Nullifying Metadata Retention

January 9, 2018

Federal Government

Late last year the Australian parliament pushed through a metadata retention plan which would see ISPs and mobile service providers retain and share metadata of every Australian with Government agents as requested without the need for a warrant.

This scheme was put in place to ‘protect the country against organised crime and terrorism’, but it is also a pretty sizable invasion of privacy. While the much advertised data retention includes data about phone calls that can be used to link people and events together, there is a raft of other information being collected.

For example, did you ever hear anyone mention the ability for the metadata to be used to monitor…

  • Every email you send and to whom, what time, where you sent it and the subject of it.
  • The location you took a photo, the settings you took the picture with and the camera model
  • The IP address of the websites you visit (AKA your internet history)

On the surface, it appears to be a great scheme to protect the country, but I believe it is the biggest invasion of privacy in Australian history and a massive security risk, given this metadata will have to be stored somewhere. Imagine what that could be worth to a hacker! Furthermore, there is absolutely no evidence that the scheme actually makes the public safer at all.

Collection of metadata is not going to improve public safety, but rather provide a platform for prying eyes to examine the habits of an individual and make assumptions about the contents of communication.

My attention turns to utilizing services and developing habits that will make my metadata as useless as humanly possible.

SIGNAL


Signal uses Curve25519, AES-256, and HMAC-SHA256. The security of these algorithms has been tested over many years of use in hundreds of different applications. Messages sent via Signal are end-to-end encrypted, which means that they can only be read by the intended recipients. Signal is also open source software, enabling anyone to verify its security by auditing the code.

BUFFERED


Buffered are a well-regarded VPN provider with servers to route through in 26 countries around the world. While this may not sound huge, they refuse to log connection data and fight back against attempts to force them to turn on any form of logging. The cryptographic strength of the connection is also quite high, using OpenVPN rather than PPTP or L2TP/IPsec. The VPN client is very simple to use as well.

 

TOR


Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor comes as an easily-installed software bundle that includes a privacy-conscious version of Firefox, together with the low-level component that connects the browser into the “bouncing your communications around” part of the Tor network. My only issue with it is that, at present, the network is quite slow.

 

CIPHERSHED


CipherShed is an open source encrypted container application similar to TrueCrypt. After creating an encrypted file or disk drive, the encrypted volume is mounted through CipherShed. The mounted volume shows up as a regular disk that can be read and written to on-the-fly. The encryption is transparent to the operating system and any programs. When finished, the volume can be unmounted, and stored or transported elsewhere, fully secured. Encryption volumes can be moved from OS-to-OS (e.g., Windows to Mac) with full compatibility. It has made it onto this list because you can secure communications within the volume and share them with other people while sending the password via another secure channel, which is particularly useful if you need to send a file from one device to another.

Using a mixture of any, or better yet all, of the above products can greatly decrease the value of your metadata. Of course, the metadata will identify that you are using encrypted communications services, but unlike the plaintext counterparts in common use, the contents of the communications will be encrypted. And in a world of ever increasing monitoring, that is likely the best we are going to get.

If you have any other ideas, please feel free to discuss!
