Home > Boneheaded stupidity, Oz Politics > We forgot to tell you we were tapping your metadata

We forgot to tell you we were tapping your metadata

August 11th, 2014

The Abbott government has reached the stage where it can’t take a trick, even with things that ought to be surefire winners for a conservative government. We saw this not long ago with the attack on dole bludgers. And it’s emerged again with the attempt to cover the retreat on Section 18C with new anti-terror measures (or, in the government’s telling the dumping of 18C to secure support for the anti-terror measures).

After the Brandis fiasco, the government wheeled out the chiefs of ASIO and the AFP to explain that there was nothing to worry about: police were already storing and searching our metadata on a massive scale (300 000 requests last year) and just wanted to ensure this continued.

Unfortunately, the environment has changed since the revelations made by Edward Snowden and others on the extensive (and, in aspiration, total) surveillance of communications by the US NSA. It seems likely that the end result of this will be a rolling back of the extreme surveillance powers grabbed by the authorities over the last decade.

And, while I’m at it, can we stop talking as if we are facing a massive existential crisis because of the threat of terrorism. For most of the 20th century we were threatened with invasion or nuclear annihilation, and we managed to maintain our liberties. We should do the same this time.

Categories: Boneheaded stupidity, Oz Politics Tags:
  1. yuri
    August 11th, 2014 at 20:48 | #1

    Agreed except that I take the view that what is required is not (almost certainly ineffectual) curbs on storage or access to the stores by police or security or spy services but adequate watching of the watchers and protection by deterrence and otherwise against public or private misuse of surveillance info.

    With that major proviso I am all in favour, absent detailed arguments to confound me, of using technology to, e.g. make sure there are records of the sight and sound of burglars and their vehicles in my street, and recognise faces of wanted people in the crowds going to and from, as well as at, sports grounds (opera and gallery exhibition openings might lack cost-benefit justification even if properly PC).

  2. kevin1
    August 11th, 2014 at 20:55 | #2

    I think the sting is in the tail in this post. Living in the shadow of nuclear Armageddon has been forgotten, though I remember in the early 80s, with Reagan’s Starwars fantasies and nuclear power more favoured, ’twas a scary time.

    Current fear and loathing towards terror protagonists makes for an unbalanced sense of proportion. Are there any commentators or political leaders working to put these fears into measured context? Or does a permanent sense of paranoia suit too many powerful interests?

  3. bjb
    August 11th, 2014 at 21:07 | #3

    The big difference between then and now, is that threats in the past were largely from nation states, now it could be from any bunch of nutters down the road.

  4. Peter Chapman
    August 11th, 2014 at 21:07 | #4

    For much of the 20th Century “we” did our fair share of invading, dominating, hegemonising, colonising and – yes – terrorising other parts of the earth. Maintaining “our” liberties was perhaps possible in large part because of the dominant world role we played, especially in the second half, to feed our long period of growth and relative prosperity. We did not extend those liberties to others and frequently visited violence upon people (overseas and at home) who organised themselves to demand the same freedoms. How quickly we forget.

  5. rog
    August 11th, 2014 at 21:21 | #5

    When security organisations like the CIA admit that they kill people based on metadata it’s understandable that ordinary citizens become concerned about those organisations.

  6. Ikonoclast
    August 11th, 2014 at 21:27 | #6

    IIRC, the police pulled stuff on Gerard Baden-Clay that he had done on internet and phones BEFORE he was a person of interest and this was not just metadata but data (content) too. That is very revealing if you think about it.

  7. yuri
    August 11th, 2014 at 22:03 | #7

    @rog
    On the face of it what you say about the CIA is implausible if construed as it logically must be to mean that they killed someone based on nothing but metadata. Can you provide verifying spources please?
    I can easily conceive of the situation where metadata is used (reliably or to whatever level of probability the CIA chooses) to locate someone that the CIA is intending to kill if it can’t capture him. But that wouldn’t seem to support your point I think.

  8. yuri
    August 11th, 2014 at 22:13 | #8

    @rog
    Sorry. I missed your link.

