Your ISP stores 2 years of who you contacted, when, where you were, and how long you talked — accessible to dozens of agencies without a warrant.
The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 forces ISPs and telcos to store 2 years of metadata for every Australian — accessible to law enforcement without judicial oversight.
Telcos must retain: phone numbers called and received, duration of calls, email addresses contacted, IP addresses assigned, location of your device at the start of each communication, and the amount of data uploaded/downloaded. Not content — but everything else. Over 80 government agencies can access this data. Until 2019 even local councils could request it. A 'warrant' from a senior officer (not a judge) is sufficient for most agencies.
In 2020-21, there were 314,000 authorisations to access stored metadata. That's 860 per day. The AFP, state police, ASIC, ATO, and Border Force are the heaviest users. Journalists have had their metadata accessed to identify confidential sources — in 2017, the AFP accessed a journalist's call records to find a whistleblower who'd leaked information about Australia's refugee policy.
Metadata reveals patterns that content cannot. Two years of location data shows where you sleep, who you visit, your doctor's address, whether you attend a mosque or a union meeting, who you're having an affair with. The Australian Federal Police told a parliamentary inquiry that metadata is 'more useful than content' for building cases. And unlike content interception, there's no warrant requirement from a judge.
In 2017, AFP accessed a journalist's metadata to identify a source who'd leaked information about conditions on Manus Island. A subsequent inquiry found multiple agencies had accessed journalists' data without using the special journalist information warrant process. In 2019, the Home Affairs department revealed that metadata had been accessed for purposes as minor as investigating illegal fishing and unpaid council rates.