back to article Want to hide your metadata? You probably can't

With every development in Australia's data retention debate, the question arises: “how can I stop the government getting its hands on my metadata?” Routinely, often non-technical journalists give the glib answer to “use encryption”, rattle off their favourite list of technologies, and over-simplify things to the point of …

  1. dan1980

    <em."If you're not, then the data collected about you probably won't be used."</em>

    Probably won't be used by the government or law enforcement agencies in the current regime under this version of the laws.

    That, as the author says, doesn't prevent use by (civil) third-parties but nor does it prevent use by future governments for any and all purposes because there just aren't sufficient safeguards. It also doesn't mean that whatever limitations are put in place now won't be watered down and eventually removed at a later date in the continuing expansion of government surveillance and consequential erosion of personal privacy.

    The reason is that there are no constitutional protections of privacy, nor limitations to police powers here, as there are in the US. Sure, those protections seem to be worth less-and-less each year as they are circumvented and outright broken but they do exist and a law can - at least in principle - be struck down by the courts on those grounds.

    In the US, the standard for a search (for example) is "probable cause", which is actually rather different to our 'reasonable suspicion'. Indeed in some circumstances police can use any number of extremely generic factors as 'reasonable suspicion'. For example, if you are at a music festival, police can search you for drugs if they want, because simply being there is apparently enough for them to suspect you may have illegal drugs on you.

    They need provide no justification to search your car if you are pulled over, quite unlike the US. Of course, in practice, the police in the US may just do this anyway but more than one case has been thrown out on these grounds.

    A little tangential, but only slightly - in Australia we have no innate protections against law enforcement.

    1. Mark 85

      Yikes... and here I thought we had it bad in the States. Given the way things are headed, I suspect we'll all end up in the same place anyway, Constitution or no Constitution. The spooks have already found their work arounds... the simplest being "we collect your citizens metadata and hand it over and you do the same for us". Once the suspicion or probable cause is there, you're just one secret court ruling away from having all your data absorbed.

      1. dan1980

        That said, our police are generally very good but we have no protections if our governments decide to grant new powers.

        We've even followed the UK and removed the traditional 'right to silence':

        http://nswcourts.com.au/articles/the-right-to-remain-silent/

        Well, we still have it of course - you can't be compelled to speak but if you don't then there is no longer any prevention from applying prejudice to later responses in court.

        For example, if you are pulled stopped by the police and asked why you are somewhere and subsequently arrested but don't give an explanation, the explanation you do later give in court will be not seen as trustworthy.

        But, as it is not codified anywhere, all that was required to dismiss centuries of tradition* and reams of case law was a collection of stuffy politicians sitting in stuffy chambers filled with bad carpet and over-lacquered wood.

        And what was the catalyst? Police were 'frustrated'.

        What it neatly ignores is the genesis of the 'right to silence' and the reason it is important, which is that there is a HUGE, nearly unbridgeable disparity between the power and resources of the police and those of someone they are talking to. The police have physical powers as well as specialist legal training and experience using both. They are able to intimidate and lie in order to get you to tell them what they want and have the right to get you to leave a public place or let them search you or your belongings or vehicle but are 'frustrated' that sometimes people don't answer their question and would rather wait until they are formally charged - if possible - and able to present their case to an (essentially) impartial legal system.

        Again, it's a bit tangential but serves to illustrate that without explicit protections, any and all freedoms and rights are fair game.

        * - In Australia and, through our shared heritage, the UK.

  2. Mark 85

    The "right to silence" is great in theory, but from what I've seen in these parts is that the prosecution will lead the jury to believe that by not incriminating themselves (i.e.: declaring the 5th and right to silence") that the accused is hiding something and therefore guilty. I was taught by parents and military to say nothing. Even if it's a logical explanation... just keep quiet. Many of us were taught that. We have that right but it gets worked about and the accused gets burned for exercising that right. As I said.. we're all ending up the same place. <not a happy camper>

    1. Anonymous Coward
      Anonymous Coward

      The right to silence was always going to be looked on unfavourably in court anyway. Shutting up is still the best thing to do until a lawyer arrives though.

