Data retention 'ambiguity' sees cops given web browsing histories

Law enforcement agencies have been provided with the web browsing histories of some individuals under Australia’s controversial data retention regime, despite assurances by the government that web address identifiers would be out of scope.

Commonwealth Ombudsman Michael Manthorpe on Friday told the parliamentary committee reviewing the regime that “ambiguity around the definition of ‘content’” meant that the full URLs of web pages had, on occasion, been provided to agencies.

Under data retention legislation introduced in 2015, carriage service providers are required to store a particular set of customer metadata, or non-content data, for at least two years to aid law enforcement with their investigations.

This information includes the times and dates of communications, where that communication occurred and what kind of device or equipment was used for the communication, which is accessible by law enforcement without a warrant.

But the retention of web address identifiers such as URLs or destination IP addresses, which could amount to web browsing history and reveal the contents of an individual’s communications, were explicitly ruled out.

The disclosure of this information was banned despite previous comments by two government ministers, including the former Attorney-General George Brandis, that website addresses would be captured under the scheme.

However, Manthorpe said the ombudsman had identified occasions when web browsing histories have been provided by ISPs in response to metadata requests by law enforcement.

“The piece of ambiguity we have observed through our inspections is that sometimes the metadata in the way that it is captured – particularly URL data and sometimes IP address, but particularly URL data – does start to actually, in its granularity, communicate something about the content of what is being looked at,” he said on Friday.

“So just to be very clear, you get the URL? You get the full www dot, whatever it is, dot com, which can indicate what they’re looking at?" parliamentary joint committee on intelligence and security committee chair Andrew Hastie asked in response.

“That’s right. It can be quite long or it can be quite short, and in some cases the descriptor is long enough where we start to ask ourselves, ‘well that’s almost communicating content, even though its captured in the URL’,” Manthorpe said in reply.

“When the scheme commenced the concept of metadata was probably thought to be quite a clean, delineable thing, but we know that there is a greyness on the edges that we thought we should call out.”

Manthorpe's comments build on the ombudsman’s submission to the inquiry, which first highlighted the ambiguity around what constitutes ‘content’ and questioned “whether agencies should have access to this information when disclosed by a carrier under an authorisation”.

His concerns are also shared by Inspector-General of Intelligence and Security Margaret Stone, who told the committee that metadata is almost as intrusive as content.

“Because the nature of telecommunications have changed so much in recent years, there is this assumption that you get more from content than metadata,” she said.

“But when you look at the range of metadata, and what it tells you, there’s an argument that could be made that it is just as intrusive, or almost as intrusive, as content.”

She said she was not aware of any instances where content had been provided unlawfully.

“You can tell a lot about what a person is doing from that.”

The concerns follow submissions by policing agencies to increase the mandatory metadata retention period to help solve more complex criminal investigations.