Australian Tribunal Says User's IP Address And URLs Visited Are Not Personal Information
from the too-remote dept
Techdirt has been writing about the question of what constitutes personal information in an online context for over half a decade. A recent decision in Australia, reported by the Guardian, suggests that the matter is far from settled around the world. The case concerns a journalist, Ben Grubb, who has been trying to get his personal data from the mobile phone company he uses, Telstra. Initially, the Australian privacy commissioner ruled that Telstra had failed to comply with local privacy laws when it refused to hand over the data, but that decision was overturned on appeal by an administrative appeals tribunal (AAT) on the following grounds:
In the AAT decision deputy president Stephanie Forgie took a narrow approach to defining personal information. She said that information such as IP and URL data were too remote to be considered personal information.
“That data is no longer about Mr Grubb or the fact that he made a call or sent a message or about the number or address to which he sent it. It is not about the content of the call or the message. The data is all about the way in which Telstra delivers the call or the message. That is not about Mr Grubb,” she wrote.
That ignores just how much information even a single URL reveals about the visitor to the site and page in question. Moreover, putting all those URLs together can create an extremely detailed picture of the person concerned — from things like their general character and beliefs to current concerns. It’s an extension of the incorrect argument trotted out by governments that gathering and storing metadata isn’t as intrusive as retaining content, when exactly the opposite is true. Since metadata is pre-sorted into handy conceptual categories, analysing and aggregating the information is extremely easy, even on a huge scale — just ask the NSA and GCHQ.
However, the Australian privacy commissioner is not taking things lying down:
The privacy commissioner, Timothy Pilgrim, has launched a federal court challenge to a ruling that a journalist was not entitled to access parts of his personal mobile phone data.
The landmark challenge is believed to be the first time the Office of the Australian Information Commissioner has sought to appeal a case before the federal court.
As the Guardian rightly notes, the outcome of the case is likely to have important ramifications for future requests involving personal information under the country’s privacy laws.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: australia, ben grubb, ip addresses, metadata, personal information, urls
Companies: telstra
Comments on “Australian Tribunal Says User's IP Address And URLs Visited Are Not Personal Information”
Holy shit… can someone please rewrite this article to clearly indicate what the fuck the actual issue is? It reads like the problem is getting personal data from a carrier but it’s really about being denied getting your OWN personal data from a carrier and then having some agency say your personal data isn’t “personal”. Or did I miss the entire point? Either way, wtf?
Re: Re:
I’ve changed the relevant sentence.
Re: Re:
If all the urls & calls you made were no longer personal information none of the protections against that data being handed over to anyone who asked would apply.
Would you like people to know you got a call from a doctor then googled HIV treatments?
To thine own self be true.
Time to call upon Stephanie Forgie to provide all of her nonpersonal information, and all of the nonpersonal information of her staff.
Let's take a look at all of the urls and then question why they are being visited, what personal calls are being taken on government time, and all of those meetings that look questionable being set up.
Re: Re:
You know better than that, this is only for the little people, the serfs, the would-be slaves. The elites hold themselves exempt from such petty things.
Re: Re:
In other words, hoist on her own petard.
Piracy
If an IP address isn’t a person for the purposes of suing for piracy, then an IP address can’t then be a person for the purpose of private personal information, can it?
Re: Piracy
Thank you! I logged in to ask this question, but I’m pleased someone else thought of it too.
Re: Piracy
This will probably come out rough, but I’ll see if I can explain the difference.
When an IP address is being used to ‘identify’ piracy, it’s like taking a picture of a license plate without including a picture of the driver in the picture. At most the picture can be used to say that a given license plate was in a given spot at a certain time.
The problem with attaching ‘plates’ to ‘person’ in the case of piracy however is that in this particular example it’s laughably easy to swap out ‘plates’, such that there is no way to tell if the ‘driver’ was the person who is registered as owning a particular set of ‘plates’, and if you’re going to charge someone with a crime, then you absolutely must be able to determine whether or not they are guilty of committing it or if it was done by someone who happened to use their ‘plates’ at the time.
In this case, and similar ones however, it’s more along the lines of someone going to a company that takes the pictures of the plates, and asking for a record of where their plates were recorded as being. It’s possible that some of those records weren’t ‘legitimate’, as someone else might have been using his ‘plates’ at the time, but in general all he’s asking for is a record of where his plates have been, as recorded by the company.
Re: Re: Piracy
If the link between IP and identity (and therefore legal liability) is “laughably” easy to obfuscate such that it shouldn’t be used by a court for establishing guilt/liability, then doesn’t the same logic follow for other reasons? Isn’t it an easy defense to maintain that that IP is NOT tied to your identity?
Re: Re: Re: Piracy
It does kind of sound like having it both ways… Even then I’d side with caution and, perhaps begrudgingly, perhaps not, say it would be personal information.
In the license plate analogy, if the car is yours, you’d be the only person with an actual right to get that information, even if you never drove the car.
Re: Re: Re: Piracy
It’s like the difference between saying ‘Your car was seen speeding’ vs ‘You were seen speeding’. The first isn’t enough grounds to bring legal challenge because it’s not necessarily tied to the person, the second is.
The evidence isn’t accurate enough to meet the legal requirements, even if it can generally be used to track someone’s activities online, assuming they’re not taking steps to disguise their actions as those involved in copyright infringement generally are.
Put another way, IP addresses are accurate enough to track someone’s activities in general, making them personally identifiable, but they’re not accurate and reliable enough on their own to bring legal charges because they can be spoofed.
Telstra is crap
You really shouldn’t use this stupid backward bastard carrier if you live in Australia. They are arrogant, monopoly seeking, asshats that believe all Australians owe them a monopoly. Also they charge a lot of money for equipment my parents and grandparents paid off long before they became a private company. This sort of company should be dead and buried and should not have even been allowed to be made a parasite like the governments have done. Parasitic fucking useless fuck of a company. Piss it off.
Re: Telstra is crap
Telstra: Australian for Comcast.
Re: Telstra is crap
Sounds like this Telstra mob’s got a few galahs in the kingswood. Almost as bad as that drongo who breeds dingoes with hydatids. Maybe the kangaroos in the top paddock have kept the place a sandwich short of a picnic.
Re: Telstra is crap
They also enable phishing. I had a phishing attack initiated via their servers. When I asked them for help tracking down the person responsible, I got no response.
This is a simple matter in the EU.
Data, or any combination of data which, by someone, can be used to uniquely identify a person is considered personal information.
End of story. End of discussion. Contact your MP, get some real privacy laws.
Re: This is a simple matter in the EU.
Simple? Ok so an IP doesn’t classify as personal information in the EU.
You might know which house had the IP at the time but you don’t know if it was the wife, husband, daughter, son or maybe someone who connected via wifi from outdoors who did something. And because you can’t uniquely identify a person it isn’t personal information.
Still simple?
Your IP address is the digital equivalent to your home address and your car. The sites you’ve visited are the digital equivalent to the places you’ve visited. Therefore, tracking what sites you’ve been to is the same as following someone around in your car or putting a GPS tracker on their car.
I thought we decided an IP is not a person? It’s hard to have it both ways.
Glyn?
Is it not true that an IP address is not a person? You can’t have it both ways mate.
Re: Glyn?
IP addresses can’t be used to accurately identify individuals. They generally lead back to the router being used, but that doesn’t necessarily mean anything.
I’m trying to track down a troll who attempted to phish me, so believe me, I know. Nothing that I’ve found in the headers leads anywhere conclusive, but that email has gone all over the world! One of the senders in the list was Telstra, where the troll spoofed an email address on my (unused) domain. That was the last sender before the email ended up in my inbox. Via Mexico and Massachusetts. I’m not even joking…!
So no, Glyn is right. An IP address doesn’t necessarily lead to a person.
Re: Re: Glyn?
Wendy, email headers can be entirely faked from end to end, with only a single entry that might be marginally valid one of the many IPs you will see. That is generally taken care of now by running your spam / phish mailer through TOR or similar “exit portal” sites. Generally it makes email just about entirely untraceable.
Faking headers isn’t the same as an ISP logging its users’ IPs and URLs visited.
By the way, what happened to you is called a “joe job” and is about as old as the internet. Don’t fret it, it’s not much really.
Re: Re: Glyn?
Yup – rather easy to do in email, and now callerId.
Anyone get those calls from yourself?
The IP address isn't the most important part
It’s the URLs.
Let me explain by example. Consider every web site you visited yesterday: your bank, your doctor, your brokerage, TechDirt, the school your kids go to, the EFF, FreeBSD, DuckDuckGo, Weather Channel, etc. Let’s call that set of URLs U(1).
Today you’ll visit U(2). Tomorrow you’ll visit U(3). And so on. There will be considerable overlap between each of these sets, especially if we collect a few hundred of them. We could then construct a set U’ which is given by the set of URLs which appear in at least N of M sets — e.g., URLs which show up in at least 10 of 30 sets, or 25 of 100 sets, or whatever (N, M) we wish to pick.
That set U’ represents the set of sites that you go to often. It may well be unique, or close to unique, out of all possible sets U’ across all Internet users. And you’re going to take U’ with you — that is, if you use a VPN or you travel, you’re still going to visit U’. There is thus a reasonable probability that you can be tracked by computing U’ and then looking for it across the entire proposed database. (This isn’t all that different from tracking people via browser fingerprinting.)
Note that this method may be considerably more effective depending on the definition of URL that’s used. If it’s just the name of the host, e.g., http://www2.example.com, then that yields some information. But if it’s a full URL, e.g., http://www2.example.com/people/fred-flintstone.html, then that may well be much more useful for individualized tracking. It may even identify the person, i.e., it may be their personal “home page” on some web site.
Note also that if this method includes timestamps, that also increases its efficacy for tracking: do you check your stock portfolio at your brokerage every weekday at the same time while you’re having coffee? And, to bring IP addresses back into it, if it includes those as well, then it’s going to be still more effective. (Note that exact IP addresses are very useful, but even knowing the CIDR of the block they reside in is probably enough. This accounts for things like dynamic address allocation by an ISP or business or school.) I wouldn’t be in the least surprised if the combination of all of this information is sufficient to uniquely identify and track most Internet users.
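The N-of-M construction described in the comment above can be written out in a few lines. This is an added example, not part of the original comment; it shows why a privacy review of retained URL logs cannot treat them as anonymous once the IP address is dropped or changes. The host names and log identifiers are constructed, and comparing profiles with Jaccard similarity is an assumption made here, since the comment does not say how two U’ sets would be compared.

```python
from collections import Counter

def frequent_set(daily_sets, n):
    """U': items that appear in at least n of the M daily sets."""
    counts = Counter(item for day in daily_sets for item in set(day))
    return {item for item, c in counts.items() if c >= n}

def jaccard(a, b):
    """Overlap of two sets, from 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if (a or b) else 0.0

def best_match(profile, candidates):
    """Return (label, score) of the candidate profile closest to `profile`."""
    scored = ((label, jaccard(profile, p)) for label, p in candidates.items())
    return max(scored, key=lambda pair: pair[1])

# Constructed sample data: hosts seen per day, keyed by the identifier in the
# log. "ip-A"/"ip-B" are one retention period, "ip-X"/"ip-Y" a later one after
# the addresses changed. No real subscriber data.
COMMON = {"search.example", "weather.example", "news.example"}
PERIOD_1 = {
    "ip-A": [COMMON | {"bank-one.example", "clinic.example", "bsd.example"},
             COMMON | {"bank-one.example", "bsd.example"},
             COMMON | {"bank-one.example", "clinic.example", "school.example"}],
    "ip-B": [COMMON | {"bank-two.example", "recipes.example"},
             COMMON | {"bank-two.example", "recipes.example", "games.example"},
             COMMON | {"bank-two.example", "games.example"}],
}
PERIOD_2 = {
    "ip-X": [COMMON | {"bank-two.example", "recipes.example", "games.example"},
             COMMON | {"bank-two.example", "games.example"},
             COMMON | {"bank-two.example", "recipes.example", "games.example"}],
    "ip-Y": [COMMON | {"bank-one.example", "bsd.example", "clinic.example"},
             COMMON | {"bank-one.example", "clinic.example"},
             COMMON | {"bank-one.example", "bsd.example", "travel.example"}],
}

def link_periods(before, after, n=2):
    """Map each later identifier to the earlier one with the closest U'."""
    old = {label: frequent_set(days, n) for label, days in before.items()}
    return {label: best_match(frequent_set(days, n), old)[0]
            for label, days in after.items()}

if __name__ == "__main__":
    print(link_periods(PERIOD_1, PERIOD_2))
```

Even with three hosts that every profile shares, the handful of distinctive hosts is enough to link the later identifiers back to the earlier ones, which is the commenter's point about U’ travelling with the user.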
Figure out the "IP Address" of the government agencies
Then spoof those IPs to access all sorts of nasty, bad, oh my gosh really bad stuff.
Then watch as the reports are exposed showing that the Government itself loves scat, ISIS, goatse and tubgirl.