Metadata, Traffic Data, Communications Data, Service Use Information… What Is the Difference? Does the Difference Matter? An Interdisciplinary View from the UK

Data Protection on the Move

Part of the book series: Law, Governance and Technology Series (ISDP, volume 24)

Abstract

In the wake of the Snowden revelations, it has become standard practice to rely upon the dichotomies metadata/data or metadata/content of communications to delineate the remit of the surveillance and investigation power of law enforcement agencies as well as the range of data retention obligations imposed upon telecommunications operators and in particular Internet service providers (ISPs). There is however no consensual definition of what metadata is and different routes can be taken to describe what metadata really covers. The key question is whether or to what extent metadata should be treated akin to content data for the purposes of identifying the categories of data which shall actually be retained by telecommunications operators and to which law enforcement agencies can have access. In an attempt to answer the question, this paper provides an understanding of what metadata is and what their diversity is by following two steps. First, adopting an interdisciplinary approach, we argue that three types of metadata should be distinguished in relation to the nature of the activity of the service provider processing them and their level in a network communication—network-level metadata, application-level metadata, and service-use metadata—and we identify three types of criteria to classify these metadata and determine whether they should be deemed as akin to content data. Second, we compare these categories with legal concepts and in particular UK legal concepts to assess to what extent law-makers have managed to treat content data and metadata differently.

Notes

  1.

    See section 2 infra for a definition of this notion.

  2.

    2014 No. 2042.

  3.

    Jemima Stratford QC and Tim Johnston, “The Snowden ‘Revelations’: Is GCHQ Breaking the Law?”, E.H.R.L.R. 2 (2014): 132.

  4.

    Ibid.

  5.

    Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) OJ L 201, 31.7.2002, pp. 37–47, amended twice by Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 and Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 [e-privacy Directive].

  6.

    The Article 29 Data Protection Working Party stated in a recent working document on surveillance of electronic communications for intelligence and national security purposes that “Contrary to the general exemptions from the scope of application of the Directive laid down in its Article 3(2), the derogations to specific principles, rights and obligations provided by Article 13(1) or included in other provisions of the Directive assume that the Directive applies in principle to the processing in question. As explicitly required by the Directive such exceptions should then be laid down by Member State's laws, which in many cases also need to provide additional safeguards”. The Article 29 Data Protection Working Party, “Working Document on surveillance of electronic communications for intelligence and national security purposes”, adopted on 5 December 2014, WP 228, accessed December 27, 2014, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp228_en.pdf, at [4.4.3]. If we apply this logic to the e-privacy Directive, it should follow that exceptions to the principle of confidentiality of communications (to be found in Article 5) require a clear legal basis with appropriate safeguards.

  7.

    (2007) 45 E.H.R.R. 37 (Copland).

  8.

    Copland at [43–44].

  9.

    Copland at [54].

  10.

    (1985) 7 E.H.R.R. 14 (Malone).

  11.

    Malone at [84].

  12.

    This is how the Court defines the technique of metering in this case: “the use of a device (a meter check printer) which registers the numbers dialled on a particular telephone and the time and duration of each call”. Malone at [84].

  13.

    Malone at [84].

  14.

    2014 No. 2042.

  15.

    There is an exception to this principle for local authorities which must receive prior judicial approval. See s. 23A and 23B of RIPA (as amended by the Protection of Freedoms Act 2012). Note that for interceptions (revealing the content of communications), it is the Secretary of State who issues the warrant. See s. 5 of RIPA.

  16.

    Australia would also be worth examining, as the recent decision of the Privacy Commissioner in Ben Grubb and Telstra Corporation Limited (2015) AICmr 35 shows. The purpose of this paper was, however, to shed light upon one specific interpretation and implementation of the EU legal framework.

  17.

    See for example Articles 60-2 and 77-1-2 of the French Code of Penal Procedure.

  18.

    See for example Article L246-1 of the French Code of Internal Security.

  19.

    See Article 6.II of the Loi No. 2004-575 du 21 juin 2004 pour la confiance dans l’économie numérique and Article 1 of Décret No. 2011-219 du 25 février 2011 relatif à la conservation et à la communication des données permettant d'identifier toute personne ayant contribué à la création d'un contenu mis en ligne.

  20.

    See Article L34-1 (VI) of the Code of the Post and Electronic Communications. This comes from the transposition of Article 1 of the data retention Directive. See also the Spanish Act 25/2007 on the retention of data related to electronic communications and public communications networks, which applies to traffic and location data of both legal entities and natural persons and to the related data necessary to identify the subscriber or registered users (Article 1).

