It was metadata that first linked El Sayed to the 2009 terror plot to launch a suicide attack on Australian soldiers at Sydney’s Holsworthy army base, a plot for which he is now serving an 18-year jail term.

Until a fateful phone call El Sayed made on April Fool’s Day 2009, authorities had no idea that the then 25-year-old Australian of Lebanese background would be a key target in their counter-terror investigation dubbed Operation Neath. It was so-called metadata — the information that reveals what numbers were dialled, who owns the phones used and where the calls were made from — that identified El Sayed as a player in the plot to kill Australian soldiers.

The debate over metadata centres on whether telecommunications companies, which collect this metadata automatically, should be required to keep such information for up to two years to assist security and law-enforcement agencies. Critics argue there is no evidence that metadata has helped to capture terrorists and that keeping it for up to two years poses an unwarranted threat to privacy and civil liberties.

Before April 1, 2009, officials did not know that an Australian Army base was being targeted in a terror plot. Their investigation until then had been focused on two Melbourne men, Wissam Fattal and Saney Aweys. Aweys was suspected of helping to organise people to travel to Somalia to fight with terrorist group Al Shabaab. Fattal was suspected of having tried to enter Somalia to join the insurgency.

The Australian army became the focus of the group after five children were killed in a gun battle between Australian special forces and Taliban militants in February 2009. In early March 2009 a program was screened on SBS TV called “A survivors tale: How 5 children were killed by Australian troops”. Two days after the program aired, Fattal discussed the killings with an associate and in mid-March he left Melbourne and went to Sydney by train.

On March 24, 2009, investigators received the first hint that something else might be afoot when Fattal sent an SMS to a colleague that said: “can u give the address of Australian a ... And name of train station.”

Although metadata would have registered the sending of this text, authorities only knew the content of the text because they already had a warrant to monitor it. Fattal was in Sydney for several weeks and, unknown to authorities, planned to case out the Holsworthy base while he was there. On March 27, Fattal received a text saying: “Holdsworthy train station the base is right in front of Macarthur Drive.”

Once again, investigators were able to intercept the content of this text because they had a warrant to do so. Even so, there was no clear way to connect the dots to a planned terror attack.

The next morning, Fattal left his rented room in Lakemba wearing casual clothes and carrying a blue plastic bag and caught the train to Holsworthy. For the next hour Fattal wandered around, walking along the boundary of the barracks and to the entrance before catching a train back to Lakemba. His movements on this day were pieced together later using CCTV footage obtained from the NSW rail network.

Four days after visiting the base, Fattal received a phone call from a mystery number that had not been on the radar of investigators. They requested and immediately received the subscriber metadata to identify who owned the telephone being used to call Fattal, who was their prime suspect. They did not need a warrant to do this.

The name El Sayed came up, but he was only vaguely familiar to them. They knew El Sayed to be an acquaintance of Fattal who was involved in a physical training group with him but there had been nothing in their four-month investigation to suggest that El Sayed had played any role in the plot.

Their curiosity about this potential new player quickly turned to alarm once they received the transcript of their phone call, which had been intercepted because authorities acting on warrants were listening to Fattal.

The two men spoke in veiled terms about the visit to Holsworthy. Fattal told El Sayed that he saw something that is “very easy ... to enter the work is very easy”.

“Thanks to Allah, that’s very good,” El Sayed replied.

Fattal: “I went there, I strolled .’’

El Sayed: “Yeah. be careful, be careful on the ...”

Fattal: “Yeah, yeah, I understand. I strolled, it’s a nice stroll there is work and to enter into the business, for one to do business it’s good.”

El Sayed: “Allah willing. We want Allah to facilitate it for us.”

It was the moment that turned Operation Neath on its head. Investigators were able to link the dots; the plot was no longer about support for Al Shabaab in distant Somalia, but a potential terror attack on an army base in Sydney.

If the Holsworthy attack had been imminent, then the immediate identification via metadata of El Sayed’s role could have been crucial to help prevent such an attack. In this situation, any requirement to obtain warrants to access metadata would have slowed down an investigation with potentially dangerous consequences.

The El Sayed example shows how metadata played an important role in identifying potential terrorists but it is not directly relevant to the proposal that telcos be required to keep metadata for up to two years, because it unfolded within days. However much of the eight-month Operation Neath relied on working backwards through old metadata to identify the wider circle of connections to the three men who were eventually convicted.

More related stories

Opinion

Miners change tune on climate change

Peak mining industry body The Minerals Council of Australia has joined the fight on climate.

Read more

National Affairs

Labor to turn up heat on Taylor

Labor will use the final two weeks of parliament to heap pressure on Energy Minister Angus Taylor.

Read more