Data Retention
Protection Guide



Alert: Australia's Data Retention regime started on 13th October 2015. Your data has been retained since at least ... !

What You Can Do

The new impending Data Retention regime in Australia puts you and your family's privacy at risk. To assist in preventing your personal information from falling into the wrong hands you should take action to protect yourself now. What follow is a simple guide to some sample technologies that can help protect your privacy.

For more in depth information on protecting your privacy that goes beyond this guide, a good starting point is the EFF's "Surveillance Self Defence" site. In fact, many of the links below in regard to specific items will send you there.

Please note that this guide is intended for average everyday citizens desiring to take some action to protect their metadata from the ubiquitous mass surveillance of the new Australian data retention regime. If you are a journalist, a dissident, a whistleblower or political activist, or have some other higher order threat model, then you should seek further more specific technical & professional advice than this guide.

But for an easily digestible overview of a range of options to minimise your risk from the incoming Australian Data Retention regime, see below.

How to protect yourself and your family from Data Retention

Web Browsing/Internet

Whether you are using your desktop computer, or a mobile device, you should protect your actions from indiscriminate surveillance. Despite claims that data retention does not intend to collect and store your browsing history, any interaction online that is not encrypted will leak private data about you, your activities and connections. The below options will go some way to protect your actions from some aspects of casual surveillance if set up correctly.

Important: How careful you are and what tools you choose to use will depend on decisions you make about your "Threat Model"

browser icons


  • What is a VPN?
    • VPN stands for Virtual Private Network.
    • VPNs work by creating an encrypted tunnel between your computer and another server.
    • Your ISP cannot read the traffic in this tunnel; they can only see that you are connected to the server and sending/receiving (encrypted) data.
    • VPNs are widely used in business: they allow people working from home to connect to their office network securely, which is vital for people working with sensitive information.
    • VPNs will also allow you to bypass website blocking from the government's new anti-piracy regime, including any sites that could be accidentally blocked due to collatoral damage.
    • VPNs can also be used to bypass geo-blocking restrictions. What does this mean?

      Have you ever been watching YouTube and seen that "This video is not available in your country" message? That's geo-blocking. If your IP address showed you as coming from country where that video was allowed to be seen, you could watch that video, but for various licensing reasons you cannot. Aside from privacy benefits, getting around geo-blocking to access services that aren't available in Australia had traditionally been one of the key uses for VPNs! (and doing so is not illegal)

      More info:

      For a more comprehensive censorship bypassing guide see here:

    • Using a VPN is legal.

  • Using a VPN
    • The easiest way to use a VPN is to purchase a service from a VPN provider.
    • The provider will manage the server and will usually provide you with software and simple instructions on configuring your connection.
    • Remember that a VPN provider outside of Australia would not be subject to Australian data retention requirements, but may still keep logs of your Internet use.
    • While a little dated, this article may also be of help in further securing your VPN connection:
    • For discussions on VPNs and some tools to help test and use your VPN you may wish to try looking here:

  • Choosing a VPN
  • Downsides & caveats to a VPN
    • You will need to pay monthly fees (although often not very high).
    • It can be slower - your traffic is routed through a server outside of Australia.
    • Content unmetered by your ISP will count towards your monthly quota.
    • Your traffic is only protected until it reaches the server. Instead of trusting your ISP, you are trusting the VPN provider: a disreputable provider could still log and monitor your traffic.
    • It only protects data in transit: if your computer is compromised (e.g. by a virus or snooping software), your data will still be vulnerable.
    • Loss of localised experience: some websites such as Google serve up different content based on your location. When your VPN is located outside of Australia, many websites may behave differently. For example, if using a German VPN connection, a website may give you its German language version.
    • Note: protecting yourself from the Australian data retention regime is not the same as protecting yourself from NSA programs. What does this mean?

