Simon Palombi is a Master of Laws candidate at the University of Sydney.

When news broke that the US National Security Agency has been collecting meta-data off social networking and telecommunications companies, discussion instantly turned to whether PRISM, the NSA's data collection program, was an overreach of power. Some condemned it as a severe breach of privacy while others shrugged their shoulders.

It is important to understand the legal reasons why programs like PRISM have come to exist; why metadata, and a streamlined approach to obtaining that data, is valuable to law enforcement.

In most criminal codes, terrorism offenses are written as inchoate offences. This type of offense looks to the conduct done (planning) rather than the substantive act (attack) in order to establish criminal liability. In essence, an inchoate terrorist offense ensures that preparatory actions towards a terror plot, regardless of whether an attack occurs, are acts of terrorism that can send an individual to gaol for life.

Understandably, law enforcement must work extraordinarily hard to prove the offence beyond reasonable doubt; it's not easy to send someone away for life when a robust judiciary is on watch. This is where metadata comes into play.

For example, say an architect obtains the plans of the Sydney electricity grid. He then sends faxes about chemical prices for a detergent manufacturing business he wants to start. In the meantime, he sets up a post office box under an unregistered business name. These are seemingly innocuous and certainly not criminal acts. But then, say a co-worker sees something suspicious on the person's computer screen and alerts the authorities. This constitutes a reasonable cause to suspect, giving the authorities a right to investigate.

A warrant to search the person's metadata, via access to his communications service providers, is then obtained. Through the process of enquiry, the authorities find out that the order for the Sydney electricity grid was made under an alias and a false address, and that an irregular signature was used on the fax to the chemical company. They also find that the person has accessed a server linked to distributing al Qaeda's Inspire magazine and that they have accessed jihadist forums on a regular basis.*

With this extra information, the seemingly innocuous acts now represent a premeditated plan to carry out a terrorist attack.

Now, the elephant in the room is where that metadata is obtained and from whom. Traditionally, law enforcement has relied on communications service-providers handing over a person's metadata when shown a warrant. But what if law enforcement has come to believe that there is a more expedient way to obtain the data, and that having to deal with the service-providers at critical points of an investigation is a hindrance?

This is where PRISM comes in – it's a central storage bank for everyone's metadata; a 'just in case we investigate you' databank. A warrant is still required to access the data, but the process is now mostly in-house.

Since 9/11, governments have believed that the risks of terrorism have come to possess a greater potential for harm, and this has resulted in exceptional security measures and excessive precaution. In this vein, PRISM and programs like it are representative of the clandestine nature of terrorist plots and a shift in the criminal law to a risk management role. And risk management demands surety in the form of having the data in one centralised and accessible location.

The overall legal landscape that has been shaped over the past 12 years has resulted in programs like PRISM. It was inevitable that law enforcement was going to seek the path of least resistance.

*This example is loosely based on the facts of R v Lodhi [2006] NSWSC 691.

Photo by Flickr user atomicshark.