The Morality of Metadata

Once upon a time a phone call was transient. Triggered by a series of clicks from a rotary dial, mechanical switches at the exchange would route your call to its destination. Perhaps Peter Dunne and Andrea Vance talked to each other on the phone, but this mechanical switchboard had no record of that happening. In that world, monitoring communications probably required physically accessing the exchange and plugging in a tape recorder. It was a Big Deal.

Today, the simple act of dialling a number results in a database entry. Visiting a website leaves a trace. Touching your access card to a door panel drops a line in a text file.

We have been living under the misguided impression that we are not being watched because the actors who would watch us are inherently law-abiding and moral. The reality is that they haven’t been watching us because it required effort.

We now see the truth: with metadata so readily accessible, it is literally easier to hand over 30 days of phone and access data than to spend time asking if the original request is valid. This is a problem: humans are lazy. No law will fix that.

Spend enough time with any volume of data, and it’s incredibly easy to become desensitized. I remember working for an insurance company, working on calculations that included a field called “expected death strain”. Each (anonymous) row showed the probability, month by month, that the insured party would not be alive. It took a long time for me to realise the importance of those numbers.

A technician in some way attached to parliament sees access and phone records every single day. Someone wants a dump from those files? No big deal, it’s just a portion of those letters and numbers they see every day.

I’ve been asked a lot over the last couple of days whether the recent spate of leaks, hacks and law changes are interrelated. My initial position was that no, the changes to TICS and GCSB legislation have nothing to do with a parliamentary inquiry.

I think I was wrong.

We must demand that our metadata is treated with the same level of respect as our personal property. Anything less is immoral.

Join the Conversation


  1. Very well said, Ben.

    This is doubly important when you consider that metadata includes location because we all carry tracking devices/cellphones that know exactly where they are at all times.

    It’s now possible to know not only who you called and when but where you were standing when you made that call.



    1. Relevant to this: Moscow police are installing SIM card tracking. Ostensibly to identify and locate stolen phones and SIM cards.

      The legal justification, if the article is too long to read, is that they’re not tracking a user’s property, the SIM card belongs to the telco, whom it is legal to track.

      Not sure about NZ, but in Australia the SIM card belongs to the carrier too. Wonder if our Feds have identified that as a neat little legal loophole.

  2. I’ve been asked on Twitter variations on “what is a valid request?” and “is it a contractor’s job to question a request?”

    To clarify, my point is that the current default response to metadata requests seems to be “OK!”

    The default response should instead be “Are you really, really sure you want this data and have the authority to request it?”

    It’s a simple, subtle change, but it needs to happen. Treat it the same way as someone knocking on your front door asking to come inside.

    1. You’re assuming that this isn’t what happens though. You’ve got no knowledge of the contractual arrangement that is in place, you’ve got no knowledge of whether that process does in fact take place. And besides, this is the customer’s data, not the contractor’s data. The person responsible for requesting & releasing the data is ultimately the one who needs to ensure that this is a valid thing to do.
      How is a contractor to determine whether the data is being used legitimately or not, and whether the data is being requested for an investigation or just IT planning purposes? This is a big can of worms for vendor/customer relationships.

      1. The act of asking for confirmation is often enough to make people think twice. I’m not asking for insubordination.

        1. In this case, now that we’ve seen the email, it seems certain that it was a lax attitude to the value and privacy of that data that was at fault.

          There was no request made for Vance’s records, the IT guy involved seems to have thrown that in as a little helpful gesture on his own initiative.

          If we recalibrated our respect for metadata (or secondary data as some would call this) to be the same as our respect for primary data then these issues would be much less likely to occur.

  3. I wholeheartedly agree.

    I know where I work, we are very strict about to whom and under what circumstances we provide customer metadata.

    That is to say, basically, no official signed court order, no metadata.

    1. Remember that this isn’t a scenario where a third party is requesting customer metadata, this is a scenario where the customer is requesting their own data. That’s quite a different proposition.

  4. Agree Ben,

    This is why the lack of adequate oversight on such matters is so concerning and the apparent laissez faire attitude to privacy. We absolutely need strong law and an independent (i.e. Panel of ex-Judges perhaps) to oversee such information requests.
    Also, there needs to be real and serious consequences for those responsible if they are found to have broken the law. “I didn’t know it was illegal” should not be an excuse for anyone.
    Seems that no one in power ever carries the can for these “transgressions”.
    This lack of accountability breeds the slack attitude and the potential corruption of Government power.

    1. Maybe we could appoint two retired judges. One could be in charge of approving warrants used by the security services, the other could be in charge of ensuring the security services complied with those warrants!

      We could call the first guy the Commissioner for Security Warrants, and the next guy the Inspector General of Intelligence and Security!

      Then for the rest of us, maybe we could have a commissioner, who had staff, and she could be in charge of investigating breaches of privacy! We could call her the Privacy Commissioner and give her an Office of the Privacy Commissioner full of staff!

    2. Remember where I said “humans are lazy. No law will fix that.”?

      I’m asking for personal responsibility, not additional laws.