    I can see that enough info about who calls who and when (except when it is Peter Reith’s son using his Dad’s phone) could add up to a compelling case – in war time – that X was at Peenemunde and was indeed a key scientist responsible for the V2….. Good bye Werner von Braun.

  9. yuri
    August 11th, 2014 at 22:16 | #9

    @Peter Chapman
    That reminds me of the General Confession of the Book of Common Prayer. Could you please go Catholic and produce further and better particulars as if in the confessional.

  10. August 11th, 2014 at 22:18 | #10

    Yuri, my recollection of the case is that Mamdouh Habib was taken by the CIA simply for being in Pakistan. They had no evidence that he had done anything wrong, but once they had him they raped him and held him in solitary confinement to try to get him to reveal the content of what he had been doing. He was ultimately released, right? You should probably care about one of your compatriots being arrested simply on the basis of where he had been, without any prior cause, tortured for 7 years, and then released without charge. Could be you next. But my guess is you don’t care, because Mamdouh Habib was a Muslim. Amiright?

  11. J-D
    August 12th, 2014 at 07:26 | #11

    @faustusnotes

    Does the information that Mamdouh Habib was in Pakistan count as metadata?

  12. Ikonoclast
    August 12th, 2014 at 08:14 | #12

    @faustusnotes

    In my experience, people don’t care when they think it can’t happen to them. When bad things start happening to so many people that a critical mass of discontent is reached: then agitation for change starts happening.

  13. calyptorhynchus
    August 12th, 2014 at 09:12 | #13

    I’m a technological dummy, but the other day my son was explaining to me that as we have dsl then every time we restart the router we have a new IP address. Is this true, and if so, why can’t every would-be evil-doer simply get dsl?

  14. Blair Phillips
    August 12th, 2014 at 09:36 | #14

    @calyptorhynchus
    Part of the metadata to be collected will be which dynamic IP address is assigned to each customer and for what period.
    Any aware bad guys will use an anonymising web site, so much of the metadata will be fairly useless (until the NSA/CIA etc compromise the anonymiser)

  15. Collin Street
    August 12th, 2014 at 10:06 | #15

    > (until the NSA/CIA etc compromise the anonymiser)

    There are numbers of people who believe that one of the key things holding back IPv6 rollout is that IPv6 will permit home users to run home servers and bypass the centralisation that’s mandated by the current IPv4′s reliance on NAT and dynamic IP.

    It’s a lot harder to “compromise the anonymiser” if anyone can set one up in their living-room.

    [there aren't enough telephone numbers to go around -- four billion -- so only a few computers -- the central servers, mostly, facebook.com and all the web-hosts -- have permanent fixed ones. Everyone else just uses party lines [NAT] and pooled numbers [dynamic IP]; you can dial to a fixed-number telephone with one of these, but noone can contact you because they don’t know what your number is at any point. IPv6 dramatically increases the number of numbers, meaning that all computers can be assigned fixed ones that can be dialed to as well as can dial out.]

    @calyptorhynchus: it’s extremely likely you’re getting the same dynamic IP each time, and certain that whatever it is at any time will be logged.

  16. Jim Birch
    August 12th, 2014 at 11:03 | #16

    @calyptorhynchus
    You might get a new ip address each time you connect, but the ISP allocates it and records it to charge your account for usage, among other things. Determining who requested what is built into the system design.

    To make anonymous web requests you would have to set up an encrypted connection to an “anonymizer” – a server that makes requests on your behalf and send the results back to you. These things are around on the net and offer a free service. In this case, the government snooper could detect that you and a bunch of others have encrypted connections to an anonymizer, and that the anonymiser has connected to a bunch of downstream sites, but who connected to what cannot be determined directly. Often the anonymiser might be in a different jurisdiction or may be part of a federated group that randomly chains requests through multiple servers to further hinder analysis.

    However, I certainly wouldn’t recommend this without your eyes wide open. This stuff is for experts. The anonymiser may potentially be already compromised by the government or crooks – or, government crooks – so your activity may actually already be being logged. Or your computer might get taken over by the not-so-nice people running the anonymiser who are already operating at the edge of the law. There’s no guarantee of anything. There are various other mechanisms for secure communications but none are perfect. They are also likely to emit telltale smoke even if the actual content can’t be decoded.