  21.

    For the sake of clarity it is important to note that we understand data as numbers, characters, symbols that can be processed by a computer. Data can thus be stored and/or transmitted through the means of a communication process which in our case takes the form of an electronic communication issued by a sender to a recipient. Data becomes information when it is possible to ascribe a semantic meaning to it, e.g. when it is possible to derive the identity of the sender or recipient, or when it is possible to derive what is said or thought by the sender or recipient.

  22.

    For a full analysis of DPI technologies see Sophie Stalla-Bourdillon, Evangelia Papadaki and Tim Chown, “From Porn to Cybersecurity Passing by Copyright: How Mass Surveillance Technologies Are Gaining Legitimacy… The case of Deep Packet inspection Technologies”, Computer Law & Security Review 30 (2014): 670–686.

  23.

    Article 8 of the Data Protection Directive. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, pp. 31–50 lists the different categories of sensitive data.

  24.

    In this sense metadata relating to electronic communications are different from traditional metering information such as phone numbers.

  25.

    To be sure, drawing a distinction between these two types of question is not without problem as it might be possible to infer the content of communications (i.e. what is said) from “merely” who speaks with whom.

  26.

    See however Neil Brown, “An Assessment of the Proportionality of Regulation of ‘Over the Top’ Communications Services under Europe’s Common Regulatory Framework for Electronic Communications Networks and Services”, Computer Law & Security Review 30 (2014): 368, arguing that “there appears to be an obvious case for the extension of the requirement of data retention to over the top providers”.

  27.

    2003 No. 2426.

  28.

    Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data OJ L 281, 23/11/1995, pp. 31–50.

  29.

    Qosmos, “DPI and Metadata for Cybersecurity Applications”, White Paper, January 2012, accessed October 10, 2014, http://www.accumuli.com/pages/files/datasheets/DPI-and-Metadata-for-Cybersecurity-Applications_Qosmos.pdf.

  30.

    Nadeem Unuth, “What is a Data Packet?”, accessed October 5, 2014, http://voip.about.com/od/glossary/g/PacketDef.htm.

  31.

    Qosmos, “DPI and Metadata for Cybersecurity Applications”.

  32.

    IANA, “Service Name and Transport Protocol Port Number Registry”, accessed October 18, 2014, http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml.

  33.

    TCP stands for Transmission Control Protocol and IP for Internet Protocol.

  34.

    Andrew S. Tanenbaum and David J. Wetherall, Computer Networks, 5th Edition (US: Pearson, 2010), 45.

  35.

    Alison Cooper, “Doing the DPI Dance: Assessing the Privacy Impact of Deep Packet Inspection”, in Privacy in America: Interdisciplinary Perspectives, ed. William Aspray and Phillip Doty (Maryland: Scarecrow Press, 2011), 139.

  36.

    Gary Kessler, “An Overview of TCP/IP Protocols and the Internet”, accessed October 12, 2014, http://www.garykessler.net/library/tcpip.html.

  37.

    Christian Fuchs, “Societal and Ideological Impacts of Deep Packet Inspection (DPI) Internet Surveillance for Society”, Information Communication & Society 16(8) (2013): 1334.

  38.

    For a full analysis of DPI technologies see Stalla-Bourdillon, Papadaki and Chown, “From Porn to Cybersecurity Passing by Copyright”.

  39.

    CPU stands for Central Processing Unit.

  40.

    Most remote sites do not give out this information for security reasons. If this field is disabled by the host, there is a dash (–) instead of the login/full name. If the server requires a user ID in order to fulfil an HTTP request, the user ID will be placed in this field.

  41.

    Daniel Butler, “Log File Analysis: The Ultimate Guide”, accessed January 16, 2015, http://builtvisible.com/log-file-analysis/.

  42.

    There is an argument that emails or user names could be considered as belonging to the same category as network-level metadata as they can be used to determine who speaks more than what is said. However, as email addresses or user names are to be found in the payload and, if used to determine who is speaking, they can directly identify individuals, they could be deemed closer to content data.

  43.

    It is true however that IP addresses can then be combined with port numbers, protocols and eventually MAC addresses and thereby allow the reaching of specific devices, even when IP addresses are shared.

  44.

    S. 21(6).

  45.