      There are a range of NSA programs such as PRISM which collect data from various social media and internet services. This can mean that once you log into a website like Facebook or Google, you could be traceable back to your point of origin utilizing the NSA's PRISM system and other voluntary agreements with the US and other Governments, due to the secretive nature of the systems and the revelations via whistleblower leaks, it would be prudent to assume this data accessible by Australian Authorities. Your level of caution or paranoia on this issue should relate to your threat model. For an average user, this could be an acceptable risk. For a dissident, activist or whistleblower you may wish to exercise more caution. Such as ensuring you never log into one of these services while using your VPN. (Note: if your actions are high risk enough that your freedom or life depends on your anonymity, then you should be using a more complex guide to your security than those available on this page)

      See also Threat Modeling

    • VPNs, while very useful and possibly one of the best front-line defences against data retention are not a magic bullet. For example

      Note that the legislation requires mobile internet providers to log each connection your phone makes, and the location of your device as it makes that connection. On a modern "smart phone", with a VPN turned on, the phone will still make frequent connections (on the order of every few minutes) to check email, push notifications, updates etc. and your location during each of these connections will be logged - there is nothing a VPN can do to protect you from the location-logging data retention issue.

      In addition, please note that this guide is intended for average everyday citizens desiring to take some action to protect their metadata from the ubiquitous mass surveillance of the new Australian data retention regime. If you are a journalist, a dissident, a whistleblower or political activist, or have some other higher order threat model then you should seek further, more specific and more technical & professional advice than this guide.

      VPNs will likely not protect you from a concerted attack or targeted efforts against you specifically.

  • Creating your own VPN
    • Unless you are an expert user and know exactly what you are doing, we would not recommend creating your own VPN.
    • Personally created VPNs may very well suit some people's use cases, with these people being happy to make some compromises:
      • Keep the server and all its software updated, and if necessary spend time recovering from breakages.
      • Generate and keep secure very strong certificates and keys.
      • Know that they're easily identifiable, should someone in their host country be listening.
      • Be comfortable knowing they aren't able to physically secure the server running their VPN.
    • You will however at least know for sure that the VPN company isn't keeping and sharing the logs with the NSA or ASIO, since the 'company' will be you. However this presumes any third party servers you use, or your own systems are secure and not compromised.
    • As unlikely as it is, content companies would love the government to ban the use of VPN service providers.
    • If you insist on trying it, here's a guide: - But do so at your own risk, and do your research.


  • Tor stands for The Onion Router.
  • Tor uses a wide network of voluntarily participating nodes to distribute your traffic to a number of anonymized exit nodes.
  • i.e. it Tunnels your browsing through several other nodes.
  • Makes it harder for someone to monitor your activities.
  • Is censorship-resistance due to how the protocol works.
  • Here's a Guide for Installation and usage:
  • Warning! There are some things Tor does not do. It:
    • Does not guarantee anonymity.
    • Does not protect you from unencrypted communication tampering at exit nodes.
    • Does not do operational security for you.
    • Tor can be slow. What does this mean?

      Due to its voluntary nature, whilst it is free and generally reliable it can be slow, frustratingly so, and is not recommended for high volume transmissions like file transfers, peer to peer (torrents) and the like. It is recommended to limit Tor use to web browsing if possible and to stuff you really wish to keep private. Because Tor is relayed through many extra locations and countries to disguise the true source of travel the distance travelled by the data is greater and goes through more 'hops' to get to you.

      A more detailed explanation is here:

    • It's not particularly safe to log in to your regular services with Tor, as the "Exit nodes" are impossible to trust with any of your credentials. Tor is for anonymous browsing, not every-day browsing that you want to keep private.
  • Tor is also available for Android mobile devices:
    • It is available for Android tablets and phones ONLY, via the Orbot package available on the Android Market.
    • Tor is NOT available for iOS Tablets and Phones, and any app you see on Apple's App Store claiming to be a Tor client at this stage is most likely a dangerous fake.
  • Note: please don't use Tor for data intensive activities like torrenting, streaming HD video or large innocuous downloads. Some people rely on Tor for their safety and protection from oppressive regimes and while more Tor users are useful, unnecessary congestion on the network could make things a lot more difficult for people who rely on it.
  • Also: Use Tor at your own risk. Using Tor itself is enough reason to flag you for further attention from security agencies and could increase the likelihood they may pay closer attention to your activities by presuming you have 'something to hide'.

  • If you are concerned enough about your privacy to use Tor you may also wish to consider using a specialised privacy protection oriented operating system, for example "Tails".

Tor Animation video from

How Tor works diagram from EFF

Beyond the basics: More privacy protection tools

If you are worried about Data Retention, then you may also be concerned about other means by which companies, security agencies, governments and so on can track what you do and build a picture via your online activity.

