Category Archives: DATA ACCESS & STORAGE


This is how much access Australian police already have to your data

The Australian government now wants further powers to access encrypted communications, but does it need them?

Police and intelligence agencies already have significant abilities to access data about our emails, phone calls and text messages if we’re suspected of committing a crime, although it can be difficult to tell exactly what they’re doing with them.

The government argues existing interception capabilities are inadequate to protect national security. According to Attorney-General George Brandis, backdoor access to encrypted communications would redress the “degradation of our intelligence capability” to prevent terrorism.

Many Australians are unaware of current police and intelligence powers when it comes to accessing our data. As the government lobbies for new levels of access, that needs to change.

‘Backdoor’ access

The government’s proposal to compel technology companies to provide access to encrypted messaging services is modelled on laws passed by other members of the Five Eyes surveillance alliance, of which Australia is a member.

Deputy US Attorney-General Rod Rosenstein recently announced the Department of Justice intends to demand interception of encrypted communications. New Zealand already requires technology companies to grant access. In the UK, authorities may force decryption where it is technologically feasible.

As with our allies, it is unclear if Australia’s laws will require so-called “backdoor” vulnerabilities to be built into messaging applications like Facebook Messenger or WhatsApp.

They could compel access via decryption keys or they might enable remote access to devices for interception of communications “at the ends”.

In response, cryptographers argue it is not mathematically possible to access end-to-end encrypted messages via interception without undermining online privacy for everyone.

The current state of telecommunications surveillance

The government already has various powers to access metadata, the contents of digital conversations and computer networks.

The Attorney-General’s Department recently released its annual report on telecommunications surveillance.

Thanks to the Telecommunications (Interception and Access) Act (TIA Act), law enforcement and other agencies can access stored communications with a warrant. This can include “email, SMS or voice messages stored on a carrier’s network”. In other words, the contents of any communication not encoded via encryption.

Agencies may also apply for “preservation notices” to compel telecommunications companies to preserve data.

During the 2015-16 financial year, there were 712 warrants issued for access to stored communications. Data is not available about the types of offences these warrants were used for. It is also not clear how the telecommunications information was used in investigations.

Applications for stored communications warrants (issued)

Agency 2014-2015 2015-2016
ACC 4 2
AFP 94 80
CCC (WA) 5
DIBP 10 1
NSW CC 3 4
NSW Police 290 345
NT Police 16 11
PIC 7 16
QLD Police 123 132
SA Police 38 19
TAS Police 29 17
VIC Police 40 41
WA Police 38 35
Total 696 712

Source: Telecommunications (Interception and Access) Act 1979 Annual Report 2015–16

The issue of metadata retention

A controversial 2015 amendment to the TIA Act requires telecommunication service providers to retain metadata for two years.

This allows authorised law enforcement agencies warrantless access to information about digital communications such as the recipient or time sent, but not their content.

However, some agencies that aren’t meant to be able to access metadata are still making requests under different legal regimes, according to the Communications Alliance, and there have already been reported breaches where an Australian Federal Police officer accessed a journalist’s metadata without an appropriate warrant.

The 2015-16 financial year was a grace period for service providers to comply with retention requirements. During this time, there were 332,639 authorisations by criminal law-enforcement agencies.

Authorisations occurred most for drugs or homicide investigations. It’s possible this may indicate police are relying on ready access to metadata rather than pursuing traditional investigatory methods.

FBI charges Chinese national with distributing malware used in OPM hack attack

The malware has been linked to both the data breach of the US Office of Personnel Management as well as the Anthem breach.

The FBI has filed charges against a Chinese malware broker named Yu Pingan, alleging that he provided hackers with malware, including the Sakula trojan, to breach multiple computer networks belonging to companies in the US

The FBI alleges that Yu, also known as “GoldSun,” conspired with two unnamed hackers from around April 2011 through around January 2014 to maliciously target a group of US companies’ computer networks.

The complaint filed does not name which companies were targeted but notes that the different companies were headquartered in San Diego, California; Massachusetts; Los Angeles, California; and Arizona.

The rarely-used Sakula malware has been linked to both the 2014 breach of the US Office of Personnel Management as well as the 2015 breach of the health insurance firm Anthem.