    Home Office, “Code of practice for the acquisition and disclosure of communications data”, published on September 8, 2010, accessed October 10, 2014, https://www.gov.uk/government/publications/code-of-practice-for-the-acquisition-and-disclosure-of-communications-data (Acquisition of Data Code of Practice).

  46.

    Acquisition of data Code of practice, [2.19].

  47.

    Acquisition of data Code of practice, [2.20].

  48.

    Home Office, “Code of practice for the acquisition and disclosure of communications”, December 9, 2014, accessed March 25, 2015, https://www.gov.uk/government/publications/code-of-practice-for-the-acquisition-and-disclosure-of-communications-data, [2.24–2.25] (New acquisition of data Code of practice).

  49.

    NRO, “Free Pool of IPv4 Address Space Depleted”, February 3, 2011, accessed October 15, 2014, https://www.nro.net/news/ipv4-free-pool-depleted.

  50.

    New acquisition of data Code of practice, [2.26].

  51.

    RIPA s. 21(4)(c).

  52.

    New acquisition of Data Code of practice, [2.21].

  53.

    RIPA s. 21(4)(b).

  54.

    New acquisition of data Code of practice, [2.29].

  55.

    See e.g. New acquisition of data Code of Practice, [7.4–7.5]: “There is no provision in RIPA preventing CSPs from informing individuals about whom they have been required by notice to disclose communications data in response to a Subject Access Request made under section 7 of the DPA. However a CSP may exercise certain exemptions to the right of subject access under Part IV of the DPA. Section 28 provides that data are always exempt from section 7 where such an exemption is required for the purposes of safeguarding national security”.

  56.

    2009 No. 859.

  57.

    Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC OJ L 105, 13.04.2006, pp. 54–63. See for the declaration of invalidity by the Court of Justice of the European Union (CJEU) Joined cases C-393/12 and C-594/12 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources et al. and Kärntner Landesregierung, Michael Seitlinger, Christof Tschohl and others of 8 April 2014 (Digital Rights Ireland).

  58.

    This was one of the purposes of the Counter-Terrorism and Security Bill 2014-2015 (HC Bill 127), and in particular Part 3, available at http://services.parliament.uk/bills/2014-15/counterterrorismandsecurity/documents.html. See also the Explanatory Notes at http://www.publications.parliament.uk/pa/bills/cbill/2014-2015/0127/en/15127en.htm, which state at [50] that “Part 3 enables the Secretary of State to require communications service providers (CSPs) to retain data that would allow relevant authorities to link a public internet protocol (IP) address to the person or device using it at any given time”. See also Home Office, “Internet protocol address resolution: the Addendum to the retention of communications data code of practice, Draft for public consultation”, December 9, 2014, accessed December 17, 2014, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/383403/Draft_Data_Retention_Code_of_Practice_-_IP_resolution_addendum_-_for_pub….pdf. The Counter-Terrorism and Security Act 2015 was enacted on 12 February 2015, and its section 21 expands the category of relevant communications data by adding the category of relevant Internet data.

  59.

    One could argue that this should not happen as section 2 (section 1 supplementary) of DRIPA excludes data which “may be used to identify an internet communications service to which a communication is transmitted through an internet access service for the purpose of obtaining access to, or running, a computer file or computer program”.

  60.

    See s. 5. Prior to DRIPA, the majority view was that data retention obligations did not concern over-the-top service providers as the 2009 Regulations referred to the definition to be found in section 151 of the Communications Act 2003(1). See s. 2(e).

  61.

    Home Office, “Retention of communications data code of Practice”, accessed March 25, 2015, https://www.gov.uk/government/publications/code-of-practice-for-the-acquisition-and-disclosure-of-communications-data (Retention of communications data code of Practice).

  62.

    Retention of communications data code of Practice, [2.21].

  63.

    See Chambers v DPP (2012) EWHC 2157 (Admin) which, interpreting s. 127 of the Communications Act 2003, seems to have a broad understanding of public electronic communications networks. But see the restrictive view of the Experts Group, “The platform for electronic data retention for the investigation, detection and prosecution of serious crime” established by Commission Decision 2008/324/EC, DATRET/EXPGRP (2009) 2 FINAL—03 12 2009, http://ec.europa.eu/home-affairs/doc_centre/police/docs/position_paper_1_annexe_09_12_03_en.pdf. S. 2(1) of RIPA defines telecommunication system as “any system (including the apparatus comprised in it) which exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy”.

  64.

