Skip to content

Metadata

Update: March 29, 2015

Metadata, just the latest annoyance by the Australian Government to spy on our Internet use, they couldn't screw us over with the failed mandatory filtering attempt, so they'll try get us another way. Not sure what all the fuss is about however since we now know the United States's NSA and UK's GCHQ has been doing this a long time thanks to the Snowden Releases, so all Canberra need do is pick up the phone and call head office ;-)

Now, I'm not going to go into all the bungling of them trying to sell this to us, Bumbling George Brandis's comedy show has been doing the rounds for a while now, when he came out with his and Woger Wabbott's , I mean Tony Abbott's version, it was like the two stooges Larry and Moe, without curly - Malcolm Turnbull, who finally did have to join the duo and fix up their diabolical mess, sending relief down peoples spines knowing the Government did not want to know what websites you went to, just who had what IP on what date. Much more different to voice, since they do want to know who you called, and when and from where.

When this came about I was in two minds about it, didn't have strong objections, my IP's static so wont be too hard to find me in radius, and I've had it for nearly five years at home, so there's no doubting its accuracy, as for phone, well, I make/get SFA phone calls, I rarely use 3G data because it's about the same price as pure gold in Australia. Most of my communications from home is by IRC, IM (Jabber/Skype - so the U.S.'s NSA already know who I talk to anyway), Email, ramblings on Twitter, or this strange thing called ...
"in real life".

With Email, I've used PGP (actually GPG) digital signatures for well over a decade, I think I've only ever used encryption a couple of times, mostly just to piss off the U.S.'s NSA. I don't deal with sensitive material much these days, so I ask myself, despite being a very private person, is it really such a big deal? They are just going to keep this stuff for a couple of years, and to be honest I can pull Email server logs going back to around 2007, saying who at what IP, sent to who, but contrary to the Governments belief - no, we don't log subjects, because the Subject is in the DATA segment of a messages transaction, it has nothing to do with envelope header details which is all mail servers log (or need to know), basically this means the Subject is actually part of content, and no one logs that, but not that that's really much of a problem, since if I was a terrorist going to blow up some building, I'd hardly put in the subject "Re: that building we're gunna blow up"... All I can do is... shake my head... seriously, where do Governments get these ideas from, clearly pen pushers that have no clue.

The most common Mail Server software's, or more precisely, Mail Transport Agents (MTA) - the part of mail servers that accept inbound and outbound mail - postfix, exim, sendmail, and to much lesser extent other MTA's do not log anything other than envelope sender, recipient, size, time, message-id - stuff like that.

Updated Nov 16, because I've had a number of emails asking to show what a typical ISP/WebHost type mail server actually logs, I am adding a lightly sanitized copy (to protect the recipient from spambots), and for those confused about it loading twice, the second injection is to amavisd which handles all anti spam and virus detection...

