Australian Tribunal Says User's IP Address And URLs Visited Are Not Personal Information

from the too-remote dept

Techdirt has been writing about the question of what constitutes personal information in an online context for over half a decade. A recent decision in Australia, reported by the Guardian, suggests that the matter is far from settled around the world. The case concerns a journalist, Ben Grubb, who has been trying to get his personal data from the mobile phone company he uses, Telstra. Initially, the Australian privacy commissioner ruled that Telstra had failed to comply with local privacy laws when it refused to hand over the data, but that decision was overturned on appeal by an administrative appeals tribunal (AAT) on the following grounds:
In the AAT decision deputy president Stephanie Forgie took a narrow approach to defining personal information. She said that information such as IP and URL data were too remote to be considered personal information.

"That data is no longer about Mr Grubb or the fact that he made a call or sent a message or about the number or address to which he sent it. It is not about the content of the call or the message. The data is all about the way in which Telstra delivers the call or the message. That is not about Mr Grubb," she wrote.
That ignores just how much information even a single URL reveals about the visitor to the site and page in question. Moreover, putting all those URLs together can create an extremely detailed picture of the person concerned -- from things like their general character and beliefs to current concerns. It's an extension of the incorrect argument trotted out by governments that gathering and storing metadata isn't as intrusive as retaining content, when exactly the opposite is true. Since metadata is pre-sorted into handy conceptual categories, analysing and aggregating the information is extremely easy, even on a huge scale -- just ask the NSA and GCHQ.

However, the Australian privacy commissioner is not taking things lying down:

The privacy commissioner, Timothy Pilgrim, has launched a federal court challenge to a ruling that a journalist was not entitled to access parts of his personal mobile phone data.

The landmark challenge is believed to be the first time the Office of the Australian Information Commissioner has sought to appeal a case before the federal court.
As the Guardian rightly notes, the outcome of the case is likely to have important ramifications for future requests involving personal information under the country's privacy laws.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: australia, ben grubb, ip addresses, metadata, personal information, urls
Companies: telstra


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 19 Feb 2016 @ 12:05am

    Holy shit... can someone please rewrite this article to clearly indicate what the fuck the actual issue is? It reads like the problem is getting personal data from a carrier but it's really about being denied getting your OWN personal data from a carrier and then having some agency say your personal data isn't "personal". Or did I miss the entire point? Either way, wtf?

    link to this | view in chronology ]

    • identicon
      Glyn Moody, 19 Feb 2016 @ 12:10am

      Re:

      I've changed the relevant sentence.

      link to this | view in chronology ]

    • icon
      That Anonymous Coward (profile), 19 Feb 2016 @ 12:12am

      Re:

      If all the urls & calls you made were no longer personal information none of the protections against that data being handed over to anyone who asked would apply.

      Would you like people to know you got a call from a doctor then googled HIV treatments?

      link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 19 Feb 2016 @ 12:14am

    To thine own self be true.

    Time to call upon Stephanie Forgie to provide all of her nonpersonal information, and all of the nonpersonal information of her staff.

    Lets take a look at all of the urls and then question why they are being visited, what personal calls are being taken on government time, and all of those meetings that look questionable being setup.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 Feb 2016 @ 11:09am

      Re:

      you know better than that, this is only for the little people, the serfs the would be slaves. The elites hold themselves exempt from such petty things

      link to this | view in chronology ]

    • icon
      tqk (profile), 20 Feb 2016 @ 10:47am

      Re:

      In other words, hoist on her own petard.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Feb 2016 @ 12:21am

    Piracy

    If an IP address isn't a person for the purposes of suing for piracy, then an IP address can't then be a person for the purpose of private personal information, can it?

    link to this | view in chronology ]

    • icon
      samoanbiscuit (profile), 19 Feb 2016 @ 12:38am

      Re: Piracy

      Thank you! I logged in to ask this question, but I'm pleased someone else thought of it too.

      link to this | view in chronology ]

    • icon
      That One Guy (profile), 19 Feb 2016 @ 2:22am

      Re: Piracy

      This will probably come out rough, but I'll see if I can explain the difference.

      When an IP address is being used to 'identify' piracy, it's like taking a picture of a license plate without including a picture of the driver in the picture. At most the picture can be used to say that a given license plate was in a given spot at a certain time.

      The problem with attaching 'plates' to 'person' in the case of piracy however is that in this particular example it's laughably easy to swap out 'plates', such that there is no way to tell if the 'driver' was the person who is registered as owning a particular set of 'plates', and if you're going to charge someone with a crime, then you absolutely must be able to determine whether or not they are guilty of committing it or if it was done by someone who happened to use their 'plates' at the time.

      In this case, and similar ones however, it's more along the lines of someone going to a company that takes the pictures of the plates, and asking for a record of where their plates were recorded as being. It's possible that some of those records weren't 'legitimate', as someone else might have been using his 'plates' at the time, but in general all he's asking for is a record of where his plates have been, as recorded by the company.

      link to this | view in chronology ]

      • icon
        samoanbiscuit (profile), 19 Feb 2016 @ 3:14am

        Re: Re: Piracy

        If the link between IP and identity (and therefore legal liability) is "laughably" easy to obfuscate such that it shouldn't be used by a court for establishing guilt/liability, then doesn't the same logic follow for other reasons? Isn't it an easy defense to maintain that that IP is NOT tied to your identity?

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 19 Feb 2016 @ 3:22am

          Re: Re: Re: Piracy

          It does kind of sound like having it both ways... Even then I'd side with caution and, perhaps begrudgingly, perhaps not, say it would be personal information.
          In the license plate analogy, if the car is yours, you'd be the only person wit an actual right to get that information, even if never drove the car.

          link to this | view in chronology ]

        • icon
          That One Guy (profile), 19 Feb 2016 @ 4:05am

          Re: Re: Re: Piracy

          It's like the difference between saying 'Your car was seen speeding' vs 'You were seen speeding'. The first isn't enough grounds to bring legal challenge because it's not necessarily tied to the person, the second is.

          The evidence isn't accurate enough to meet the legal requirements, even if it can generally be used to track someone's activities online, assuming they're not taking steps to disguise their actions as those involved in copyright infringement generally are.

          Put another way, IP addresses are accurate enough to track someone's activities in general, making them personally identifiable, but they're not accurate and reliable enough on their own to bring legal charges because they can be spoofed.

          link to this | view in chronology ]

  • identicon
    ponky tonk, 19 Feb 2016 @ 12:23am

    Telstra is crap

    You really shouldnt use this stupid backward bastard carrier if you live in australia. They are arrogant, monopoly seeking, asshats that believe all australians owe them a monopoly. Also they charge a lot of money for equipment my parents and grandparents paid off long before they became a private company. This sort of company should be dead and buried and should not have even been allowed to be made a parasite like the governments have done. parasitic fucking useless fuck of a company. piss it off.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 Feb 2016 @ 1:31am

      Re: Telstra is crap

      Telstra: Australian for Comcast.

      link to this | view in chronology ]

    • identicon
      Aim deadener, 19 Feb 2016 @ 4:13am

      Re: Telstra is crap

      Sounds like this telstra mob's got a few galahs in the kingswood. Almost as bad as that drongo who breeds dingoes with hydatids. Maybe the kangaroos in the top paddock have kept the place a sandwich short of a picnic.

      link to this | view in chronology ]

    • identicon
      Wendy Cockcroft, 19 Feb 2016 @ 7:57am

      Re: Telstra is crap

      They also enable phishing. I had a phishing attack initiated via their servers. When I asked them for help tracking down the person responsible, I got no response.

      link to this | view in chronology ]

  • identicon
    Anonymous coward, 19 Feb 2016 @ 3:18am

    This is a simple matter in the EU.

    Data, or any combination of data which, by someone, can be used to uniquely identify a person is considered personal information.

    End of story. End of discussion. Contact your MP, get some real privacy laws.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 Feb 2016 @ 4:05pm

      Re: This is a simple matter in the EU.

      Simple? Ok so an IP doesn't classify as personal information in the EU.
      You might know which house had the IP at the time but you don't know if it was the wife, husband, daughter, son or maybe someone who connected via wifi from outdoors who did something. And because you can't uniquely identify a person it isn't personal information.
      Still simple?

