Metadata took centre stage in the national debate this week, in the context of the Government’s data retention proposals and as a result of George Brandis’s spectacular fail when attempting to explain what exactly he meant by metadata on Sky News. Tony Abbott has spent much of the week looking nervous and pronouncing ‘so called’ metadata very, very carefully. Brandis should have been properly briefed or they should have had a cabinet member with a clue about the intertubes speak on the proposals. That is not to say that referring to what is being put forward in clearer terms would make it any more palatable. But even if he had not mangled the explanation, it is still profoundly misleading for the government to keep up the ‘don’t worry it’s only metadata’ argument in seeking to expand the scope of the collection, retention and use of our personal information.
Those of us working in recordkeeping understand that metadata is just as rich in meaning as ‘content’; and that its blanket collection and retention is just as much an affront to the protection of personal privacy as other mass surveillance regimes. And yet the Australian public is being fed this rubbish. Not to mention the wrong-headed absolutism about what metadata is or what is not. Metadata can be any number of things, and indeed one man’s metadata is another’s content, depending on the context. In online and other digital systems a strict dividing line between the two is increasingly unhelpful. Let’s be clear: they are proposing forcing ISPs to collect data on all of us and what we do every day, so this information may be accessed at a whim without a warrant. Not a pleasant sensation for members of a so called free society
But back to metadata. Brandis, and the Government (as well as the previous Labor Government, with Nicola Roxon having a go at promoting data retention on You Tube in 2012) have kept up the ‘address on an envelope’ analogy in an attempt to explain what they are talking about. It’s been so widely used you have to suspect it’s about the only thing in this discussion that they seem to be able to get their heads around. The envelope analogy attempts to suggest that metadata is less important, a minor player compared to content. Certainly not as private. None of this is true. As Barbara Reed noted in her recent essay ‘Rethinking approaches to recordkeeping metadata’.
Metadata, and particularly metadata about records, which detail transactions and are routinely collected for business purposes, are the stuff of big data, data mining, semantic web relationship linking and other emerging analytic technologies coming down the line. Metadata is also at the core of the social concerns over privacy, the capacity of individuals to control their personal information and the acceptable limits of data linkage.
The analogy also creates a hard distinction between ‘content’ of a record (such as an email) and its metadata, and suggests that details such as recipients’ names, dates and subject lines are only ever metadata. This is of course not true; they way we generate and use information online is about assembling and presenting data in myriad ways, depending on our purpose. The same piece of information that is considered ‘metadata’ for one record may be the record itself in another instance. The thing that makes something metadata is not intrinsic; it is how and why it is used to provide vital context and linkages to other information. What business activity was conducted? How can we use data to link a transaction to that business and maintain that over time so we can call on evidence of that business down the track. What format was this record made in? Will we continue to support it or does it require migration? Who has a right to access this information? On what basis? All of this can be metadata when placed into a recordkeeping context.
It was interesting to see Thoughtworks’ Lindy Stephens in The Guardian this week talking about the practice of ‘data austerity’, saying:
When a company or government practises data austerity, the burden is on them to demonstrate a need for the data they store.
Exactly. In a time when it is possible to make and keep unfathomable quantities of data, what about the need for thinking up front about what to make and keep and why? What are the recordkeeping requirements for the business, taking into consideration things like the legal requirements affecting the business or government service, risk factors, the demands of efficiency and the needs and expectations of users of the service or people affected by it and more.
This analysis, known in Australia as appraisal, is a core activity of recordkeeping; understanding the context you operate in, and determining what should be made and kept as evidence of that business, metadata and all – the definition of recordkeeping requirements. This includes considering how long that information needs to be retained.
The proposed data retention could result in a significant new recordkeeping requirement for ISPs to meet on behalf of the government. Governments outsource all sorts of recordkeeping responsibilities; this is not new. However this requirement to have such a universal application, affecting virtually every Australian and their day to day lives. Metadata from our online lives, generated and collected en masse, is the same as the meticulous recording of movements and interactions of ‘persons of interest’ that we can now see in the ASIO files of the 1950s through to the 80s. The difference now is that we are all ‘persons of interest’, and this data is easily analysed and constructed to tell myriad stories from our lives. The balance of considerations in determining the most appropriate retention and use of this (meta)data must include our right to privacy. Our civil liberties must not be thrown away with the use of an artfully timed fear campaign. Our stories should remain our own.
Update: 30 October, 2014
“Information about phone and computer use would be kept by telecommunications companies for two years, under new counter-terrorism legislation introduced to federal Parliament this morning
..Attorney-General George Brandis said the information to be kept included:
- the identity of the subscriber to a service
- the source and destination of a communication
- the date, time and duration
- the type of communication
- the location of the equipment used”
ABC News, ‘Federal Government introduces legislation for controversial data retention plan’
Excellent, Cassie particularly for putting the government’s “discussion” in the context of business appraisal and Recordkeeping.
As a privacy officer, I would add the considerable risk to our privacy which everyone of us using a phone or computer will be exposed to, of unauthorized access to the giant volumes of personal information the ISPs will accumulate. Under the limited privacy regime the Commonwealth has provided they are not even obliged to report breaches of their data to the Privacy Commissioner. And this is without taking into account the literally hundreds of thousands of legal requests for access to the ISPs’ records which do not require a warrant right now.
All this from a government that nobody trusts, in either their competence or just to tell the truth.