Australian Tribunal Says User's IP Address And URLs Visited Are Not Personal Information

from the too-remote dept

Techdirt has been writing about the question of what constitutes personal information in an online context for over half a decade. A recent decision in Australia, reported by the Guardian, suggests that the matter is far from settled around the world. The case concerns a journalist, Ben Grubb, who has been trying to get his personal data from the mobile phone company he uses, Telstra. Initially, the Australian privacy commissioner ruled that Telstra had failed to comply with local privacy laws when it refused to hand over the data, but that decision was overturned on appeal by an administrative appeals tribunal (AAT) on the following grounds:

In the AAT decision deputy president Stephanie Forgie took a narrow approach to defining personal information. She said that information such as IP and URL data were too remote to be considered personal information.

“That data is no longer about Mr Grubb or the fact that he made a call or sent a message or about the number or address to which he sent it. It is not about the content of the call or the message. The data is all about the way in which Telstra delivers the call or the message. That is not about Mr Grubb,” she wrote.

That ignores just how much information even a single URL reveals about the visitor to the site and page in question. Moreover, putting all those URLs together can create an extremely detailed picture of the person concerned — from things like their general character and beliefs to current concerns. It’s an extension of the incorrect argument trotted out by governments that gathering and storing metadata isn’t as intrusive as retaining content, when exactly the opposite is true. Since metadata is pre-sorted into handy conceptual categories, analysing and aggregating the information is extremely easy, even on a huge scale — just ask the NSA and GCHQ.

However, the Australian privacy commissioner is not taking things lying down:

The privacy commissioner, Timothy Pilgrim, has launched a federal court challenge to a ruling that a journalist was not entitled to access parts of his personal mobile phone data.

The landmark challenge is believed to be the first time the Office of the Australian Information Commissioner has sought to appeal a case before the federal court.

As the Guardian rightly notes, the outcome of the case is likely to have important ramifications for future requests involving personal information under the country’s privacy laws.

Follow me @glynmoody on Twitter or, and +glynmoody on Google+

Filed Under: , , , , ,
Companies: telstra

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Australian Tribunal Says User's IP Address And URLs Visited Are Not Personal Information”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Holy shit… can someone please rewrite this article to clearly indicate what the fuck the actual issue is? It reads like the problem is getting personal data from a carrier but it’s really about being denied getting your OWN personal data from a carrier and then having some agency say your personal data isn’t “personal”. Or did I miss the entire point? Either way, wtf?

That Anonymous Coward (profile) says:

To thine own self be true.

Time to call upon Stephanie Forgie to provide all of her nonpersonal information, and all of the nonpersonal information of her staff.

Lets take a look at all of the urls and then question why they are being visited, what personal calls are being taken on government time, and all of those meetings that look questionable being setup.

That One Guy (profile) says:

Re: Piracy

This will probably come out rough, but I’ll see if I can explain the difference.

When an IP address is being used to ‘identify’ piracy, it’s like taking a picture of a license plate without including a picture of the driver in the picture. At most the picture can be used to say that a given license plate was in a given spot at a certain time.

The problem with attaching ‘plates’ to ‘person’ in the case of piracy however is that in this particular example it’s laughably easy to swap out ‘plates’, such that there is no way to tell if the ‘driver’ was the person who is registered as owning a particular set of ‘plates’, and if you’re going to charge someone with a crime, then you absolutely must be able to determine whether or not they are guilty of committing it or if it was done by someone who happened to use their ‘plates’ at the time.

In this case, and similar ones however, it’s more along the lines of someone going to a company that takes the pictures of the plates, and asking for a record of where their plates were recorded as being. It’s possible that some of those records weren’t ‘legitimate’, as someone else might have been using his ‘plates’ at the time, but in general all he’s asking for is a record of where his plates have been, as recorded by the company.

samoanbiscuit (profile) says:

Re: Re: Piracy

If the link between IP and identity (and therefore legal liability) is “laughably” easy to obfuscate such that it shouldn’t be used by a court for establishing guilt/liability, then doesn’t the same logic follow for other reasons? Isn’t it an easy defense to maintain that that IP is NOT tied to your identity?

Anonymous Coward says:

Re: Re: Re: Piracy

It does kind of sound like having it both ways… Even then I’d side with caution and, perhaps begrudgingly, perhaps not, say it would be personal information.
In the license plate analogy, if the car is yours, you’d be the only person wit an actual right to get that information, even if never drove the car.

