As a Telstra customer, and under metadata retention legislation, Telstra records information about its customers. Not the actual content of phone calls - that's "data", but the information about those calls, and about location, and duration, and so on. That's the "meta" part of "metadata", coming from the Greek word "meta" meaning "after" or "beyond". In English the term has come to mean "about". So, it is the information about the actual data while not being that raw data itself.
The Government has passed metadata retention legislation. According to Ben Grubb the RSPCA, local Councils, ASIO, the tax office, law-enforcement agencies and other organisations can obtain phone and Internet metadata information. So Grubb sought to obtain his own metadata.
Telstra stated Grubb would need to issue a subpoena. Not having the funds to do so Grubb appealed to the Privacy Commissioner. This began a fascinating and landmark journey that ultimately ended in Grubb's favour. Yet, Telstra is now poised to appeal that decision.
What does metadata tell you? It won't divulge what you discuss with your Doctor, because such a phone call is the underlying data. It will, however, reveal you phoned your Doctor, and when, and for how long, and where you were roughly physically located at that time. It won't divulge what you discussed with your insurance company but will similarly reveal that you phoned your insurance company, and when, and for how long, and where you were. Perhaps inferences can be made if you call your insurance company immediately after calling your doctor.
According to Grubb, Internet metadata may also be stored which potentially records websites you have visited, who has e-mailed you, who you have e-mailed and more.
Grubb states this type of information is accessed by agencies without judicial oversight some 330,000 times every year.
Yet, according to Telstra, Grubb himself should not have access to his own metadata.
He thus requested Telstra provide him with all the metadata stored about his mobile phone account. He reminded Telstra they were obliged to do so under the Privacy Act's National Privacy Principles of the Privacy Act 1988. Since Grubb's journey began these principles have been replaced by the Australian Privacy Principles. Ultimately, and either way, the principles govern how individual's private data is to handled by Australian Government agencies and some private sector organisations. These are freely available from the Office of the Australian Information Commissioner.
Of particular interest to Grubb is the right the principles give Australian citizens to access their private information from a company, and to have that information corrected if it is erroneous, incomplete or outdated.
After some to and fro where Grubb had to chase up a response Telstra ultimately refused access and stated a subpoena was required.
As a regular person, not a high-wealth individual nor a business, Grubb wasn't in a position to sue Telstra and get a court issued writ he complained to the Federal Privacy Commissioner with the argument Telstra was breaching the privacy act.
This began a lengthy journey during which time Telstra approached Grubb and provided him a printed and bound record of his phone bills dating back to January 2011. An accompanying CD included more granular information such as which mobile phone tower he was connected to when making calls. Yet, this did not answer all of Grubb's request, and was simply information which he mostly already had access to online.
Grubb's hearing took place in October 2014 before Privacy Commissioner Timothy Pilgrim, at which time Telstra argued the company's belief that his metadata is not personal information because it is not information about an individual whose identity can reasonably be ascertained from the information in isolation. Yet, this author notes, that information does centre around Grubb's mobile phone number.
Additionally, it must be noted Attorney-General George Brandis' department explicitly called metadata "personal information" when, in an unrelated matter, journalist Josh Taylor submitted a freedom of information request for George Brandis' metadata.
Telstra argued that identifying, gathering and providing this metadata access would be difficult, time consuming and costly, and this would adversely affect its network operations. Yet, this very information is provided regularly - daily - to Government agencies for a fee - a fee that Grubb states he would have been prepared to pay.
Telstra argued that part of providing this full metadata would include identifying who has called his number, and it must be noted this information is not included in telephone bills. Telstra stated providing such information would breach someone else's privacy if they called from an unlisted number. To this point Grubb agreed and stated Telstra should remove unlisted numbers from the metadata, though Telstra replied that would be too difficult to do, a claim which seems difficult to believe.
Late last week Pilgrim made his ruling that Telstra had in fact breached the Privacy Act 1988 by failing to provide the complainant with access to his personal information. This ruling was published today and stipulates Telstra must provide Grubb with access to his personal information held by Telstra in accordance with his 15th June 2013 request.
This information includes IP address information, URL information, cell tower location, the mobile phone number of a text he received, the time it was received, who phoned him, who he phoned and so on.
Telstra's Chief Risk Officer, Kate Hughes, blogged that the company will seek a review of Pilgrim's decision, making the assertion this determination requires Telstra to go well beyond the lawful assistance provided to law enforcement agencies, and that it goes beyond what Telstra must retain under the Government's data retention regime.
Hughes states the ruling has broad implications on the Australian economy and an impact on the volution of new technologies and Telstra thus requires clarification on important points, which, she states, will be gained through a review process.
Pilgrim's ruling states "If an organisation holds personal information about an individual, it must provide the individual with access to the information unless an exception applies to the information in question. There are no exceptions to the obligation to provide access that are relevant to the metadata sought after by the complainant which Telstra has labelled 'network data'. Accordingly I find that Telstra's refusal to provide that information in breach of [the Privacy Act]."
The Communications Alliance has sided with Telstra stating a decision that all metadata is personal information will layer additional costs and complexity on telecommunications service providers, but offer no tangible benefit in terms of protecting privacy.
The Alliance asserts that a decision which claims every single trace of network data, no matter how obscure or unintelligible, is captured under the Privacy Act is impractical, unnecessary and will be costly for industry to manage.
"This is a stark example of regulatory overreach," the Alliance states.