And here is the first Peep Beep! post:
The Snowden revelations have transformed the word “metadata” into a buzzword. The question that many are asking these days is who can collect and retain metadata. Can law enforcement agencies and intelligence services collect and retain metadata at their will? Can Internet access providers do what they want with metadata? Interestingly, the UK government has just acknowledged for the first time that its intelligence services have been accessing both metadata and the content of communications actually collected in bulk by other foreign intelligence agencies such as the NSA without a warrant and have been retaining the data for about 2 years [Peep Beep!]. But before determining what public or private actors can do with metadata it would be good to have a start of an understanding of what relating legal concepts cover. This is the very purpose of this post [a longer co-authored article is on file with the author who would be very happy to distribute it on request].
Looking at the rules comprising the legal framework, the word “metadata” is nowhere to be found. What one finds at least under UK law are the words communications data, traffic data, data relating to the use of a service (what is called ‘service use information’ by the 2010 Code of practice for the acquisition and disclosure of communications data).
Technically speaking [thanks to Tim Chown at the University of Southampton for his explanations] there are at least two types of metadata: network-level metadata and application-level metadata. Network-level metadata comprise the ‘who, what, when and where’ of network traffic, specifically which devices are communicating (by IP address), port numbers (which give a hint to which applications are involved), the packet count, data volume and duration of such a flow.
Application-level metadata is to be found in the payload of packets and cover e.g. for an email the sender and receiver email addresses, and a subject line; or for a web request, the website or domain name being accessed and a fortiori the specific file name or image being requested from the server.
Application-level metadata thus cover much greater specifics about the communication. Importantly, the collection of application-level metadata by Internet service providers (ISPs) require the implementation of deep packet inspection technologies, i.e. the peeping into the content of communications [Peep Beep!].
As a result, although the drafters of the Acquisition of data Code of practice seem to confuse two distinct concepts (traffic data and ‘service use information’) while adopting a broad understanding of traffic data (since they appear to comprise domain names), traffic data within the meaning of section 21 of the Regulation of Investigatory Powers Act 2000 (RIPA) should not include application-level metadata (by definition traffic data excludes the content of communications). This means that ISPs should not be asked to implement deep packet inspections to collect so called traffic data. [Well this is exactly what the Draft Communications Data Bill of 2012 wanted to achieve by the way!].
It is true that one way of circumventing the prohibition to collect application-level metadata by ISPs is to ask over-the-top service providers (an ISP providing a webmail service acts as an over-the-top service provider) to give away their logs, i.e. service use information. However up until now most over-the-top service providers were not under any data retention obligations. Only Internet access providers had to retain service use information and service use information was defined restrictively: it did not cover (this is very important) browsed information or lists of Facebook friends or Twitter followers.
Unfortunately the newly adopted Data Retention and Investigatory Powers Act 2014 may change the scene by enlarging the category of service providers concerned by data retention obligations. Section 21(4) of RIPA has been amended to include services which consist in or include “facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system”. Reading the notes referring to the Data Retention and Investigatory Powers Bill it seems that the intention was to make sure services “such as webmail” [what does ‘such as’ really mean?] were included within the definition.
Not to be misleading, the systematic collection and retention of traffic data (i.e. network-level metadata) is problematic and should require adequate legal safeguards [Peep Beep!]. It is certainly arguable whether Chap 2 of Part I of RIPA offers such safeguards. But what should be clear now is that even though the procedure for authorising the acquisition of communications data is light-touch (so to speak) not everything is communications data and certainly not application-level metadata.