Go to our Contact page for our office details.
Meta-exercised about metadata
Metadata collection was highlighted in a recent determination by the Australian Privacy Commissioner which found Telstra had breached the Privacy Act … But how relevant is it, given the government’s recent amendments to the Data Retention Act? Peter Leonard and Althea Carbon look at the big picture and the fine detail.
We all know that the Australian parliament recently enacted the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015, which imposes far-reaching requirements for providers of communications services to collect and retain information about communications carried by their services.
The 2015 Act is a radical departure from previous law by being the first mechanism to require preservation of information about communications on a generic, service-wide basis, not case by case in response to a specific request.
The new requirements concern collection, retention and access to information about communications – Senator George Brandis’ (pic) “metadata” – and not interception or access to content of communications (content of emails, voicemails or SMS).
Given the lower level of perceived sensitivity of information about communications as compared to the content of communications, the procedures to permit lawful access to information about communications are a light touch as compared to the warrants regime for interception of communications content.
Australia has also not experienced an equivalent of the News of the World voicemail hacking.
Excessive access by law enforcement agencies may well consist of over-zealous collection of fines and statutory penalties rather than more troubling privacy invasions.
In any event, the access requirements are not subject to before-the-event scrutiny by judicial officers or other independent parties of any proposed exercise by enforcement agencies of their powers of powers of access to that data: the agencies are permitted to self-certify that access is necessary and within powers.
The debate about mandatory communications data retention has ventured down many interesting by-ways.
For example, we learnt that in the last reported year more than 80 federal and state enforcement agencies requested access to historical telecommunications data under the Telecommunications (Interception and Access) Act 1979 and that requests for such data resulted in an annual total of over 500,500 disclosures by service providers.
This statistic did not include an undisclosed number of accesses by intelligence agencies – reporting as to even the number of requests by intelligence agencies is classified (secret) – or accesses by agencies exercising powers under other federal, state or territory statutes, or accesses pursuant to subpoena and other court process.
We have also been entertained by Fairfax Media journalist Ben Grubb’s quest to find out what law enforcement or intelligence agencies might find out about him via forensic examination of his metadata, or as it is sometimes more colourfully described, “digital exhaust”.
Grubb’s quest ultimately resulted in a determination by the Australian Privacy Commissioner, Timothy Pilgrim (pic) that Telstra Corporation Limited had breached the Privacy Act 1988 (C’th) by failing to provide Grubb with access to requested metadata relating to his use of Telstra telecommunications services as collected and held by Telstra in various databases for various purposes, some purely technical and operational (relating to operation of the network and monitoring its performance).
This determination – Ben Grubb and Telstra Corporation Limited – is now under review, but it sparked unusual interest and some strong views.
The Communications Alliance criticised the determination as “regulatory overreach” and “creating unnecessary uncertainty for the telecommunications sector”.
Telstra announced that it will seek a review of the determination, stating in a media release that the determination “would require us to go well beyond the lawful assistance we provide to law enforcement agencies today [and] well beyond what we have to retain under the government’s data retention regime”.
It all started when on June 15, 2013 Grubb requested access pursuant to the Privacy Act 1988 (C’th) to “all the metadata information Telstra has stored” about him in relation to his mobile phone service, including (but not limited to) cell tower logs, inbound call and text details, duration of data sessions and telephone calls and the URLs of websites visited.
Because the request was made before the 2014 changes to the Privacy Act, the old definition of “personal information” and the National Privacy Principles applied.
Accordingly, the determination was made under old law and must be treated with caution in relation to possible application to the new definition of “personal information” and the markedly different Australian Privacy Principles now in operation.
In any event, the first question was whether metadata relating to Grubb’s use of Telstra telecommunications services, as collected and held by Telstra in various places for various purposes, was “personal information” under the old definition, being information about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
The old definition can be contrasted to the new definition of “personal information” which is information “about an identified individual or an individual who is reasonably identifiable”.
If it is determined that an organisation holds information about an individual whose identity can reasonably be ascertained from the information or opinion, under NPP 6.1 the organisation was required to provide the individual with access to the information unless an exception applies to the information in question.
The complexity of a request for personal information, in and of itself, does not constitute one of the exceptions provided under NPP 6.1(a)-(k).
The complexity and scope of an individual’s access request goes to the estimates of time in which an organisation might give access and the cost charged for provisioning that access.
Grubb did not contend that his identity was apparent on the face of the metadata sought.
Rather, he claimed that if law enforcement agencies and national security bodies can, on request, access metadata connected with his phone service, his identity must reasonably be able to be ascertained from that metadata, and on that view, is personal information for the purposes of the Privacy Act and therefore information to which he is entitled to access.
Telstra contended that the metadata provided to law enforcement bodies is generally extracted from call charge record systems which are distinctly separate systems to the network management systems used by Telstra’s Network infrastructure operations to extract customer information for network assurance purposes.
