05 May 2015

What metadata laws mean for your business?

With the passing of the Government’s contentious metadata laws, Australian individuals and businesses will need to be aware that their ISP – regardless of ISP – will need to retain and store all metadata information for their activities online. This data has a specific use in theory – to allow law enforcement agencies to better predict, prevent, or resolve crimes, but the ramifications for the law are as significant for businesses as they are for individuals.


For Individuals

Unless you’re a journalist, there are no protections under the new laws that prevent the eligible law enforcement agencies for accessing your metadata information without a warrant. This includes any and all metadata information related to your personal computer, your work computer, your home phone, mobile phone, or any tablet or laptops you might be using.

Metadata, of course, doesn’t mean specific information on what you’re doing. The information that will be kept include the time in which you make phone calls, the number being called, what time an email is being sent (and to who), and the time you logged into the Internet and how long you were logged in for.

In theory this data will only be used to prevent serious crime and terrorism, but the recent victory that the owners of the Dallas Buyer’s Club IP had at court, forcing ISPs to hand over the details of those had illegally downloaded the movie, and the broad powers that the Attorney General has to determine which bodies are allowed to access the metadata, has many concerned that this data retention will be used across a wide range of purposes that do not have to do with national security or counter-terrorism.

The basic reality of these laws will be that individuals need to assume that whatever they do is being monitored. It might indeed mean that you don’t download that episode from Game of Thrones from a torrent (and don’t assume that you’ll be able to use a VPN, as the government is investigating how to prohibit use of those), but the ramifications for many businesses are much more significant.


For Business

If you’re a journalist, or a company that employs journalists, then you’ve got some level of protection, which was added in to the metadata laws to provide protection for confidential interactions and conversations. These protections were immediately criticised, however, since the law enforcement agencies can simply bypass the protections by tracking the metadata of those contacting journalists, and on top of that freelance journalists are not protected. The expectation is whistleblowers will still become a rare breed, and those that do will need to avoid using technology to communicate with a journalist.

The real problem, however, is that journalists are not the only ones holding sensitive data. Doctors, lawyers, and even the clergy are all ethically bound to preserve confidentiality in those that they serve, and the metadata laws provide no protection whatsoever for these organisations. This has been a real concern in nations where metadata or surveillance laws already exist, and various institutes for organisations that handle sensitive data have already expressed concerns in Australia as well.

Data breaches are possible, if not likely, with even the largest and most secure ISPs and telcos in Australia having already reported breaches for matters unrelated to metadata retention. From a privacy point of view, this means that organisations handling sensitive data can no longer assure customers that it will be entirely secure, as they will not be able to control how it is stored outside of their businesses.

Metadata laws may well have an impact on any business that collects customer data for its own use, too. It is expected that there will be a significant uptick in consumers making use of privacy tools, from Wickr (which destroys messages after they are read), to Ghostery, Disconnect, and Privacy Badger. As well as VPNs themselves, of course. These tools, as a consequence, will impact on the ability for a business to collect good information about a customer, and serve them with the kind of personalised service that they expect. Small businesses, marketers, retail, media, and corporations alike will struggle from the impact of the increasing use of these tools by their customers.

And so, while it’s easy enough (for now) for an individual to work around the metadata laws, businesses throughout Australia will have to struggle with the implications that these laws have for their businesses, from both a customer privacy point of view, and how the businesses themselves will operate moving forwards.