The Anthem breach impacted 78.8 million current and former customers of the company, while the OPM hack affected more than 22 million records of Americans who had applied for security clearance to work for the government.

Telstra launching cybersecurity centres internationally

Telstra is utilising its ‘deep, deep skills in cyber’ by launching security operations centres in Sydney, Melbourne, and across the globe, as well as likely upgrading its existing facility in Canberra.

Telstra will be opening cybersecurity centres internationally following the launch of its security operations centres (SOCs) in Sydney and Melbourne over the next few weeks, CEO Andy Penn has announced.

Speaking during Telstra’s FY17 financial results call, Penn said Australia’s incumbent telecommunications provider is currently looking at locations for international SOCs, but would not disclose the sites.

However, he added that the two new Australian centres will be launching “very soon … in the coming weeks”.

“There’s no doubt that large enterprises and even smaller enterprises today are becoming increasingly concerned by cybersecurity risks that they face,” Penn told ZDNet.

“There’s virtually no technology innovation that’s happening today that isn’t intended to be connected. That means it’s across a network, and what’s critical is those innovations and that technology is protected from a cyber perspective.

“We’ve got deep, deep, deep skills in cyber because of our own need to protect our networks, but also we provide a very significant dynamic service for our enterprise customers, and this is really a significant investment in really building that service for our enterprise customers.”

Penn told ZDNet that Telstra will also likely upgrade its existing SOC in Canberra.

“We have a dynamic product offering which is integrated with some of the best data analytics globally and the best access to data globally, so that’s actually the fundamental offering, and then the security operations themselves actually enable ourselves on behalf of our customers, or our customers, to monitor 24/7 effectively the cyber activity on their networks,” Penn told ZDNet.

“You need the data analytics and you need the artificial intelligence and the machine learning capabilities to process what’s actually happening deeply at the network level, and you need the sensors deep within the network, and that’s the dynamic security offering that is already launched. We’ve already got customers on that who are very pleased with that offering, and then we’re supporting that with the security operations centres.”

Penn said Telstra has the “smartest” network in Australia, with the telco currently also upgrading its fibre-optic network to allow for terabit capacity.

“We have commenced the rollout of our next-gen optical fibre and transmission network; Tasmania was the first state to benefit from this upgrade,” the chief executive said.

“This will increase Telstra’s network capacity to 1 terabit per second, and has already done so on each of Telstra’s two subsea cables running across the Bass Strait. We’re already rolling this out to the rest of the country, and there is future potential to increase the capacity to 100 terabits per second.”

In addition, Penn spruiked the company’s Cat-M1 Internet of Things (IoT) network, built in conjunction with Ericsson and switched on earlier this month on the 4GX network.

“Cat-M1 will give us the platform for the significant growth we expect to see in IoT,” Penn said.

Telstra currently has more than 8,600 mobile towers, 5,000 telephone exchanges, 200,000 switches and routers, 240,000km of optical fibre cable, and 400,000km of submarine cable.

Telstra TV 2

Penn also announced the launch of the Telstra TV 2, saying that Telstra remains “committed to Foxtel” despite its dropping revenue and is in discussions with co-owner News Corp on how best to structure and arrange Foxtel in future.

“We’re about to dial it up again,” Penn said, detailing that the Telstra TV 2 will include all streaming and catch-up TV services along with a linked mobile app, making it “a real Australian first”.

“Access to the best content is critically important to us as demand for media continues to grow. At the same time, the media market is changing with new participants and increased competition,” Telstra added.

Telstra’s media revenue grew by 8.2 percent to AU$935 million thanks to uptake of both the Telstra TV and “Foxtel from Telstra”. Foxtel from Telstra made AU$777 million in revenue, growing by 8.1 percent due to 57,000 additional subscribers, and there are now 827,000 Telstra TV devices in the market.

Underpinning Telstra’s SOCs is its suite of managed security services announced in March and launched in July, Penn said, in addition to the company’s 500 “cybersecurity experts”.

The Telstra TV originally launched in October 2015.

Around AU$200m later, data retention mostly used for chasing drugs, not terror

The Attorney-General’s Department has exposed a report outlining the opening months of Australia’s data retention scheme.

Australia’s telecommunications companies have been left with a funding hole of over AU$70 million to cover the capital costs of Australia’s data retention scheme, according to the Telecommunications Interception And Access Act 1979 Annual Report 2015-16 [PDF], while data authorisations for terrorism ranked below those for illicit drug offences.

