“We kill people based on metadata,” former US National Security Agency director Michael Hayden told a panel at John Hopkins University last year.
That statement brings sharply into focus the current Australian debate about Telcos being mandated to retain metadata. This information is powerful and can be used in ways not expected by the community.
How metadata is used depends upon how it is defined; one of the worrying parts of the Australian debate is just how nebulous the definition of ‘metadata’ is.
Defining metadata
The basic definition of metadata is that it is ‘data about data’, every packet of data that’s transmitted across the internet is wrapped in information to help the network deliver it to its intended location in a useful form.
Strictly speaking this is where the glib ‘address on the envelope’ line so beloved by clueless politicians promoting data retention comes in; this information is useful but not private as anyone can see it.
That view underlies the defining metadata case, the 1979 US Supreme Court’s Smith v Maryland case, that held telephone numbers are not private information as they’ve been disclosed to the phone company.
Metadata everywhere
With the rise of digital technologies, metadata became much more than just phone numbers and addresses; digital cameras encode photographs with EXIF information that includes details of the date, time camera, shutter speed, focal length and increasingly the location where the photo was taken.
The smartphone you might take that photo with is logging into base stations which telcos are tracking, this is one of the applications law enforcement agencies regularly use to catch criminals, and increasingly near field communications like BlueTooth are being logged by everything from toll gates to bus shelters to track phone usage.
Every email sent has dozens of lines of metadata describing the servers, routing and software used in sending it. Only a tiny fraction of a Twitter message is the 140 character content, the rest is metadata.
This site has hundreds of lines of metadata to tell your browser how to display it and your browser itself is storing dozens of cookies that tell other sites where you’ve been – all of this is metadata.
When we add the Internet of Things to the metadata debate things get even more complex. As home devices, smartcars and wearable technology generating packets of data, it becomes far easier for governments and private enterprise to stitch together a complete picture of an individual even without looking at the actual content of the packets.
The risks for service providers
As Australian ISP iiNet raised in an excellent submission to the Senate committee on data retention, collecting all of this data creates costs and risks for service providers as they have to store, manage and protect massive amounts of data.
Most of that data will never be looked at, but agencies want the information stored because they can. The bizarre thing is that under Australian law, specifically section 313 of the Telecommunications Act, is that a public servant – not just a a law enforcement officer – only has to ask for the information.
For most people the dangers of government surveillance are remote however all of this information is also available to private organisations ranging from health insurers to credit checking bureaus; the real debate is just how much data do we want others to have on our private lives.
At present we’ve defined metadata too broadly and private information too narrowly.
What’s notable in every discussion about increasing government or police powers is the mantra of getting the laws to catch up with technology.
In the case of metadata it may well be the definition of individual rights has to catch up with modern technology, not the powers of government.
Paul, you are right that in everyday discussion we can conceive of “private information” too narrowly. But the funny thing is, in the law, the operable term is “Personal Information” and this is broadly defined – very broadly!
Any data which is potentially identifiable, now or in the future, on its own or in combination with other data, counts as Personal Information in the Australian Privacy Act 1988 (as amended in 2013). We should not be distracted by “metadata” as something special or innocuous. If any piece of data is potentially identifiable, then it comes under the Australian Privacy Principles, and as such, the data custodians are accountable for the necessity for collection, ongoing safekeeping, and restrictions on re-use.
Good points, Steve. One of the other problems we have with the law’s current setup are those definitions.
It’s not hard to have sympathy with the internet service providers as they are caught in the overlap of those definitions.