  3. poopypants

    Amazing

    I read the entire article and all the comments so far and saw no mention of VPNs.

    1. ruscook

      Re: Amazing

      My first thought as well.

    2. Anonymous Coward
      Anonymous Coward

      Re: Amazing

      "I read the entire article and all the comments so far and saw no mention of VPNs."

      You didn't read it very well. The part about Crytome hints at why a VPN might not help. Especially if you're trying to hide from Brandis by handing all your traffic to the US government instead.

      Unless you've done a lot of research into where your VPN endpoint is, you may be simply sending your packets out of the pan and into the fryer.

      Posting anonymously because Brandis might be watching.

  4. deadfamous
    Holmes

    corruption is the issue...

    Whatever we individually want regarding privacy we need to insist on one thing above all others...

    Protection of the innocent :: Verification.

    It must be possible for the 'suspect' to be able to independently validate that all sources of information have not been tampered with.

    Suggestions?

  5. Greyeye

    How does a gov going collect metadata when SMTP these days are via TLS and TCP payloads are encrypted ?

    Same for SSL/TLS, a browser doesnt even give URL until handshake is complete.

    1. Tim Bates

      "How does a gov going collect metadata when SMTP these days are via TLS and TCP payloads are encrypted ?"

      I think they're wanting the SMTP server logs packaged up and stored.

      I'm still curious what will happen with storage of things like ICMP and UDP traffic. In some cases, the metadata will take more room to store than the size of the content. I seriously don't think anyone who voted for this legislation actually understands how traffic flows on the internet.

  6. Anonymous Coward
    Anonymous Coward

    Brandis...

    ...is a phekhin' Khant...

  7. seanf

    Like Greyeye's comment I don't get it.

    With most the major email providers now providing SSL connection as a default how *IS* the gov't going to collect useful metadata, about (say) who emails whom, anyhow? All a journo has to say to a whistle blower is "use Gmail webmail" and (without Google handing over the actual email contents) the sender's identity or IP address cannot be known.

    As for halfway competent* terrorists and kiddy fiddlers - they probably already use TOR or at least a VPN.

    So I am thinking that the only probable value for 140 million (taxpayer) dollars worth of "IP address on a given day" data is as a reverse lookup database for Big Content to identify file sharers from their <insert favorite torrent client name here> activity.

    So who influences our pollies most? Not the taxpayer clearly. It's pathetic!

    * The user of "competent" in this context does not indicate or even vaguely suggest approval.

    1. Anonymous Coward
      Anonymous Coward

      I posit that this article is click-bait. Sure, if your are a person of extreme interest for the NSA then things will get very difficult. However Snowden proved what can be achieved. I think a lot of the points are flimsy straw-man arguments at best.

      The average user is not going to be de-anonymised on Tor.

      VPNs are handily ignored/not addressed.

      Email encryption - seriously who believes that gets around metadata? Most people I know are using GMail, Hotmail etc. In order to get any metadata Brandis would need to ask the NSA as, chances are, that the email transits through Googles infrastructure. If you are getting up to anything naughty over email then chances are you'd go through a VPN then Tor to create the account and use the account. Tie that fucker back Brandis, I dare you.

      Public WiFi - the only time I'd use public Wi-Fi is through a VPN to prevent ads or other packet inspection/insertion. They are untrustworthy at best and I'm pretty sure that is well known.

      Location information - my home internet connection is, shock, at my home. My phone location, again shock, is known when it connects to a tower to make a call. Bizarre, I know. If I don't want anyone to track my location I leave my phone behind like, say, in the late nineties when I didn't have one and still managed to get shit done. It is a convenience, rarely a necessity.

      Secure drop site - a real peach this one

      In giving this advice, security advisors are once again confusing content and non-content data. The secure drop-site is designed to protect your identity and content at the server end, but it does not intrinsically protect non-content data at your end – your connection to the Internet, your location, the fact that you made a connection to an IP address associated with the drop site, and so on.