Despite handing out AU$128 million in grants last year, the report, released on Monday, states that the capital cost to industry will total AU$198 million by the end of the 2016-17 financial year.

“Information collected from industry through the Data Retention Industry Grants Programme indicates that the estimated capital cost of implementing data retention obligations over the period between 30 October 2014 and 13 April 2017 is AU$198,527,354,” the report said.

“[Costs] relate to the anticipated direct upfront capital costs and not the recurring or indirect costs associated with compliance.”

In 2015, Attorney-General George Brandis said he expected the average ongoing cost for telcos to run their data retention system would be around AU$4 per month.

The report said the Attorney-General’s Department (AGD) received 210 applications for funding, of which 10 were withdrawn, and 180 telecommunications providers were found to be eligible for funding. Of that 180, “most” were awarded a grant to cover 80 percent of their costs.

It was also detailed that during the implementation period for the data retention scheme, AGD received 402 data retention implementation plans from 310 providers.

Under Australia’s data retention laws, passed by both major parties in March 2015, telecommunications carriers must store customer call records, location information, IP addresses, billing information, and other data for two years, accessible without a warrant by law-enforcement agencies.

Over the period from October 13, 2015 to June 30, 2016, the report said the offence for which the highest number of authorisations to telco data was made was illicit drug offences, with 57,166. This was followed in ranking by miscellaneous, homicide, robbery, fraud, theft, and abduction.

Terrorism offences ranked below property damage and cybercrime, with 4,454 authorisations made.

As part of the data retention laws, the spirit of the legislation was to restrict access to stored metadata to a list of approved enforcement agencies, with those agencies not on the list theoretically having access removed on October 12, 2015.

Overall, the report said 63 enforcement agencies made 333,980 authorisations for retained data, of which 326,373 related to criminal law.

“In 2015-16, law enforcement agencies made 366 arrests, conducted 485 proceedings, and obtained 195 convictions based on evidence obtained under stored communications warrants,” the report said.

During 2015-16, 3,857 telecommunication interception warrants were issued, with interception data used in 3,019 arrests, 3,726 prosecutions, and 1,812 convictions. Total cost for interception warrants was AU$70.3 million, at an average cost of AU$619,200 per warrant.

Australia Post accounted for 64 authorisations between June 30 and October 12, 2015, compared to none the year before; and the Victorian Department of Economic Development, Jobs, Transport and Resources made 173 authorisations in 3.5 months compared to 226 the entire financial year prior.

It was also noted that on six occasions, warrants were exercised by people not authorised to; in three instances, the Ombudsman could not determine whether stored communications related to the person named on a warrant; and in one instance, it could not determine who had received stored communications from a carrier.

It was also revealed that during the 2015-16 year, the Western Australia Police had received a pair of journalist warrants, which saw 33 authorisations of data made.

“These authorisations were for the purpose of enforcing the criminal law,” the report said.

In April, the Australian Federal Police (AFP) revealed that it had “mistakenly” accessed a journalist’s call records without a warrant in breach of the data retention legislation.

It was subsequently learned that AGD had advised government departments to skirt metadata laws and rely on coercive powers.

In May, the Commonwealth Ombudsman found the AFP to be handling metadata in a compliant manner, but noted a number of exceptions.

“We identified two instances where a stored communications warrant had been applied for and subsequently issued in respect of multiple persons, which is not provided for under the Act,” the report said.

In response, the AFP said its warrant templates were not clear enough.

Henry Sapiecha

Report states Australians do not trust Telcos keeping their data safe & private

A report from Essential Research has emphasised that Australians do not trust telcos and ISPs storing their data, even though trust is rising for governments, law enforcement, and other businesses.

Australians are losing trust in telecommunications and internet service providers’ (ISPs) ability to store their data safely and securely, with a report from Essential Research highlighting only 4 percent of respondents have “a lot of trust” in the industry.

29 percent of the 1,020 respondents surveyed for the report [PDF] said they have some sort of trust in telcos and ISPs, a 3 percent drop from the previous year’s results.

Security agencies such as the Australian Federal Police (AFP), local police, and ASIO were found to be trusted by 64 percent of respondents, an increase from the 49 percent that said they trusted security agencies to store personal data safely and in a way that would prevent abuse in 2015.

