Australian Tribunal Says User's IP Address And URLs Visited Are Not Personal Information
from the too-remote dept
Techdirt has been writing about the question of what constitutes personal information in an online context for over half a decade. A recent decision in Australia, reported by the Guardian, suggests that the matter is far from settled around the world. The case concerns a journalist, Ben Grubb, who has been trying to get his personal data from the mobile phone company he uses, Telstra. Initially, the Australian privacy commissioner ruled that Telstra had failed to comply with local privacy laws when it refused to hand over the data, but that decision was overturned on appeal by an administrative appeals tribunal (AAT) on the following grounds:In the AAT decision deputy president Stephanie Forgie took a narrow approach to defining personal information. She said that information such as IP and URL data were too remote to be considered personal information.That ignores just how much information even a single URL reveals about the visitor to the site and page in question. Moreover, putting all those URLs together can create an extremely detailed picture of the person concerned -- from things like their general character and beliefs to current concerns. It's an extension of the incorrect argument trotted out by governments that gathering and storing metadata isn't as intrusive as retaining content, when exactly the opposite is true. Since metadata is pre-sorted into handy conceptual categories, analysing and aggregating the information is extremely easy, even on a huge scale -- just ask the NSA and GCHQ.
"That data is no longer about Mr Grubb or the fact that he made a call or sent a message or about the number or address to which he sent it. It is not about the content of the call or the message. The data is all about the way in which Telstra delivers the call or the message. That is not about Mr Grubb," she wrote.
However, the Australian privacy commissioner is not taking things lying down:
The privacy commissioner, Timothy Pilgrim, has launched a federal court challenge to a ruling that a journalist was not entitled to access parts of his personal mobile phone data.
As the Guardian rightly notes, the outcome of the case is likely to have important ramifications for future requests involving personal information under the country's privacy laws.
The landmark challenge is believed to be the first time the Office of the Australian Information Commissioner has sought to appeal a case before the federal court.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: australia, ben grubb, ip addresses, metadata, personal information, urls
Companies: telstra
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Would you like people to know you got a call from a doctor then googled HIV treatments?
[ link to this | view in chronology ]
Time to call upon Stephanie Forgie to provide all of her nonpersonal information, and all of the nonpersonal information of her staff.
Lets take a look at all of the urls and then question why they are being visited, what personal calls are being taken on government time, and all of those meetings that look questionable being setup.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Piracy
[ link to this | view in chronology ]
Re: Piracy
[ link to this | view in chronology ]
Re: Piracy
When an IP address is being used to 'identify' piracy, it's like taking a picture of a license plate without including a picture of the driver in the picture. At most the picture can be used to say that a given license plate was in a given spot at a certain time.
The problem with attaching 'plates' to 'person' in the case of piracy however is that in this particular example it's laughably easy to swap out 'plates', such that there is no way to tell if the 'driver' was the person who is registered as owning a particular set of 'plates', and if you're going to charge someone with a crime, then you absolutely must be able to determine whether or not they are guilty of committing it or if it was done by someone who happened to use their 'plates' at the time.
In this case, and similar ones however, it's more along the lines of someone going to a company that takes the pictures of the plates, and asking for a record of where their plates were recorded as being. It's possible that some of those records weren't 'legitimate', as someone else might have been using his 'plates' at the time, but in general all he's asking for is a record of where his plates have been, as recorded by the company.
[ link to this | view in chronology ]
Re: Re: Piracy
[ link to this | view in chronology ]
Re: Re: Re: Piracy
In the license plate analogy, if the car is yours, you'd be the only person wit an actual right to get that information, even if never drove the car.
[ link to this | view in chronology ]
Re: Re: Re: Piracy
The evidence isn't accurate enough to meet the legal requirements, even if it can generally be used to track someone's activities online, assuming they're not taking steps to disguise their actions as those involved in copyright infringement generally are.
Put another way, IP addresses are accurate enough to track someone's activities in general, making them personally identifiable, but they're not accurate and reliable enough on their own to bring legal charges because they can be spoofed.
[ link to this | view in chronology ]
Telstra is crap
[ link to this | view in chronology ]
Re: Telstra is crap
[ link to this | view in chronology ]
Re: Telstra is crap
[ link to this | view in chronology ]
Re: Telstra is crap
[ link to this | view in chronology ]
This is a simple matter in the EU.
End of story. End of discussion. Contact your MP, get some real privacy laws.
[ link to this | view in chronology ]
Re: This is a simple matter in the EU.
You might know which house had the IP at the time but you don't know if it was the wife, husband, daughter, son or maybe someone who connected via wifi from outdoors who did something. And because you can't uniquely identify a person it isn't personal information.
Still simple?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Glyn?
[ link to this | view in chronology ]
Re: Glyn?
I'm trying to track down a troll who attempted to phish me, so believe me, I know. Nothing that I've found in the headers leads anywhere conclusive, but that email has gone all over the world! One of the senders in the list was Telstra, where the troll spoofed an email address on my (unused) domain. That was the last sender before the email ended up in my inbox. Via Mexico and Massachusetts. I'm not even joking...!
So no, Glyn is right. An IP address doesn't necessarily lead to a person.
[ link to this | view in chronology ]
Re: Re: Glyn?
Faking headers isn't the same as an ISP logging it's user's IPS and URLs visited.
By the way, what happened to you is called a "joe job" and is about as old as the internet. Don't fret it, it's not much really.
[ link to this | view in chronology ]
Re: Re: Glyn?
Anyone get those calls from yourself?
[ link to this | view in chronology ]
The IP address isn't the most important part
Let me explain by example. Consider every web site you visited yesterday: your bank, your doctor, your brokerage, TechDirt, the school your kids go to, the EFF, FreeBSD, DuckDuckGo, Weather Channel, etc. Let's call that set of URLs U(1).
Today you'll visit U(2). Tomorrow you'll visit U(3). And so on. There will be considerable overlap between each of these sets, especially if we collect a few hundred of them. We could then construct a set U' which is given by the set of URLs which appear in at least N of M sets -- e.g., URLs which show up in at least 10 of 30 sets, or 25 of 100 sets, or whatever (N, M) we wish to pick.
That set U' represents the set of sites that you go to often. It may well be unique, or close to unique, out of all possible sets U' across all Internet users. And you're going to take U' with you -- that is, if you use a VPN or you travel, you're still going to visit U'. There is thus a reasonable probability that you can be tracked by computing U' and then looking for it across the entire proposed database. (This isn't all that different from tracking people via browser fingerprinting.)
Note that this method may be considerably more effective depending on the definition of URL that's used. If it's just the name of host, e.g., http://www2.example.com, then that yields some information. But if it's a full URL, e.g., http://www2.example.com/people/fred-flintstone.html, then that may well be much more useful for individualized tracking. It may even identify the person, i.e., it may be their personal "home page" on some web site.
Note all that if this method includes timestamps, that also increases its efficacy for tracking: do you check your stock portfolio at your brokerage every weekday at the same time while you're having coffee? And, to bring IP addresses back into it, if it includes those as well, then it's going to be still more effective. (Note that exact IP addresses are very useful, but even knowing the CIDR of the block they reside in is probably enough. This accounts for things like dynamic address allocation by an ISP or business or school.) I wouldn't be in the least surprised if the combination of all of this information is sufficient to uniquely identify and track most Internet users.
[ link to this | view in chronology ]
Figure out the "IP Address" of the government agencies
Then watch as the reports are exposed showing that the Government itself loves scat, ISIS, goatse and tubgirl.
[ link to this | view in chronology ]