Australia's Attorney General Says Metadata Collection Won't Track Your Web Surfing, Just The Web Addresses You Visit (Huh?)
from the say-what-now? dept
Australian Attorney General George Brandis seems to be working extra hard to demonstrate just how completely clueless he really is. On both copyright and surveillance, it's pretty clear that he doesn't even remotely understand the details, but is willing to go all in to support some misleading claims that someone told him. On the surveillance front, he recently claimed (incorrectly) that data retention rules are a must (and that whistleblowers should be thrown in prison). The data retention rules are getting some attention because it's pretty clear that Brandis is advocating for a massive expansion in data retention and collection for many different purposes (i.e., expanding it to cover "crime-fighting in general" as opposed to just terrorism/national security).However, it's pretty clear that he has no idea what this all means. He gave an absolute train-wreck of a TV interview on SkyNews, trying to defend the policy, in which he claims that the metadata rules won't track your web surfing habits, but just what websites you visit -- as if that's a different thing. You can see the video here. It's quite incredible. First he claims that the telcos "already collect this data" for billing purposes, but they want to change the law because now flat rate plans mean telcos might not track this data. But then he jumps to internet metadata (which, uh, has never required tracking for billing purposes) and things get ridiculous quickly.
SkyNews host: Well, the Prime Minister today said "it's not what you're doing on the internet, it's the sites you're visiting." So will it be the sites you're visiting?I wouldn't normally include stuttering and false starts in a transcript, but in this case it seems somewhat necessary to show the level at which Brandis was clearly uncomfortable with the subject matter. The conversation then goes on to metadata for social media, and Brandis takes the easy out here saying that the rules are still being discussed. However, he does admit that metadata will be used for criminal investigations.
George Brandis: Well, well, it... it wouldn't extend, for example, to web surfing. So, what people are viewing on the internet is not going to be caught.
Host: So it's not the sites you're visiting.
Brandis: Well... um... what people are viewing on the internet when they web surf is not going to be caught. What will be caught is the... is the... is the, um... the web address they communicate to.
Host: Okay, so it's only the... I'm sorry... the web address? If I go to an internet site, that will be recorded and available?
Brandis: The web address... um... is... is part of the metadata.
Host: The website.
Brandis: Well, the web address. The electronic address of the website.
Host: Okay. If I go to the SkyNews website, the Australian website, a more questionable website, that will be... is that what we're talking about here?
Brandis: Well, I... b... m... m.... m... the... what you're viewing on the internet is not what we're interested in. And that's not what we're...
Host: You'll be able to see whether I've been to that website or that website or that website.
Brandis: Well, what we'll be able... what the security agencies want to know... to be retained... is the... is the electronic address of the website that the web user is visiting.
Host: So it does tell you the website.
Brandis: Well... well... it tells you the address of the website.
Host: That's the website, isn't it? It tells you what website you've been to.
Brandis: Well, when... when you visit a website you... you know, people browse from one thing to the next and... and... that browsing history won't be retained or... or... or... there won't be any capacity to access that.
Host: Excuse my confusion here, but if you are retaining the web address, you are retaining the website, aren't you?
Brandis: Well... the... every website has an electronic address, right?
Host: And that's recorded.
Brandis: And... um... whether there's a connection... when a connection is made between one computer terminal and a web address, that fact and the time of the connection, and the duration of the connection, is what we mean by metadata, in that context.
Host: But... that is... telling you... where... I've been on the web.
Brandis: Well, it... it... it... it... it... it... it records what web... what at... what electronic web address has been accessed.
Host: I don't see the difference between that and what website I've visited.
Brandis: Well, when you go to a website, commonly, you will go from one web page to another, from one link to another to another, within that website. That's not what we're interested in.
Host: Okay. So the overarching... if I go to... SkyNews website, it'll tell that, but not necessarily the links within that that I go to?
Brandis: Yes.
We've long argued that metadata is incredibly revealing, and anyone who claims it's "just metadata" has no clue what they're talking about. But here, Brandis takes that cluelessness to a new level. It's pretty clear that he is totally and completely ignorant of what he's discussing. At times it suggests he thinks that the web address doesn't reveal what you've been reading, and I thought maybe he thought that there's a real distinction between the web address and what you see on the page (which would be ridiculous). But at the end, he seems to imply that ISPs will only be asked to record the top level domain of pages you visit... which is... equally unlikely and almost certainly false. Everywhere else he says the "web address" which would be a lot more than the top level domain.
Either way, it seems abundantly clear that he doesn't understand the details, yet is pushing for legislation to make things happen when he is either completely ignorant of what it means, or he knows exactly what it means and knows that people would revolt over it, so he's trying to mislead everyone.
No matter what the truth is, he has no business setting up these rules.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: australia, data retention, george brandis, metadata, surveillance, web surfing
Reader Comments
Subscribe: RSS
View by: Time | Thread
Dotcom, anyone?
So they'll use your Skype, your lifestyle, and your cell phone to convict you while not informing you of the rules they follow.
So how long until a new Kim comes into the mainstream?