Nov 16 11:38:14 valhalla postfix/smtpd[8807]: connect from omp.email.flybuys.com.au[12.130.139.106]
Nov 16 11:38:15 valhalla postfix/smtpd[8807]: 76D3EC0EBCA: client=omp.email.flybuys.com.au[12.130.139.106]
Nov 16 11:38:15 valhalla postfix/cleanup[8814]: 76D3EC0EBCA: message-id=<0.0.0.6D.1D0013DFB60D810.0@omp.email.flybuys.com.au>
Nov 16 11:38:16 valhalla postfix/qmgr[5996]: 76D3EC0EBCA: from=<flybuys@edm.flybuys.com.au>, size=83006, nrcpt=1 (queue active)
Nov 16 11:38:16 valhalla postfix/smtpd[8807]: disconnect from omp.email.flybuys.com.au[12.130.139.106]
Nov 16 11:38:19 valhalla postfix/smtpd[8818]: connect from localhost[127.0.0.1]
Nov 16 11:38:19 valhalla postfix/smtpd[8818]: 12A55C0EBCB: client=localhost[127.0.0.1]
Nov 16 11:38:19 valhalla postfix/cleanup[8814]: 12A55C0EBCB: message-id=<0.0.0.6D.1D0013DFB60D810.0@omp.email.flybuys.com.au>
Nov 16 11:38:19 valhalla postfix/qmgr[5996]: 12A55C0EBCB: from=<flybuys@edm.flybuys.com.au>, size=87818, nrcpt=1 (queue active)
Nov 16 11:38:19 valhalla postfix/smtpd[8818]: disconnect from localhost[127.0.0.1]
Nov 16 11:38:19 valhalla amavis[979]: (00979-05) Passed SPAMMY {RelayedTaggedInbound}, [12.130.139.106]:43915 [12.130.139.106] <flybuys@edm.flybuys.com.au> -> <deletethis@ausics.net>, Queue-ID: 76D3EC0EBCA, Message-ID: <0.0.0.6D.1D0013DFB60D810.0@omp.email.flybuys.com.au>, mail_id: uvPRGJls45Du, Hits: 3.302, size: 82970, queued_as: 12A55C0EBCB, dkim_sd=flybuys2:edm.flybuys.com.au, 2572 ms
Nov 16 11:38:19 valhalla postfix/smtp[8817]: 76D3EC0EBCA: to=<deletethis@ausics.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.2, delays=1.6/0.02/0/2.6, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 12A55C0EBCB)
Nov 16 11:38:19 valhalla postfix/qmgr[5996]: 76D3EC0EBCA: removed
Nov 16 11:38:19 valhalla postfix/pipe[8819]: 12A55C0EBCB: to=<deletethis@ausics.net>, relay=dovecot, delay=0.43, delays=0.19/0.01/0/0.22, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 16 11:38:19 valhalla postfix/qmgr[5996]: 12A55C0EBCB: removed

..Dovecot logs show nothing more:
Nov 16 11:38:19 lda(deletethis@ausics.net): Info: sieve: msgid=<0.0.0.6D.1D0013DFB60D810.0@omp.email.flybuys.com.au>: from=flybuys@edm.flybuys.com.au: stored mail into mailbox 'INBOX'


So no, I'm sorry Mr's Brandis, Abbott, and Turnbull (who should know better given his ISP background), there is no logging of subjects for the very reason given above - it's in the DATA (content) component, but to sprout that ISP's already log subjects (as in your claims ISP's already log all this stuff) is plain wrong, in fact, one could say an outright lie, but perhaps Windows MTA's might log subjects, however since they are in use in in only about 6% of the worlds mail servers, pretty much all of which would be corporate (private) organisations and not ISP's, they are irrelevant and can not be used as an example of an existing industry standard.

Anyway, I then thought more about it, as has been clearly shown in news articles around the globe that you don't need content to build a persons profile, the metadata is all about names, dates, and locations. Think about it, a trend as to who my friends are, where we meet, do we go out on the same day(s) every week or weekend, after a while they can tell where I shop, what my favourite restaurant is, what sports I like, and what my hobbies may be and where, so they don't need to read the content of my Email's or listen to my phone calls to learn enough to build a picture of me, this is recently supported by comments made by United Nations German ambassador Harald Braun:

"Metadata can be as privacy sensitive as the content of communications," said Braun, who raised concerns about how easy it is to compile personal profiles by collecting metadata.

Updated Dec 20, 2014, an example on what can be found out, and a very small example was demonstrated in this SMH article, remember, what was found here is by publicly available tools, just imagine what the government and its tools could do.

Yet another scary thought is ISP's and Telcos are going to be required to store this data, so what if they get hacked, the hacker can sell off our information to some crime gang(s), who then get the same life profile as the Government can, perfect recipe for identity theft amongst other nasty things, and don't be so naive to think once this is law, a little while down the track hackers wont be concentrating on breaking into those systems, because they will, anyone who doesn't think so, is only fooling themselves, this would still be the case even if Governments stored the data.

So, now I'm less in favour of this plan, but I want to know who has access to it all, on one hand we have the Attorney General George Brandis saying things like

The laws will apply "only to crime and only to the highest levels of crime," the attorney-general said. "Breach of copyright is a civil wrong. Civil wrongs have got nothing to do with this scheme."

But then we also have the AFP boss (Colvin) saying

the stored data of Australians could be used for a whole number of things, including anti-piracy

Confused? So are we, on one hand you have the head of legal saying no it can't be used outside serious crime, but then you have the head of the AFP saying it can, Colvin's statement was however backup up by Communications Minister Malcolm Turnbull who admitted that the stored data would be accessible through the court process, and the mandatory data-retention legislation would not prevent that from happening.