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Feb 2016 @ 4:27am

    Your IP address is the digital equivalent to your home address and your car. The sites you've visited is digital equivalent to the places you've visited. Therfore, tracking what sites you've been to is the same as following someone around in your car or putting a GPS tracker on their car.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Feb 2016 @ 4:49am

    I thought we decided an IP is not a person? It's hard to have it both ways.

    link to this | view in chronology ]

  • icon
    wereisjessicahyde (profile), 19 Feb 2016 @ 5:31am

    Glyn?

    Is it not true that an IP address is not a person? You can't have it both ways mate.

    link to this | view in chronology ]

    • identicon
      Wendy Cockcroft, 19 Feb 2016 @ 8:02am

      Re: Glyn?

      IP addresses can't be used to accurately identify individuals. They generally lead back to the router being used, but that doesn't necessarily mean anything.

      I'm trying to track down a troll who attempted to phish me, so believe me, I know. Nothing that I've found in the headers leads anywhere conclusive, but that email has gone all over the world! One of the senders in the list was Telstra, where the troll spoofed an email address on my (unused) domain. That was the last sender before the email ended up in my inbox. Via Mexico and Massachusetts. I'm not even joking...!

      So no, Glyn is right. An IP address doesn't necessarily lead to a person.

      link to this | view in chronology ]

      • icon
        Whatever (profile), 19 Feb 2016 @ 11:00am

        Re: Re: Glyn?

        Wendy, email headers can be entirely faked from end to end, with only a single entry that might be marginally valid one of the many IPs you will see. That is generally taken care of now by running your spam / phish mailer through TOR or similar "exit portal" sites. Generally it makes email just about entirely untracable.

        Faking headers isn't the same as an ISP logging it's user's IPS and URLs visited.

        By the way, what happened to you is called a "joe job" and is about as old as the internet. Don't fret it, it's not much really.

        link to this | view in chronology ]

      • identicon
        Anonymous Coward, 19 Feb 2016 @ 11:24am

        Re: Re: Glyn?

        Yup - rather easy to do in email, and now callerId.
        Anyone get those calls from yourself?

        link to this | view in chronology ]

  • identicon
    Rich Kulawiec, 19 Feb 2016 @ 5:55am

    The IP address isn't the most important part

    It's the URLs.

    Let me explain by example. Consider every web site you visited yesterday: your bank, your doctor, your brokerage, TechDirt, the school your kids go to, the EFF, FreeBSD, DuckDuckGo, Weather Channel, etc. Let's call that set of URLs U(1).

    Today you'll visit U(2). Tomorrow you'll visit U(3). And so on. There will be considerable overlap between each of these sets, especially if we collect a few hundred of them. We could then construct a set U' which is given by the set of URLs which appear in at least N of M sets -- e.g., URLs which show up in at least 10 of 30 sets, or 25 of 100 sets, or whatever (N, M) we wish to pick.

    That set U' represents the set of sites that you go to often. It may well be unique, or close to unique, out of all possible sets U' across all Internet users. And you're going to take U' with you -- that is, if you use a VPN or you travel, you're still going to visit U'. There is thus a reasonable probability that you can be tracked by computing U' and then looking for it across the entire proposed database. (This isn't all that different from tracking people via browser fingerprinting.)

    Note that this method may be considerably more effective depending on the definition of URL that's used. If it's just the name of host, e.g., http://www2.example.com, then that yields some information. But if it's a full URL, e.g., http://www2.example.com/people/fred-flintstone.html, then that may well be much more useful for individualized tracking. It may even identify the person, i.e., it may be their personal "home page" on some web site.

    Note all that if this method includes timestamps, that also increases its efficacy for tracking: do you check your stock portfolio at your brokerage every weekday at the same time while you're having coffee? And, to bring IP addresses back into it, if it includes those as well, then it's going to be still more effective. (Note that exact IP addresses are very useful, but even knowing the CIDR of the block they reside in is probably enough. This accounts for things like dynamic address allocation by an ISP or business or school.) I wouldn't be in the least surprised if the combination of all of this information is sufficient to uniquely identify and track most Internet users.

    link to this | view in chronology ]

  • identicon
    DigDug, 19 Feb 2016 @ 8:00am

    Figure out the "IP Address" of the government agencies

    Then spoof those IPs to access all sorts of nasty, bad, oh my gosh really bad stuff.

    Then watch as the reports are exposed showing that the Government itself loves scat, ISIS, goatse and tubgirl.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.