The Case Against Metadata Retention : Part 2

The government's plan to force telecommunications providers to retain a set of metadata for every person has privacy advocates up in arms and police and security agencies telling us that this legislation is essential for fight crime in the 21st century.

So, who is right?

In the second part of our two part series we look at the negative side of the argument.

Scott Ludlam is an Australian Greens Senator and spokesperson for Broadband, Communications & the Digital Economy and Chair of the Senate's Legal and Constitutional Affairs References Committee. He was first elected in 2007.

Ludlam was one of the keynote speakers at the Tech Leaders forum held in Sydney in February 2015. He discussed why the proposed metadata retention legislation currently being debated is a bad piece of legislation for Australia.

In his view, many of the arguments used in support of the proposed metadata retention legislation are the same as those invoked when legislation proposing a filter is put on Australian's access to the Internet.

"Very similar arguments were being levelled around, basically, being able to keep up with corruption, with national security issues, with child pornography, with organised crime - that we need to control this vast, unwieldy and effectively control this out of control communications platform," said Ludlam.

Ludlam was at pains to tell the audience, most of whom seemed supportive of his opposition to the bill, that he did not have "a beef" with the various law enforcement agencies that support the bill. Rather he had a "strong but respectful disagreement" with the balance between privacy and security in the proposed bill and with whether there was supporting evidence from overseas jurisdictions.

He repeated many of the same that he has used in the Constitutional Affairs References Committee.

The policy's origins was in mid-2008 according to Ludlam, when the story was leaked by an ISP who was summoned to a secret meeting with the Attorney-General's office.

"This proposal for quite indiscriminate collection and archival of material for everybody, whether you're suspected of criminal activity or not, was on the cards'" he said.

Ludlam and colleagues from the coalition, who were in opposition at the time, launched a Senate inquiry into digital privacy and use that as the forum for bringing what was being looked at for further study.

Four years later the proposal reappeared, under pressure from the same officials in the Attorney-General's department, in the Parliamentary Committee for Intelligence and Security - a committee with no cross-bench representation at the moment.

Read more: The week in security: Data retention looms, Superfish gutted

The proposed data retention policy appeared a single paragraph according to Ludlam and was "slammed" by the committee asking the department to give more detail such as what data was potentially being retained and who would have access to it.

In referring to some of the history behind the current bill's introduction, Ludlam noted that while the current coalition government is strongly supportive of the legislation that has not been the case for much of the last six years that the matter has been under review.

"When our current Attorney-General jumps up and says this have been canvassed at length by the committee in 2012 and 2103 - it was. And they kind of slammed it," said Ludlam. "They didn’t say it was a great idea. They said be careful what you wish for".

Part of Ludlam's criticism of the bill come though criticism of the current Attorney-General who he said "the Attorney-General's department has finally found an Attorney-General weak enough to just proceed without any kind of critical thinking".

Ludlam further criticised the government's handling of the legislation by sending, and then leaking, a letter to the Labor opposition asking for bipartisan support - a move that Ludlam described as "threatening".

Stepping past the political history of the proposed data retention legislation, Ludlam noted that no one disputes the need for law enforcement agencies to be properly equipped to prevent crime and prosecute offenders and that no one disputes the importance of metadata in fighting particular forms of crime.

"No one disputes that telecommunications data is really important," he said.

Ludlam says that the dispute arises when looking at what data is collected.

Read more: Shadow IT threat lingers as ANZ businesses drag feet on cloud moves

"Where the dispute arises, to really clear about it, is the discrimination and targeting that's involved. We make it quite difficult for a small number of agencies to conduct targeted but extremely severe violations of individual privacy in order to protect the community. One of the balancing points that democracies have arrived at to sustain that tension between the overwhelming power of the state to do everything, to have extraordinary power over individual citizens, one of those points of balance is to have judicial oversight."

Ludlam's view is that the proposed legislation would unwind some of those protections.

Ludlam noted that there are about 5000 warrants applied for and received each year in Australia. These are requests for data, that access personal and private information that violate personal privacy in criminal investigations but are issued with independent judicial oversight through the court system. However, there are 580000 metadata authorisations that are reported to the ACMA.

In Ludlam's view this is a "hundred-fold expansion of warrantless surveillance over people, which could as simple as the digital equivalent as opening the White Pages".

The issue, according to Ludlam, is that "metadata in aggregate is content".

"In fact, it's more invasive than content. You can lie over a mobile phone handset. You can speak in code. You can misdirect. But your metadata doesn’t lie".

Ludlam said that since 2008, when a metadata retention regime was first proposed, he's been looking for some evidence that such a policy will actually be useful.

"We are dicing with some quite important premises of democracy here. Maybe if it does actually keep us safer or… think of the children, or think of the ICAC uses this material - it if actually makes us safer and improves society then maybe these are freedoms that we should in fact give up. We've been looking for evidence rather than anecdotes".

Ludlam says that there is no evidence that supports the effectiveness of a metadata retention policy from anywhere in the world.

"We just get the same, boring and, to my mind, quite offensive slogans from an increasingly shrill sounding Prime Minister who thinks it's the only way he's going to stay in his job is if can just terrify us into putting up with him," he said.

In summarising his concerns, Ludlam pointed to several significant issues he sees in the proposed legislation as it stands.

1. The effects on whistleblowers.

2. The effects on journalists.

3. The definition of metadata is not in the bill so the scope can be widened, "on a whim, by regulation, without coming through parliament".

He also noted that the costs of the regime are likely to be significant. A recent infographic released by iiNet suggested that a new data centre would be needed each month to cope with the data. Also, many smaller ISPs would be unable to cope with the increased costs and be forced to shut down.

In some cases, Ludlam says some smaller ISPs might find themselves procuring data centre capacity in order to affordably store this data. And the regulations around this seem to be such that it may be acceptable for that data to be held offshore.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Upcoming IT Security Events

March 3rd, March 5th, March 9th 2015

Join CSO for the day@#csoperspectives and hear from @kimzetter @LeviathanSec

3 International Keynote speakers, 36 Key IT Security Industry Speaker, 21 Exhibitors, Security Analysts and many more.. Register today

Dont miss one of the biggest IT Security events in ANZ (registration is free, but seats are limited)

Join the CSO newsletter!

Error: Please check your email address.

Tags tech leadersAustralian Federal PoliceOperation DrakensbergAFPTim MorrisgovernmentOmbudsmanTelecommunicationsCSO Australiadatasetmetadata retention

More about Attorney-GeneralCSOEnex TestLabICACIT Security

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Anthony Caruana

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place