Telstra further contended that the process of ascertainment of an individual’s identity involving inquiries from and cross-matching against different network management and records management systems was sufficiently complex, impractical, costly and time-consuming for Grubb’s identity not to “reasonably be ascertained” from the information.
Telstra provided Grubb (pic) with certain information that it viewed as falling within the scope of his request, including call data records and itemised bills issued to the complainant and subscriber information.
However, Telstra refused access to:
* Network data (including IP address information, uniform resource locator (URL) information and cell tower location beyond the cell tower location information that Telstra retains for billing purposes).
* Incoming call records (including inbound call numbers and location information including the cell tower involved in the communication, details such as date, time, and duration of the communication, billing information of incoming callers and subscriber data in relation to incoming callers).
The commissioner found that network data and incoming call records were personal information, albeit that certain information about incoming callers was expected from disclosure because disclosure would prejudice the privacy of the incoming caller.
The most interesting aspect of the determination was its analysis of “reasonably be ascertained” in the context of network data.
Telstra’s NIO general manager explained to the commissioner that it is possible to extract the data held on various network elements and network management systems spread across Telstra’s mobile network to ascertain a customer’s identity with a good degree of certainty by cross-referencing this metadata with other data held in Telstra’s customer management and subscriber record systems.
The NIO general manager also stated that this type of metadata retrieval is currently undertaken to resolve complaints about connectivity service and performance.
In determining whether such metadata is personal information, the commissioner considered the meaning of “reasonably ascertainable” as “not exceeding the limit prescribed by reason; not excessive”.
He quoted Deputy President Coghlan in WL v La Trobe University (General) that such consideration requires examination of the complexity of the inquiries that would be needed to ascertain the information and the degree of certainty with which possible connections between that information and the individual’s identity could be made.
In that case, a question of whether or not an individual’s identity could reasonably be ascertained from health survey information that had to be extracted from different databases and then cross-matched twice was resolved by determination that this process was complex, but not exceeding reasonable limits or excessive in the context of the circumstances.
The commissioner accepted that network data may be linked to an individual by cross-matching it with other data held by Telstra, albeit that only some information was available at any particular point of time (because much metadata is transient and not retained) and significant manual effort was required to identify and extract all relevant data.
A key factor influencing the commissioner appears to have been that Telstra already had metadata retrieval procedures being used for network assurance purposes and for providing ad hoc assistance to law enforcement agencies and national security bodies, including more unusual law enforcement agency requests that apparently require time-consuming manual processes and inquiries to be made upon multiple databases and cross-matching across databases.
By reference to these existing access examples the commissioner was satisfied that Telstra had the ability to ascertain an individual’s identity from the metadata it holds.
The commissioner accepted that while some metadata may take more time to be retrieved and may require specifically qualified personnel, he found that Telstra has the resources to do so and that the process of ascertainment is not beyond what is reasonable.
There is limited precedent value in the determination (if affirmed following review) because it was based on the former definition of “personal information”.
Since March 12, 2014, the new definition of personal information has applied: information from which an individual is “reasonably identifiable”.
The commissioner has provided guidance in the revised Privacy Business Resource 4, which stated that factors to consider in applying the new definition to determine whether information is persistently and reliably de-identified (and therefore not personal information) include the cost, difficulty, practicality and likelihood of re-identification.
The determination rightly looks at the issue of what is personal information in the context of who is it that holds the personal information, so it is difficult to extrapolate the commissioner’s reasoning for anyone else other than telecommunications providers.
For non-telecommunications providers, the determination may also be of limited value.
This is because the service delivery and billing processes of telecommunications providers are reliant upon inter-linking of multiple operating systems and databases through metadata and the chains or inter-linkages of metadata across multiple systems potentially make cross-matching of information about communications from disparate data sources feasible – albeit often complex, impractical, costly and time-consuming.
Many non-telecommunications providers provide services in multiple silos to disparate customers and do not have similar abilities to cross-match data.
And, of course, they certainly do not have the inconvenient history of providing assistance to law enforcement agencies and national security bodies and therefore the possibility of that history being cited in answer to responses as to infeasibility of provision of access.
The determination does not conclude that all telecommunications metadata is personal information.
It does affirm what we knew already: the question must be determined case-by-case by examination of the complexity of the inquiries needed to ascertain the information and the degree of certainty with which possible connections between that information and the individual’s identity could be made.
The contention is not really whether that is the correct principle.
Rather, it is whether the process of ascertainment of Grubb’s identity involving inquiries from and cross-matching against different network management and records management systems was sufficiently complex, impractical, costly and time-consuming for Grubb’s identity not to “reasonably be ascertained” from information that was clearly non-identifying on its face.
The larger and more complex the organisation and the more disparate and complex its systems, the harder it will be to make that determination.
*Peter Leonard heads Gilbert + Tobin’s Communications, Media and Data Protection team. He was the Communication Alliance’s Communications Ambassador in 2012/13. Althea Carbon is a consultant in Gilbert + Tobin’s TMT + Project Services group.
To view the full article click here