Even if the current definition of what is to be retained under the data retention regime is limited to certain information, there is the likelihood that this definition will expand at a later date. Additionally there is the threat that innocuous activity could inadvertently raise suspicion through false positive identification. This could in turn increase the amount of warrants issued on innocent people, warrants which will then cause the retention of extra content in relation to these people. Thus, average users could be more likely to come under the increased scrutiny of a preservation order so protecting data that is outside the purview of the mandatory data retention regime may be advisable.

Keeping these expanded threats in mind, there are some other general tools and practices that you may also wish to start employing as a result of the new data retention regime and a general increase in surveillance of communication activities.

(Don't forget there are also the wide ranging NSA programs, copyright violation monitoring, censorship efforts, and criminal activities such as identity theft, in addition to our new domestic data retention regime).

This article from the Sydney Morning Herald gives a general overview of why just masking your IP address through a VPN may not be enough to protect you: Will Australia's metadata retention scheme track your digital browser fingerprints?

browser icons

General Good Online Practice

    • HTTPS Everywhere.
    • A simple browser extension made by the EFF.
    • Will automatically push your browser to the HTTPS URL when a website supports HTTPS.
    • This forces an encrypted connection when connecting to a website that supports such encryption.
    • Guide for Installation and usage:
    • Mobile support is available for this extension only for the Firefox Browser, and only on Android devices.

  • Ad-blocking

    Note. This section is under review. Adblock has been sold and there are questions in regard to how much it should be recommended now due to the "acceptable ads" program and other reasons.

    In the meantime uBlock Origin has been suggested as an alternative:

    • Adblock or Adblock plus.
    • These are Browser extensions.
    • Despite name similarity, they are separate competing software products.
    • Blocks popup ads, some ad banners and some tracking.
    • Blocking ads and associated items like tracking cookies etc will cut down on the amount of 'metadata' you generate and assist in protecting your privacy.
    • Adblock:
    • Adblock plus:

  • Tracker Blocking
    Note: tracker blocking plugins often break the functionality of image galleries, video playback, commenting/discussion systems and social media widgets. You may have to whitelist trusted websites.
    • Ghostery
      • An add-on for your browser which detects and blocks tracking which a website may be trying to do.
      • Ghostery is proprietary, but cost-free.
      • Available for all major browsers.
    • Privacy Badger
      • A browser extension for the Firefox and Chrome that will block all non-consensual tracking.
      • Privacy Badger is open source, cost-free, a project of and in Beta.
      • As the Tor Browser is based on Firefox, Privacy Badger will also work with that.
    • Disconnect
      • A browser extension which blocks advertising, analytic and social media requests which are without consent.
      • Disconnect is open source and cost-free. Disconnect also offer additional non-free services, like limited VPN access.
      • Disconnect is available for all major browsers.
https everywhere logo


The proposed Australian Data Retention regime does not purport to retain the contents of your email communication. Whereas the key methods for protecting your email communication will primarily protect the contents.

The proposed Data Retention regime will however potentially store the time you send an email, to whom you send it, what path it travels to get there, from where you sent it and the subject. The means of protecting this information starts to get beyond the scope of this site/guide.

While one could argue it is not 'necessary' to protect the contents of all your email with the below methods, you should always be aware of the potential for harm should the contents of emails become public or fall into the hands of unintended recipients (especially emails that contain sensitive information). Keep in mind that there are also a range of other government programs outside of Australia that may seek to obtain your email contents. However the encryption of all your emails, especially for an average user, could be considered overkill. Your levels of desired protection should reflect your threats and the contents of your emails.

For the various reasons detailed above, we will not go into too much detail on protecting email. But due to common queries about protecting emails, we provide some information and links below.


Other services

Technically if you use an offshore webmail provider such as gmail, your data will not be included in the data retention regime, whereas if you use your local ISP email services it will be.

Anyone can see the issue with this insofar as any purported effectiveness of the data retention regime. However, don't forget that many services such as gmail may be accessible to Australian authorities via information sharing agreements with US agencies as part of the five-eyes surveillance programs. Also note, that if you use your foreign hosted email to email someone using an Australian hosted service, then that metadata will be available via retention of your recipents data.

This is an ever changing area as email services come and go, and so we will not provide any specific product or service recommendations here since what is ostensibly safe today, may not be tomorrow. If your personal threat model requires security of your email contents and metadata then we suggest you get further advice beyond this guide.

