​The Grubb appeal and our metadata collection laws

Yesterday, the federal court handed down its decision on a thorny and controversial legal dispute between Telstra, the federal privacy commissioner and former technology journalist Ben Grubb over... I was about to write “his” metadata, but I can’t. The court has deemed that it’s not his or even about him.

Who he spoke to, where he was and which web sites he accessed on his mobile is not to be considered personal information “about Ben”, according to the court ruling.

The federal government has not since sought to make such fiddly distinction about this information when monitoring and processing metadata it requires telcos to collect and store for two years — all under the banner of intelligence, safety and security.

In 2015, the federal government introduced the legislation to enact the controversial telecommunications metadata retention laws. Under the laws, telcos are required to store so-called customer telecommunications “metadata” an ensure it’s available to law enforcement agencies and others for two years. There has never been a genuine definition from the federal government on what constitutes metadata but the law has pushed ahead.

Pre-empting the laws, in 2013, Ben Grubb challenged them in a less than silent nod of support for civil liberties.

Grubb, a tenacious, talented and resourceful young journalist, pre-emptively wanted to test the meaning of metadata under federal law and, in 2013, launched a legal challenge against his carrier Telstra in a groping and highly public exercise to seek out exactly what the term meant.

Grubb lodged an application against Telstra to seek out what metadata information they had collected about his mobile account. Grubb has since retreated from journalism but his case has lingered on in the hands of privacy advocates and the Office of the Australian Information Commissioner (OAIC)

Grubb was brave using his own mobile phone account with Telstra to launch the action under the auspices of the of the then current federal national privacy principles (NPP) which, on the surface, gave him the right to inspect “personal information” that the carrier held about him. (Privately, it appears, he was concerned about the prospect of authoritarian scrutiny on information shared between journalists and sources.)

However, Telstra dug in its heels and the carrier refused Grubb the full extent of the information he requested. He complained to the OAIC and they listened.

The OAIC and its chief Timothy Pilgrim found the carrier to be in breach of its obligations to Grubb but a legal contest was imminent.

The OAIC seemed equally curious as to what information was in scope to be collected under the legal term ‘metadata’ and eventually chose to spearhead Grubb’s case supporting a legal challenge to explore the question. The case eventually advanced to the federal court and other privacy protection organisations petitioned it in sympathy with Grubb under its amicus curiae provisions (friends of the court).

As the OAIC was the primary legal force behind Grubb’s petition, the case has widely been viewed as a test of what can be expected of Australia’s controversial metadata retention laws.

The matter was initially brought before the Administrative Appeals Tribunal (AAT) but, after several rounds of appeal, eventually ended up before three Federal Court judges.

The Judgements, what they mean and why they’re problematic for privacy

There is something extraordinary about the conclusions from evidence that Telstra has given in this case. That’s not to say that the evidence is false. However, it suggests that the probability of sustaining a truly useful metadata collection regime is low at best.

Consider this from the AAT deliberations before the matter reached the federal court:

“The Deputy President (of the AAT) concluded (at [109]) that Telstra’s mobile network data has two essential features: (i) it records transactions between mobile devices and Telstra’s mobile network; and (ii) it establishes, maintains or disconnects connections between mobile devices and the destinations to which they communicate (e.g. another mobile, an internet location or a fixed service telephone). The Deputy President accepted that Telstra does not collect all the network data that is generated and, if it does collect it, it does not generally store the data for more than 30 days. However, the Deputy President concluded that if the data was retained it [may] be possible to identify a Telstra customer by reference to mobile network data together with other data ([111])”.

We can’t put aside the existence of newer systems put in place to keep up with the new laws enacted since the petition was first raised. However, if this part of the judgement is to be accepted, then it casts serious doubt on the efficacy of the federal metadata retention regime’s mission. Let’s set aside the two-year retention period and focus on the use of the word “may” — in its curious brackets within that stanza. It is hard not reach the conclusion that all the carriers (not just Telstra) may have difficulty identifying a ‘person of interest’ easily.

It’s also hard to ignore this from the AAT’s final ruling:

“The Deputy President also concluded that information relating to the IP address allocated to a mobile device which Mr Grubb used was not “about” Mr Grubb ([113]). As she explained, an IP address is not allocated exclusively to a particular mobile device. The IP address might even change frequently in the course of a communication. For that reason, the Deputy President concluded that the connection between the person using a mobile device and an IP address was too ephemeral for the IP address to be ‘about’ the individual”.

Again, the legal force of an IP address for a criminal or civil pursuant appears nullified if it’s chimeric and shifting. Even if Grubb had been using the internet to fund and educate himself to build a Spectre-like doomsday device, it wasn’t about him; according to Telstra they had nothing but points on a bill. And even if it was more than that, it wasn’t about Grubb as Telstra so assiduously argued; the information had nothing to do with anything but their systems. So, why pursue the collection at all, if the evidentiary outcome is zilch?

