Live: Samsung Unpacked Live Updates Galaxy S23 Ultra First Look Apple's iOS 16.3 Release 9 Ways to Celebrate Black History Month Best Indoor Plants HomePod 2nd-Gen Review 12 Best Cardio Workouts Salami, Sausage Recalled
Want CNET to notify you of price drops and the latest stories?
No, thank you

The metadata debate: What you need to know about data retention

The former head of the CIA has said "we kill people based on metadata", but as Australia introduces new data retention laws, the country's security chief says he's "not quite sure" what the fuss is about. So what is the truth behind data retention, and why does it matter?

Image by Alexandre Normand, CC BY 2.0

It's been just over a year since documents leaked by Edward Snowden first made their way into headlines, revealing the NSA had been indiscriminately collecting the call data of millions of Verizon customers.

Now, the Australian Federal Government is looking to introduce a bill that will legislate for the mandatory collection of metadata by the country's telecommunications providers and ISPs, for use by law enforcement and security agencies.

In doing so, the Australian Government has initiated public debate on the value of metadata, making claims about data retention that have drawn the ire of both privacy advocates and ISPs. Chief among them are claims that the data is already being collected by telecommunications providers and already being used by law enforcement and security agencies to target criminals and suspected terrorists.

But as post-Snowden awareness of government surveillance grows, the proposed legislation is raising major concerns for Australian citizens who are increasingly conscious of the way their digital identity has the potential to be used, and abused.

'Metadata is the envelope, not the letter'

Simply put, metadata is the digital information that accompanies electronic communication. When you make a mobile phone call, your provider records the time, date, location, and duration of this call, largely for billing purposes.

The definition of online metadata largely remains the same -- the information that accompanies online communications -- but things become more complicated here. Online communications aren't single tin-can connections, they're far more complex and bring with them greater amounts of metadata -- data that can potentially reveal much more about the user than the time they made a phone call.

The familiar metaphor being trotted out by police, the Australian Security Intelligence Organisation, and politicians on both sides of this debate is that metadata is the envelope containing a letter, rather than the letter itself, and that Australians need not be concerned that their 'letters' are being read.

However this statement has been refuted time and again, most notably by Steve Dalby, chief regulatory officer of one of Australia's leading ISPs, iiNet.

"The complex, voluminous, often sensitive and private nature of the data sought under a mandatory data retention regime exposes the hollowness of the claim that communications data or metadata is 'just like the envelope without its contents'," Dalby told a Senate Committee review on Australia's Telecommunications Interception and Access Act.

Dalby is not the first person to emphasise the importance of metadata. Speaking at a Foreign Affairs Symposium debate in the United States on "Re-evaluating the NSA," former director of the CIA and NSA General Michael Hayden uttered the now famous words: "We kill people based on metadata".

Privacy experts have also refuted the seeming simplicity of the envelope rhetoric, arguing that although it may be analogous to telephone metadata, an envelope is not a valid metaphor for the internet age.

Brendan Molloy, president of the privacy-focused Australian political party, the Pirate Party, said that "storing 24 months' worth of metadata from Internet-based communications is not comparable to storing the time and phone number of a phone call" and was a "grotesque attack" on privacy.

But even telephone metadata is not as simple as it may seem.

In 2009, German politician Molte Spitz sued Deutsche Telekom to get access to 6 months worth of his metadata. Displayed in graphic form, this information depicts Spitz's every movement in a 6-month timeline, mapping his movements across Berlin and showing when and where he made calls and sent text messages. It goes to show just how much can be gleaned from one person's metadata, without even listing who Spitz called or texted.

When you do overlay this 'who' with the 'where' and 'when', you can learn a lot more. The Electronic Frontier Foundation, a major group advocating for privacy in the US, has made this argument about "why metadata matters" -- while their comments relate to the NSA, they're also germane to the Australian debate:

The Electronic Frontier Foundation outlines just how much you can learn from metadata. Electronic Frontier Foundation

Speaking to CNET, EFF senior global policy analyst Jeremy Malcolm said metadata could provide invaluable information.

"A pattern of different communications can fit together like a jigsaw puzzle, revealing a bigger picture," he said. "Often metadata is easier to analyse using computerized tools, whereas content cannot be analysed in that way. So collecting the metadata is really skimming the cream."

'The ISPs are already storing metadata'

After the architect of Australia's data retention policies, Attorney-General George Brandis, stumbled through an uncomfortable interview on the definition of metadata, the AFP and ASIO held a joint press conference aimed at clearing up the confusion.

Joining AFP Deputy Commissioner for National Security Andrew Colvin was Director-General of Security and ASIO chief David Irvine, who said he was "not quite sure why" there was so much concern about proposed data retention legislation.

"This is not some great mass surveillance exercise or mass invasion of privacy of every citizen in Australia," he said. "It is very, very carefully targeted."

However, mandatory data retention would require ISPs to retain data on all of its customers, not just a targeted few -- what the Pirate Party's Brendan Molloy described as "a blanket Internet surveillance regime [that] treats us all as suspects".

Beyond the surveillance question, mass data retention also raises the serious issue of storage.