      If you are a whisteblower after the inception of these laws WTF would you have an unsecured computer when full disk encryption is simple. Your location? Really? You are going to just go over your home connection to the secure drop site and dump a file that isn't encrypted from an unsecured computer? Please put your straw-man back in its case before I torch the bastard. What security advisors, Gartner? FFS.

      The main point, and the most important one, is that as you increase the level of data capture you increase in incentive to avoid. As you move towards capturing everything about everyone in your Orwellian wet dream technology evolves to make the World go dark for you. At this point you have successfully moved from being able to see detailed information regarding targeted individuals to capturing every packet and yet not knowing what it means. The internet will soon enough be flooded with instructions on how exactly to go about your life whilst keeping them out of it. Snowden's escapades and the film about it have brought this information to light. Please don't confuse the opsec of Joe Public with that required by Osama.

      1. dan1980

        @AC

        "I think a lot of the points are flimsy straw-man arguments at best."

        Only if you don't understand the premise of the article, which is that the current advice being given in the media on how to avoid this collection of your metadata skips over a lot of issues and is thus dangerous to rely on

        "VPNs are handily ignored/not addressed."

        Quite. And why? Because they are not addressed by those who are giving this advice in the media - usually people whose regular segment tells viewers about the new tablets and smart watches and just what 'cloud' means. These 'gurus' are being brought in for 5 minute question-and-answer segments where the presenter will ask: "what is metadata?" and "so what can I do to keep my information private?" and the producer wants 30 second answers so they can move onto the next story about Kim Kardashian or cross-promotional plug for whatever series or reality TV show is airing.

        They give explanations and tips that are easily-digestible by the layperson and so those people go away thinking that they understand it but don't because many of the important details have been glossed-over and ignored.

        I don't know where you sit in IT but I have had numerous instances where people have infected their PC with a virus or malware and said: "but I have anti-virus; isn't that supposed to stop this happening?" They believe this to be the case because they haven't understood that anti-virus offers only a measure of protection, not some perfect defence against any and all that the web can throw at them.

        "The average user is not going to be de-anonymised on Tor."

        Unless I am mistaken, this is precisely what Richard said: the government is unlikely to go to that effort but if you are actually of interest, it is possible, so if you are giving the advice "use Tor", then it is responsible to at least mention that it is not bulletproof.

        Regarding the lack of security when using a public wifi connection, you say that you are pretty sure this is "well known". To who? I can tell you that next to zero non-technical people I know understand why public wifi is insecure. Remember again that Richard is commenting on the technical advice that is being given by the kind of people the media bring on to explain it and tell people "what it all means for you and how you can stay safe".

        With your comment about leaving your mobile phone behind, do you really think the average person - at whom this information is being aimed - actually does this? What you think is obvious ("shock") is not always so to the non-technical.

        When you ask "what security advisors" are giving this information about secure drop sites, perhaps that was the wrong term for Richard to use. He is, again, talking about the kind of information provided to the public be journalists and "IT Guys" who routinely go on breakfast and current affairs shows but also newspaper and web journalists. At least I think he is. When I read this article, I had a few such people specifically in mind.

        So, while I accept that a proper 'security advisor' would be a little more thorough, I think the author is using the term not as a job description but to denote the people he is talking about who are advising the public about security. That's how I read it - I could be wrong.

        Richard's points do not present a 'straw man' at all; they are presented as comment on the advice given by those in the media giving advice to the public. They are over-simplifying in an attempt to avoid their viewers having to think too much before they cross to the weather person presenting from whatever local event has paid them for the publicity or cutting to "Steve in the kitchen" who will tell audiences all about how amazing the latest plastic time-saving food-preparation gadget is.

        And if you think that people don't take such advice seriously and without further research then I'm afraid you have a rather inaccurate (though pleasantly optimistic) view.

  8. ChrisInAStrangeLand

    "I do not speak to police without the presence of legal counsel. This conversation is recorded on my dashcam. Am I being detained or am I free to go?"

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon