Australia's Attorney General Says Metadata Collection Won't Track Your Web Surfing, Just The Web Addresses You Visit (Huh?)

from the say-what-now? dept

Australian Attorney General George Brandis seems to be working extra hard to demonstrate just how completely clueless he really is. On both copyright and surveillance, it’s pretty clear that he doesn’t even remotely understand the details, but is willing to go all in to support some misleading claims that someone told him. On the surveillance front, he recently claimed (incorrectly) that data retention rules are a must (and that whistleblowers should be thrown in prison). The data retention rules are getting some attention because it’s pretty clear that Brandis is advocating for a massive expansion in data retention and collection for many different purposes (i.e., expanding it to cover “crime-fighting in general” as opposed to just terrorism/national security).

However, it’s pretty clear that he has no idea what this all means. He gave an absolute train-wreck of a TV interview on SkyNews, trying to defend the policy, in which he claims that the metadata rules won’t track your web surfing habits, but just what websites you visit — as if that’s a different thing. You can see the video here. It’s quite incredible. First he claims that the telcos “already collect this data” for billing purposes, but they want to change the law because now flat rate plans mean telcos might not track this data. But then he jumps to internet metadata (which, uh, has never required tracking for billing purposes) and things get ridiculous quickly.

SkyNews host: Well, the Prime Minister today said “it’s not what you’re doing on the internet, it’s the sites you’re visiting.” So will it be the sites you’re visiting?

George Brandis: Well, well, it… it wouldn’t extend, for example, to web surfing. So, what people are viewing on the internet is not going to be caught.

Host: So it’s not the sites you’re visiting.

Brandis: Well… um… what people are viewing on the internet when they web surf is not going to be caught. What will be caught is the… is the… is the, um… the web address they communicate to.

Host: Okay, so it’s only the… I’m sorry… the web address? If I go to an internet site, that will be recorded and available?

Brandis: The web address… um… is… is part of the metadata.

Host: The website.

Brandis: Well, the web address. The electronic address of the website.

Host: Okay. If I go to the SkyNews website, the Australian website, a more questionable website, that will be… is that what we’re talking about here?

Brandis: Well, I… b… m… m…. m… the… what you’re viewing on the internet is not what we’re interested in. And that’s not what we’re…

Host: You’ll be able to see whether I’ve been to that website or that website or that website.

Brandis: Well, what we’ll be able… what the security agencies want to know… to be retained… is the… is the electronic address of the website that the web user is visiting.

Host: So it does tell you the website.

Brandis: Well… well… it tells you the address of the website.

Host: That’s the website, isn’t it? It tells you what website you’ve been to.

Brandis: Well, when… when you visit a website you… you know, people browse from one thing to the next and… and… that browsing history won’t be retained or… or… or… there won’t be any capacity to access that.

Host: Excuse my confusion here, but if you are retaining the web address, you are retaining the website, aren’t you?

Brandis: Well… the… every website has an electronic address, right?

Host: And that’s recorded.

Brandis: And… um… whether there’s a connection… when a connection is made between one computer terminal and a web address, that fact and the time of the connection, and the duration of the connection, is what we mean by metadata, in that context.

Host: But… that is… telling you… where… I’ve been on the web.

Brandis: Well, it… it… it… it… it… it… it records what web… what at… what electronic web address has been accessed.

Host: I don’t see the difference between that and what website I’ve visited.

Brandis: Well, when you go to a website, commonly, you will go from one web page to another, from one link to another to another, within that website. That’s not what we’re interested in.

Host: Okay. So the overarching… if I go to… SkyNews website, it’ll tell that, but not necessarily the links within that that I go to?

Brandis: Yes.

I wouldn’t normally include stuttering and false starts in a transcript, but in this case it seems somewhat necessary to show the level at which Brandis was clearly uncomfortable with the subject matter. The conversation then goes on to metadata for social media, and Brandis takes the easy out here saying that the rules are still being discussed. However, he does admit that metadata will be used for criminal investigations.

We’ve long argued that metadata is incredibly revealing, and anyone who claims it’s “just metadata” has no clue what they’re talking about. But here, Brandis takes that cluelessness to a new level. It’s pretty clear that he is totally and completely ignorant of what he’s discussing. At times it suggests he thinks that the web address doesn’t reveal what you’ve been reading, and I thought maybe he thought that there’s a real distinction between the web address and what you see on the page (which would be ridiculous). But at the end, he seems to imply that ISPs will only be asked to record the top level domain of pages you visit… which is… equally unlikely and almost certainly false. Everywhere else he says the “web address” which would be a lot more than the top level domain.

Either way, it seems abundantly clear that he doesn’t understand the details, yet is pushing for legislation to make things happen when he is either completely ignorant of what it means, or he knows exactly what it means and knows that people would revolt over it, so he’s trying to mislead everyone.

No matter what the truth is, he has no business setting up these rules.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Australia's Attorney General Says Metadata Collection Won't Track Your Web Surfing, Just The Web Addresses You Visit (Huh?)”

Subscribe: RSS Leave a comment
Dave Cortright says:

There is a distinction between the address an the content

I hate to stand up for and ignorant government jackboot like him, but he does have a point, he’s just not communicating it very eloquently.

Let’s say the record shows I went to I have several Google accounts, including my primary personal, primary work, admin work, and throwaway. If I understand how this system works, they only know which address I went to, but not which account I used and therefore they don’t know specifically what content I viewed.

The same could be said for any dynamic content site (like a news site or video site), that adjusts content based on users’ implicit or explicit preferences. They could know that I went to CNN but not necessarily that I saw the article about a doctor cleaned out and sewed up a festering pus hole on John Brennan’s face (née his mouth).

That said, the fact that someone went to a site like speaks volumes.

cerda (profile) says:

Re: There is a distinction between the address an the content

yes indeed. But… the real meat on metadata is in the HTTP headers.

For example, if you go to a blogging site, it is not the site itself that is important as much as which URI you got to.

So, just guessing, I would regard his statements as “grabbing the whole nine yards”; he just did not know enough to say that . Or not say it.

Anonymous Coward says:

Re: There is a distinction between the address an the content

That depends. Are they recording that you went to, or are they recording that you went to ?

If it’s the latter, then they DO know whether you saw that John Brennan article. Perhaps they can’t actually read your email this way, but just because the invasion of privacy isn’t absolute doesn’t mean it’s acceptable.

Anonymous Coward says:

Re: There is a distinction between the address an the content

Some of what he says may be true – that what people do on the site will not be tracked (or cannot be tracked, in the case of HTTPS) – but some of what he said is clearly misleading…

They will be tracking website addresses, but not the links you click on once you visit a site? That sounds like someone who doesn’t understand that a link clicked is generally a new website address, and the browser will request it just as if you’re visiting a new site entirely. This sounds like someone who is either intentionally misleading people, or has absolutely no clue how anything works.

The reason this legally “works” by their definition of metadata vs content, is that the website address doesn’t necessarily indicate what content was viewed – it is conceivable (although somewhat unlikely, and even frowned upon) that the same URL/web address might take you to different content the next time it is visited. So they can stand back and claim that they’re not tracking what you actually viewed on the internet, while at the same time, tracking everywhere that you went.

Anonymous Coward says:

Re: Re: Re: There is a distinction between the address an the content

Actually, more like they saw you go into said brothel, but they don’t know what you saw or did while you were there. If they walk into the same brothel, they’re likely to see what you saw at the very least – although they can’t guarantee that what they see is exactly what you saw when you walked in – they can only assume such.

Anonymous Coward says:

Re: Re: Re: There is a distinction between the address an the content

Hey a brothel that services the customer in the car!!!

On a more serious note, tracking of this data is why web proxies will become more popular. If it looks like we all parked at a brothel then they won’t know if we all went in or just walked to another business.

Ed Allen (profile) says:

Re: Re: Re: There is a distinction between the address an the content

Even top level domains would not get him the tracking they are after. If you limit to IP address for trackin/block then what about ?

Web Sites Sharing IP Addresses: IPs Hosting 225 to 249 Domains

So if they block by IP address then one baddie on a particular IP gets up to 248 innocents punished for no action of their own.

Plus that puts the “metadata” at the level of the pages you looked at and the time till your next click.

If the data collected and archived (for how long ?) is harmless then he should be willing to release a week’s
worth of his own “metadata” for everybody to see just how unintrusive it really is.

If they really intend to limit to IP address then lots of innocents will be guilty by being in the same neighborhood.

pixelpusher220 (profile) says:

Re: There is a distinction between the address an the content

I agree. Either the host is actively playing into his lack technical details, or the host is equally as stupid.

It’s the difference between the address on a letter and the contents of the letter itself. (with the obvious exception that in a URL’s case you can then go get the content if you wish)

Without the specific details of the program, it would likely be collecting the textual URL so they’d know which articles you visited on a site like TechDirt. For more dynamic/scripted sites it might be a bit harder to reconstruct the content that the subject actually saw from the URL and any other header data you might collect.

Mike Masnick (profile) says:

Re: There is a distinction between the address an the content

Let’s say the record shows I went to I have several Google accounts, including my primary personal, primary work, admin work, and throwaway. If I understand how this system works, they only know which address I went to, but not which account I used and therefore they don’t know specifically what content I viewed.

Yes, that’s what I thought he was (badly) trying to saying at first too, but later on he contradicts that, by saying they’re just collecting the TLD…

I think the honest answer is he has no clue.

ysth (profile) says:

Re: Re: There is a distinction between the address an the content

I think he has a clue and knew exactly what he meant, but just didn’t know the correct terminology. He either meant IP address or domain name by “website address” and meant the actual returned content by “website”.

Though not knowing correct terminology makes it not unlikely that he is mistaken…

Eldakka (profile) says:

Re: Re: Re:

TO be fair, he isn’t actually dumb.

They don’t make numpty’s Queens Counsels, and he has a Bachelor of Civil Law from Oxford, and according to wikipedia:

The Oxford BCL and MJur are widely considered to be among the most academically demanding postgraduate taught law courses in the Common Law world.

He is pretty bright.

So he’s not dumb, he’s merely dealing in an area (Internet, networking in general) outside his expertise.

No, it makes him a luddite…

Trevor says:


What if he was trying to say that the surveillance does not collect the content of the pages, but merely the address that content is located at?

For example: It says I went to, but not that the page contained the following sentence:

No matter what the truth is, he has no business setting up these rules.

As is always, TECHNICALLY he is right.

HOWEVER. He is glossing over the fact that a separate program or a time consuming “copy/paste” will provide completely legal access to that content. He’s trying to argue that they don’t have access to the content through that program while helpfully omitting that they have access to the content via other means.

Whoever says:

What he might be saying

I think that he is either trying to say that only the URL is stored (and not the data coming back from the website), OR he is trying to say that only the IP address is stored.

With name-based hosting, IP addresses can be misleading, so I think that if he means this, he has been mislead by his handlers/advisers.

Of course, with the URLs, if he means this, he is thinking that what is stored is the URL that the user sees in the URL bar, but of course, a browser fetches many, many URLs in order to display a single page and every one of those URLs will be stored.

Summary: he has been briefed by someone who doesn’t not want him to understand the real nature of the tracking.

Ed Allen (profile) says:

Re: duration?

Just time when you started viewing this page subtracted from time of next click gives the duration.

Both will be in the log he wants ISPs to keep.

Of course the next panic will be when they realise that https only allows tracking to the IP address.

Then they will insist that the ISP must be able to decrypt everything because “good” sites and “bad” ones can share the same IP address.

That means that everybody inside a firewall must be branded “guilty until proven innocent” by the firewall logs.

All your home routers track all URLs and encryption keys don’t they ?

