How To (Legally) Circumvent Metadata Retention Laws

Australia’s data retention laws became compulsory yesterday, which means all telcos and internet service providers must now retain their customers' metadata for two years. This is supposed to assist law enforcement agencies in their war against homegrown terrorists and other criminals — but it arguably comes at the expense of normal Australians' privacy. Attempting to avoid these laws and send messages "off the gird" isn't easy, but it remains possible. Dr Philip Branch from the Swinburne University of Technology explains what you need to know.

There has been quite a lot discussion lately on how to avoid metadata retention, particularly in the context of leaking sensitive information to journalists.

In recent months, notable examples have come from journalist Laura Tingle and, rather surprisingly, Malcolm Turnbull, who as Communications Minster, gave the impression that avoiding metadata collection was trivially easy.

Is metadata retention really that easy to avoid? If so, what is the point of the legislation? Has parliament just passed a bill for a $400 million white elephant? Let us have a look at some of the suggestions for legally avoiding metadata collection and see how they stack up.

Third party protection?

One of Laura Tingle's suggestions is that whistleblowers use Skype to avoid metadata collection. The reasoning is that Skype communication is encrypted and the servers are located in Estonia, beyond the reach of Australian metadata collection.

Unfortunately, this suggestion confuses a number of things. It is true that the content of a Skype call is encrypted, and that the signalling to set up the call might go via servers located in countries beyond the collection capability of our intelligence agencies.

But Skype is a peer-to-peer protocol. Once the call is established, there will be a stream of packets containing the call content travelling between participants. The content of these packets might be indecipherable, but the metadata (i.e. the IP addresses) showing communication between participants may be collected and can be traced back to the identities of the participants.

Not my email

Another suggestion is to use Google's Gmail or another offshore email service provider. Communications to these email servers are encrypted, including the source and destination email addresses.

However, there are some ways in which emails that use such services might be able to identify the sender. Most of these service providers are based in the US and so come under the "Five Eyes" agreement.

Under this agreement the US, UK, NZ, Canada and Australia share intelligence data. Also, if the recipient's email server is located in Australia, once the email is delivered to it, the source email address will be visible and can be collected.

A messaging application favoured by Turnbull is Wickr. Using this is a much better suggestion. Wickr messages are sent to a server and then delivered to the recipient when they log in. The metadata captured for both the sender and receiver will only show that there has been communication with the Wickr server. There is no metadata directly linking the recipient and the sender.

Wickr also has some impressive features that secure it against the possibility of being compelled to hand over data from logfiles. But it too is not perfectly secure.

If the recipient is online when the message is sent, they will receive the message a very short time afterwards. An investigator with access to the metadata could get a good idea of who the sender was by finding a correlation between who sent messages to the Wickr server just before the recipient received them.

From WLAN to VPN

So how might metadata retention be avoided legally? As noted here, the fundamental problem is avoiding connections between your identity and the device the message is sent on, and any accounts used to send it. Using a work computer and any email address, social media handle or other identifier that is in anyway linked to the sender is not secure.

One possibility is to use a WLAN service that does not require registration, such as the Wi-Fi at your local cafe or shopping centre. The person who wishes to avoid detection takes their WLAN device to the local shopping centre and just joins it. So long as they do not have to register, they may avoid identification.

However, there are a few things to be wary of. Using WLAN access from a smart phone is probably not a good idea. At the time of purchase, a lot of identification information is supplied. The WLAN address is linked to that smart phone and might be able to be traced back to the owner.

Once again, using a device that cannot be traced to the sender would be necessary. Of course they would also have to use a secure service such as Wickr that could not be traced back to them.

Another approach might be to use a virtual private network (VPN). This will cause communications between the sender and the VPN server to be encrypted. As with Wickr, the only metadata that will be collected will show that the recipient's data came from the VPN server.

But, again, there are things to be wary of. As with email, using a VPN server that is based in one of the "Five Eyes" countries is probably not a good idea. Even if the server is overseas, the VPN provider may well retain logs of who connected and when, which might be seized by that country's law enforcement agency and, ultimately, identify the sender.

Entering the onion

A number of news organisations have a secure drop system based on Tor. Tor consists of a number of nodes within the internet through which communications is routed. It makes use of encryption techniques to ensure that communications between the nodes of Tor cannot be traced back to the source.

But again some caution is needed. Many organisations track use of Tor access and may ask awkward questions as to why the sender was using Tor around the time of a major leak. But, again, using a device that cannot be traced to the sender will make detection difficult.

So what can we make of this? Greens Senator Scott Ludlam may have been a little harsh when he reportedly told a group of university that metadata collection might only catch the stupid criminals.

But with a little care the legislation can, at the moment, be sidestepped. However, avoidance is reliant on services and devices that cannot be traced to an individual. It is unlikely that law enforcement agencies would tolerate such a gap in their capabilities.