Governments were found to be trusted 3 percent more than they were a year prior, with 43 percent having faith in those elected into office to protect their personal information.

It was revealed last week that Medicare card information was up for sale on the dark web, with the federal government responding swiftly to the claims with a statement that said reports are being taken seriously. The system used to access Medicare card details is now undergoing a review.

However, a remark was made by Minister for Human Services Alan Tudge that downplayed the seriousness of the issue, with Tudge commenting that the only information available was a Medicare card number and the information available was not sufficient to access any personal health record.

The federal government accidentally published the full names, nationalities, locations, arrival dates, and boat arrival information of nearly 10,000 asylum seekers housed both on the Australian mainland and Christmas Island in February 2014.

KPMG said human error and a push to get immigration data up on deadline resulted in the details being published on the Department of Immigration and Border Protection’s website by mistake.

Last month, the Queensland Crime and Corruption Commission (CCC) alleged that two male police officers accessed the state’s criminal records database on a handful of unauthorised occasions.

According to the CCC, a 60-year-old former sergeant undertook checks on the Queensland Police Records and Information Management Exchange (Qprime) for personal purposes. The 31-year-old serving sergeant was accused of accessing Qprime on 10 occasions.

A 43-year-old serving detective senior constable from State Crime Command was similarly charged in March, and another was fined in May for 80 instances of unauthorised Qprime access.

A report from the Office of the Australian Information Commissioner (OAIC) in May revealed that only 53 percent of people it surveyed were able to nominate an organisation to report the misuse of their information to.

The OAIC said that when asked, only 47 percent admitted awareness of a Privacy Commissioner — either federal or state level — but a mere 7 percent said they would report misuse of information to a Privacy Commissioner. Rather, 12 percent would prefer to report such acts to the police, and 9 percent would rather directly contact the organisation involved.

The survey found that Australians have awarded the highest level of trust to health service providers, followed by financial institutions, and then both state and federal government departments.

Of the 1,800 Australians surveyed, 16 percent said they would avoid dealing with a government agency because of privacy concerns, while 58 percent would avoid dealing with a private company for the same reasons.

Another question asked by Essential Media was whether the individual surveyed had fallen victim to a handful of cyber-related crimes.

33 percent said they had a computer virus that damaged their computer or data; 22 percent admitted to having their credit card information stolen; 14 percent had been the victim of online fraud; cyber bullying was experienced by 10 percent of respondents; online stalking, invasion of privacy, or high levels of harassment was reported by 9 percent; and 6 percent claim to have had their identity stolen.

50 percent — 510 individuals — said they had not fallen victim to any of the cyber-related crimes.

A computer virus was reported by more males than females, while cyber bullying was experienced by more females than males, with those aged 18 to 34 the most susceptible to be at the receiving end of the anti-social behaviour. Similarly, online stalking was experienced more by females, with those aged 18-34 again the most targeted.


Henry Sapiecha

Organisations need a ‘moral imagination’ to build ethical data services that are fair for all punters. That’s where Centrelink said .OOPS.!

Many recent discussions on privacy and data governance have focused on the practical, and on the short term. That’s understandable, given that here in Australia our mandatory data breach notification regime looms large, and Europe’s General Data Protection Regulation (GDPR) follows soon after. But balance is a good thing.

I was pleased, therefore, that the Data + Privacy Asia Pacific conference in Sydney on Wednesday kicked off with a look at the ethics of data stewardship. Not the everyday what, where, and how of data operations, but the why of doing any of these data things in the first place.

This framing was deliberate, Australia’s Information and Privacy Commissioner, Timothy Pilgrim, told ZDNet.

“There is no irony in the fact that often the most personal information is the richest in its potential for public data use,” said Pilgrim in his opening remarks. Therein lie the ethical problems.

How do we balance personal risks with the opportunity for public good, or at least the good of the organisation collecting the data? What counts as having a “genuine interest” in collecting the data, as opposed to sucking in as much as possible as soon as possible?

New ways of analysing data, re-identifying supposedly anonymous data, and reaching conclusions are being developed rapidly. Even the biggest players like Google and Facebook would admit they’ve no idea what might be possible even a few years ahead.