Some general information, articles of note are provided below:

Encrypted Phone Calls

There are a number of services like Wickr (as used by Malcolm Turnbull recently, he has since moved on to Signal) which provide endpoint to endpoint encryption; or encryption between their servers and all endpoints. These provide an unknowable level of protection and it cannot be guaranteed that there are no backdoor agreements between these services and any governments.

One should be especially careful when using a service that does not run on open source or freely auditable code as you are placing trust entirely within the organisation to deliver what they advertise. There have been examples where a company claims to protect your security and privacy have been found wanting when exposed to closer scrutiny.

The value of these services is often pinned on your trust of the company in question. The below apps are widely considered the best options at this time (but make your own judgement call).

for Android

  • Redphone
    • Android mobile app that allows for encrypted voice calls.
    • Uses wi-fi or data connection.
    • Allows you to use your mobile phone number.
    • Made by Open Whisper Systems.
    • Free and open source!
    • Uses end-to-end encryption, forward secrecy. What does this mean?

      End-to-end encryption (E2EE), which is non-certified or uncertified, is a digital communications paradigm of uninterrupted protection of data traveling between two communicating parties without being intercepted or read by other parties except for the originating party encrypting data to be readable only by the intended recipient, and the receiving party decrypting it, with no involvement in said encryption by third parties. The intention of end-to-end encryption is to prevent intermediaries, such as Internet providers or application service providers, from being able to discover or tamper with the content of communications. End-to-end encryption generally includes protections of both confidentiality and integrity.

      In cryptography, forward secrecy (FS; also known as perfect forward secrecy, or PFS and also key erasure) is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future.

    • Note: Can only encrypt calls between two RedPhone users (or RedPhone and Signal users).
    • Familiar interface, get from the Play Store.
    • Guide for Installation and usage:

for Apple iOS

Encrypted Text Messaging

for Android

for Apple iOS

  • Signal
    • Signal 2.0 has recently been released for iOS that now includes TextSecure support.
    • More information:
    • Get it from the Apple App Store.
    • Note that they are phasing out support for encryption for traditional SMS/MMS, so if you use signal to send standard SMS text messages they will not be encrypted. But you can get the same functionality by using Signal to send and receive "TextSecure" messages in encrypted formats.
      More info: So please make sure you are aware of which version you are using and what it does and doesn't encrypt.

Other options

  • The Electronic Frontier Foundation have released a Secure Messaging Scorecard for voice and text messaging apps.
  • Telegram rates well on this scorecard, and is open source, cost free and available on all for all major mobile and desktop operating systems.
  • There are also proprietary and for-fee services available, like that offered by Silent Circle.

Encrypted Instant Messaging

for Windows/Linux

  • Pidgin + OTR Plugin
    • Open source "universal chat client".
    • Can be used with Google Hangouts/XMPP, Yahoo, and apparently Facebook accounts.
    • With OTR you get end-to-end encryption and forward secrecy. What does this mean?
    • Note that OTR is a separate plugin that you need to obtain separately and add to Pidgin.
    • Guide for Installation and usage:
    • Note: OTR will not provide secure end-to-end encryption if you're the only one using it. Make sure those you talk to also install the plugin.

for Apple OSX

  • Adium + OTR Plugin
    • Adium is a free and open source instant messaging client for OSX.
    • It is based on the same core as Pidgin but has a shiny Mac interface.
    • OTR is a protocol that will encrypt your conversations.
    • With OTR you end-to-end encryption, forward secrecy. What does this mean?
    • OTR comes built into Adium, you do not have to install it as a separate plugin.
    • Guide for Installation and usage:
    • Note: OTR will not provide secure end-to-end encryption if you're the only one using it. Make sure those you talk to also use OTR.

for Mobile (Apple iOS/Android)

Disclaimer: Note that all of the above products, options, tools and technologies are part of a fluid and everchanging field. The information above is accurate to the best of our knowledge at time of writing, however products change, technologies change, threats change. Securities get compromised and new best practices appear with regularity. Please view the above as a series of introductory options. You alone are responsible for your security and you should ensure you do your own research into the best options and tools for your own unique situation & needs. Please double check the current status of any of the above options before trusting them with sensitive communications.

Authorised by: D Judge, Party Secretary, Pirate Party Australia
65 Burg Street, East Maitland, New South Wales, 2323, Australia

Copyright © 2015 Pirate Party Australia Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License
This site does employ the use of analytics code so we can get an idea of traffic numbers etc... oh the irony. ;-P