Here is a hypothetical situation for you. Imagine that your government passed a bill saying that every car was to have a monitoring device installed that recorded the car’s metadata. Aspects of your daily activities like how fast you travel, where you go, when you go, when you choose to indicate, when you choose to brake and any number of other aspects of your interaction with a car will be saved and made available to government agencies without a warrant. Would you be happy with this?
There is a popular video on YouTube where a law professor explains why you should never talk to the police. He makes some excellent points, but it is actually this comment (at 29:30 minutes in) by a police officer who was providing the other side of the story that stuck with me the most:
I can follow a car, and eventually they’re going to do something illegal.
Let’s face it, we’re not robots, and every time you hop in a car, you’re probably going to break the law. In fact, even if you are a robot you might still find yourself being pulled over.
Here is a very real situation along the same lines. The Australian government has passed a bill that requires ISPs and phone companies to record metadata about your online activities including:
- Who you email
- The date and time of the email
- Attachment data sizes
- The phone number of everyone you called
- Missed numbers
- 1800 numbers
- The number of everyone you SMS
- Duration of calls
- Your location when you make a call or SMS
- Your IP address
- Optionally the destination IP address
- Time and duration of web connections
- The volume of uploads and downloads
All of this information is available without a warrant because:
Warrants are typically reserved for the most intrusive powers, such as the power to use force to enter a home, to intercept phone calls, or to arrest a person. Many powers, including access to metadata, simply do not rise to that level.
Would you be happy with this? You shouldn’t be.
Just like driving, it is very likely that by being online you will eventually break some law. And it is often not as easy as you think to know when you are breaking the law. Did you just download a movie without paying for it? Surely you are breaking the law, right? But what if you downloaded it from a service hosted in Antigua?
The World Trade Organisation has granted Antigua and Barbuda the right to sell US media downloads without compensating its makers, after allowing a suspension of US intellectual property rights in the Caribbean country.
So sometimes downloading movies is legal, sometimes it’s not? I actually don’t know. Presumably if you were an international copyright lawyer who also happened to be an IT expert who could determine the source of a particular file, maybe you would have a chance of knowing if you were doing something illegal or not. For the other 99.9999999% of us, there is almost no hope.
It’s tempting to think that these metadata laws are just formalising what big companies have been doing for years anyway. There would be no need for the right to be forgotten if web giants like Google and Facebook were not collecting your private details in the first place. But there is one important difference between a company like Google and a government agency:
Then you make another statement that somehow these companies are not credible because they collect private data. Here's the difference: Apple and Google don't have coercive power.
There is also the misunderstanding that metadata is not specific enough to extrapolate your exact actions. This is just not true, and you can prove this to yourself with a service from the Electronic Frontier Foundation called Panopticlick, which determines if your browser’s fingerprint is unique amongst the millions who have tested so far. My browser’s fingerprint was unique, which means that with nothing more than metadata, I could be tracked all over the web.
This ability to extrapolate information from metadata is of such concern that the Law Institute of Victoria issues this warning:
In a video post that's available on YouTube, president Katie Miller explains that "under the data retention scheme, law enforcement agencies can access [data about] the communications of lawyers and their clients without a warrant". Criminal lawyers, the president says, are concerned that "if law enforcement agencies know which witnesses you're talking to, then they can piece together your defence strategy."
Fortunately there is a relatively easy way to ensure that law enforcement agencies cannot simply query your online behaviour any time they want to. With a VPN and a router that includes a VPN client, it is possible to ensure that your online activities are not saved as part of these new metadata laws. I’ve done just that myself, and in another article I’ll explain the pros and cons after a year living behind a VPN.