Your Metadata Isn't Private Personal Information, Federal Court Decides

Image: iStock

A long-running case on whether you're allowed access to view your own mobile phone metadata -- retained by Australia's telecommunications companies for government snooping, including comprehensive call logs and location data -- and whether that data is classified as "personal information" has come to an unceremonious end.

Australia's Federal Court has put a stop to a final attempt by Australia's peak privacy advocates to restrict the retention and access of information by Australia's telcos, and the judgment will have wide-ranging implications for what information is considered personal under the terms of the Privacy Act.

Spies Can Access My Metadata, So Why Can't I?

The judgment, delivered earlier this morning by the full bench of Justices Dowsett, Kenny and Edelman from Victoria's Federal Court, dismissed the appeal made against Telstra by the Privacy Commissioner just over a year ago. With that, the matter has been closed and a final ruling laid down on a long-running test case.

In 2013 Ben Grubb, at the time a technology journalist and editor at Fairfax Media, petitioned Telstra for access to the same metadata that Australia's largest telco already retained for access by government agencies on request, but was rejected by the telco's own privacy department. A complaint to Australia's Privacy Commissioner led to a protracted court stoush.

In May of 2015, the OAIC Privacy Commissioner Tim Pilgrim ruled that Telstra interfered with Grubb's privacy by failing to provide him access to the metadata, a position that Telstra immediately appealed. That appeal was upheld by the Administrative Appeals Tribunal, and then escalated to the Federal Court after the Privacy Commissioner appealed that.

In the appeals process which saw the initial ruling overturned in favour of Telstra, AAT deputy president Stephanie Forgie likened the metadata situation to her own car's service history, saying that the records kept at a mechanic responsible for maintaining the vehicle were about the vehicle but not the owner of the vehicle: "It is information about the car, or the repairs, but not about me".

Telstra's essential position was that the metadata attached to Grubb's mobile phone number and Telstra account was not metadata specifically about Grubb; it was "not information about an individual whose identity can reasonably be ascertained from the information in isolation". Instead, the metadata that Telstra retained -- and continues to retain -- is in reference to the account but not the account owner, even if the owner is inextricably tied to the account.

The Court's dismissal of the appeal and finalising of the existing judgment today effectively enshrines that into law, drastically narrowing the definition of "personal information" under the Privacy Act.

The Australian Privacy Foundation pushed hard, including in submitting documents to the Court, for telecommunications metadata to be classified as personal information under the Act -- saying its "highly revelatory" and valuable nature, as well as the potential for deidentified metadata to be re-linked with individual profiles through data matching, should necessarily impose limits on its collection and use by governments and private enterprises alike.

[ComCourts / AustLii]

What The Police Can Get From Mobile Phone Tower Data

WATCH MORE: Tech News


Comments

    Stephanie Forgie likened the metadata situation to her own car's service history, saying that the records kept at a mechanic responsible for maintaining the vehicle were about the vehicle but not the owner of the vehicle: "It is information about the car, or the repairs, but not about me".

    If that is the case, then if there is evidence of (say) terrorists acts, is the computer involved going to be dragged to the witness box and tried?

    No? Then when is something that is characterising me as a person not considered personal information?

    Thank you, courts, you have done what was deemed perviously impossible; you have made the meta-data retention even less accurate.

      Restricted access to your metadata is not a problem when you find a way out that stops data retention. Encryption is the way through which you can evade metadata retention.

    It reads like it's ok to stick a webcam in a public toilet cubicle because the cubicle could be used by more than one person. Therefore it's use is not personal/private to one individual (so long as users' faces are not recorded).

    And no reasonable person would expect their use of a public toilet cubicle to be private!

      What about tracking people through facial recognition? Surely a person's face is irrelevant in these circumstances. You're not actually interested in who's doing what, just what they're doing.

      Great news if you're into vigilantism. Citizens on patrol!

    And if the Attorney General manages to sneak the changes to meta data retention to allow access by litigations... other people would have more rights to access your information THAN YOU DO!!!

    Opposite to that if you can prove your phone is your metadata... whats to stop someone accessing the data of a phone they OWN but dont use.

    Example your employer owns your work phone, a husband that has all the family phones under their name. Is my wife cheating on me? quick to the metadata.