    Your biggest source of anonymity is actually the humungous volume of data passing around the Internet – it’s impossible to analyse every exchange. What the spies want is access to the mass of raw data so that they can pick out people or sites of interest and follow related communication networks, aka “metadata”. This network analysis approach was apparently sufficiently successful against AK (we hear) that they stopped using the Internet, except to buy household commodities on eBay.

  17. Rob
    August 12th, 2014 at 14:20 | #17

    This whole thing gets worse the more I think about it….

    What is “meta data”? I mean in the general sense, not specifically in terms of these so-called anti terror measures. Sure, it’s “data about the data”. So “meta-data” is also “data”. So really we’re talking about data. Good! The issue then simplifies: the government wants to collect more data.

    Which data? Well the government has done a very confusing job of (not) answering that question. Let’s use the Turnbull one: who has been assigned a given IP at a certain time? I would describe this as “account data”. This makes me wonder: surely the government *already* has the power to compel ISP’s to provide that information via a warrant or subpoena, no?

    Will this be effective? If anyone really wants to hide their internet activity, wouldn’t they simply sign up for a VPN service?

    If so, then this is simply a new regulation, which will cause operational costs for ISPs to rise (which will be passed on to users, like a “big new tax”) and will simply push the baddies further underground. It also creates new (or extended) repositories of personal information, which like all data, is at risk of being released to the world via hacking or accident.

  18. John Quiggin
    August 12th, 2014 at 15:29 | #18

    It’s hard for me to see the use of retrospective access to IP addresses unless the government is also tracking and storing browsing history. Can anyone explain this? To spell it out, suppose my IP address in 2012 was 1.1.1.1 and it’s now something else. I pop up on the ASIO radar somehow, and they can compel my ISP to give them the old IP address. But what use is that, unless they can find out what sites were visited by 1.1.1.1 back then?

  19. Collin Street
    August 12th, 2014 at 16:38 | #19

    It’s hard for me to see the use of retrospective access to IP addresses unless the government is also tracking and storing browsing history.

    They want to log IP addresses [web hosts] that you connect to, but not specific URLs.

    They’ve said so, it’s just that Brandis doesn’t understand the technology and is also a cretin.

    [there's pretty good technical and legal reasons for distinguishing between IP addresses and URLs here, which is how you can tell it comes from the department and not Brandis himself.]

  20. Collin Street
    August 12th, 2014 at 16:40 | #20

    Not to say that the whole logging scheme is smart, but setting aside the fundamental imbecillity of the whole idea it’s reasonably well-conceived.

    And thus clearly not thought up by anyone in federal cabinet.

  21. Rob
    August 12th, 2014 at 16:47 | #21

    John Quiggin :
    It’s hard for me to see the use of retrospective access to IP addresses unless the government is also tracking and storing browsing history. Can anyone explain this? To spell it out, suppose my IP address in 2012 was 1.1.1.1 and it’s now something else. I pop up on the ASIO radar somehow, and they can compel my ISP to give them the old IP address. But what use is that, unless they can find out what sites were visited by 1.1.1.1 back then?

    My understanding is that when one of our allies, or even a law enforcement agency in Oz says to the AFP, “we busted this ring of baddies and found they had a webserver that had been accessed by these IPs in the Oz geography, go check it out” the feds will track it down to a ISP, and then ask the ISP who that IP was assigned to on a certain date/time.

    ISPs probably have this data already. They seem to have been moving toward fixed IPs over the years (away from dynamic assigned IPs, discussed above). But they may discard their records after a billing cycle or two, because that’s a lot of data to store, which is expensive.

  22. Rob
    August 12th, 2014 at 16:48 | #22

    They want to log IP addresses [web hosts] that you connect to, but not specific URLs.

    This has been contradicted by Turnbull.

    http://www.abc.net.au/am/content/2014/s4063286.htm

  23. Jim Birch
    August 13th, 2014 at 13:09 | #23

    The ip address history is useful to match with the historical access log of a site. The access log will have ip addresses but unlikely names. The user would need to logs in with some kind of real or traceable name (unlikely, especially for terorists) and name logging would have to be enabled (which it wouldn’t be by default as it slows the site.)

