What is metadata, and how do you maintain your privacy?

Australia’s controversial metadata retention laws take effect on Tuesday, October 13.

If you do not take steps to maintain your privacy, the people you call and the websites you visit will be on record for two years for police and the government to see, without a warrant.

What does this mean for you, and how can you protect your metadata from being collected and stored?

What are the law changes?

From now on, telecommunications and internet service providers (ISPs) must store their customers’ data for two years.

All federal and state police, the Australian Security and Intelligence Organisation (ASIO) and some government agencies will be able to access that metadata.

ISPs already stored the metadata of their customers, which Australian police have been able to access during their investigations. However, ISPs kept metadata only for as long as they needed it for billing purposes.

Several sources have reported that most ISPs are not ready to start collecting metadata yet, and the Attorney General's (AG) Department has said providers have until 2017 to be fully compliant with the law.

On ABC's morning show AM, on October 13, Attorney General George Brandis said authorities needed surety in regards to accessing metadata.

"One of the problems that law enforcement and security agencies have had in the past is that there has been no uniformity across industry in terms of metadata retention practices," Mr Brandis said.

Police have said the irregular periods metadata was held meant catching criminals was harder.

The law change means the number of agencies that can access metadata has been reduced.

Yet, a range of government departments, including the Australian Border Force (ABF), will be able to access Australians’ metadata that ISPs must store for two years.

This may have an effect on journalists’ sources, who could be in trouble if they leak sensitive information and their metadata shows they called or emailed a journalist at around the time an article was published.

The AG Department says on its website that accessing a journalist's metadata would require a warrant.

Greens Senator Scott Ludlam has said the two year data retention law was not needed.

"If you’re not doing anything wrong then the government has no business going through your stuff," he told SBS.

"The ‘if you have nothing to hide, nothing to fear’ doctrine was pioneered in East Germany and North Korea and it has no place in a democracy like Australia," Senator Ludlam said.

What is metadata?

While Attorney General George Brandis famously could not explain what metadata was to viewers of Sky News, former Prime Minister Tony Abbott explained metadata with a metaphor: the name and address on the front of an envelope.

While it is true that metadata is the details of the message, not the contents, metadata is more detailed than just a name and address.

Metadata for phone calls includes:

- Phone numbers of people you called or sent SMS messages to

- Time and date of calls and SMS

- Duration of calls

- The location of the nearest cell tower when you sent or received a call or SMS

And for internet activity:

- The time, date, size, sender and recipients of emails

- Time and duration of your web connections

- Your IP address

- The law does not require carriers to retain ‘destination’ IP addresses, but a carrier may do so

- The volume of your uploads and downloads

- Location and geographical data

Preventing the collection and storage of your metadata is not illegal

It is not illegal to avoid your metadata being collected, and there are ways to do that.

People concerned about their internet use being recorded have an effective protection – virtual private networks (VPN).

VPNs extend private networks onto the internet, which is a public network.

They can be used to encrypt the internet data between your device – a mobile phone, tablet or home computer – and the VPN’s “exit point”.

This means that when you use the internet while using a VPN, your ISP can only see your connection to the VPN, software developer and privacy advocate Robin Doherty told SBS.

“I like to think of it as a tunnel,” Mr Doherty said.

“Your ISP can see only that you’re connected to that VPN.”

However, your data will not be hidden when it emerges from an exit point in another nation.

Mr Doherty said getting a VPN would not solve your privacy issues, and good security was a mindset.

However, he recommended people get VPNs if they were concerned for their privacy, and for their online security generally.

Mr Doherty also warned to think carefully about where the VPN was based and where the exit point is, since some countries do not have strong privacy laws.

European countries like Switzerland or Germany are good choices, since they have sound protections for privacy, Mr Doherty said.

Mr Doherty recommended people choose a VPN service that does not keep logs of its users' traffic.

Crikey has listed some of the most attractive VPN services for Australians to use.

Limitations of VPNs, and other technologies

While a VPN will encrypt traffic online, including on phones, VPNs will not mask the details of your phone calls and SMS messages.

The time and location of calls and SMS messages you make and receive over the ISP's network will be recorded, even with a VPN in use.
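The difference a VPN makes to what a carrier can observe, as an added illustration that is not part of the original article. The addresses, phone numbers and timestamps are constructed, and the model is simplified (it ignores tunnel overhead and treats one VPN session as covering all internet activity).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

VPN_ENDPOINT = "198.51.100.7"  # constructed address standing in for the VPN server

@dataclass(frozen=True)
class Event:
    kind: str        # "ip" (internet session), "call" or "sms" (carrier telephony)
    start: datetime
    seconds: int     # duration of the session or call
    peer: str        # destination IP a carrier could observe, or the other party's number
    nbytes: int = 0  # upload + download volume (internet only)

# Constructed activity for one subscriber; none of this is real data.
T0 = datetime(2015, 10, 13, 9, 0)
ACTIVITY = [
    Event("ip", T0, 120, "203.0.113.10", 40_000),
    Event("ip", T0 + timedelta(minutes=5), 300, "203.0.113.25", 900_000),
    Event("call", T0 + timedelta(minutes=12), 95, "0491 570 156"),
    Event("sms", T0 + timedelta(minutes=20), 0, "0491 570 157"),
]

def isp_view(events, vpn=False):
    """Records the carrier's own network can observe for this activity."""
    telephony = [e for e in events if e.kind != "ip"]  # a VPN never carries these
    internet = [e for e in events if e.kind == "ip"]
    if vpn and internet:
        first = min(e.start for e in internet)
        last = max(e.start + timedelta(seconds=e.seconds) for e in internet)
        # Every destination collapses into one encrypted tunnel to the VPN
        # server, but start time, duration and total volume stay observable.
        internet = [Event("ip", first, int((last - first).total_seconds()),
                          VPN_ENDPOINT, sum(e.nbytes for e in internet))]
    return sorted(internet + telephony, key=lambda e: e.start)

def visible_peers(records, kind):
    """Distinct counterparties the carrier can see for one kind of event."""
    return {r.peer for r in records if r.kind == kind}

if __name__ == "__main__":
    for label, use_vpn in (("without VPN", False), ("with VPN", True)):
        print(label)
        for r in isp_view(ACTIVITY, vpn=use_vpn):
            print(f"  {r.kind:4} {r.start:%H:%M} {r.seconds:4}s {r.peer:15} {r.nbytes} bytes")
```

With the VPN on, the two web destinations are replaced by a single ten-minute session to the VPN server carrying the same total volume, while the call and SMS records are unchanged.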

However, there are alternatives to calling and sending messages via the ISP's network, like Voice over IP (VoIP).

VoIP is a service that passes messages and calls through the internet, which can also be encrypted with a VPN.

BestVPN has a guide on the best VPNs for using a VoIP service.

For making calls on mobiles, Mr Doherty suggests some apps to replace your standard calls and SMS messaging. However, to use those apps your recipients must also have a similar app installed for the message to be decrypted.

The Australian Pirate Party has a guide on technologies for more private communications.

Another popular tool for anonymous web browsing is the Tor browser (The Onion Router).

While a VPN encrypts your communications, Tor hides your IP address and the destination address by bouncing data off several nodes.

Each node in the process covers your tracks, so at no point can the source or destination of your message be seen.

Like VPNs, Tor is a tool, not a solution, to maintaining privacy and there are limits to how effective it can be.

To learn more about online security and privacy, there are events across Australia called Cryptoparties, where Australians can learn about technologies, their options and rights.

Image: FreeImages/Carsten Mueller