    See Geek.com, “Facebook stores up to 800 pages of personal data per user account”, accessed January 10, 2015, http://www.geek.com/news/facebook-stores-up-to-800-pages-of-personal-data-per-user-account-1424807/; “LinkedIn Privacy Policy”, accessed January 10, 2015, https://www.linkedin.com/legal/privacy-policy#info-collected; “Skype Privacy Policy”, accessed January 10, 2015, http://www.skype.com/en/legal/privacy/#collectedInformation.

  65.

    The e-privacy Directive should not be applicable since under Article 3 “[t]his Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks”.

  66.

    Article 1.

  67.

    See Stalla-Bourdillon, Papadaki and Chown, “From Porn to Cybersecurity Passing by Copyright”, 672.

  68.

    It might be argued that at this stage data is generated as the ISPs process the logs to produce derived data, unless one considers that data is generated each time it is logged.

  69.

    Ibid. 675.

  70.

    Ibid. 671.

  71.

    See e.g. Court of Justice of the European Union (CJEU), Case C-101/01, Bodil Lindqvist, 6 November 2003, ECLI:EU:C:2003:596 at [25] (“According to the definition in Article 2(b) of Directive 95/46, the term processing of such data used in Article 3(1) covers any operation or set of operations which is performed upon personal data, whether or not by automatic means…”).

  72.

    Cm 8359. The solution the Government proposed was to agree with the UK telecommunications operators to place data probes on their networks to collect the required communications data as it traversed to the end user. The probes would be programmed to generate information from network links within the communication service provider’s network, while deep packet inspection would be used to isolate key pieces of information from data packets in a communication service provider’s network traffic.

  73.

    But see s. 2(1).

  74.

    As it is defined as “any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof” under Article 2(b), although the adjunct “or the billing thereof” is problematic.

  75.

    Of RIPA.

  76.

    See e.g. Stratford QC and Johnston, “The Snowden ‘Revelations’”; Sophie Stalla-Bourdillon, “Privacy vs Security… Are we done Yet?”, in Privacy vs security, ed. Sophie Stalla-Bourdillon, Joshua Phillips and Mark D. Ryan (London: Springer, 2014), 1–90. Compare with Liberty et al. v GCHQ et al. (2014) UKIPTrib 13_77-H and Liberty et al. v The Secretary of State for Foreign and Commonwealth Affairs et al. (2015) UKIPTrib 13 77-H.

  77.

    Note that judicial approval is not always considered to be an appropriate safeguard. See Interception of Communications Commissioner’s Office, “Evidence for the Investigatory Power Review”, December 5, 2014, p. 35 (ICCO’s Report), accessed January 21, 2015, http://www.iocco-uk.info/docs/IOCCO%20Evidence%20for%20the%20Investigatory%20Powers%20Review.pdf.

  78.

    Ibid. 18–19.

  79.

    See Intelligence and Security Committee of Parliament, “Privacy and Security: A modern and transparent legal framework”, Presented to Parliament pursuant to section 3 of the Justice and Security Act 2013, Ordered by the House of Commons to be printed on 12 March 2015, accessed March 25, 2015, http://isc.independent.gov.uk/committee-reports/special-reports at [143] (“‘Communications Data Plus’—this goes further than the basic who, when and where of CD. So, for example, this would encompass details of web domains visited or the locational tracking information in a smartphone”).

  80.

    Such a finding thus echoes Lee A. Bygrave’s claim. This author argues that legal definitions of basic but crucial information concepts on which the entire regulatory edifice is based are often too poorly understood and thereby interpreted. See Lee A. Bygrave, “Information Concepts in Law: Generic Dreams and Definitional Daylight”, Oxford Journal of Legal Studies 35 (2015): 91–120.

Acknowledgments

We would like to thank the anonymous reviewers.

Author information

Corresponding author

Correspondence to Sophie Stalla-Bourdillon.

Copyright information

© 2016 Springer Science+Business Media Dordrecht

Cite this chapter

Stalla-Bourdillon, S., Papadaki, E., Chown, T. (2016). Metadata, Traffic Data, Communications Data, Service Use Information… What Is the Difference? Does the Difference Matter? An Interdisciplinary View from the UK. In: Gutwirth, S., Leenes, R., De Hert, P. (eds) Data Protection on the Move. Law, Governance and Technology Series, vol 24. Springer, Dordrecht. https://doi.org/10.1007/978-94-017-7376-8_16