    So if kenspancakes.com.au was found to be say a front for a terrorist bomb plot, and their access log history was obtained, the ip addresses in the log could be matched to the historical ip data from the ISP at that time. This allows you to build the connection network information the other way around: users of site X, rather that sites that user Y went to.

    * * *

    One thing that I find more than a little weird about this discussion in general is that commercial organisations will have a lot of this information already. Google knows every site I visit, partly because I let them (which provides benefits to me) and partly because they can build a lot of this information up anyway. Are we worried about giving the government information that Google and an bunch of unknown and out-of-jurisdriction web ad outfits build anyway?

    The stuff that Google etc don’t get would be things that are “off web” like me using an encrypted connection to a private site or a point-to-point connection into to someone’s private computer. These connections are someone exceptional at present but will become very common with applications like video chat and intelligent devices. It seems to me that it would be smarter to allow the government to collect the data, but have clear principles for who can use it, how and for what, what oversight systems are needed and what sanctions apply for misuse.

    Exactly what use this data could be put to is the debate we are not having. Really, if you were writing the constitution today, that’s just the sort of stuff that should go in. A blanket no monitoring” approach is naive and historically quaint.

  24. Rob
    August 13th, 2014 at 13:31 | #24

    @Jim Birch,

    You do yourself a discredit but using the “xyz corp has all my data already, so what’s the difference?”

    The difference is you opted in for Google tracking, and may opt out.

    But this is all missing the big picture. Tony Abbott has said himself that there has been no change to the threat of terrorist acts here in Australia. Which begs the question, why then do we need a change to the law to counter this non-change?

    I was trying to think up a clever paraphrase to one of his great quotes: “It’s a so-called market in the non-delivery of an invisible substance to no-one.” … but couldn’t quite get there…

  25. John Quiggin
    August 13th, 2014 at 14:22 | #25

    I’m still having trouble here. If I’m the operator of a dodgy site, wouldn’t I and my users benefit from wiping the access logs on a daily basis (or maybe weekly if you want to some kind of troubleshooting). I’m not saying there aren’t people dumb enough not to do this, but surely AQ and similar aren’t going to among them.

    So, it seems as if the only way historical access logs are going to be kept is if ISPs keep them, or if the government taps them directly.

  26. Rob
    August 13th, 2014 at 14:46 | #26

    John Quiggin :
    I’m still having trouble here. If I’m the operator of a dodgy site, wouldn’t I and my users benefit from wiping the access logs on a daily basis (or maybe weekly if you want to some kind of troubleshooting).

    Quite right! That’s one of the many ways this proposal is ineffective. On the other hand, consider the many monumental IT stuff-ups by organisations with massive IT budgets. So you never know…

    Even some of the popular VPN services have logs, which kind of defeats the purpose (I assume they want logs so they can detect clients sharing their account, etc.)

    On the other hand, some authorities (e.g. NSA) might do some “packet-sniffing” prior to taking down the baddies. This will show traffic between two IPs, regardless of any logging on the server side.

    On the other, other hand, many of my friends have access to my Wi-Fi when they come visit. Further, my WiFi connection might be open to the public, so it could be anyone in walking past, a neighbor, etc. So just because some traffic went between my IP and some baddies server, doesn’t mean it was me doing it.

    So this data might yield evidence, but certainly not proof.

    p.s. I’m using “baddies” here to describe the the government target. This might be a child porn ring (a favoured example of government spruikers). But it’s likely to include whistle-blowers like Wikileaks, or even journalists. In that case, the authorities might be more inclined to allow the service/journalist to continue, but just monitor traffic so they can pounce on a whistle-blower when and if it suits…

  27. Megan
    August 13th, 2014 at 14:52 | #27

    @Rob

    I would add: as a general rule Google can’t have you extra-judicially killed, disappeared or held in indefinite detention without charge.

  28. Rob
    August 13th, 2014 at 14:57 | #28

    Megan :
    @Rob
    I would add: as a general rule Google can’t have you extra-judicially killed, disappeared or held in indefinite detention without charge.

    haha! No not yet!