[ link to this | view in thread ]
There is a distinction between the address an the content
Let's say the record shows I went to mail.google.com. I have several Google accounts, including my primary personal, primary work, admin work, and throwaway. If I understand how this system works, they only know which address I went to, but not which account I used and therefore they don't know specifically what content I viewed.
The same could be said for any dynamic content site (like a news site or video site), that adjusts content based on users' implicit or explicit preferences. They could know that I went to CNN but not necessarily that I saw the article about a doctor cleaned out and sewed up a festering pus hole on John Brennan's face (née his mouth).
That said, the fact that someone went to a site like emptyclosets.com speaks volumes.
[ link to this | view in thread ]
Yabba Dabba Doo!
Now I know!
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: There is a distinction between the address an the content
For example, if you go to a blogging site, it is not the site itself that is important as much as which URI you got to.
So, just guessing, I would regard his statements as "grabbing the whole nine yards"; he just did not know enough to say that . Or not say it.
[ link to this | view in thread ]
Thought
For example: It says I went to https://www.techdirt.com/articles/20140806/06322428125/australias-attorney-general-says-metadata-col lection-wont-track-your-web-surfing-just-web-addresses-you-visit-huh.shtml, but not that the page contained the following sentence:
"No matter what the truth is, he has no business setting up these rules."
As is always, TECHNICALLY he is right.
HOWEVER. He is glossing over the fact that a separate program or a time consuming "copy/paste" will provide completely legal access to that content. He's trying to argue that they don't have access to the content through that program while helpfully omitting that they have access to the content via other means.
[ link to this | view in thread ]
Re: There is a distinction between the address an the content
If it's the latter, then they DO know whether you saw that John Brennan article. Perhaps they can't actually read your email this way, but just because the invasion of privacy isn't absolute doesn't mean it's acceptable.
[ link to this | view in thread ]
What he might be saying
With name-based hosting, IP addresses can be misleading, so I think that if he means this, he has been mislead by his handlers/advisers.
Of course, with the URLs, if he means this, he is thinking that what is stored is the URL that the user sees in the URL bar, but of course, a browser fetches many, many URLs in order to display a single page and every one of those URLs will be stored.
Summary: he has been briefed by someone who doesn't not want him to understand the real nature of the tracking.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: There is a distinction between the address an the content
They will be tracking website addresses, but not the links you click on once you visit a site? That sounds like someone who doesn't understand that a link clicked is generally a new website address, and the browser will request it just as if you're visiting a new site entirely. This sounds like someone who is either intentionally misleading people, or has absolutely no clue how anything works.
The reason this legally "works" by their definition of metadata vs content, is that the website address doesn't necessarily indicate what content was viewed - it is conceivable (although somewhat unlikely, and even frowned upon) that the same URL/web address might take you to different content the next time it is visited. So they can stand back and claim that they're not tracking what you actually viewed on the internet, while at the same time, tracking everywhere that you went.
[ link to this | view in thread ]
Re: Re: There is a distinction between the address an the content
[ link to this | view in thread ]
Re: There is a distinction between the address an the content
It's the difference between the address on a letter and the contents of the letter itself. (with the obvious exception that in a URL's case you can then go get the content if you wish)
Without the specific details of the program, it would likely be collecting the textual URL so they'd know which articles you visited on a site like TechDirt. For more dynamic/scripted sites it might be a bit harder to reconstruct the content that the subject actually saw from the URL and any other header data you might collect.
[ link to this | view in thread ]
[ link to this | view in thread ]
duration?
[ link to this | view in thread ]
He just lost hollywood/RIAA backing
[ link to this | view in thread ]
[ link to this | view in thread ]
You know, since they're the same thing and all... *shrugs*
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
They just suck at it.
[ link to this | view in thread ]
Re: There is a distinction between the address an the content
[ link to this | view in thread ]
Re: Re: There is a distinction between the address an the content
So they can see that I parked my car at the local brothel parking lot.
But they cannot see if I went into said brothel.
[ link to this | view in thread ]
Re: There is a distinction between the address an the content
Yes, that's what I thought he was (badly) trying to saying at first too, but later on he contradicts that, by saying they're just collecting the TLD...
I think the honest answer is he has no clue.
[ link to this | view in thread ]
Re: Re: There is a distinction between the address an the content
Though not knowing correct terminology makes it not unlikely that he is mistaken...
[ link to this | view in thread ]
Re: Re: Re: There is a distinction between the address an the content
[ link to this | view in thread ]
Re: Re: Re: There is a distinction between the address an the content
On a more serious note, tracking of this data is why web proxies will become more popular. If it looks like we all parked at a brothel then they won't know if we all went in or just walked to another business.
[ link to this | view in thread ]
Embarassed to be Australian
[ link to this | view in thread ]
Re: Re: Re: Re: There is a distinction between the address an the content
...and will
[ link to this | view in thread ]
Not saying this is good thing either.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: There is a distinction between the address an the content
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
Thank you.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: duration?
yes right because the contents of the website or the server is likely overseas and does not keep a history of all changes.
- The contents might have changed since the site was visited the last time.
- The server does not log visitors IP addresses.
- The logs are only kept for a short duration.
