Both have resorted to using the analogy with letters. “metadata is the material on the front of the envelope, and the contents of the letter will remain private”.
Web metadata is not like the material on the front of a letter. A URL, the address of a website that you type into the address bar encodes far more information than the simple address. First of all, the address points to information that can be publicly accessed and so if you know the URL, you know what people have seen. Second, URLs quite often have other information that tells the website things like what you are doing. As I am writing this, the URL has information in it saying that I am editing a document and in fact details the exact document that I am editing:
Of course even with letters, we know something about the content and this is why the security agencies are happy with just having the addresses. If I receive a letter from the tax office or a gas company, I have a pretty good idea what the letter is about. And so it is with websites, just knowing that you have visited Amazon tells you something about what you intend to do. If you have the other addresses that were used to access the site, then you would know exactly what someone was doing.
Brandis and Abbott could have saved themselves some angst and caused less confusion if they had talked about IP addresses rather than web addresses, or URLs. If it is the intention of the security agencies to record the numeric address of the sites people visit, then that is different from the text address which encodes other information. The problem with recording a number like 220.127.116.11 (the IP address of https://docs.google.com) is that it can refer to any number of other actual web addresses. So http://cuddlycats.com could be at the same IP address as http://facebookforterrorists.com.
However, it is not clear that the Government is proposing keeping just the IP addresses and it is far more likely that they mean the URLs.
Other arguments that have been put forward have been that keeping the address of the site is different from the browsing history. Again, this shows a fundamental lack of understanding of how the basics of the web works. If you search for something on Amazon, you will click on a link and are likely to go straight into the site with an address like http://www.amazon.com/Best-Sellers/zgbs Although you could make an attempt to strip off everything other than www.amazon.com, it is unlikely that this will be the case and the entire URL will be kept. The processing required to analyse and make sense of URLs is not trivial and is going to prove even more burdensome than simply recording the entire URL.
It is of concern when politicians (and business leaders) talk about technologies that they clearly don’t understand and then try and argue the merits of. At best it ends up confusing and alarming industry and the public, at worst, it signals another activity that is going to threaten privacy and end up as another form of “Tax” that consumers will be asked to pay. If ISPs have to collect this data, it will prove expensive to manage and that cost will be passed on to their customers.
In terms of the benefits, will this help catch terrorists? Again, in a word, no. The average high school student understands how to use technologies to get around filters that block certain sites. The technology they use, called proxies and VPNs, allows anyone to browse whilst masking what they have been browsing. Using technologies like Tor someone can go even further to mask what they are doing.
The idea that the cost of this proposed system, even if the Government can get the design clear would justify what they might find is a very long stretch.