  29. August 13th, 2014 at 15:46 | #29

    Since this all come under “bone headed stupidity” allowance must be made for commenting. It seems to be that metadata presumes the existence of algorithms that can capture data relevant individual internet data en masse. Even if content can be tapped, it is more difficult to analyse, and often not as useful in terms of understanding behavior. Metadata can create a picture of the individual user, and raises issues of privacy. There is a divided between the age of the printing press and internet. A search warrant is irrelevant if the data has not been stored. Why should ISP be responsible for collecting and storing information, and who is to define what algorithm should be used? Who does the data belong to, who can use it for possible commercial and other possible purposes, and who can have access, and under what conditions? The fact that metadata is being collected does not make it right, legal, or a violation of privacy.

  30. 2 tanners
    August 13th, 2014 at 17:31 | #30

    If my understanding is correct, part of the plan is to compel ISPs to hold this information at their own expense. That does give rise to the interesting constitutional problem of whose property it is when the government compulsorily acquires it. They can’t argue that the ISP still has it and therefore nothing has been acquired, as that would seem to undermine the entire basis of copyright law (although IANAL).

    On anonymisers, the US government is reportedly trying to penetrate TOR and target users as suspects because they are using an anonymiser. So unless you can assure your anonymity as a user first, it may not be worth the effort.

  31. Rob
    August 13th, 2014 at 17:42 | #31

    2 tanners :
    If my understanding is correct, part of the plan is to compel ISPs to hold this information at their own expense. That does give rise to the interesting constitutional problem of whose property it is when the government compulsorily acquires it. They can’t argue that the ISP still has it and therefore nothing has been acquired, as that would seem to undermine the entire basis of copyright law (although IANAL).

    Most (if not all) business have to operate within some sort of regulatory boundary, which in most cases increase costs (that are normally passed onto the customer). E.g. banking, healthcare, even the local fish-and-chip shop (they have to pay for proper disposal of their frying oil).

    I don’t think the proposed data retention plan is different in that regard…

  32. 1234
    August 13th, 2014 at 18:19 | #32

    My concern is the parallel discussions the government would be having wih ISPs on data retention for national security purposes and making ISPs more of a player in countering copyright infringement. As I understand it much of the metadata could be used for both purposes.

  33. 2 tanners
    August 13th, 2014 at 22:36 | #33

    @Rob

    All businesses should operate within regulatory boundaries, and I suspect that I am probably the most extreme on this forum in actually supporting the right of the state to scrutinise mail in all forms and other activities to prevent crime. The big BUT is that these powers need to be overseen by an independent judiciary and as I understand it this is what these laws propose to circumvent.

    The point I was making was that in forcing ISPs to keep what is clearly intellectual property and then demanding access to that property does not differ from demanding access to Fax TV’s Game of Thrones series (or come that, a digital version of Debbie Does Dallas). At best, the metadata belongs to the ISP who must be compensated, but in all likelihood the metadata belongs to the creator who must be both notified and compensated under the constitution. There is no right to prevention of acquisition and equally there is a constitutional guarantee of compensation. Again, IANAL but it would make for an entertaining High Court case.

  34. Megan
    August 13th, 2014 at 23:37 | #34

    @2 tanners

    I am probably the most extreme on this forum in actually supporting the right of the state to scrutinise mail in all forms and other activities to prevent crime.

    I understand, and accept, your “BUT” (ie: oversight by an independent judiciary) – but….

    My great concern is with the concept of doing things to “prevent crime”. Sure, lock your doors to help prevent burglary and so on. But total surveillance and invasion of internet activity by the government – or its 5 eyes partners doing so and feeding it back to them filtered in a way to make it ‘legal’ – is something that I see less to do with crime prevention and more to do with silencing dissent.

    Using ASIO to detain, and deport, the non-violence protest activist Scott Parkin under Howard or using ASIO to spy on climate activists under the ALP are examples of the basis for such concern.

    I would be happy – with a proper court process etc.. – for all sorts of spying to be used in solving crimes, but less happy to give it a free pass for “prevention”.