So how do we work within the ocean of future possibilities when data can be bought, sold, lost, stolen, or leaked?

“I think you’re exactly right in pointing to this as the main challenge, not just for us in this discussion, but for all of us here today,” said Rob Sherman, deputy chief privacy officer at Facebook. “We don’t know 20 years down the road what technology is going to look like.”

“You have to be willing to iterate. We have to have principles that are established, that reflect our views on the way to do this, independent of technology, and independent of specific use of data.”

Great. But how do you develop principles in the abstract?

According to Dr Simon Longstaff, executive director of The Ethics Centre, a useful tool here is the “veil of ignorance”, a thought experiment proposed in 1971 by American philosopher John Rawls.

Imagine that you’re developing the operating principles for, say, an on-demand transport service.

Now imagine that you know nothing about yourself, your natural abilities, or your position in society. You know nothing about your gender, race, language skills, health … none of these things. The veil of ignorance has descended.

How would you set up the rules for this service when you could be any of the people involved — driver, passenger, shareholder, brown-skinned, pregnant, mentally ill, drunk, whatever? Or even people not directly involved, such as vehicle manufacturers, regulators trying to minimise their overhead, or residents dealing with any environmental effects?

What principles would be fair and reasonable for everyone involved?

“[By doing that] you can start to get a sense of what you would build, that is technology-neutral, and effective in terms of dealing with our interests,” said Longstaff.

Such a “moral imagination”, as Longstaff described it, would go a long way towards addressing one of Startupland’s most obvious problems — that services are imagined by, built by, and built for a narrow demographic that’s mostly male, mostly white, mostly privileged, mostly aged under 30, and mostly besotted with their own “understanding” of how the world works.

Such a moral imagination might have helped create an on-demand transport service very different from Uber.

Remember the real reason for Uber?

“We wanted to get a classy ride. We wanted to be baller in San Francisco. That’s all it was about,” said founder Travis Kalanick in 2013.

Such a moral imagination might have helped the creators of the service which, it is alleged, discouraged poor students from university, rather than suggesting ways to help them follow their dream. They might have imagined how a teenager might feel being told, “Nah, I wouldn’t bother.”

And such a moral imagination might have helped human services minister Alan Tudge navigate his way through the Centrelink robodebt debacle, where shoddy algorithms and processes led to unreasonable demands for money being sent to welfare recipients. He might have imagined what it’d be like on the receiving end.

Things work very differently in Canada.

“Governments want to link data, so it might be to cut off somebody’s benefits, for example, because you’re declaring income which was not [previously] known,” said Michael McEvoy, Deputy Commissioner in the Office of the Information and Privacy Commissioner for British Columbia.

“What we’re working with government on that is to say that you can do that by machine process, but if you’re doing to disentitle somebody, or in some way be prejudicing that individual, a human being has to look at that before any decision is made.”

While imagining Tudge with a moral imagination may be a stretch of the imagination, it’s not quite as unrealistic to expect a organisation’s board to include these issues under the heading of corporate social responsibility.

Henry Sapiecha

Twitter abandons ‘Do Not Track’ privacy protection

Is this the end for ‘Do Not Track’, the web-tracking privacy service?

The most shocking internet privacy laws.

Twitter was one of the first companies to support Do Not Track (DNT), the website privacy policy. Now, Twitter is abandoning DNT and its mission to protect people from being tracked as they wander over the web

DNT seemed like a good idea. By setting DNT on in your web browser, websites that supported DNT could neither place nor read advertising cookies on your device. Well, that was the idea anyway.

Any web browser or application that supported DNT added a small snippet of code to its request for a web page: DNT=1. This meant websites and services that observed DNT shouldn’t track you on the internet.

This would protect your online privacy. You might think that meant “Don’t collect and store any information about me without my explicit permission.”


From day one in 2012, that isn’t how it worked. According to Sarah Downey, an attorney and privacy advocate, the Interactive Advertising Bureau and the Digital Advertising Alliance (DAA), which represent most online advertisers, have their own interpretation of Do Not Track: “They have said they will stop serving targeted ads but will still collect and store and monetize data.”

However, Twitter played fair by the spirit of DNT rather than the law. Unfortunately, they were one of the few companies that did. DAA, for example, publicly abandoned DNT in 2013. With the advertisers and privacy advocates unable to agree on basic principles, DNT increasingly offered users no privacy protection worth the name.

