Australian government efforts to implement metadata retention laws are all over the news. If you read the newspapers or their websites, then you know that not even the Attorney-General seems to know what metadata will be collected, the Australian Federal Police says you have nothing to fear and they’re not interested in you, the government is only after terrorists, paedophiles and organised crime, and the data may or may not be used to see if you’re downloading movies. From the same sorts of sources, you’ll also know that the only possible problems with this regime are that journalists and whistleblowers might be more vulnerable, and that it will cost a lot of money to implement, even in this time of “budget crisis.”
Now don’t get me wrong, I can see why our law enforcement and intelligence agencies would like this bill implemented – if I can see a tool that will make my job easier, with no cost to me, I’d want it too. And yes catching terrorists and paedophiles (why does everything always come back to these two groups?) is a good thing. But just because you think spying on every citizen is a bad thing, does not mean you’re on the side of terrorists and paedophiles.
The argument of “if you’ve got nothing to hide, you’ve got nothing to fear” is pretty much pervasive, not just from our government, but also from the general public, but this strikes me as very shortsighted. For in-depth discussions of why this sort of argument is faulty, have a look here, here, here, here or here, or for a slightly more tongue-in-cheek view, try here or here (no, it’s not the real NSA, although they’re probably watching you go there). Note that these are all American sources – the Australian media doesn’t seem to care as much, apart from Crikey.
What metadata can do
There seem to be conflicting reports about this. The General Counsel of the NSA has said that “Metadata absolutely tells you everything about somebody’s life” and the former director of the CIA and the NSA has said that the USA will “kill people based on metadata.” But a German review found there was basically no increase in crime clearance rates (good luck proving that 0.006% is anything more than a wiggle) and a Danish review found that data retention was useless to the police (or here for the Danish language source file). So either it can tell you everything about everyone, or it’s useless for solving crimes – neither of which is an argument for implementing this regime.
Australian police have said that they used metadata whilst investigating a terror cell planning on bombing the MCG and a drug syndicate . But they did this using existing laws, rather than needing a whole new suite of powers. Even the new laws won’t really help catch most organised terrorists or child pornographers who are going to use VPNs or encrypted networks to avoid detection.
And let’s remember that one of the best examples of a criminal investigation involving an internet based business, Silk Road, was successful not because of data retention, but because of good investigative police work.
European countries are, in a number of cases, dismantling data retention legislation, with a number of courts ruling it unconstitutional. But that shouldn’t stop us, as those democratic Europeans do all sorts of crazy things, like have emissions trading schemes, have a right to be forgotten, like public transport and renewable energy, or have pretty strict privacy legislation.
Why it’s bad
For why your privacy is important, even if you think it isn’t, check out some of the earlier links debunking the nothing to hide argument. I also won’t go into the spying on people two steps removed from the real target just because you can scenario (thanks to “The Good Wife” for that one). For other reasons – read on.
With a big enough dataset, it’s pretty easy to find statistically significant correlations between completely unrelated things. Take the case of Andrej Holm who was arrested as a terrorism subject and detained for 3 weeks. And why was he a suspect? Because he used words such as “gentrification,” “marxist-leninist,” and “precarisation” in publications, and was therefore connected to criminals who were undertaking arson attacks and using some of the same words in their communications. Although if you use the word “precarisation” or even know what it means without looking it up, then there probably is something dodgy about you.
I’m not aware of this happening yet, but it will. Say a friend of yours (or even you) is in an abusive relationship. This friend is finally able to leave their partner, whether escaping to a shelter or a friend’s house. The problem is that their partner is a police officer. With this regime, they can obtain the metadata from your friend’s mobile phone carrier and see who they’ve called, sent texts or emails to, and from where. From there it’s just a short step to locating them. And your friend ends up dead or back in the abusive relationship.
But I don’t have any friends with partners in law enforcement or who are subject to domestic violence. With the prevalence of domestic violence, chances are you do and just don’t know about it. And the violent partner wouldn’t need to work in law enforcement – they could work for the RSPCA, a council, or a number of other organisations. Or just have a friend there – “Hi Bob, I’m worried about Jane. I haven’t been able to get hold of her all day and I just want to know she’s OK before I report it to the police.”
But police officers are all upstanding citizens who would never spy on an ex-partner. Sorry, but it’s already happened, at least in Ireland.
We’ve seen enough examples of hacking to know that no digital data is fully protected. Just ask Sony (at least twice), the American Target chain or Premera Blue Cross, an American health insurer. And this data retention regime will produce an absolute treasure trove of data, making it too good an opportunity for hackers and criminals to pass up.
But you don’t create any data that would be of any interest to other people. But if other people’s information is stolen and analysed, it can still affect you. How?
One of your local councillors, is not an overly technically educated type and doesn’t use a VPN or Tor. He does have a liking for legal but somewhat distasteful adult sites. While the metadata may not include a web-browsing history, it seems it will include the IP address of sites visited, which would be enough for an enterprising soul to discover our councillors preferences. This councillor could then be blackmailed into awarding a waste disposal contract, approving a property development, or closing a council service and selling the land to a certain party.
The private lives of public officials, law enforcement and intelligence agency employees will be a lot easier to investigate, providing more blackmail victims, which can be detrimental to all of us. It doesn’t have to be an obsession with “questionable” material, it could be someone having an affair, a mental health issue, a friendship (current or former) with a “person of interest” or anything that someone doesn’t want the world (or their wife) to know, the possibilities are enormous.
But it doesn’t stop at public officials. It could be a senior executive of the company that employs you. But they might not employ you for long, as they’ve just been “convinced” to outsource some of their operations, and your department is closing down. Or (with thanks to an episode of the Blacklist for this idea) someone in your neighbourhood is coerced into undertaking some illegal activities.
The metadata will show who is communicating with who. See a CEO, Chairman or business development / strategy executive communicating with a competitor? Buy the smaller company’s shares, as there is a better than average chance that they are being acquired.
See that a government agency or law firm is investigating a company? Then sell the shares as some scandal is likely to erupt.
Or you might learn that the Therapeutic Goods Administration or Food and Drug Administration is about to approve a new product from how the drug developer’s people are communicating.
If a couple of young guys can make millions from early access to economic data, imagine what more organised people can do with more data to mine.
The new regime will do nothing to protect us, and plenty to potentially harm us. There has been one “terror” attack in Australia, and metadata would have done nothing to prevent it, as he was known to the security agencies, who did nothing about it. Whilst existing powers have supposedly been critical in foiling other criminal activities. If someone can explain to me how extended surveillance of every person in the country will reduce crime in ways that the existing laws can’t, then I’m willing to reconsider. But a rudimentary review seems to me to show the costs well exceeding the potential benefits of being spied on 24×7.
And I’ll even go one step further. I’ll take a bet that more crimes will be enabled by mandatory data retention than are prevented by it. Feel free to take me on and we’ll work out the terms.