The controversial data retention scheme made its way through the Senate last night, meaning that the levels of surveillance of Australian citizens are about to increase. If you're privacy minded, what can you do?
It should be noted that privacy in the Internet age is never an entirely assured matter, whether you're actually involved in nefarious deeds or simply inclined towards keeping your own private matters actually private. Services which were assumed to have high levels of privacy have been shown to be either buggy or compromised by security agencies of various nations. As always, the golden Internet rule applies, namely that if you don't want it to be potentially compromised or eavesdropped upon, don't put it on the Internet in the first place.
Which is fine as a sentiment, but it's not exactly practical if you want to keep yourself as private as feasible while still having an Internet connection that's useful to you. Nothing is 100 per cent secure, but here are some starters to make your online world more private.
Consider encryption, but know its limitations
Encrypting your communications will do nothing to stem metadata collection, and as has been noted elsewhere, the metadata around an online interaction may tell another party everything they need to know in any case.
If you're constantly visiting online resources for venereal diseases and the IP addresses of those sites are logged along with a lot of phone calls to the local VD clinic, it's pretty clear that something's got you itching.
Still, in a general sense it's worth encrypting your own data to maintain its relative privacy and the security of your information. Lifehacker's Beginner's Guide To Encryption can guide you through the basics.
But I thought VPNs provided encryption?
A VPN (Virtual Private Network) encrypts the traffic you send over the Internet, but again it's worth pointing out that a VPN isn't an absolute silver bullet when it comes to maintaining your privacy online.
Firstly, there's the obvious point that from a metadata standpoint, you've still got to use your Internet connection to hook into the VPN itself. That's data that gives at least some detail of what you're up to. Then you've got to make certain that your VPN is actually encrypting your data properly. Some browser/VPN combinations can leak your IP address anyway, and if you're using a VPN for privacy purposes it's worth keeping in mind that other indicators might give your identity away.
Then there's the issue of who your VPN provider is, and where their endpoints are, because that can again reveal all sorts of data about you, whether it's at the metadata level, or security agencies, Australian or otherwise, having any kind of backdoor access to VPN traffic. TorrentFreak runs an annual survey of VPNs to assess their relative privacy policies, which makes for interesting reading, but again you've got to keep in mind that these are simply the public positions of these VPN providers. There's still a level of risk here if you're particularly privacy minded.
Aren't overseas apps exempt from the metadata legislation?
That's the line that Communications Minister Malcolm Turnbull takes, noting that "If on the other hand I communicate with you via Skype for a voice call or Viber, send you a message on WhatsApp or Wickr or Threema or Signal or Telegrammer — there’s a gazillion of them — or indeed if you make a FaceTime call, then all that the telco can see is that my device has had a connection with the Skype server or the WhatsApp server."
There are some serious privacy limitations to this kind of thinking, however. For a start, if you're just using an app straight up with no other privacy software in place, then the legislation as it stands can capture the metadata around its initial connection path, the same as any other Internet interaction. That data still has serious privacy implications, and that's precisely the point of having the legislation in the first place.
While it's true that the security agencies only have limited redress when it comes to accessing data from overseas services, you're also open to whatever deals those services have in place with the security agencies in their countries of origin, agencies that could well quietly talk to Australian security agencies in any case.
Again, there's nothing stopping you from using a more theoretically secure communications application to maintain a level of privacy, but it would pay to do your research on how each application handles its data logging.
What about public Wi-Fi?
Public Wi-Fi is exempt from metadata collection under the legislation as it stands, so in one very limited sense it may be a better way to avoid having certain aspects of your data collected. At the same time, however, there are all sorts of privacy and security issues to consider with using a public Wi-Fi hotspot, and at least in the metadata sense any other interaction you have could be used to build a profile on you.
As The Register's Richard Chirgwin notes, if you took a call while using public Wi-Fi at a cafe, the metadata around that call could be used to point out that this was where you were. There's no real way with public Wi-Fi to ensure that everything else isn't being logged or sniffed out, so you'd be trading a very limited metadata subset for possibly your entire right to privacy. It's precisely why banking from public Wi-Fi hotspots is such a bad idea.
Use Flight Mode when you can
A lot of the location services on your smartphone rely on having an active SIM connection, and this can be remarkably useful, but it's also metadata that points out exactly where you are at pretty much all times. You can limit the logging on individual apps on most smartphones, but your telco's still obliged to log this kind of information, and as such, Flight Mode can give you an amount of additional privacy, while still using Wi-Fi connections for data.
I have nothing to hide. Why should I worry?
The spin put on the current run of metadata legislation is that it's a vital tool for tracking down the actions of terrorists, although there's a lot of data that says that it's perhaps a negligible tool in a larger pool of information collection techniques; German metadata collection was said to aid crime clearance rates by a piddling 0.006 per cent.
The legislation as it stands is exceptionally vague in its scope and execution, and as with any law, it's open to further amendments and changes in the future as well.
That's leaving aside the rather more obvious point that the "nothing to hide" argument is bollocks anyway. Everyone's got a very simple right to privacy online in the same way that they do in the real world. Unless you'd be absolutely happy having cameras sprinkled through your house broadcasting to anyone who cared to watch with no redress, it's madness to think any other way.
So what can I do to stay private online?
The practical reality is that your options are limited. Tools such as VPNs and encryption clients can help, as can the use of applications outside the immediate reach of Australian government security services, but they're in no way a bulletproof privacy shield, because as with any security-centric solution, there's no such thing as perfect security. The best you can hope for is "good enough".