police and Australia's top security agency ASIO took a similar line, but also argued that data access could be used to target criminal activity more generally and could be used in civil cases (though the AFP backtracked on saying metadata could be used to find pirates).

They also argued that the laws maintained the status quo, and that police would not get access to new data.

Under the radar, over the top

A virtual private network can be used to hide your online location. VPN Unlimited

Get a VPN

A VPN is essentially a way to mask your location online.

While data retention laws and the recent iiNet v Dallas Buyers Club case have seen VPN use spike, using a virtual private network is also a good idea if you use public Wi-Fi frequently or you want to stay secure online.

You can check out our full guide to getting a VPN here, but factors to consider are device compatibility, the location of the provider's servers and their policies on logging user activity. There are also free VPN providers, but it's worth bearing in mind what you might be trading off for free access.

Over-the-top messaging

Just before the data retention laws were passed in March, then-Communications Minister Malcolm Turnbull revealed he thought traditional SMS was "insecure" and instead used secure messaging apps such as Wickr.

Communications carried "over the top" of a traditional Internet connection are not subject to the laws, so ISPs and telcos don't have to store metadata relating to a range of apps. These include over-the-top services like iMessage, WhatsApp and even Snapchat.

There are also plenty of apps, such as Wickr and ChatSecure, that target privacy-conscious users with features such as randomly-generated keys or open-source encryption.


Just like messaging apps such as Wickr and WhatsApp, VoIP calls are sent via internet connection, so ISPs aren't required to log call times, or caller/recipient details. As a result, apps such as FaceTime and Skype will keep you out of the metadata net.

The Australian Pirate Party has also put together a good how-to guide on maintaining your digital privacy, broken down by device type, with step-by-step instructions care of the Electronic Frontier Foundation.

If you have nothing to hide you have nothing to fear?

It's a common phrase bandied about in pub-politics discussions. But those at the centre of the issue have raised legitimate concerns about what some have described as state-sanctioned "surveillance".

Beyond the major privacy questions, Telcos and ISPs have pointed out that they'll face increased costs around admin and storage with the scheme, suggesting it may be cheaper to look overseas for data storage. Critics argue that when costs for service providers go up, customer bill hikes can't be far behind.

The bulk collection of personally-identifiable information also raises questions about security, with some saying metadata could become a . Australia doesn't currently have laws requiring companies to disclose data breaches, so even a large-scale hack could go under the radar.

Finally, opponents of the data retention scheme have warned about the potential for scope creep. The scheme was extended just two months after passing Parliament to give the Australian Border Force access to metadata, a move Greens Senator Scott Ludlam described as "extremely distressing."

What else can you do?

If you want to know just how much of your digital life can be accessed, why not request the data from your telco? As of April, Telstra customers are able to request access to the metadata that it provides to law enforcement agencies without a warrant.

But with iiNet anticipating that data retention could lead to petabytes of data being stored every day, service providers may soon be looking for a needle in a very large haystack of metadata.