Brings to mind the case where my Wi-Fi connection, totally encrypted, is hacked because of a bug in the manufacturer’s
software. Am I “guilty” because somebody accessed kiddie porn through it ?

Anonymous Coward says:

Re: He just lost hollywood/RIAA backing

As this Lying Nasty Party has proven that every time they open their mouths that they are lying (currently at least one lie a day since being elected back in September 2013) nobody in their right minds will believe that.
Whilst the government may not be interested in using metadata for tracking illegal downloads their financial puppet masters such as Rupert Murdoch are most certainly interested.
It has already been stated that the Victorian Taxi Council & the RSPCA have access to metadata, although for what reasons no one seems any the wiser, especially as it was stated that they do not need a warrant to access the metadata they need.

Anonymous Coward says:

Re: Re:

No. What he is saying is that they are only recording that you spent 6 minutes and 33 seconds on and trying to spin it as nothing more than an address. Like where Abbot stays that it is just like the address on an envelope, but omits that if you type the address on the envelope into a computer, you can read the letter within.

Kronomex (profile) says:

I nearly fell out of my chair laughing at George “Insert Corporate Brand Name Here” Brandis’s interview. This clueless, gormless, technology free barbarian, and all round git is our one term Attorney-General. Him and the rest of his cronies running…ruining…this country are goners and the sad part is that we still have another two years of massive damage to come before we can vote them out. Mind you I certainly won’t be voting for little Billy Shorten and his gang of incompetents.

Anonymous Coward says:


‘He says metadata includes duration. How are they tracking duration at a website? That’s not something that an ISP generally has in their business records. ‘

yes right because the contents of the website or the server is likely overseas and does not keep a history of all changes.

– The contents might have changed since the site was visited the last time.

– The server does not log visitors IP addresses.

– The logs are only kept for a short duration.

Even if the hosting provider logs that IP address visited this information is worthless if the forum does not log visitors or purges the logs after one week.

In most nations, the attempts to force ISPs to retain metadata have only covered IP addresses.

The definition of provider often depends on whether it provides the connection to the internet.

If it’s not a telecommunications provider, it is often outside the scope of the data retention law.

Anonymous Coward says:

There is a distinction between the address an the content

‘So they can see that I parked my car at the local brothel parking lot.
But they cannot see if I went into said brothel.’

Actually they can’t even see who parked the car, only that the car registered in your name was used to park at said brothel.

Of course, someone could have cloned your car with its license plate and committed a crime, but that’s very unlikely.

But ten other persons could use your internet connection without your knowledge or permission.

And this is the real reason why data retention is waste of money — unless the next step is forcing everyone to lock down their internet connection.

Anonymous Coward says:

domain name

That’s funny, and a great demonstration how the politicians are just puppets to their own intelligence agencies.

Further to the point in this article, it’s worth pointing out that when filling out a form, posting a comment or any other activity in which personal info may be revealed, this is also part of the web address, as GET variables, and as such the metadata is compeletely indistinquishable from sensitive content.

However, this article contains one mistake: A top level domain name is only the last section of the domain name, for example “com” in What is implied, rather than that only the top level domain is logged, is that the hostname is logged. A maybe more accessible and less incorrect (but still incorrect) term would be “domain name”. I’d like to suggest that you correct the use of “top level domain” there.

I concur that it seems ridiculous though, of course they aren’t only recording the hostname (except that with https, sometimes, they may be able to get the hostname only by checking the certificate, so in some cases, that is all they /can/ log).

ReAn says:

There is a larger issue at play here!

Even if they’re just collecting the TLD, browsing to a link does not signify intent.

Any request can redirect your browser anywhere it wants. You could go to and if Mike was an evil person he could make that respond ..

HTTP/1.1 302 Found

.. and just like that your browser would have been directed to a flagged site.

BAM! You’re on a watch-list and scrutinized likely for the rest of your life.

Additionally an IFrame on a legit page can make you send requests to other domains. This is the biggest problem because the metadata isn’t really effective at explaining anything, yet they’re making life-changing decisions based on this faulty dataset.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...