  35. Megan
    August 14th, 2014 at 00:31 | #35

    I got the “bold” a bit wrong there. I wanted to emphasize “solving” crimes as OK but “prevention” as dangerous.

    To “prevent” a crime you have to know that it is going to happen.

    To “know” it is going to happen you must have a reason.

    Suspicion is not good enough. The US is currently killing innocent people, including Australians, without any legal process based on something that is essentially an algorithm. They call it the “disposition matrix”.

    They often don’t even know who they’ve obliterated. It just “feels” right, because the minced person “fits” a category they have fallen into by meta-data: contacts, movements, numbers called, location, websites visited etc…

    I’m frankly terrified that my fellow Australians think this is quite OK.

  36. Ikonoclast
    August 14th, 2014 at 07:41 | #36

    @Megan

    You got the bolding pretty right I thought. Yes, it is terrifying, the direction the US is headed. I just hope a relatively peaceful, democratic reversal of these US trends will be initiated by the US populace. That is the best we can hope for. Realistically, nobody outside the USA has any chance of modifying these US policies.

  37. Rob
    August 14th, 2014 at 09:46 | #37

    2 tanners :
    @Rob
    The point I was making was that in forcing ISPs to keep what is clearly intellectual property and then demanding access to that property does not differ from demanding access to Fax TV’s Game of Thrones series (or come that, a digital version of Debbie Does Dallas)….

    I don’t understand why my internet address would be considered intellectual property. Is the street address of my house intellectual property, and if not, how is it different to my internet address?

  38. August 16th, 2014 at 23:48 | #38

    kevin1 @ #2 wrote:

    Living in the shadow of nuclear Armageddon has been forgotten, though I remember in the early 80s, with Reagan’s Starwars fantasies and nuclear power more favoured, ’twas a scary time.

    We owe it to the late Lieutenant-Colonel Robert Bowman (1933-2013) for preventing nuclear war during the Reagan Years. Robert Bowman was Director of Advanced Space Programs Development for the U.S. Air Force in the Ford and Carter administrations, but had retired before Reagan was elected. Because he had retired before Reagan was elected, he was, unlike may he worked with, able to blow the whistle on plans of people in the Reagan administration to launch war. Had he not retired, he would have had to remain silent or risk imprisonment. Bowman toured the United States and gave speeches to packed meetings against the war plans and forced the Star-Warriors to back down.

    Robert Bowman tried to win preselection as Democratic Presidential Candidate in 2006 but was beaten by the rorts in the preselection system in Florida.

  39. August 16th, 2014 at 23:53 | #39

    (Second attempt. I forgot to put a “/’ in my second ‘blockquote’ tag, above. Please delete the above post, Professor Quiggin.

    kevin1 @ #2 wrote:

    Living in the shadow of nuclear Armageddon has been forgotten, though I remember in the early 80s, with Reagan’s Starwars fantasies and nuclear power more favoured, ’twas a scary time.

    We owe it to the late Lieutenant-Colonel Robert Bowman (1933-2013) for preventing nuclear war during the Reagan Years. Robert Bowman was Director of Advanced Space Programs Development for the U.S. Air Force in the Ford and Carter administrations, but had retired before Reagan was elected. Because he had retired before Reagan was elected, he was, unlike may he worked with, able to blow the whistle on plans of people in the Reagan administration to launch war. Had he not retired, he would have had to remain silent or risk imprisonment. Bowman toured the United States and gave speeches to packed meetings against the war plans and forced the Star-Warriors to back down.

    Robert Bowman tried to win preselection as Democratic Presidential Candidate in 2006 but was beaten by the rorts in the preselection system in Florida.

  40. J-D
    August 23rd, 2014 at 16:27 | #40

    @James

    There was no Presidential election in 2006. In 2006 Robert Bowman sought and won nomination as the Democratic candidate for the House of Representatives from Florida’s 15th Congressional District but was beaten in the general election by the incumbent Republican Dave Weldon.

    Your suggestions about the effects of his speeches on the subject of the so-called Strategic Defence Initiative: are they any more accurate? I don’t know.

Comments are closed.