Twitter finally had enough of fighting an already lost battle. In a note to its revised privacy policy, the company stated: “Twitter has discontinued support of the Do Not Track browser preference. While we had hoped that our support for Do Not Track would spur industry adoption, an industry-standard approach to Do Not Track did not materialize. We now offer more granular privacy controls.”

Under its new privacy rules, Twitter is extending how long its tracking cookies are active, from 10 days to 30 days as of June 18. You can also switch off Twitter ad personalization. From the same page, you can also disable geolocation and data sharing with third parties.

It’s a pity DNT has come to this. As Jason Kint, CEO of Digital Content Next, pointed out in an email interview: “Do Not Track still remains an elegant and simple consumer signal to not be tracked across the broader web.”

Kint remains hopeful about DNT: “Twitter dropping its support is disappointing as they were a leader here, but the standard is written regardless of what Twitter says and will continue to move forward. In the desire to regain consumer trust and reduce ad blocking, the ad tech world would be wise to embrace Do Not Track rather than ignoring it. Ultimately consumers win. No business has ever succeeded long-term without meeting consumer demands.”

I’m not at all optimistic. DNT has been spinning its wheels for years now with little progress. Online privacy remains an issue that upsets people, but at day’s end, neither companies nor the Trump administration have any real interest in protecting privacy.

Henry Sapiecha

Police illegally accessed journalist’s phone files under new metadata retention regime

The Australian Federal Police illegally obtained a journalist’s phone records under the Turnbull government’s new metadata retention regime, the agency announced on Friday.

The breach took place as part of an investigation into a leak of confidential police material – and the incident will now be investigated by the Commonwealth Ombudsman.

AFP commissioner Andrew Colvin said the police officers investigating the leak did not realise they were required to obtain a warrant to access the journalist’s metadata.

“This was human error. It should not have occurred. The AFP takes it very seriously and we take full responsibility for breaching the Act,” Mr Colvin said.

“There was no ill will or malice or bad intent by the officers involved who breached the Act. But simply it was a mistake.”

The journalist in question had not been informed their data had been accessed, Mr Colvin said, due to sensitivities around the ongoing investigation into the leak.

The breach occurred “earlier this year” and was reported to the Ombudsman on Wednesday.

Under the revised data retention regime, police are required to obtain a warrant from a judge to seek metadata from a journalist.

“The vulnerability is the investigator needs to understand that that’s their requirement,” Mr Colvin said on Friday. “On this occasion, the investigator didn’t.”

The phone records in question were relevant to the investigation, Mr Colvin said, but “what was improper was that the right steps weren’t taken to gain access to it”.

The breach is the first such incident that has come to light under the government’s new metadata retention regime, which requires service providers to store their customers’ data for two years.

Acknowledging the policy was “controversial”, Mr Colvin said Australians should nonetheless have “full confidence” in both the police and the policy.

He conceded the AFP’s internal procedures had not anticipated and prevented the error and therefore those practices would be subject to “significant changes”.

Access to metadata would now be restricted to more senior officers, he said, and the number of officers who can approve access to metadata will be reduced. Training will also be bolstered.

Asked if the unlawfully-obtained phone records would still be relied on to inform the actions of investigators, he acknowledged that once seen it could not be unseen.

“Clearly they can’t unsee it. They’ll need to consider … what weight they put on what they saw,” Mr Colvin said. “But that material was accessed illegally, so it can have no bearing on the conduct of the investigation.”

He stressed the content of the journalist’s phone calls were not accessed, just the call records. But Paul Murphy, chief executive of the Media, Entertainment and Arts Alliance, said that was not a mitigating factor.

“It’s another demonstration that the AFP do not understand the sensitivities here, the vital importance of protecting journalists’ confidential sources,” he said. “It’s an absolute disgrace.”

South Australian senator Nick Xenophon, who lobbied for extra safeguards for journalists when the laws were formulated, said he was “furious” about the revelation and would seek further amendments to the law.

“This is outrageous. There’s been a flagrant breach of the law here,” he said. “The safeguards have been completely trashed. This should chill the spine of every journalist in this country.”