According to Steve Dalby, iiNet's phonecall metadata could be stored on a USB stick; however, when it comes to online browsing activity, iiNet's customers generate "petabytes" of metadata every day. Dalby emphasised that this data is not currently being stored by the ISP. He said the proliferation of online metadata was doubling every 18 months to 2 years, and that retaining this data would cost iiNet AU$100 million ($92 million, £56 million) in the first 2 years alone.

iiNet has illustrated just how much data can be generated by a simple communication, using the example of a tweet. A single 140-character tweet carries with it the tweeter's username, screen name, location and online bio as well as who the person is replying to and even the full text of the tweet. According to Dalby, something as simple as a tweet could be accompanied by "thousands of characters in the metadata".

iiNet has pulled out all the metadata contained in a tweet. iiNet

The issue of a surfeit of data naturally raises the question of how it is stored and analysed. Should the ISPs bear the cost of government regulation in storing this data? Considering major data breaches that have shaken online confidence across the world, can private companies be trusted with this data (especially considering Australian law does not require companies to inform customers if their data has been hacked)? And is a wide-sweeping dragnet that retains data on every Australian internet and telephone user the best way to target the select few criminals?

At some point, there is a law of diminishing returns. As Al Gore said in 2013 when commenting on the mass NSA surveillance exposed by Edward Snowden, "When you are looking for a needle in a haystack, it's not always wise to pile more hay on the haystack".

The fight against terrorism

The justification for mass data retention in Australia has been strongly framed in terms of counter terrorism. The legislation was drafted by the Government's National Security Committee -- a team that includes the country's Immigration Minister, Foreign Affairs Minister, and Attorney-General -- and was revealed as part of a suite of measures to target a terrorist threat that is "as high as it has ever been".

However, the international example indicates that mass data retention is not always the best method of combating home-grown terrorist threats.

Citing research published earlier this year by the New America Foundation, EFF's Jeremy Malcolm said metadata collection had "provided minimal benefit in combating terrorism, and that traditional investigation techniques remain the most effective".

"There is no reported case in which metadata collection has helped prevent an actual terrorist attack or helped dismantle a terrorist network," he said.

Angela Daly, a research fellow in media and communications law at Swinburne University of Technology also said the link between mass surveillance and prevention of terrorist activity "ought to be debunked".

"At least the government should be forced to provide evidence of when this has directly been manifested in practice, since experience so far tells us that mass surveillance has not been effective in preventing terrorism such as the Boston bombings (despite the United States' dragnet surveillance)."

Daly noted that the European Union's Data Retention Directive (after which Australia has broadly modelled its legislation) has also had limited success.

"Earlier this year, the highest court in the EU pronounced that directive invalid for various reasons, including it being disproportionate to the aim of fighting serious crime, it being a mass surveillance scheme of all communications users...and so a disproportionate invasion of the law-abiding citizens' privacy, and there were not enough safeguards around how the data would be secured," said Daly.

Metadata as a tool against crime 'more generally'

It's not just terrorists that are being targeted in the Australian metadata sweep -- the country's Prime Minister and Attorney General have both indicated that Australians' metadata could be accessed for "crime fighting more generally".

According to statistics from the Attorney-General's Department (PDF), more than 300,000 authorisations were made in the 2012-2013 financial year for law enforcement agencies (such as police) to access metadata in order to enforce a criminal law. But it wasn't just police and ASIO -- local councils and animal welfare groups were also authorized to access metadata.

Deputy leader of the minority Australian Greens political party Adam Bandt recently told the ABC that "if the government is concerned about illegal activity, then it should do what it does elsewhere and get a warrant" rather than enacting "a plan to spy on every Australian".

Similarly, Swinburne's Angela Daly said weeding out criminals was not an excuse for mass surveillance:

If data gathering and surveillance is deemed necessary to protect society as a whole against certain serious crimes and 'terrorism'...then it needs to be targeted at people who are suspected of committing or preparing such crimes and a warrant should be sought to conduct the surveillance.

This ensures the rule of law is followed, that the vast majority of law-abiding citizens' privacy is respected.

There has to be more critical questioning of why all of this is necessary and why the government is seeking such a wide ranging and intrusive scheme rather than powers to perform targeted surveillance of suspects.

But what of the argument that mass data retention is not a problem if individuals don't have anything to hide?

"We know that smear campaigns are often used against those who have committed no crime, especially whistleblowers and dissidents," said Jeremy Malcolm of the EFF. "Additionally, data collected for law enforcement purposes may be misused, either by wayward government agents or by hackers or criminals who obtain the data, and this may result in identity theft, financial losses or even physical danger for those whose data is revealed."

'This is not a new power...'

Perhaps the biggest concern raised for many in this debate is the realisation that data retention has already been commonplace across Australia for years. At the recent ASIO-AFP joint press conference, after ASIO's chief said he was unsure why the debate was making news, AFP deputy commissioner Andrew Colvin reiterated that data retention was nothing new.

"This is not a new power for law enforcement and security agencies in this country, it's a consolidation and an attempt to get consistency in the storage provisions for data that we already collect and that we already use," he said.

Mass data retention will always be a divisive topic -- it is attractive as a crime-fighting tool for police and spooks, but also raises the hackles of privacy advocates who argue that the ends do not justify the means.

But there could be a looming battle on the Government's hands as it tries to sell this legislation to the Australian public.

Australians are becoming increasingly aware of how much of their digital identity they leave behind when they go online, and that these seemingly innocuous fragments of metadata create more of a complete picture than they'd imagined.