Access to and retention of internet 'metadata'




Posted 18/08/2014 by Jaan Murphy

[Updated 19/08/2014]


On 5 August 2014, the Government announced its intention to update Australia’s telecommunication interception laws. This is part of broader efforts to enhance powers available to security agencies ‘to combat home-grown terrorism and Australians who participate in terrorist activities overseas’. This includes developing a mandatory ‘metadata’ retention system.

Whilst having a period of mandatory metadata retention would be new, the collection of metadata by telecommunications companies and government access to it is not new and is governed by the Telecommunications (Interception and Access) Act 1979 (TIA). Whilst the need for such a scheme was linked to combating terrorism, it is worth noting that Australian and European experience suggests that the most common law enforcement use of metadata will be in non-terrorism criminal cases.

How does Australian law define metadata?

The TIA does not contain a specific, positive definition of metadata (referred to as ‘telecommunications data’). Instead, metadata is negatively defined in section 172 as excluding any:

• information that is the contents or substance of a communication, or

• documents (to the extent they contain the contents or substance of a communication).

Put simply, metadata (in the context of web browsing) is what remains of a communication or document after its contents and substance are excluded. As a result, the legal definition of metadata is ambiguous, an oversight commentators suggest is surprising.

In part, the ambiguity arises from conflicting views on what constitutes ‘the content’ of a communication. For example, one of the most contentious issues of the current Australian regime is whether Uniform Resource Locators (URLs) are metadata. If they are, then warrantless governmental access to individuals’ web browsing history is possible.

One view is that, as URLs are user-generated, they are content. Another view, expressed by the Attorney-General’s Department, is that metadata is ‘information that allows a communication to occur’. As that is what URLs do, they are consequently not content. The issue is that some URLs can identify the substance of a communication.

For example, the URL of the FlagPost article on oversight of the Australian Intelligence Community includes the text ‘Maintaining_oversight_of_the_AIC’, which arguably identifies the ‘substance’ of the communication. Other URLs, however, do not allow the substance of a communication to be identified.

The Communications Minister indicated that the Government was developing a definition of metadata in consultation with telecommunications providers, which may remove the ambiguity.

Disclosure of metadata

While sections 276-278 of the Telecommunications Act 1997 prohibit the disclosure or use of information or documents, Chapter 4 of the TIA outlines two circumstances where metadata (as negatively defined by s 172 of the TIA) can be lawfully disclosed to ASIO and enforcement agencies. Voluntary disclosure is permitted where an employee of a telecommunications provider encounters information they regard as being 'in connection with' ASIO's functions or 'reasonably necessary' for enforcing criminal law. Alternatively, ASIO and enforcement agencies can themselves authorise disclosure of metadata from telecommunications service providers, without a warrant.

Differing views

The current access scheme hinges on the meaning of ‘metadata’. Some submissions to the Senate Committee on the Bill that created the current scheme expressed concern at the lack of a definition of metadata and suggested there was 'unacceptable ambiguity and uncertainty about the "reach" of the various powers' it confers on national security and law enforcement agencies.

Similar observations were made in submissions to the Australian Law Reform Commission review of privacy laws. However, the ALRC expressed the view that definitions should remain ‘technology neutral’, and hence metadata should not be defined. Likewise, the Attorney-General's Department considered that attempts to define metadata risked redundancy.

Since then, conflicting views of what constitutes metadata have emerged. For example, the Replacement Explanatory Memorandum to the 2007 Bill states that metadata:

does not include content such as the subject line of an email, the message sent by email or instant message or the details of Internet sessions, such as the Uniform Resource Locator/Identifier (URL/URI).

This interpretation was reiterated by the Attorney-General’s Department in evidence to Senate Estimates hearings, where it was stated that a warrant would be required to obtain a URL from a person’s Internet records.

However, it would appear that, as a matter of statutory interpretation, the URLs of websites visited by Internet users may be considered metadata if they do not identify the substance or content of a communication. This view is supported by current industry practice.

Industry practice

During the 2012 PJCIS inquiry into potential reforms of national security legislation, Telstra indicated the type of data it is prepared to disclose to law enforcement and national security agencies included ‘…(URLs) to the extent they do not identify the content of the communication’.

Industry practice therefore illustrates that URLs may be provided to law enforcement and national security agencies without a warrant.

Other jurisdictions

US legislation allows government access to metadata with or without a warrant, depending, in part, on the type of service provider holding the information. The circumstances in which metadata can be disclosed to various government agencies are linked to highly technical definitions of ‘electronic communications service’ (ECS) and ‘remote computing service’ (RCS) providers. This complex, technically driven regime has been the subject of substantial criticism.

In contrast to the US and Australia, Canada has adopted a technology neutral approach to defining metadata. Under the Canadian Criminal Code unauthorised access to ‘private communications’ is prohibited. The Canadian Supreme Court has ruled that certain types of metadata are ‘private communications’, stating that:

It is not just the communication itself that is protected, but any derivative of that communication that would convey its substance or meaning.

Conclusion

The current regime for access to metadata arguably allows law enforcement and intelligence agencies to access URLs under the umbrella of ‘metadata’ (provided the URL does not identify the content of the communication) despite stakeholders holding contradictory perspectives. This ambiguity indicates that the proposed mandatory metadata retention scheme, if modelled on existing laws, may exacerbate the confusion surrounding the definition of metadata.

Note: the 'Industry Practice' section of this Flagpost was updated on 19 August 2014, to reflect the use of the word 'may' in Telstra's submission to the PJCIS.