WRITTEN BY: Mark Burdon, Mandy Lim and Rebecca Chong
The use of telecommunications and Internet metadata for law enforcement purposes is currently a highly contested and complex issue, as exemplified by Attorney-General George Brandis’s disastrous attempts to explain the concept of metadata. Metadata, in the simplest of terms, can be described as ‘data about data’. In telecommunication terms, metadata refers to data that is generated during phone calls such as the duration of a phone call, the location the call was made, the phone number called etc. Metadata therefore does not include the actual content of the phone conversation or an email message. Whilst police and government agencies are required to obtain a warrant in order to lawfully gain access to personal content, no such requirement is necessary to access metadata.
This distinction was previously justified because the extent, scope and availability of metadata did not reveal identity or provide an insight into personal and private communications. Today, however, that is not necessarily the case. Technological capacities and the availability of an increasingly greater number of metadata sources now means that law enforcement agencies and other bodies can use metadata to identify intricate details of an individual’s life without having to access personal content.
To complicate matters further, recent media articles have recently cast light on a new law enforcement practice involving metadata generated from mobile phones and devices, called ‘tower dumps’. This technique allows agencies to collect information from mobile phones on a mass scale by requesting telecommunication providers to provide all data collected by a particular mobile phone tower over a period of time. Data collected from such operations includes the identity, location and activity of the mobile phone devices, even when a call is not being made.
While phone carriers have stressed that it is only metadata that is being collected and not the actual conversations and text messages, the sheer number of persons whose data is collected from a tower dump merits consideration. It has been reported that over ninety nine per cent of individuals whose mobile phone data was collected through tower dumps were not targets for law enforcement or national security considerations. Despite the obvious comparisons to a ‘fishing exercise’, law enforcement agencies nevertheless argue that tower dumps are a powerful tool that assists law enforcement activities. So where should the balance lie between the investigatory requirements of law enforcement agencies and individual privacy rights? Let’s examine tower dumps.
So What’s a Tower Dump?
The telecommunications infrastructure that is readily accepted today as part of our everyday existence is significantly different to the ‘landline’ infrastructures of the relatively recent yesteryear. Our insatiable demand for mobile technologies, and mobile phones in particular, has required the development of a new technological infrastructure. Mobile phone usage is made possible by the use of radio communications that link an individual’s mobile phone to their respective carrier network. The carrier network is constructed around a large number of radio base stations that facilitate phone to network radio communications over geographical areas. The base stations are generally located on mobile phone towers and the number of phone towers required for a given geographical area depends on the configuration of topological surrounds and population concentration.
Furthermore, as an individual transits from one location to another, the individual’s mobile phone will periodically identify itself to the nearest mobile phone tower in order to maintain constant radio communication and thus ensure the phone continues to operate whilst on the move. Each phone tower has a fixed capacity on the number of phone calls that be taken or data downloaded by individual phone users. Consequently, in urban areas with high density populations, a greater number of towers is required in order to manage and compensate for heavy local network use, which in turn means that such towers have the capacity to record and store details of a greater number of individual phone users.
This new infrastructure has in turn given rise to new law enforcement investigation and data collection practices. For example, the New York Police Department used mobile phone tower data to track protestors and intercept tweets posted as part of the Occupy Wall Street demonstration. Cell tower data has also been used in successful police investigations for bank robberies and murders and even car thefts and break-ins. Investigations by the American Civil Liberties Union (ACLU), USA Today and Massachusetts senator Ed Markey reveal significant use of tower dumps by US law enforcement agencies. The use of tower dumps in Australia has only lately come to light. Recent articles published by Fairfax Media indicate that law enforcement and other government agencies have engaged in the practice of tower dumps in Australia. Details about how exactly law enforcement agencies are using the tower dump technique, however, remain minimal. Nevertheless it is important to consider tower dump use in Australia and the effect of the data being used.
Is Tower Dump Data Really Just Metadata?
Current technological infrastructures are potentially a source of mass personal information collection and surveillance due to wide-scale developments, such as the vast extent of mobile phone tower networks, which now generate and record different types of metadata. It is the combination of amount, extent and context that is creating a situation in which the clear distinctions between metadata and content are now being blurred particularly in relation to location-based metadata collection. It is therefore becoming possible to identify individuals and their behavioural patterns from metadata.
For example, researchers from Stanford University have recently demonstrated that metadata generated from mobile phone usage can be used to reveal details of the phone owner’s ‘familial, political, professional, religious, and sexual associations’, as well as ‘potential drug use, medical conditions, political associations and after hours activities with strip clubs’. The Stanford study involved the use of a specifically designed Android app that recorded metadata details of phone use. The simple act of phoning a certain organisation was sufficient to enable the researchers to infer sensitive aspects of an individual’s life. Moreover, calling patterns were also highly indicative of activities of a sensitive or personal nature, as indicated by this example:
These examples appear to demonstrate that highly sensitive and personal information can be revealed through mobile phone metadata analysis.
Given the potential for mobile phone metadata to reveal highly sensitive and intrusive information about an individual, it could be argued that such data should be recognised as personal information. If that is the case, it may be necessary to revisit the current access regime and question whether warrants should be required for access to telecommunications data generated by tower dumps. This question is especially important considering the breadth of agencies in Australia that currently access this data without a warrant. At present, it is unclear which of these agencies engage in tower dumping practices, but as no further requirements on top of authorisation to access metadata are necessary for a tower dump, it seems that these agencies would be able to engage in this practice if they wanted to.
It is important to have increased accountability and transparency regarding the use of tower dumps as an investigatory mechanism. Informed and public discussions on access to tower dump data are required to fully understand the complexities that arise. Only then will it be possible to have a forthright and considered dialogue about the difficult balance between law enforcement and privacy that tower dumps entail.