Even if the hosting provider logs that IP address xxx.xxx.xxx.xxx visited myforum.com this information is worthless if the forum does not log visitors or purges the logs after one week.
In most nations, the attempts to force ISPs to retain metadata have only covered IP addresses.
The definition of provider often depends on whether it provides the connection to the internet.
If it's not a telecommunications provider, it is often outside the scope of the data retention law.
[ link to this | view in thread ]
Re: Re: There is a distinction between the address an the content
But they cannot see if I went into said brothel.'
Actually they can't even see who parked the car, only that the car registered in your name was used to park at said brothel.
Of course, someone could have cloned your car with its license plate and committed a crime, but that's very unlikely.
But ten other persons could use your internet connection without your knowledge or permission.
And this is the real reason why data retention is waste of money -- unless the next step is forcing everyone to lock down their internet connection.
[ link to this | view in thread ]
Re: Re:
They don't make numpty's Queens Counsels, and he has a Bachelor of Civil Law from Oxford, and according to wikipedia: He is pretty bright.
So he's not dumb, he's merely dealing in an area (Internet, networking in general) outside his expertise.
No, it makes him a luddite...
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Re:
Brandis is as corrupt as they come, he is nothing more than a Hollywood puppet. Why else would be listen to Hollywood rather than the Australian Law Reform Commission?
[ link to this | view in thread ]
domain name
Further to the point in this article, it's worth pointing out that when filling out a form, posting a comment or any other activity in which personal info may be revealed, this is also part of the web address, as GET variables, and as such the metadata is compeletely indistinquishable from sensitive content.
However, this article contains one mistake: A top level domain name is only the last section of the domain name, for example "com" in www.cnn.com. What is implied, rather than that only the top level domain is logged, is that the hostname is logged. A maybe more accessible and less incorrect (but still incorrect) term would be "domain name". I'd like to suggest that you correct the use of "top level domain" there.
I concur that it seems ridiculous though, of course they aren't only recording the hostname (except that with https, sometimes, they may be able to get the hostname only by checking the certificate, so in some cases, that is all they /can/ log).
[ link to this | view in thread ]
Re: Re: Re: There is a distinction between the address an the content
[ link to this | view in thread ]
Re: Re: Re: There is a distinction between the address an the content
Interesting.
[ link to this | view in thread ]
Re: Re: Re: Re: There is a distinction between the address an the content
[ link to this | view in thread ]
There is a larger issue at play here!
Any request can redirect your browser anywhere it wants. You could go to http://www.techdirt.com/fluffy_kittens and if Mike was an evil person he could make that respond ..
HTTP/1.1 302 Found
Location: http://www.underwear-terrorists.com/
.. and just like that your browser would have been directed to a flagged site.
BAM! You're on a watch-list and scrutinized likely for the rest of your life.
Additionally an IFrame on a legit page can make you send requests to other domains. This is the biggest problem because the metadata isn't really effective at explaining anything, yet they're making life-changing decisions based on this faulty dataset.
[ link to this | view in thread ]
Re: He just lost hollywood/RIAA backing
Whilst the government may not be interested in using metadata for tracking illegal downloads their financial puppet masters such as Rupert Murdoch are most certainly interested.
It has already been stated that the Victorian Taxi Council & the RSPCA have access to metadata, although for what reasons no one seems any the wiser, especially as it was stated that they do not need a warrant to access the metadata they need.
http://www.theguardian.com/news/datablog/2014/aug/08/warrantless-metadata-access-is-already-tak ing-place-at-higher-rate-than-ever
[ link to this | view in thread ]
Re:
FTFY, Whatever. Don't turn into OotB now.
[ link to this | view in thread ]
Re: There is a distinction between the address an the content
Even if you were correct. You think they would bat an eye to just get your info from gmail if they wanted it?
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: There is a distinction between the address an the content
[ link to this | view in thread ]
Re: Re: Re: There is a distinction between the address an the content
Web Sites Sharing IP Addresses: IPs Hosting 225 to 249 Domains http://cyber.law.harvard.edu/archived_content/people/edelman/ip-sharing/list-24.html
So if they block by IP address then one baddie on a particular IP gets up to 248 innocents punished for no action of their own.
Plus that puts the "metadata" at the level of the pages you looked at and the time till your next click.
If the data collected and archived (for how long ?) is harmless then he should be willing to release a week's
worth of his own "metadata" for everybody to see just how unintrusive it really is.
If they really intend to limit to IP address then lots of innocents will be guilty by being in the same neighborhood.
[ link to this | view in thread ]
Re: duration?
Both will be in the log he wants ISPs to keep.
Of course the next panic will be when they realise that https only allows tracking to the IP address.
Then they will insist that the ISP must be able to decrypt everything because "good" sites and "bad" ones can share the same IP address.
That means that everybody inside a firewall must be branded "guilty until proven innocent" by the firewall logs.
All your home routers track all URLs and encryption keys don't they ?
Brings to mind the case where my Wi-Fi connection, totally encrypted, is hacked because of a bug in the manufacturer's
software. Am I "guilty" because somebody accessed kiddie porn through it ?
[ link to this | view in thread ]