- Parliamentary Business
- Senators and Members
- News & Events
- About Parliament
- Visit Parliament
Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Access to and retention of internet 'metadata'
Access to and retention of internet 'metadata'
Posted 18/08/2014 by Jaan Murphy
Access to and retention of internet ‘metadata’
On 5 August 2014, the Government announced its intention to update Australia’s
telecommunication interception laws. This is part of broader efforts to enhance powers
available to security agencies ‘to combat home-grown terrorism and Australians who
participate in terrorist activities overseas’. This includes developing a mandatory ‘metadata’
Whilst having a period of mandatory metadata retention would be new, the collection of
metadata by telecommunications companies and government access to it is not new and is
governed by the Telecommunications (Interception and Access) Act 1979 (TIA). Whilst the
need for such a scheme was linked to combating terrorism, it is worth noting that Australian
and European experience suggests that the most common law enforcement use of metadata
will be in non-terrorism criminal cases.
How does Australian law define metadata?
The TIA does not contain a specific, positive definition of metadata (referred to as
‘telecommunications data’). Instead, metadata is negatively defined in section 172 as
ï· information that is the contents or substance of a communication, or
ï· documents (to the extent they contain the contents or substance of a communication).
Put simply, metadata (in the context of web browsing) is what remains of a communication
or document after its contents and substance is excluded. As a result, the legal definition of
metadata is ambiguous; an oversight commentators suggest is surprising.
In part, the ambiguity arises from conflicting views on what constitutes ‘the content’ of a
communication. For example, one of the most contentious issues of the current Australian
regime is whether Uniform Resource Locators (URLs) are metadata. If they are, then
warrantless governmental access to individuals’ web browsing history is possible.
One view is that as URLs are user-generated, they are content. Another view - expressed by
the Attorney-General’s Department - is that metadata is ‘information that allows a
communication to occur’. As that is what URLs do, consequently they are not content. The
issue is that that some URLs can identify the substance of a communication.
For example, the URL of the FlagPost article on oversight of the Australian Intelligence
Community includes the text ‘Maintaining_oversight_of_the_AIC’ which arguably identifies
the ‘substance’ of the communication. Other URLs however, do not allow the substance of a
communication to be identified.
The Communications Minister indicated that the Government was developing a definition of
metadata in consultation with telecommunications providers, which may remove the
Disclosure of metadata
While sections 276-278 of the Telecommunications Act 1997 prohibit the disclosure or use
of information or documents, Chapter 4 of the TIA outlines two circumstances where
metadata (as negatively defined by s 172 of the TIA) can be lawfully disclosed to ASIO and
enforcement agencies. Voluntary disclosure is permitted where an employee of a
telecommunications provider encounters information they regard as being 'in connection
with' ASIO's functions or 'reasonably necessary' for enforcing criminal law. Alternatively,
ASIO and enforcement agencies can themselves authorise disclosure of metadata from
telecommunications service providers, without a warrant.
The current access scheme hinges on the meaning of ‘metadata’. Some submissions to the
Senate Committee on the Bill that created the current scheme expressed concern at the lack
of a definition of metadata and suggested there was 'unacceptable ambiguity and
uncertainty about the "reach" of the various powers' it confers on national security and law
Similar observations were made in submissions to the Australian Law Reform Commission
review of privacy laws. However, the ALRC expressed the view that definitions should remain
‘technology neutral’, and hence metadata should not be defined. Likewise, the Attorney-General's Department considered that attempts to define metadata risked redundancy.
Since then, conflicting views of what constitutes metadata have emerged. For example, the
Replacement Explanatory Memorandum to the 2007 Bill states that metadata:
does not include content such as the subject line of an email, the message sent by email or
instant message or the details of Internet sessions, such as the Uniform Resource
This interpretation was reiterated by the Attorney-General’s Department in evidence to
Senate Estimates hearings, where it was stated that a warrant would be required to obtain a
URL from a person’s Internet records.
However, it would appear that as a matter of statutory interpretation, the URLs of websites
visited by Internet users may be considered metadata if they do not identify the substance
or content of a communication. This view is supported by current industry practice.
During the 2012 PJCIS inquiry into potential reforms of national security legislation, Telstra
indicated the type of data it is prepared to disclose to law enforcement and national security
agencies included ‘…(URLs) to the extent they do not identify the content of the
Industry practice therefore illustrates that URLs may be provided to law enforcement and
national security agencies without a warrant.
US legislation allows government access to metadata with or without a warrant, depending,
in part, on the type of service provider holding the information. The circumstances in which
metadata can be disclosed to various government agencies is linked to highly technical
definitions of ‘electronic communications service’ (ECS) and ‘remote computing service’
(RCS) providers. This complex, technically driven regime has been the subject of substantial
In contrast to the US and Australia, Canada has adopted a technology neutral approach to
defining metadata. Under the Canadian Criminal Code unauthorised access to ‘private
communications’ is prohibited. The Canadian Supreme Court has ruled that certain types of
metadata are ‘private communications’, stating that:
It is not just the communication itself that is protected, but any derivative of that
communication that would convey its substance or meaning.
The current regime for access to metadata arguably allows law enforcement and intelligence
agencies to access URLs under the umbrella of ‘metadata’ (provided the URL does not
identify the content of the communication) despite stakeholders holding contradictory
perspectives. This ambiguity indicates that the proposed mandatory metadata retention
scheme, if modelled on existing laws, may exacerbate the confusion surrounding the
definition of metadata.
Note: the 'Industry Practice' section of this Flagpost was updated on 19 August 2014, to
reflect the use of the word 'may' in Telstra's submission to the PJCIS.