      Employers/Husbands have access to itemized bills for calls and texts anyway, which is plenty to catch a typical indiscretion, just ask my father. If the subject is cheating/about to jump ship and are doing it properly, they'll use a second service in their own name, or a fake name.

        Itemised bills dont cover data access or emails... but I was using that as an example that metadata isnt your private data its anyobe who uses that computer /phone / access point.

      Yeah, correct me if I'm wrong but the article is about the right to access your own metadata?

      So you have no way to check whether there is something dodgy going on with it until it's too late.
      "Records show you made 37 emails to known Isis agents 18 months ago."
      "What? Who? Shit I can't remember what I was doing last week. How do I remember that? Do you have the emails?"
      "Nope. But the meta data is enough to get you dragged in for questioning. Come with us!"

        You have a right to access your personal information including your billing history, the recorded name on your account and activity that occurs on your account.

        Telecos, in their day to day business operations, record more information about their network, including which cell towers a text was sent from and where the recipient was at the time. You don't have a right to access that information out of idle curiosity because it's not your personal information.

        As for being 'dragged in for questioning' no State in Australia has laws that allow police to arrest a person simply for the purpose of questioning them. You're watching too many US TV shows.

          Hello,
          I was arrested for questioning in regards to a crime that was committed. I know the law states that you are not to be arrested merely for questioning, but courts do not throw out cases for that, and you used to have a right to silence too. If you exercise that right, you are arrested for non-compliance and conveyed to a police station for further questioning. Too much US TV? No, that would be a fair slur if skrybe had said you had Miranda Rights and the right to an Attorney. In Australia, we have no rights, and rely on the integrity of the Police, courts and government to remain safe from unlawful and intrusive searches and arrests. Not always a successful strategy, as the Royal Commission made clear in 1995-1996.

            If you truly believe you were arrested for no reason other than for questioning lodge a complaint with the Ombudsman or any oversight body in your State that deals with this matter.

            Then sue the State police force. Then buy a solid gold flava-flav clock with the money you made.

            If you're right, you will make a fortune. If you're lying when you make a formal complaint, you'll be committing a criminal offence and subject to up to 2 years in gaol. If you're simply mistaken then you'll be explained why you're wrong and sent on your way.

            You CANNOT, and WILL NOT be arrested for the single purpose of being questioned. This is so fundamentally true that if you're guilty of a crime you should BEG for the police to arrest you merely for the purposes of questioning, as the case will collapse at Court and you will get away scott-free.

            We'll take an example, NSW (because it's the most populous State), here is the section listing all the reasons you can be arrested without warrant. Note "Cause he didnt say nuffin" isn't on the list. Illegal arrests taints any evidence located upon arrest and can lead to unlawful imprisonment and malicious prosecution findings which make falsely arrested people very rich.
            http://www.legislation.nsw.gov.au/#/view/act/2002/103/part8/sec99

            'Miranda Rights' in the US are not actually rights, they're a procedure that police in the US are required to inform you of two already existing rights, including the right to silence and the right to speak to legal representation. Australia has exactly the same thing.

            Again, because I don't know where you're from we'll go with NSW again. Here is the 'formal caution' required to be given before anything you tell police can be used in evidence in Court. The law is actually written to say that any admissions a person makes is automatically deemed improperly gathered UNLESS they follow the rules set out.
            http://www.legislation.nsw.gov.au/#/view/act/1995/25/chap3/part3.11/sec139

            As for a right to a lawyer, you do. Again, back to NSW. Here's a list of rights (and responsibilities) on every person in custody in NSW, including your right to speak to a lawyer. You get read these rights and sign a piece of paper saying that you understand them on at least 1 occasion whilst in custody (though generally at least twice). Every time you are read these rights it is recorded electronically on either voice, video, or both.
            http://www.legislation.nsw.gov.au/#/view/act/2002/103/part9

            The Act that most of this is taken from (which codified existing laws) was enacted in 2002 and hasn't changed significantly since then. Unless you're talking about things that occurred 20+ years ago then I can't really comment because my knowledge only extends to the turn of the century.