The legal acrobatics became quite extraordinary in the case. Take this convoluted quote adapted from Justice McHugh’s ruling in Kelly v The Queen [2004] which was intended to inform the case:

“[T]he function of a definition is not to enact substantive law. It is to provide aid in construing the statute. Nothing is more likely to defeat the intention of the legislature than to give a definition a narrow, literal meaning and then use that meaning to negate the evident policy or purpose of a substantive enactment ... [O]nce ... the definition applies, ... the only proper ... course is to read the words of the definition into the substantive enactment and then construe the substantive enactment – in its extended or confined sense – in its context and bearing in mind its purpose and the mischief that it was designed to overcome. To construe the definition before its text has been inserted into the fabric of the substantive enactment invites error as to the meaning of the substantive enactment. ... [T]he true purpose of an interpretation or definition clause [is that it] shortens, but is part of, the text of the substantive enactment to which it applies.”

It might be possible to understand where this argument was going in its context. However, for the purposes of this legal battle, it seems to be baffling or, the very least, reaching in the extreme. Let’s deconstruct it a little.

“[T]he function of a definition is not to enact substantive law.”

Then what purpose does a definition serve, if it has no link to a shared and accepted definition? Substantive law simply means law that has affect ­— don’t kill your neighbour’s donkey and so on. One can pretty much negate away any law if it comes down to a semantic debate about definitions. If laws merely become shared fiction about definitions (which they are in many ways), there is no law worth relying on.

“It is to provide aid in construing the statute. Nothing is more likely to defeat the intention of the legislature than to give a definition a narrow, literal meaning and then use that meaning to negate the evident policy or purpose of a substantive enactment”

Indeed. Let’s try to turn that into plain English:

Definitions of words get in the way of (or “negate” the intention of) legislation if we take the carefully selected words the constitute them at their face value and then seek ‘substantively enact’ them. That is to say, USE them.

And the word Construe. A great word but, in a similar manner, it simply means interpret. Remove bothersome literal meanings and you can start interpreting.

No doubt, in many cases the “spirit” of a law may be lost but those are much more complicated affairs than in this situation. And the further we move from literal meanings and toward “construction” of meaning the further we move from reality. It has to be said to the legislators: write the laws with more precision, stop prevaricating or get out of government. It’s that simple.

... [O]nce ... the definition applies, ... the only proper ... course is to read the words of the definition into the substantive enactment and then construe the substantive enactment

i.e. Once we decide on a definition we like we can bend the law as we like and then move to “substantive enactment” – meaning living by laws we pull from thin air.

The presence of these words alone is more an alarm bell than a smoking gun. Looking further into the ruling there are more troubling consequences. The legal ground that has been laid by the OAIC and its privacy principles has, by ill-design or coincidence, been weak — or, at the very least, stymied.

A cursory reading of the Grubb ruling reveals that it has been easy for Telstra’s lawyers to argue its opponents into oblivion using sophisticated sleight-of-hand and, naturally, that’s is for what Telstra pays them.

The government can know more about us than we are allowed

To be fair, Telstra provided Grubb with an enormous amount of information about his mobile service with them. Grubb received CD-ROMs and printed material that related to his bills and so on. What he wanted and didn’t get was geographic location and web browsing history — the main prize as far as Grubb was concerned.

It should never have been considered a pipe dream on Grubb’s part. Your correspondent once had the opportunity to interview Malcolm Turnbull when he was communications minister, shortly before he became Prime Minister. In the global security climate in which your correspondent interviewed him (which has persisted), there was no doubt that the legislation was intended to give the government’s law enforcement agencies the ability to link internet protocol addresses to individuals somewhat like vehicle number plates are linked to cars and their owners (regardless of the technical differences).

It wasn’t an easy conversation but I was challenging him on the idea of creating a record of sites Australian internet users visited and frequented; a digital paper trail for IP addresses. I asked the then communications minister:

“So how do investigators link the DHCP (a randomly allocated IP address) information to those sites?”

The Prime Minster answered: “Because in the course of police work, surveillance work, from time-to-time law enforcement agencies will become aware of a particular IP address connected with a particular host or computer. And the question is ‘who is behind that?’”

So, it was clear that the government had Australian internet users’ visitation IP destinations in scope for retention, or at the very least to have those records on hand should there be a need to investigate who of us was visiting those sites. By extension, it should now be easier to identify individuals inveigled in (or who appear to be inveigled in) nefarious activity at a national or local level. No-one knows, or can know, if it’s working.

This is what Grubb was seeking and never received. The carrier was, by law, required to retain the information for the federal government under the new metadata retention telecommunications laws.

Telstra fought tooth and nail to ensure Grubb never saw those records. The mystery is as to why it did so. The carriers have never been friends of the metadata laws for recognition of the cost of enforcing them alone.

The only fact that can be construed from the ruling is that your government has been shown a legal path to argue that what you do online is no longer “about you”. It’s hard to imagine the thinking population will accept that.


Join the CSO newsletter!

Error: Please check your email address.

Tags federal governmentfederal courtBen GrubbGrubbmetadataTelstraDeputy PresidentAdministrative Appeals Tribunal (AAT)

More about Administrative Appeals Tribunal

Show Comments

Market Place