That One Guy (profile) says:

Re: Re: Re: Piracy

It’s like the difference between saying ‘Your car was seen speeding’ vs ‘You were seen speeding’. The first isn’t enough grounds to bring legal challenge because it’s not necessarily tied to the person, the second is.

The evidence isn’t accurate enough to meet the legal requirements, even if it can generally be used to track someone’s activities online, assuming they’re not taking steps to disguise their actions as those involved in copyright infringement generally are.

Put another way, IP addresses are accurate enough to track someone’s activities in general, making them personally identifiable, but they’re not accurate and reliable enough on their own to bring legal charges because they can be spoofed.

ponky tonk says:

Telstra is crap

You really shouldnt use this stupid backward bastard carrier if you live in australia. They are arrogant, monopoly seeking, asshats that believe all australians owe them a monopoly. Also they charge a lot of money for equipment my parents and grandparents paid off long before they became a private company. This sort of company should be dead and buried and should not have even been allowed to be made a parasite like the governments have done. parasitic fucking useless fuck of a company. piss it off.

Anonymous Coward says:

Re: This is a simple matter in the EU.

Simple? Ok so an IP doesn’t classify as personal information in the EU.
You might know which house had the IP at the time but you don’t know if it was the wife, husband, daughter, son or maybe someone who connected via wifi from outdoors who did something. And because you can’t uniquely identify a person it isn’t personal information.
Still simple?

Wendy Cockcroft says:

Re: Glyn?

IP addresses can’t be used to accurately identify individuals. They generally lead back to the router being used, but that doesn’t necessarily mean anything.

I’m trying to track down a troll who attempted to phish me, so believe me, I know. Nothing that I’ve found in the headers leads anywhere conclusive, but that email has gone all over the world! One of the senders in the list was Telstra, where the troll spoofed an email address on my (unused) domain. That was the last sender before the email ended up in my inbox. Via Mexico and Massachusetts. I’m not even joking…!

So no, Glyn is right. An IP address doesn’t necessarily lead to a person.

Whatever (profile) says:

Re: Re: Glyn?

Wendy, email headers can be entirely faked from end to end, with only a single entry that might be marginally valid one of the many IPs you will see. That is generally taken care of now by running your spam / phish mailer through TOR or similar “exit portal” sites. Generally it makes email just about entirely untracable.

Faking headers isn’t the same as an ISP logging it’s user’s IPS and URLs visited.

By the way, what happened to you is called a “joe job” and is about as old as the internet. Don’t fret it, it’s not much really.

Rich Kulawiec (profile) says:

The IP address isn't the most important part

It’s the URLs.

Let me explain by example. Consider every web site you visited yesterday: your bank, your doctor, your brokerage, TechDirt, the school your kids go to, the EFF, FreeBSD, DuckDuckGo, Weather Channel, etc. Let’s call that set of URLs U(1).

Today you’ll visit U(2). Tomorrow you’ll visit U(3). And so on. There will be considerable overlap between each of these sets, especially if we collect a few hundred of them. We could then construct a set U’ which is given by the set of URLs which appear in at least N of M sets — e.g., URLs which show up in at least 10 of 30 sets, or 25 of 100 sets, or whatever (N, M) we wish to pick.

That set U’ represents the set of sites that you go to often. It may well be unique, or close to unique, out of all possible sets U’ across all Internet users. And you’re going to take U’ with you — that is, if you use a VPN or you travel, you’re still going to visit U’. There is thus a reasonable probability that you can be tracked by computing U’ and then looking for it across the entire proposed database. (This isn’t all that different from tracking people via browser fingerprinting.)

Note that this method may be considerably more effective depending on the definition of URL that’s used. If it’s just the name of host, e.g.,, then that yields some information. But if it’s a full URL, e.g.,, then that may well be much more useful for individualized tracking. It may even identify the person, i.e., it may be their personal “home page” on some web site.

Note all that if this method includes timestamps, that also increases its efficacy for tracking: do you check your stock portfolio at your brokerage every weekday at the same time while you’re having coffee? And, to bring IP addresses back into it, if it includes those as well, then it’s going to be still more effective. (Note that exact IP addresses are very useful, but even knowing the CIDR of the block they reside in is probably enough. This accounts for things like dynamic address allocation by an ISP or business or school.) I wouldn’t be in the least surprised if the combination of all of this information is sufficient to uniquely identify and track most Internet users.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...