Junk Explained: How To Get Around The Government’s New Data Retention Laws

The new laws will cost us between $118-319 million, but you can basically defeat them with Facebook chat.

[UPDATE: April 13 2017]: After some delay through legal loopholes, the government’s controversial metadata retention scheme comes into effect today. Every telecommunications company in the country will now be required to retain their customers metadata for two years and hand it over to the government, no warrant required.

We figured a repush of this piece, which explains how easy the scheme is to get around, was in order.

Hi there. Would you mind if I followed you around with a notebook for the next two years and recorded the name of everyone you had a conversation with, the time, and the location? I also plan on giving this notebook to the police if they want it. But don’t worry — I’m not going to listen to the conversations. I’ll block my ears and avert my gaze. I wouldn’t want to invade your privacy.

Admittedly, this might be a bit of an overstatement of what the new data retention laws actually are, but at least I have your attention, which is good, because if you’re like me and you use the internet a lot, this issue is something you should know about.

So, How Paranoid Should I Be?

These new laws require Australian telecommunication providers to record and store phone and internet records for two years, and also give security agencies access to these records whenever they want, even if they don’t have a warrant. While Greens Senator Scott Ludlam voiced strong opposition, the legislation had bipartisan support, passing 43 votes to 16. This means that from next week, your internet service provider will be storing your metadata — information about where, when and with whom you have your conversations — and potentially passing this information onto the police without your knowledge.

The purpose of this, apparently, is to protect Australia from terrorist threats and child pornography, but this comes at the expense of placing the entire population under implicit surveillance. This is the first time in history such broad and comprehensive surveillance has even been possible, and therefore we really don’t even know what we’re getting ourselves in for, or how this bill will impact the very idea of democracy.

As it stands, there is no definition for the word “metadata” in Australian law, and George Brandis, who spearheaded the legislation, can offer you no explanation either. Tony Abbott has metaphorically described it as the envelope carrying the letter, rather than the content of the letter itself and he is right, in a typically old-fashioned sense. Metadata is the information about a conversation — who, when, where — without divulging what the conversation was about.

But an analogue definition of metadata fails in a digital age, because it is much more complicated to separate the who, when and where from the what in an online environment. This is because when we use the internet we’re constantly leaving traces of previously unimaginable forms of identifiable data, not just a name and address printed on the front of an envelope. For instance, according to the new legislation, metadata is your IP address, but not your browser history. And that’s all well and good, but how many Australian citizens know what an IP address is and what type of information it gives away?

Everyone’s been doing their best by publishing explainers and warnings, but once you start throwing around the word “data” a lot people understandably tune out.

This the heart of the issue. Because internet technology is constantly changing, no one knows exactly what internet metadata is. The whole conversation remains confusing and murky, and what we need with this new legislation is transparency and clarity. It’s a shame that this term causes so much confusion because the conversation around data retention is complex and involves more important questions about the future of privacy and anonymity.

In fact, this legislation is so problematic that the guy who introduced the bill into Parliament, Communications Minister-turned Prime Minister Malcolm Turnbull, has practically given you a guide for how to circumvent the scheme altogether.

While discussing the threat this posed to journalists on Sky News in March, he suggested Australians can use overseas communication services like Whatsapp and Skype in order to avoid detection. He willingly explained that Australian telcos can only track that you’ve connected with these servers, but not who you’re talking to.

Yes, it’s confusing that he would effectively invalidate a new $188-319 million system, but since Malcolm Turnbull’s clearly on board with the idea, here are four other ways that you can ensure your anonymity online.

1. Use An Overseas Email

This is a really simple one. Just use gmail or some other overseas email service to communicate. Or use Facebook or Twitter direct messaging. You probably already do this anyway. There is no way Google or Facebook or Twitter are going to give up their data to the Australian police because of this new legislation, so say whatever the hell you want.

2. Use Tor

Tor is a browser that operates by bouncing communications off servers around the world to make it difficult to detect the user’s IP address. An IP address is one of the most telling forms of metadata available online. Using this browser in the right way means that security agencies won’t be able to track where and when you’re using the internet.

Added bonus: their logo includes an onion.


Come at me, Tone.

3. Use VPN

A Virtual Private Network uses the public infrastructure of the internet to provide individual users with secure access. Basically, you subscribe to the VPN via a monthly payment, and then your internet activity becomes reliably anonymous. Your data is automatically encrypted at the sending end and decrypted at the receiving end. There are heaps of VPN-like services available for private use, and most will only set you back about $10 per month.

4. Encrypt Your Own Shit

This is a lifestyle choice rather than a paragraph, but there are a bunch of sites that will teach you how to get started. If this is the life you choose, hit me up with some hot tips. Clearly, you’re not going to have any problems with these new laws.