"They can through civil proceedings. Sure, as they always have done. They can go to court, and they can seek discovery of the records that disclose the account to which a particular IP address was allocated at a particular time, but they do not have warrantless access to metadata in the way the police and ASIO and Customs have," he said.

Looking at the key bits of The Bill

Schedule 2—Restricting access to stored communications and telecommunications data
Part 1—Main amendments

Telecommunications (Interception and Access) Act 1979

1 Subparagraphs 107J(1)(a)(i) and (ii)
Omit “an enforcement agency”, substitute “a criminal law?enforcement agency”.

2 Subsection 110(1)
Omit “An enforcement agency”, substitute “A criminal law?enforcement agency”.

3 After section 110
Insert:
110A Meaning of criminal law?enforcement agency
(1) Each of the following is a criminal law?enforcement agency:
(a) the Australian Federal Police;
(b) a Police Force of a State;
(c) the Australian Commission for Law Enforcement Integrity;
(d) the ACC;
(e) the Australian Customs and Border Protection Service;
(f) the Crime Commission;
(g) the Independent Commission Against Corruption;
(h) the Police Integrity Commission;
(i) the IBAC;
(j) the Crime and Corruption Commission of Queensland;
(k) the Corruption and Crime Commission;
(l) the Independent Commissioner Against Corruption;
(m) subject to subsection (7), an authority or body for which a declaration under subsection (3) is in force.

(2) The head of an authority or body may request the Minister to declare the authority or body to be a criminal law?enforcement agency.

(3) The Minister may, by legislative instrument, declare:
(a) the authority or body to be a criminal law?enforcement agency; and
(b) persons specified, or of a kind specified, in the declaration to be officers of the criminal law?enforcement agency for the purposes of this Act.

(4) In considering whether to make the declaration, the Minister must have regard to:
(a) whether the functions of the authority or body include investigating serious contraventions; and
(b) whether access to stored communications, and the making of authorisations under section 180, would be reasonably likely to assist the authority or body in investigating those serious contraventions; and
(c) whether the authority or body:
(i) is required to comply with the Australian Privacy Principles; or
(ii) is required to comply with a binding scheme that provides a level of protection of personal information that is comparable to the level provided by the Australian Privacy Principles; or
(iii) has agreed in writing to comply with a scheme providing such a level of protection of personal information, in relation to personal information disclosed to it under Chapter 3 or 4, if the declaration is made; and
(d) whether the authority or body proposes to adopt processes and practices that would ensure its compliance with the obligations of a criminal law?enforcement agency under Chapter 3, and the obligations of an enforcement agency under Chapter 4; and
(e) whether the Minister considers that the declaration would be in the public interest; and
(f) any other matter that the Minister considers relevant.

(5) In considering whether to make the declaration, the Minister may consult such persons or bodies as the Minister thinks fit. In particular, the Minister may consult the Privacy Commissioner and the Ombudsman.

(6) The declaration may be subject to conditions.

(7) Without limiting subsection (6), a condition may provide that the authority or body is not to exercise:
(a) a power conferred on a criminal law?enforcement agency by or under a specified provision in Chapter 3; or
(b) a power conferred on an enforcement agency by or under a specified provision in Chapter 4.
The authority or body is taken, for the purposes of this Act, not to be a criminal law?enforcement agency for the purposes of that provision in Chapter 3, or an enforcement agency for the purposes of that provision in Chapter 4, as the case requires.

(8) The Minister may, by legislative instrument, revoke a declaration under subsection (3) relating to an authority or body if the Minister is no longer satisfied that the circumstances justify the declaration remaining in force.
(9) The revocation under subsection (8) of a declaration relating to an authority or body does not affect the validity of:
(a) a domestic preservation notice given by the authority or body; or
(b) a stored communications warrant issued to the authority or body; or
(c) an authorisation made by an authorised officer of the authority or body under Division 4 of Part 4?1;
that was in force immediately before the revocation took effect.


