From today, 13th April 2017, all Australian telecommunications providers are required to collect a wide range of your telecommunications data ('metadata') and retain it for two full years, so that it can be requested by government agencies.
This data includes information about your phone usage (including texts and your location) and about your Internet connection. This information allows very detailed conclusions to be drawn about many aspects of your life, and there are almost no protections against investigative "fishing expeditions" or systemic abuse of power.
With the exception of journalists' data, no warrants are required for access to this data, and there is little effective oversight. The data retention scheme therefore represents a genuine threat to the privacy of all Australians.
That’s why we’re supporting today as a national day of action – we’re calling on Australians to educate themselves about the scale of this surveillance and take appropriate precautions.
So, we're declaring today, Thursday 13 April, as 'National Get A VPN Day'.
1: What is a VPN and why do I need one?
A Virtual Private Network (VPN) is an online service that creates an encrypted 'tunnel' from your computer to a remote Internet gateway, which will often be in a different country. The encryption means that your Internet Service Provider (ISP) will not know which sites you are visiting - they will only see that you are communicating with a single address, that of your VPN.
Let's say you're active with an environmental group that the government is interested in, and the government has obtained access to the list of addresses that have visited that group's website. If you're using a VPN, they will not be able to identify you as having visited that site as they'll only have the address of the external gateway of your VPN.
Simply put, using a VPN breaks the identifying links between your computer and the websites you visit, thereby protecting you from government surveillance.
Because they encrypt your traffic, VPNs also provide protection from eavesdropping. If your traffic is ever directly intercepted, the encryption means it will be unreadable. This is particularly important if you're using a public wi-fi service.
2: Which VPN should I choose?
Different VPN services vary significantly in terms of quality, and particularly in terms of how much privacy protection they include.
For a better understanding of how VPNs can (and sometimes can’t) be trusted to protect your anonymity, see this article from Brian Krebs.
Some things to think about include:
- What data does the VPN record? Is the VPN retaining web logs? Does the VPN know your IP address and the times that you connect to their servers? Also, what kind of advertising data does the VPN service store and does it hand that data over to third parties?
- How long does the VPN store data? Nearly all VPNs will store some data in order to troubleshoot network issues. However, the duration of that storage plays a key role in terms of the privacy protection afforded to users. After all, if the data has been deleted, then it cannot be accessed by a third party. Ideally, a VPN should be wiping user data within hours of it being recorded. If a VPN is storing data for anything more than a few days then beware.
- What country are they based in? For example, you may want to avoid services based in Australia, the UK, the US, New Zealand or Canada (the so-called 'Five Eyes' countries, which have comprehensive intelligence-sharing arrangements in place). You may also want to avoid services based in countries with authoritarian governments.
- What payment methods do they support? Using Bitcoin or other digital currencies will provide you with an extra layer of anonymity.
Here are some good reviews and guides that will help you find the right VPN provider for you:
- As part of their Surveillance Self-Defense site, our friends at EFF have an excellent guide to choosing the VPN that’s right for you.
- Torrent Freak’s 2017 provider list is focused on VPN services that take anonymity seriously.
- PC Mag’s 2017 review list gives an up-to-date list and review of the major VPN providers.
- That One Privacy Site’s VPN Comparison Chart is another good source.
- Privacy Tools IO’s updated list is a good source for VPNs outside of the 'Five Eyes' countries.
- The Best VPN provides a comprehensive review of 20 of the most popular VPN providers.
Or, if you're technically minded, you can roll your own. Here’s a handy guide from Crypto Australia for creating your own VPN service.
3: Help spread the word - tell your friends to #GetaVPN
Once you've got yourself sorted, don't forget about your friends, family and work colleagues.
- Send them a link to this page
- Retweet our link on Twitter, using the #GetaVPN hashtag
- Share our Facebook post
- Write to your local newspaper - letters to the editor can be an effective way to highlight an issue. See the contact section on your chosen media outlet. Keep it short and to the point.
4: Tell your MP and Senators what you think of mandatory data retention
We've been lobbying MPs and Senators over the last few years about the dangers of mandatory data retention, but adding your voice will help us to achieve the review of this legislation that we're seeking.
See our guidance on lobbying parliamentarians for ideas on how to be most effective, and for links to find your local MP and Senators from your state.
You may want to mention the following points when you contact them:
- All access to this data should require a warrant - not just for journalists' data. A majority of European Union countries require some form of independent, judicial authorisation for access to this sort of data, so there's no reason why Australians shouldn't enjoy the same protection.
- It's important that additional agencies aren't added to the list of those allowed access to this data. The one good part of the data retention legislation is that it reduced the number of agencies able to access this data from literally hundreds to fewer than two dozen (mainly police and anti-corruption bodies).
- The two-year retention period is unjustifiably long and must be reduced to at most six months.