  1. pto says:

    All well and good but this still misses an awful lot of metadata you leave behind. Your phone records wherever you go, for example. Also, metadata doesn’t record your browser history, it’s true. But that’s because it doesn’t need to. Every site you visit gets recorded, so it builds its own 2 year browser history anyway.

    One of the reasons I hate this data retention bill so much is that I like having a smart phone, I like the benefits of GPS maps or instant internet access wherever I go, etc. I know there are ways to circumvent getting my metadata recorded, but there are so many individual steps that I would need to take to seal all leaks, and with most of those it would simply be a temporary fix anyway. I have no interest in getting into an arms race here.

  2. Tie Demon says:

    Good to see yet another article by someone who has not even read any of the actual documentation describing the law. I tip my hat to you.

  3. Evan Hopkins says:

    Perhaps this only proves your point, but I have only read identical accounts as to what this new bill will mean for Australian internet privacy. Care to inform us/me what the bill REALLY says?

  4. Tie Demon says:

    After having spent about 4-6 hours reading not only the bill itself, but the recent amendments to the bill, the PCJIS Report of the Inquiry into Potential Reforms of Australia’s National Security Legislation, PCJIS Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 I can say, with absolute certainty, that there is only a single occurrence of the word ‘metadata’ in the bill itself, and that single occurrence is a reference to the first PCJIS report. If you want to know more, read the damn thing yourself.

  5. Kirsten says:

    Never encrypt you own shit!!! I did and then forgot the goddamned password and then my hard drive crashed and, if it wasn’t for google drive I would have lost 18 months of PhD. I’ve only lost my endnote library which is a bummer but not the road to a messy nervous breakdown like it could have been. And using TOR with internet speeds lower than a war torn failed African state (outer urban fringe of large city) is a recipe for going postal.

  6. e_brown says:

    Pretty sure that was a valid question. If you don’t want to elaborate on an assertion that flies contrary to everything that has been reported so far, there’s no point making the comment in the first place. All that was done in the end was to ask for an explanation of where the inconsistencies lay. ¯_(ツ)_/¯

  7. asdfa says:

    TOR is not a browser, do you mean Tails?

  8. Tie Demon says:

    Fair enough. 2 points: the first is that there is a specific list of what data is required to be retained under 6 categories, most of such is retained by a given service provider as part of providing the service. See 187AA @;query=Id:%22legislation/amend/r5375_amend_bb5b4d2f-8bf3-4654-8df5-b4095d7d3ee0%22 the second is of who retains the data. Your ISP only retains data for what essentially seems to be ISO level 4 services it provides, in fact the provider of any of those services had to record that data. This means your browsing history is only retained by the websites you visit and the sites you use to get there, like Google. As for weather trusting your data to foreign bodies is good enough to secure it, so long as they don’t own infrastructure in this country, the only way your data gets to this government is probably for means on national security via fiveeyes. If you trust your data to, for instance Google, who could be argued as having infrastructure in the country, then your data can be accessed by any of the 14 (down from over 80) agencies that have access to your other telecommunications data.

  9. Tie Demon says:

    I also apologise for the outburst to your innocent question. It’s just that everywhere I see it’s just people echoing the information that was either not sourced reliably or was misinterpreted by people who didn’t understand the underlying concepts.

  10. Tie Demon says:

    TOR does have a browser component though, yes, is not specifically a browser itself. The browser component I believe is a modified version of Firefox. Tails on the other hand is an operating system which has Tor as a core component using it to route as much information as possible when required to.

  11. Morgan says:

    Technically not 100% true, Skype uses direct ip to ip, have a look using netstat some time. These IP’s could trace a communication with a certain person, but it would show up that connection as the user comes online in your contacts, so it can’t be used to do much except that you have user X in your contacts.

  12. Maybe “Never forget your password” or perhaps note it down somewhere in a safe.

  13. Dany Bravo says:

    The use of VPNs and other methods to bypass mandatory data retention regimes in Australia will be a challenge for government. Australian communication minister Malcolm Turnbull has acknowledged that VPNs would limit the ability of law enforcement to match up a user’s IP address.

    I have recently seen an Australian VPN service provider Purevpn, has launched the data retention security feature within their VPN apps. They claimed and I quote “PureVPN is the only VPN that has engineered ‘Data Retention Security’ feature in its VPN apps. With this feature turned on, you can easily avoid your IP address, identity and browsing activities being recorded. This feature also encrypts your VoIP communication and data moving in and out of your device.” If this is the case the Australian law enforcement would face some serious difficulty in logging our online data.