Perhaps we will see further legislation in this area yet.

Philip Branch is Senior Lecturer in Telecommunications at Swinburne University of Technology.

This article was originally published on The Conversation.

This story has been updated since its original publication.


    Perhaps we will see further legislation in this area yet.I hope to Christ they don't make VPN's illegal.

      A lot of people use VPNs everyday to connect to their business. I doubt they would try and ban VPNs for personal use as people will simply move onto another technology. E.g changing DNS, Thor, etc.

        I guess "Thor" could throw his mighty hammer at Abbot! Maybe then we'd get a real PM. :)

        Last edited 31/03/15 12:12 pm

        Thor? Please elaborate/link me to wikipedia

          You are a smarta$$ eejiot. Here, I will link you to Wikipedia -

          Now leave Thor alone and stop being such a smug smarta$$ pain in the a$$.

        This meta data retention thing is really not good. Its like Govt. wants every individual lives 24/7. I mean there is no privacy thing at all. Thank GOD I have PureVPN that I can use to hide my identity, social profiles, location, and online activities.

          Thanks PureVPN spam bot. Ill be sure to never use your service!

        it's basically impossible to ban VPNs unless you completely ban encryption, china are still trying and failing to get rid of them and they've been at it for years.

      Correct me if I'm wrong but they could follow the old NZ example where the govt (i.e. the DSD our equiv of the NSA) would require backdoor access to VPNs.....

        yes true but they can only have backdoor access to VPN services that are based in Australia and NZ. I guess they can't ask for backdoor access to services that are located somewhere else, let's say Netherlands, Hong Kong, US, etc.

      They can't make VPNs illegal without a crippling economic impact. You can start a SOCKS proxy to any server you can SSH into by chucking "-D 1080" on the end of the command, such a proxy would be indistinguishable from a genuine connection, and SSH is universally used throughout the tech industry. You can forward traffic over HTTPS. You can forward traffic over bogus DNS requests. You can forward traffic over bloody anything.

      In short, to make VPNs illegal, you'd have to ban all cryptography, including economically critical forms. That can't and won't happen.

    Has parliament just passed a bill for a $400 million white elephant?
    Yes. End of article.

    Use a combination of these technologies. You could use Tor over a VPN hosted in the Netherlands to send your wickr email.

    What about people running nodes of a giant muddy-the-metadata service on each PC and Phone they use ? Technology gone mad, it's like two organisms fighting to survive.

    VPN to your VM in the Netherlands, setup a linux based TOR gate and client, enter TOR and use a TOR mail site. Use software to encrypt the contents of the mail.

    Done neither the FBI or AFP will know what you do from there.

    We should all run robots to access random sites and random times to confuse what's real traffic & what's not.
    That'll fill the meta data coffers with junk, while your at it add some random and intermittent header messages that thank tony abbbot for making us pay for this warrantless mass surveillance of the entire population.

    You can encrypt your data all you want, if your recipients dont use circumvention it is they who will expose your activities (relating to them).


    Microsoft gave the NSA a backdoor to their call encryption for the PRISM program. I don't know if that means Australian authorities can access skype calls too, but I guess it might....

    How on earth do journalists concerned about this issue not know this?

    Agreed with the above

    Also Skype based out of Estonia ... in the past maybe prior to it being purchased by Microsoft maybe but not today.

    Data Retention Law going to be implemented from tomorrow (13th October 2015). The easiest way to secure your online identity and privacy with the help of a VPN.

    Majority of ISPs not ready for metadata laws that come into force today

    It would be amusing if in the future the government went to obtain this data only to find out that the ISPs hadn't even bothered to make sure they were properly collecting the data.

    $400M down the gurgler &, in a way, a win for fundamentalist religious wackos who've been able to give Western governments flimsy arguments to expand their presence and surveillance over our lives which jeopardises our liberties.

    By far the most effective way to prevent your web activity being spied upon is to use a good VPN service, as this encrypts all communications between your computer (or smart phone etc.) and the VPN provider’s servers. This means that your ISP (and therefore the government, unless it targets you specifically) cannot know what you get up to on the internet. It also prevents anyone watching on the internet from knowing your true IP address, as they will simply see the IP address of your VPN server. It is unclear at this time whether VPN providers and their servers are subject to the new Data Retention Bill, but to be on the safe side we strongly suggest choosing a provider that is not subject to Australian laws, and using a VPN server located outside Australia,
    Some vpn providers are:

    The current Australia Metadata retention force the telecommunication and ISPs to keep and monitor every user's internet activities for couple of years. It's good because this will create a complete check and balance of all things but on the other side the law is disturbing the privacy on Australian users.

Join the discussion!

Trending Stories Right Now