          At what point did I say arrested? Being dragged in for questioning doesn't require a charge to be laid. My neighbour was grabbed in one of the recent drug swoops because of association. A friend of his friend apparently had bikie ties so he himself was two steps removed, yet he was dragged out of bed at about 5am one day by armed police taken away for questioning and released hours later. They wouldn't even drive him back home.

          It's pretty easy to see that it happens in Australia regularly, especially when there's a hint of "terror". Watch the news and you'll see people swept up as "terror suspects" without charges laid and held for questioning.

          Anyway, I wasn't talking about the billing information your telco holds. I was talking specifically about the metadata being held for the govt. This is different and above what they normally hold for billing purposes. The article reads (to me at least) that you cannot access that information, and you should be able to.

            I'm sorry but you have confused a number of different points.

            There is no such thing as "dragged in for questioning". You go to a police station only two ways. 1) Voluntarily, 2) You're under arrest for a crime.

            Arrest and charge are two separate processes. Arrest is the process of being deprived of liberty, charge is the formal process of sending a person to Court to answer for a crime they're alleged to have committed. You can be arrested and released without charge, you can be arrested then charged and you can even be charged without being arrested (i.e. being summoned to Court).

            If you are arrested you are required by law to be invited to answer questions about why you've been arrested. You are under no obligation to answer any questions, but police are obliged to ask you. The reason they're required to ask you is because there may be a very good reason for your behaviour and each arrested person is entitled to answer any allegations against them. So being arrested and being questioned almost always occur together, but they are different things regardless.

            So your friend being dragged in for questioning was arrested and released pending further investigations. That means police suspected that your friend had committed an offence and their arrest was justified for one of the number of reasons (Note: 'for questioning' is not a reason). They were then released without charge as police felt they did not have (at that stage) enough evidence to prove beyond reasonable doubt that they were guilty of an offence.

            "I was talking specifically about the metadata being held for the govt". Metadata is NOT HELD BY THE GOVERNMENT. 'metadata' is a business record held by whatever business generated it. So information about Telstra's subscribers and Telstra's network operations are owned by Telstra and stored by Telstra. Just like your tax business records are held by you, Bunnings hold their own business records and so on.

            Police agencies can request Telstra send them singular bits of data held by that company for a specified purpose. So if a person receives threatening text messages from an unrecognised number, police can ask Telstra to send them the subscriber details of that particular phone number.

            Police don't have access to any of these databases. Telstra and other Telcos maintain their own records and when they receive a request for information, they search their own databases, pull out the small amount of information requested and send it over.

            Also, just a nitpick, the Government and police are different. The Government has no legislative power to access any of these records, police do.

      This is straight out of John Brunners dystopian novel Shockwave Rider - a brand new reason for paranoia, what does someone know about you that you dont know?

    Glad its so tough to get metadata... hope the AG doesnt errode that to please anti piracy litigations.

      Are you kidding? Of course the MPAA et al will, in due course, have unfettered access to everyone's metadata (if you have done nothing wrong then you have nothing to fear).

    This is just a test to see if I can post as a guest, because I sure as hell can't post using my log-in.

    By that logic, does that mean metadata can't be used against me as evidence for alleged criminal acts if activities on a particular account isn't necessarily linked to the owner?
    You can't have it both ways.

      Proof will also be on you using tat device / access point at that time.

      Like a speeding ticket, the owner of the vehicle gets the notice and the penalty goes to the driver of the vehicle, so the owner can turn around and prove they aint driving (usually by dobbing in the person that was) like with log books etc.

      If the police suspect your device was used for a crime one of the first questions will be who had access to it.

      The ruling does kind of cement that opinion that a person is not their phone.

        Wouldn't you be able to claim someone borrowed your device, left the wifi hotspot on or someone stole your phone to get around that argument?

          Sure, it works all the time at Court as a defence.

          "I didn't breach my AVO Your Honour. I was drunk at a party and someone got hold of my phone and typed out a text to my Ex."

          Gets people off all the time. The Courts have repeatedly stated that a text or other activity from a device does not conclusively prove who was using the device at the time.

