The David vs. Goliath metadata battle

Fairfax journalist Ben Grubb recently managed to win a two-year tussle with Telstra, without the need to deploy an army of lawyers, to gain access to the metadata collected on him by the telco. That's no mean feat given the serious muscle Telstra has at its disposal to ensure it gets its way with most things.

This time the Privacy Commission has stepped up to the plate, helping Grubb get his metadata, and it's a shining light amidst the heavy-handed anti-privacy policies that are being introduced by the Abbott government, as well as the often blatant collection of private data by internet companies.

The Privacy Commission may have been steamrollered by the government in recent years but this victory, albeit limited in scale, reinvigorates public trust in the body.

Now there are many issues connected to this, a key one being cost; and Telstra is perfectly justified in raising the issue. However, the response from the telco body Communications Alliance, which has labelled the decision a case of regulatory overreach, merits closer scrutiny.

Isn't the balance, as it stands, egregiously tipped in the other direction? Surely the fact that the majority of Australians have great concerns regarding their privacy should count for something?

Australians are concerned about privacy

Consumers are deeply concerned about all aspects of security and privacy. More than 61% of Australians worry about what information organisations can access about their digital behaviour and a similar number (65%) are concerned about what personal data organisations can access when interacting with them online.

The clearest evidence of the need for government action is that an overwhelming 80% of Australians want government to step in and compel organisations to be more transparent. Government agencies need to prepare for expanded definitions of metadata, creating new data storage requirements and the potential to further raise citizens’ awareness of privacy issues. For example, as smartcard technology takes over from ticketing in public transit, transport authorities may find themselves responsible for storing metadata from journeys.

All agencies need to consider what data they should be protecting. In education, public schools are moving to digital administration, requiring new cyber security controls. With permission forms, student data and parent correspondence going online, hackers have the potential to build frighteningly detailed profiles of children, including their hobbies, parental details and where they live.

(Source: Ernst and Young’s Digital Australia: The State of the Nation report, 2015)

By all means let us address the costs as Telstra suggests, and let’s have a good look of what should in fact be made available to the people whom this information is all about.

The word ‘about’ is critical here. It's not just your name birthday, etc, but with telephone numbers and internet addresses there is now also a lot of information that can be linked to you – information that is ‘about’ you.

This ruling from the Privacy Commission gives us for the first time the opportunity to have a real discussion on the issue from the individual person’s point of view rather than from that of the spy agents or the commercial data collectors.

I think that in general the privacy issue is something that most individual people will be able to live with as long as they feel they can trust the systems that are being used to protect their privacy. This trust doesn’t exist, partly because of the stumbling and stuttering that has taken place within the debate up until now – nobody is confident that the government actually knows what it is doing.

The haste with which legislation has been generated also shows that it doesn’t want the debate.

Meanwhile, the way the Googles, Facebooks and Amazons of this world are using our personal data is something most people are not happy with.

As we have been saying for over a decade, in most situations access to private data should be ‘permission-based’. This should be done in such a way that is not a black or white option – accept this app on our conditions or you don’t have access to it. The onus should be on the operator to convince the client to make that data available.

The ‘about’ data is certainly more complex, but let’s have a proper discussion about it and not rush it into legislation without any transparency. It was good to see that Telstra recognised the need for transparency – on this occasion we have a unique opportunity to conduct a proper debate on the issue.

Both the government and the industry have done a very poor job of discussing the privacy issues with their citizens and customers. Data analytics is becoming more and more important and it is in the interest of both the government and the industry to get privacy right and to address the concerns that are clearly present within the community far more seriously.

As I pointed out in a recent blog the lack of trust is undermining the digital economy and this is not good thing at all.

While the leading internet companies have updated their privacy policies over recent years, they also have made a poor job of engaging with their customers on these issues. Despite the good work they have done most customers will not trust them in relation to privacy matters, so it is also in their interest to do much more.

As is clear in Europe, unless they are taking this more seriously it is extremely likely that governments will indeed step in with heavy-handed regulations. As in the case of CommsAlliance, all of this is avoidable if the industry starts taking the privacy issue seriously; and hopefully the Ben Grubb case will contribute to making that happen.

This is an edited version of a post originally published on March 11. Paul Budde is the managing director of BuddeComm, an independent telecommunications research and consultancy company, which includes 45 national and international researchers in 15 countries.