Monday, 04 May 2015 21:42

Telstra to appeal Privacy Commissioner metadata ruling about personal information


Ben Grubb, Fairfax technology journalist, requested Telstra provide his metadata. What followed has been an almost two-year journey which is not over yet, with Telstra set to appeal a Privacy Commissioner ruling. At its heart is the question of just what constitutes personal information.

Grubb is a Telstra customer and, under metadata retention legislation, Telstra records information about its customers. Not the actual content of phone calls - that's "data" - but the information about those calls, and about location, and duration, and so on. That's the "meta" part of "metadata", coming from the Greek word "meta" meaning "after" or "beyond". In English the term has come to mean "about". So, it is the information about the actual data while not being that raw data itself.

The Government has passed metadata retention legislation. According to Ben Grubb the RSPCA, local Councils, ASIO, the tax office, law-enforcement agencies and other organisations can obtain phone and Internet metadata information. So Grubb sought to obtain his own metadata.

Telstra stated Grubb would need to issue a subpoena. Not having the funds to do so, Grubb appealed to the Privacy Commissioner. This began a fascinating and landmark journey that ultimately ended in Grubb's favour. Yet, Telstra is now poised to appeal that decision.

What does metadata tell you? It won't divulge what you discuss with your Doctor, because such a phone call is the underlying data. It will, however, reveal you phoned your Doctor, and when, and for how long, and where you were roughly physically located at that time. It won't divulge what you discussed with your insurance company but will similarly reveal that you phoned your insurance company, and when, and for how long, and where you were. Perhaps inferences can be made if you call your insurance company immediately after calling your doctor.

According to Grubb, Internet metadata may also be stored which potentially records websites you have visited, who has e-mailed you, who you have e-mailed and more.

Grubb states this type of information is accessed by agencies without judicial oversight some 330,000 times every year.

Yet, according to Telstra, Grubb himself should not have access to his own metadata.

Grubb was motivated to make his request on 15th June 2013 after considering Edward Snowden's revelations about the extent of spying by the U.S. and other spy agencies.

He thus requested Telstra provide him with all the metadata stored about his mobile phone account. He reminded Telstra they were obliged to do so under the National Privacy Principles of the Privacy Act 1988. Since Grubb's journey began these principles have been replaced by the Australian Privacy Principles. Ultimately, and either way, the principles govern how individuals' private data is to be handled by Australian Government agencies and some private sector organisations. These are freely available from the Office of the Australian Information Commissioner.

Of particular interest to Grubb is the right the principles give Australian citizens to access their private information from a company, and to have that information corrected if it is erroneous, incomplete or outdated.

After some to and fro, where Grubb had to chase up a response, Telstra ultimately refused access and stated a subpoena was required.

As a regular person, not a high-wealth individual nor a business, Grubb wasn't in a position to sue Telstra and get a court-issued writ, so he complained to the Federal Privacy Commissioner with the argument Telstra was breaching the Privacy Act.

This began a lengthy journey during which time Telstra approached Grubb and provided him a printed and bound record of his phone bills dating back to January 2011. An accompanying CD included more granular information such as which mobile phone tower he was connected to when making calls. Yet, this did not answer all of Grubb's request, and was simply information which he mostly already had access to online.

Grubb's hearing took place in October 2014 before Privacy Commissioner Timothy Pilgrim, at which time Telstra argued the company's belief that his metadata is not personal information because it is not information about an individual whose identity can reasonably be ascertained from the information in isolation. Yet, this author notes, that information does centre around Grubb's mobile phone number.

Additionally, it must be noted Attorney-General George Brandis' department explicitly called metadata "personal information" when, in an unrelated matter, journalist Josh Taylor submitted a freedom of information request for George Brandis' metadata.

Telstra argued that identifying, gathering and providing this metadata access would be difficult, time consuming and costly, and this would adversely affect its network operations. Yet, this very information is provided regularly - daily - to Government agencies for a fee - a fee that Grubb states he would have been prepared to pay.

Telstra argued that part of providing this full metadata would include identifying who has called his number, and it must be noted this information is not included in telephone bills. Telstra stated providing such information would breach someone else's privacy if they called from an unlisted number. To this point Grubb agreed and stated Telstra should remove unlisted numbers from the metadata, though Telstra replied that would be too difficult to do, a claim which seems difficult to believe.

Late last week Pilgrim made his ruling that Telstra had in fact breached the Privacy Act 1988 by failing to provide the complainant with access to his personal information. This ruling was published today and stipulates Telstra must provide Grubb with access to his personal information held by Telstra in accordance with his 15th June 2013 request.

This information includes IP address information, URL information, cell tower location, the mobile phone number of a text he received, the time it was received, who phoned him, who he phoned and so on.

Telstra's Chief Risk Officer, Kate Hughes, blogged that the company will seek a review of Pilgrim's decision, making the assertion this determination requires Telstra to go well beyond the lawful assistance provided to law enforcement agencies, and that it goes beyond what Telstra must retain under the Government's data retention regime.

Hughes states the ruling has broad implications for the Australian economy and an impact on the evolution of new technologies, and Telstra thus requires clarification on important points, which, she states, will be gained through a review process.

Pilgrim's ruling states "If an organisation holds personal information about an individual, it must provide the individual with access to the information unless an exception applies to the information in question. There are no exceptions to the obligation to provide access that are relevant to the metadata sought after by the complainant which Telstra has labelled 'network data'. Accordingly I find that Telstra's refusal to provide that information in breach of [the Privacy Act]."

The Communications Alliance has sided with Telstra stating a decision that all metadata is personal information will layer additional costs and complexity on telecommunications service providers, but offer no tangible benefit in terms of protecting privacy.

The Alliance asserts that a decision which claims every single trace of network data, no matter how obscure or unintelligible, is captured under the Privacy Act is impractical, unnecessary and will be costly for industry to manage.

"This is a stark example of regulatory overreach," the Alliance states.


David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.


