Access to and retention of internet ‘metadata’
On 5 August 2014, the Government announced its intention to update Australia’s telecommunication interception laws. This is part of broader efforts to enhance powers available to security agencies ‘to combat home-grown terrorism and Australians who participate in terrorist activities overseas’. This includes developing a mandatory ‘metadata’ retention system.
Whilst having a period of mandatory metadata retention would be new, the collection of metadata by telecommunications companies and government access to it is not new and is governed by the Telecommunications (Interception and Access) Act 1979 (TIA). Whilst the need for such a scheme was linked to combating terrorism, it is worth noting that Australian and European experience suggests that the most common law enforcement use of metadata will be in non-terrorism criminal cases.
How does Australian law define metadata?
The TIA does not contain a specific, positive definition of metadata (referred to as ‘telecommunications data’). Instead, metadata is negatively defined in section 172 as excluding any:
- information that is the contents or substance of a communication, or
- documents (to the extent they contain the contents or substance of a communication).
Put simply, metadata (in the context of web browsing) is what remains of a communication or document after its contents and substance is excluded. As a result, the legal definition of metadata is ambiguous; an oversight commentators suggest is surprising.
In part, the ambiguity arises from conflicting views on what constitutes ‘the content’ of a communication. For example, one of the most contentious issues of the current Australian regime is whether Uniform Resource Locators (URLs) are metadata. If they are, then warrantless governmental access to individuals’ web browsing history is possible.
One view is that as URLs are user-generated, they are content. Another view – expressed by the Attorney-General’s Department - is that metadata is ‘information that allows a communication to occur’. As that is what URLs do, consequently they are not content. The issue is that that some URLs can identify the substance of a communication.
For example, the URL of the FlagPost article on oversight of the Australian Intelligence Community includes the text ‘Maintaining_oversight_of_the_AIC’ which arguably identifies the ‘substance’ of the communication. Other URLs however, do not allow the substance of a communication to be identified.
The Communications Minister indicated that the Government was developing a definition of metadata in consultation with telecommunications providers, which may remove the ambiguity.
Disclosure of metadata
While sections 276-278 of the Telecommunications Act 1997 prohibit the disclosure or use of information or documents, Chapter 4 of the TIA outlines two circumstances where metadata (as negatively defined by s 172 of the TIA) can be lawfully disclosed to ASIO and enforcement agencies. Voluntary disclosure is permitted where an employee of a telecommunications provider encounters information they regard as being 'in connection with' ASIO's functions or 'reasonably necessary' for enforcing criminal law. Alternatively, ASIO and enforcement agencies can themselves authorise disclosure of metadata from telecommunications service providers, without a warrant.
The current access scheme hinges on the meaning of ‘metadata’. Some submissions to the Senate Committee on the Bill that created the current scheme expressed concern at the lack of a definition of metadata and suggested there was 'unacceptable ambiguity and uncertainty about the "reach" of the various powers' it confers on national security and law enforcement agencies.
Similar observations were made in submissions to the Australian Law Reform Commission review of privacy laws. However, the ALRC expressed the view that definitions should remain ‘technology neutral’, and hence metadata should not be defined. Likewise, the Attorney-General's Department considered that attempts to define metadata risked redundancy.
Since then, conflicting views of what constitutes metadata have emerged. For example, the Replacement Explanatory Memorandum to the 2007 Bill states that metadata:
does not include content such as the subject line of an email, the message sent by email or instant message or the details of Internet sessions, such as the Uniform Resource Locator/Identifier (URL/URI).
This interpretation was reiterated by the Attorney-General’s Department in evidence to Senate Estimates hearings, where it was stated that a warrant would be required to obtain a URL from a person’s Internet records.
However, it would appear that as a matter of statutory interpretation, the URLs of websites visited by Internet users may be considered metadata if they do not identify the substance or content of a communication. This view is supported by current industry practice.
During the 2012 PJCIS inquiry into potential reforms of national security legislation, Telstra indicated the type of data it is prepared to disclose to law enforcement and national security agencies included ‘…(URLs) to the extent they do not identify the content of the communication’.
Industry practice therefore illustrates that URLs may be provided to law enforcement and national security agencies without a warrant.
US legislation allows government access to metadata with or without a warrant, depending, in part, on the type of service provider holding the information. The circumstances in which metadata can be disclosed to various government agencies is linked to highly technical definitions of ‘electronic communications service’ (ECS) and ‘remote computing service’ (RCS) providers. This complex, technically driven regime has been the subject of substantial criticism.
In contrast to the US and Australia, Canada has adopted a technology neutral approach to defining metadata. Under the Canadian Criminal Code unauthorised access to ‘private communications’ is prohibited. The Canadian Supreme Court has ruled that certain types of metadata are ‘private communications’, stating that:
It is not just the communication itself that is protected, but any derivative of that communication that would convey its substance or meaning.
The current regime for access to metadata arguably allows law enforcement and intelligence agencies to access URLs under the umbrella of ‘metadata’ (provided the URL does not identify the content of the communication) despite stakeholders holding contradictory perspectives. This ambiguity indicates that the proposed mandatory metadata retention scheme, if modelled on existing laws, may exacerbate the confusion surrounding the definition of metadata.
Note: the 'Industry Practice' section of this Flagpost was updated on 19 August 2014, to reflect the use of the word 'may' in Telstra's submission to the PJCIS.