Metadata definition going deep down under? 

Australia has recently thrown a spotlight on the issue of metadata, a topic we have talked about already on this blog as a buzzword in today’s digital discourses that all too often lacks clear legal definition.

Earlier this year, a leaked confidential discussion paper by the Australian Government became public news because it gave details regarding plans for a new Australian data retention regime. The proposals, which are now formalised within a new legislative Bill – the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 – include the imposition of obligations on providers of telecoms and internet services in Australia to retain the communications metadata of their customers for a mandatory two years in order to assist law enforcement and national security agencies. Furthermore, government agencies will not need a prior judicial authorisation (a warrant) on a standard of reasonable and probable cause that a crime has been, or will be, committed to access such metadata.

Has the ensuing debate provided some answers to our questions already outlined on this blog, or has it added yet more questions to the mix? It is clear that the proposed scheme hinges on the meaning of metadata, but critics of the Bill have voiced concern over the imprecision of its scope due to the lack of a legal definition of metadata. (Indeed, as with UK telecoms legislation, the governing Australian legislation – the Telecommunications (Interception and Access) Act 1979 – does not define metadata. Instead, it only specifies which it is not in section 172 as excluding any information that is or contains the contents or substance of a communication). Yet, disagreements abound over what this ‘contents or substance of a communication’ should constitute exactly.

The discussion paper attempts to appease some of the concerns by outlining certain requirements regarding the information that should be encompassed by the term metadata under the new scheme, as specified by the department of the Attorney General (AG). The first category to be included involves information necessary to identify, and supplementary information regarding the subscriber or user of a service (including subscriber name, address information, contact information (such as phone number), financial records (such as billing account state and billing type), and usage information (such as the type of service used and upload/download volumes and allowances)). Also included is information sufficient to trace and identify the source and destination of communications and the devices used, in turn giving clues to location. For example, this is likely to include network identifiers of the party receiving a communication (e.g. ‘IMSI’ – the international mobile subscriber identity) and identifiers regarding the device used to receive a communication (e.g. ‘IMEI’ – the international mobile station equipment identity) and MAC addresses, as well as dates and times regarding communication.

Beyond that, many questions are unanswered. For example, will the Bill cover data contained in IP packet headers and will it also include the ‘packet payload’ containing application-level metadata related to the contents of packets (e.g. the subject line and sender and receiver e-mail addresses for an email, or specific uniform resource locators (URLs) for a web browser request)? If it includes the latter, as Sophie points out in her earlier blog post, the collection of such application-level metadata and not just network-level metadata by Internet service providers requires the implementation of deep packet inspection technologies, i.e. the peeping into the content of communications [Peep Beep!].

The picture is made even less clear by the fact that some of AG department’s metadata ‘wish-list’ has not been mentioned as part of what the government says it might consider metadata retention obligations to encompass. In turn, such outstanding ambiguities lend themselves to allegations of over-reach regarding what precisely can be retained and accessed by national security and law enforcement agencies. Thus, the distinction between metadata and the contents of an electronic communication is a crucial one in law precisely because of the stringent legal constraints that exist around what cannot be done with content.

For example, a contentious issue is whether URLs related to a person’s web browsing history should be considered content or metadata. One view is that as URLs are content, e.g. because some URLs can identify the substance of a communication and they may be considered to be user-generated. (By way of comparison in the UK, URLs are considered to be content data. In particular, the Code of Practice for the Acquisition and Disclosure of Communications Data provides that the part before the first slash in a website address is communications data, and what comes after the first slash is content; therefore, full URLs are regarded as content). An opposing view is that metadata is information that allows a communication to occur, which would include URLs, making warrantless governmental access to individuals’ web browsing history possible. The discussion paper states (page 4) that that destination web address identifiers – such as URLs and “destination IP addresses” – are excluded from the new rules, but confusion remains on this point as evidenced by numerous online stories on this topic (see e.g. ‘Explanation of just what will be collected is still confusing and incomplete’).

Other than ambiguity leading to allegations of overreach by authorities, a further point of ‘so what?’ over the scope of metadata’s coverage in Australian law is the associated erosion of privacy by the Australian users whose metadata is being collected. It can be argued that metadata can now actually tell you more about a person than content ever could, covering details about where you go, who you speak with or write to that can reveal significant parts of your life. This information – providing significant insights into who we are, what we do, with whom, when and where – can be far more revealing about our lives than what we say nowadays in our hyper-connected societies. This is even clearer when application-level metadata are collected as they are metadata directly linked to individuals and not to computers.

The Bill is currently going through the Australian parliamentary process. In the meantime, it will be interesting to see if a statutory definition of metadata becomes part of the legislation and, if so, whether it includes technical specifications. (A point of comparison here can be made with the highly technical specifications found in US legislation regarding when online service data deemed ‘electronically stored’ can be accessed by governmental authorities, in turn the subject of some criticism for that reason, e.g. see ‘The Stored Communications Act: An Old Statute for Modern Times’). Some critics remain vehemently opposed to a technical specification approach on the basis that definitions should remain technology neutral, and hence metadata should not be defined otherwise it risks later redundancy.

Even with technologically neutral definitions, however, improvements of clarity and protection against greater privacy-invasion can be made. For example, the Canadian Supreme Court ruled last year that it is not just a communication itself that should be protected, but also any derivative of that communication that would convey its substance or meaning. The European Court of Human Rights has also issued a clear message on this topic in a 2007 judgement: “emails sent from work should be similarly protected under Article 8 [the right to right to respect for private life and correspondence], as should information derived from the monitoring of personal internet usage”. The debate rumbles on…

Alison Knight