      That is a valid assertion, and I would love to see it tested in court. Hypocrisy in this situation as espoused by the Court that dismissed the case, is merely a lie to convince us that we are safe from prying eyes.
      The truth will be suppressed, and when someone is harmed by this intrusion into our privacy, there are laws in place to gag any dissenting comments.

    Sheesh...

    I wonder how long it will be before they start to sift metadata to catch potential breakages of the law...

    This could potentially get all minority report shit if you started applying algorithms against search patterns etc.

      Law enforcement agencies in Australia don't have access to the data in that way.

      'metadata' are business records held, maintained and stored by the businesses that generate them (the telcos and ISPs).

      Police can request, one and at time, access to specific bits of the information if, and only if, they can demonstrate a specific need for that segment of information. Law enforcement make requests like "Who owns this phone number?" and "Can I have a copy of Customer X's phone bill for the month of June."

      So there's no ability (or need) to 'sift' and there's no searching through phone records. Just like the cops don't have carte blanch access to KFC's customer database either.

      In the US, the NSA had access similar to what you were describing above with the US phone companies. Though that program has since folded. It doesn't work that way in this country.

    Wonder if all those people who voted LNP feel good about their decision.

    Increased cost of living,
    Centrelink sending out false debt notices to the poor potentionally causing suicide
    No action on SSM

    And now this.

    Let the telco's have the metadata - why worry? Facebook, Microsoft, Google, Yahoo, etc.. always have a substantial about of it in other forms.

    If you're overly concerned, use encryption over these mediums; PGP for email, Signal as a messaging/calling app, etc...

      That just makes you look worse. Instead of meta data saying this dude sent a bunch of plain text emails it's likely to say he sent a lot of encrypted messages. And remember in the govt's mind encryption = terrorism or paedophilia, or both.

        I was more on the notion of the people up in arms over this, but in the vein probably don't bother to read the privacy statements for apps/services and are being tracked, profiled, data-mined, if not worse.

        You raise an interesting point, but how's it any different to someone VPN'ing all the time - worse, their activities are masked.
        The difference is, this sort of behaviour probably wouldn't flag any concern/wrongdoing...

        There's no utopia with encryption; as much as it helps the innocent, it's as equally resourceful to the evil - this is why back-doors are constantly desired by the Five Eyes...

        Last edited 20/01/17 5:18 pm

          Which of course reinforces the point - if it's encrypted the govt think you're a bad guy.

          I don't bother with encryption for standard emails, but if I was doing business/research and worried about leaks I'd definitely be doing it, even on fairly basic email. Plenty of good, legitimate reasons to want to use it that don't involve terrorism. Heck, it could be for nefarious means like cheating on your partner, but that still doesn't mean the police/NSA needs to see it :)

            Point taken and I agree, use when appropriate :)

            In any case, the authorities can look through my emails on request - my correspondeces on catching up with mates for lunch and bills are quite interesting...

              I think that's what most people feel. Like you highlight "On request", not whenever they feel like it. I wouldn't be worried about them seeing my correspondence either, but I'd rather they had to go through a warrant procedure (like phone tapping).

                The issue with only encrypting when needed, is that it calls you our as "needed". If however you encrypt all the time, and everyone encrypted all the time, it wouldn't be suss. Checking the weather, or reading Gixmodo: encrypt. Eventually the ISP data would be worthless.
                The reality is that the people who this data is catching out are not the high value marks. Those people buy second phones at coles, and anon credit cards at the post office. We never catch the real baddies, we just eat away at our rights.

        That probably explains why the government and police encrypt all their data and communications.

    Just to be clear, this ruling means that you do not have a legal right to access telecommunications company business records. The journalist was attempting to say that business records generated by the use of his Service were considered his personal information. This included business records such as which cell tower the receiver of text messages sent by the journalist were connecting to. The Court disagreed.

    The journalist could still access private information held about them by the telco including records on their name and address and billing information, but that wasn't the information they were after.

    The Court decided that the particular records the journalist was after were not personal information and therefore he didn't have a right to access out of idle curiosity. Just like you don't have a legal right to walk into JB HiFi and look through their business records.

    You (and that same journalist) still have the ability to subpoena the records if you need them in a Court matter. You just can't access them for idle curiosity - and neither can police.

    Last edited 21/01/17 4:19 pm

Join the discussion!