As of April 13, 2017, Australian internet service providers (ISPs) and telecommunications companies are officially required to collect “metadata” about their customers’ communications. According to the legislation, this data includes:
- name, address, date of birth, email addresses and other identifying information of the person that holds an account
- details of any communication, including:
- the mode of communication (voice, sms, email, chat, forum, social media)
- the location of the person at the start and end of the communication
- the address and details of the receiver of the communication
- the network used for the communication (ADSL, Wi-Fi, VoIP, cable, etc).
What it does not include is details of websites a person visits, and nor does it include information about what they did on those sites.
There is still confusion on this point amongst the public and media, and more generally about what the data retention law really means for Australians. There is still talk about the need to “hide online browsing” because of this legislation, when in fact ISPs are not required to save such information.
Even in the US where privacy rules have been overturned by the House of Representatives – theoretically allowing ISPs to sell or market customer’s browsing history – in practice, ISPs have a vested interest in maintaining customer privacy.
There is still a strong argument to be made regarding being concerned about the metadata being stored, and consequently about the steps Australians can make to protect their privacy.
The list of Australian government departments that have requested access to metadata, or have explicit authority to request access to the metadata, collected by the ISPs and telecommunications companies is extensive and wide ranging. This means that a larger part of Australians’ lives could become accessible to these agencies, and the information collected could potentially be used against them.
The most effective way of protecting privacy of communications on the Internet is to use a virtual private network (VPN), which will quite simply prevent all details of communications (and yes, also browsing history) from being visible to an ISP.
Although the use of a VPN is a good idea for protecting privacy, there are still some risks involved in using this technology. Firstly, VPN users have to trust that the company providing the services is actually doing what they claim and really protecting their customers. Recently, a large number of Android VPN apps have been shown to have significant privacy and security issues with them. Even with the better-known VPN providers, customers are required to simply trust that the VPN provider is doing what they claim and not keeping records or logs.
There are a set of well known and well regarded VPN providers that have “mostly” operated without controversy. VPN software has become extremely simple to operate on PCs and mobile devices. With growing numbers of customers, VPN providers have made an effort to scale servers and bandwidth to make the potential slow-downs from using a VPN less noticeable.
Theoretically, a VPN can be set up to operate continuously whenever there is a network connection. This would mean that any subsequent communications done over that network would be entirely private. Using a mobile VPN would allow even the fact that Facetime or WhatsApp was used to communicate with someone to be hidden from an ISP.
Without a VPN, the ISP would record that a Facetime conversation occurred between the customer and another person, the length of the connection and the location of the customer at the time. Of course, identifying the person that the customer talked to would still take some work in tracking down an internet address and again, this information might yield only the address of a VPN provider and not the individual.
VPNs are becoming an essential part of being on the internet. Apart from the privacy aspect, there is the added security they provide, especially when using unknown wireless networks such as in cafes, airports, or even at work. They also provide the ability to avoid geolocked content on services like Netflix, which up until the advent of metadata retention was the main reason for most people using a VPN, especially in Australia.
Given the commitments to privacy and security made by companies like Apple and Google, it would not be at all surprising if they started to provide their own VPN services to customers that were seamlessly built into their devices.
Updated 18th April 2017 at 14:30 to reflect a clarification by a senior media adviser for the Office of the Attorney General on the organisations that have explicit authority to request access to metadata under section 110A of the Telecommunications (Interception and Access) Act 1979