Henry Sapiecha

Federal Court rejects application for Telstra to supply ‘personal’ metadata

A long-running battle over whether or not telcos should have to provide stored metadata to customers on request — which evolved over numerous appeals into a battle over which data should be considered personal — appears to have come to an unsatisfying end this week in Australia’s Federal Court.

The case between the Privacy Commissioner and Telstra was sparked two years ago when the former ordered the telco to supply metadata on request, on the grounds that it was the personal data of the customer. With this latest decision, Telstra will not be obliged to obey that order.

telstra-logos-on-site image

As the government was preparing to introduce new rules in 2013 that would oblige telcos to store the data generated when customers used their services (for example not your voice or articles you read online, but information on your calls, location and IP addresses of sites you visit), Ben Grubb, then a journalist at Fairfax Media, asked his telco Telstra for a copy of the data.

Telstra provided some information, but not the complete set it would be required to give to law enforcement if asked under the retention laws.

In 2015 the Privacy Commissioner ruled against Telstra, ordering it to provide the missing data, but the decision was overturned when Telstra appealed to the Administrative Appeals Tribunal (AAT).

A counter appeal from the Privacy Commissioner saw the issue taken to the Federal Court, where it was ultimately dismissed this week.

“It’s obviously a disappointing outcome,” Grubb says, “but I’m really grateful that the Privacy Commissioner followed this through by going to the Federal Court to appeal it”.

Grubb says he believes the protracted, public legal stoush may have influenced the system to change for the better, even if Telstra was ultimately vindicated.

“The point of this case was to get my telco to hand over what they were already providing to law-enforcement agencies on a case-by-case basis. In effect, the case achieved most of this, with Telstra eventually allowing consumers to access a lot of what they had on file about their users,” Grubb says, referring to a change the telco made in 2015.

Still, this week’s decision means his original request for metadata will ultimately not be fulfilled.

“At first, Telstra refused me access to information beyond my billing information. They then provided further information, but not all of what I was requesting. Wednesday’s decision means that I won’t be provided with that further information, which included, among other information, IP addresses, URLs, and specific cell tower location information,” Grubb says.

“I still worry about scope creep with regards to data retention. The recent discussion paper put out just before Christmas by the government to enable even more entities to access our highly personal information is worrying, and something many privacy advocates warned would likely end up happening once the data retention laws were passed.”

Anna Johnston, director of Salinger Privacy and former deputy privacy commissioner for NSW, says people shouldn’t interpret this week’s decision as the court “gutting” the definition of what “personal information” is. Rather, the court has just declined to resolve questions still up in the air.

In a detailed blog post explaining the case, Johnston argues that the AAT’s interpretations in its decision in favour of Telstra were “ridiculous”, and “completely undermined our privacy laws”. The AAT’s view that some metadata was not personal information, and so need not be provided to customers, hinged on the fact that the data was about connections between mobile devices, rather than about a person.

But, Johnston writes, surely the data can be both things at once.

“Even car repair records, which certainly have been created for the primary purpose of dealing with a car rather than a human being, will have information about the car owner”, like their address, phone number and car make, Johnston writes.

In this case, though, the Privacy Commissioner failed to make this distinction in its appeal to the Federal Court.

“Instead of arguing that information could be ‘about’ more than one thing, i.e. that metadata could be ‘about’ both the delivery of a network service and the customer receiving that service,” Johnston wrote, “the Privacy Commissioner’s legal team argued that the phrase ‘about an individual’ was redundant, and should simply be ignored,” and the argument was ultimately rejected by the court.

Speaking to Fairfax Media, Johnston said the situation is complicated by the fact that definitions in the Telecommunications (Interception And Access) Act have changed in the time since Grubb first lodged his complaint.

Johnston believes Telstra was in the wrong in refusing to supply the information, but the privacy commissioner went the wrong way about setting things right (although she says the door is not closed for a fix to come in future with another complaint).

With the rules as they currently are, Johnston believes the case could be made for information to be provided if the complainant could show why the data was personal.

“I would argue that the Federal Court left open the possibility that the data Ben Grubb and Telstra were arguing about would be ‘personal information’, because they said that the individual needs to be a subject matter, not the subject, as the AAT said,” Johnston says.

“The judges stressed the need to consider “the totality of the information”. In other words, linkability to an identifiable individual might still make something ‘personal information’, and thus within the scope of our privacy laws.”


Henry Sapiecha