So that says for Criminal Investigations, it doesn't say only serious crime, and after all the mumbo jumbo a civil body will likely still get access through a court, lets use Copyright infringement as one of those outside possibilities.

In rare cases Copyright infringement can be, if deemed on a commercial scale, included under the Crimes Act, so becomes a criminal offence, but who decides what is commercial scale? One person uploading a song, not for gain, knowing that song will be dissected and distributed further, maybe after a while thousands of times - that to me is of a commercial scale regardless of any monetary gain, so pretty much everyone who partakes in that activity could be included under the Criminal Code.

Let's look at it another way, the AFP tell some rights holder to sod off they are not interested (I recall last decade a Commander in the AFP saying publicly the AFP have far more important things to do than go after kids who do online sharing), so the rights holder goes to a court and says we want to know who these people are, they know the ISP will have this information stored under law, so sue the ISP for this information.

My take on this is a court shouldn't have the right to do that based on the Bill as it stands, but courts will see it that way and decide they have the right to order that data released to a civil party, it may not be copyright matters, it could be ugly divorce matters, insurance claims, the list goes on, if this does succeed in its current form, because it's so holey, it is very dangerous, oh it goes to great lengths to tighten the rope around what Government departments can access it and when, but not civilly, I do envisage a High Court challenge the moment civil use gets granted access by a lower court.

I call on the Government to amend the Bill to clear up these matters, they could easily add into the Bill conditions that tighten this up and make it clear to courts that they can only order the release for criminal investigations, or serious crimes, as the Attorney General keeps saying, or civilly up to a reasonable date.

There must be no loopholes, civil matters must not have access to the stored data past a reasonable time frame, or made available to them for discovery or for any other reason after a reasonable time frame, I'd think 28 days.

I say 28 days because it would be reasonable to expect an ISP would already keep user data handy for short periods of time, such as four weeks, for operational purposes, like billing, spam and abuse complaints, so a partition to a civil court for the users data within 28 days I think is not unreasonable.

However, it could be considered unreasonable to expect that a typical ISP would keep this data longer than four weeks and they may only then be doing so because of lawful requirement under this Metadata Bill allegedly for serious criminal investigations, so the rights of discovery, or any civil access, must end after 28 days (since courts deem one month as 28 days) for everything other than serious, criminal investigations.

I hope I'm not confusing you now, because (as written elsewhere in my blog from the iitrial days) I have always believed that rights holders should target the offenders - not ISP's, and only by means of going to a court and seeking the details of a particular user, based on an IP address at a specific date/time, and the court must approve each user/IP match - none of this blanket discovery access.

Anyway as it stands, The Bill is dangerous, so I decide I no longer support it in its current form, therefore, I would hope when it comes time, The Bill is voted down.



Updated March 29, 2015

This past week, the Senate has approved the data retention Bill, although it had some 30 odd changes from its original, it is now Law (as soon as it gets royal accent which will be soon).

Both the Liberal Govt and the sell-outs of the Australian Labor Party agreed to its passing in a major vote win, however, this was a done deal long ago, and despite many attempts to tighten it up, for instance, Sen Leyonhelm, tried to have an amendment to the Bill to ensure it was only used for serious crimes - As Sen George Brandis A.G has been telling us it would only ever be used for, but Brandis and the Libs and Sen Jacinta Collins on behalf of the ALP, both refused that amendment, later on Brandis even admitted that his promise of the serious crimes only access was false since even with PJC's recommendations, it is still very possible for courts to allow access to civil litigants. A move most of us know was deliberate, well, Brandis isn't known as the Minister for U.S. and Hollywood for the fun of it!

One thing is clear however, the Govt has learned that Subjects in Email are part of content and are exempt. not that it makes much difference since as we and despite denials, the Govt and ALP fully know that you can tell more about a person with metadata than content, so who needs that.
  • Twitter
  • Google Bookmarks
  • Bookmark Metadata at YahooMyWeb
  • Bookmark Metadata at reddit.com
  • Bookmark using any bookmark manager!
  • Print this article!
  • E-mail this story to a friend!
  • Identi.ca

Trackbacks

No Trackbacks

Comments

Display comments as Linear | Threaded

No comments

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
Form options

Submitted comments will be subject to moderation before being displayed.