‘Be paranoid’: How one reporter learned the danger of metadata

There are probably more than a few journalists – and I used to be one of them – who scoff at the idea that they have to do any more than they’re currently doing to protect their sources.

In fact I think for a lot of us “metadata” sounds like a bit of a bore.

I think we all reassure ourselves that police and intelligence services have more important things to worry about than who is leaking information to journalists.

But I am here to disabuse you of that notion.

For at least 36 years, Australian police agencies, government departments and a plethora of other bodies have been allowed to request – without a judicial warrant – the telecommunications records of journalists to chase the sources of leaked government information.

Those records, known as metadata, include phone bills, the phone numbers called and the numbers that are calling us. They include the name and address of every subscriber behind those numbers, even location data – where the phone is located. They include the email addresses and whoever we’ve been exchanging texts or messages with.

Metadata doesn’t include the content of any communication. But it is the digital trail between you and any person you’re communicating with. And it’s an incredibly powerful weapon to hunt down whistleblowers who leak information.

Just how frequently this power to access your and my metadata is used is extraordinary: In 2012 no less than 40 Australian government agencies made nearly 300,000 individual requests for metadata.

Now we have to hope most of those requests were for solid law enforcement or security reasons, and not to track whistleblowers and government leaks. But we don’t know because the government says that information is secret.

The metadata issue seems to be getting traction because of recent changes to the law in Australia that now requires metadata to be stored for two years.

And even though the new laws tighten access to this sensitive data, the estimate is that about 2500 bureaucrats will still be able to sign off on accessing metadata – without a court warrant.

If they want to search a professional journalist’s metadata in pursuit of a source then they will now have to seek a journalist information warrant from a judge or magistrate.

But even if they do go to a judge to get a journalist warrant, it’s not like the journalist is actually allowed to know about it to argue against it. Incredibly, the whole process will be kept secret. The journalist will never know about it.

Sixteen years ago, I was given an alarming insight into just how often journalists are actually spied on using such powers. It changed forever how I operate as a journalist.

Back then, in 1999, I was doing an investigation into the Australian Tax Office for the then Sunday Program.

There was huge concern from many inside the ATO then, as there is now, that while your average taxpayer was chased for every dollar, the big end of town was often allowed to settle huge tax bills for considerably less than what the taxman said was due.

A lot of ATO staff were very concerned about it. They were even suggesting corruption and I was being leaked a lot of confidential documents.

The turning point for me, my metadata-paranoid-privacy moment, was when a very senior tax office manager insisted on meeting me in a Canberra hotel room.

I thought he was absurdly paranoid because he wouldn’t let me call him and he wouldn’t phone me… his first contact with me, and all subsequent, was actually organised by ordinary post – still one of the safest ways to communicate with a journalist.

The Federal Police Commissioner has publicly played down the number of times the agency seeks a journalist’s metadata. But what the Commissioner didn’t disclose was that most requests for metadata aren’t made by the Federal Police at all.

This is what that senior tax office manager wanted to show me: in actual fact, he said, leaks investigations are generally done by the internal security section of each government department.

My ATO source told me that for years it had been almost a routine practice in the public service when there was any leak to the media for there to be a check on that journalist’s or the suspect public servant’s phone records to find out who had leaked the information.

He also warned me that the laws around the leaking of information were so broad that pretty much any information passed to a journalist – down to the office Christmas Party invitation on a public servant’s desk – could be used to trigger a request for a journalist’s metadata.

But my source had left the best till last. He’d brought along a copy of my metadata – my private phone records.

To educate me about the risks of metadata he’d asked for mine. It detailed all my calls out and all the calls in on my phone.

Sources I’d spoken to for several stories over the previous months were clearly identified by their subscriber name, number and address on that list.

There in front of me was evidence that could send several public servants to jail or at least lose them their jobs.

What shocked me most of all though was the cultural attitude that his request for that paperwork revealed; for this senior public servant – mercifully, a friendly source – he knew that the accountability controls on the ballooning number of metadata requests were so pathetic that he’d obtained my phone records knowing there would be absolutely no blow-back for him.

And there wasn’t, even after I broadcast a story using information he’d leaked to me.

I’d like to be able to say that Australia is the bad apple among Western democracies with its dogged pursuit of whistleblowers through metadata but truth is, it’s happening everywhere.

What we’re seeing is the revenge of the national security agencies, who seem to have nothing but contempt for journalistic scrutiny of what they do, and the evidence suggests governments are wrapping themselves in the flag with questionable claims of national security to try to shut down often legitimate journalistic investigation of government wrongdoing.

The former General Counsel for the US National Security Agency Stewart Baker has said: “Metadata tells you everything about somebody’s life. If you have enough metadata you don’t really need content.”

The former head of the NSA and the CIA Director Michael Hayden agreed. He said: “Absolutely correct. We kill people based on metadata.”

So how do we protect ourselves against government surveillance of our metadata? It’s almost impossible. But here are a few tips:

  • Try to ensure that ‘first contact’ with a sensitive government source is off the grid – don’t use your phone, email, SMS, or any kind of digital communication.
  • Educate potential whistleblowers through your website that they can be tracked through their metadata – and suggest alternatives (like writing a letter).
  • Don’t carry your phone with you when you can go and see them because it’s breathtakingly easy to ‘geo-locate’ a phone and show that a journalist and a source were in the same place at the same time.
  • Cover your tracks with encryption and obfuscation: I use an encrypted messaging app called Wickr that claims to keep no metadata. I also use the Tor Browser to hide the metadata trail that would otherwise be left by my web browsing on my computer.

The bottom line is that no solution will ever be secure unless it’s a face-to-face meeting with no digital traces for the spooks to follow. Be paranoid.

This is an edited excerpt from a speech given by ICIJ member Ross Coulthart at the 2015 Press Freedom Australia Dinner. Ross is an award-winning investigative reporter for Channel Nine's 60 Minutes program, and has also authored two books on organized crime in Australia.
