Is Metadata A Marketer’s Best Friend Or Possible Worst Enemy?

Corporations are starting to keep a heap of data on all of us. But who owns it, who can access it and what are the implications if you do? Here, ContactAbility managing director, Zoe Catchlove, says a recent Australian court case will have implications for all of us.

Last month Ben Grubb – a Fairfax telco and tech journalist – won a court case against Telstra to obtain access to his metadata[1]. The decision was two years in the making highlighting how important the issue of metadata privacy is. It is safe to say this is not going away and there’s no doubt it will play out in the world of marketing very soon – a good reason for marketers to keep up to speed with it now. In other words, Ben Grubb is just the beginning.

The case in point

This case is not about what information is being collected but rather whether consumers can have access to all their information that’s is collected.

Grubb asked the Privacy Commissioner to agree that the metadata Telstra had on him was “personal information” and that he has a right to access it. After all, law-enforcement and intelligence agencies can access it without a warrant – as can councils and the RSPCA – so why can’t he?

Grubb’s intention in pursing this with Telstra was to show Australians what metadata is and what is being done with it. (For more on Grubb’s perspective watch this video explaining the issue and the case.)

In the time it took Grubbto win the court case he not only gained access to his metadata, he – just as importantly – gained agreement from the Privacy Commissioner that metadata is indeed deemed to be personal information. This is significant because metadata (by its definition) does often not contain a consumer’s name, address or email details.

So, what is metadata exactly?

Essentially metadata is ‘data about data’ in relation to telephone and internet activity. The Australian Attorney General defines it as 1) Information that allows a communication to occur and 2) Information about the parties to the communications.[2]

In Understanding Metadata Guenther and Radebaugh explain that it “assists in resource discovery by allowing resources to be found by relevant criteria, identifying resources, bringing similar resources together, distinguishing dissimilar resources, and giving location information.”[3]

So even though metadata does not show the content of emails, texts, calls and web browsing history it does record a whole lot of other information that can be used to track a person down and reveal their identity. Although not content specific this metadata can be used to identify when, where, for how long and with whom a person is communicating. [4] Needless to say, analogies like ‘metatdata is what’s written on the envelope not the letter’ (as some politicians have stated) shouldn’t be used because they are misleading and downplay the issue of privacy considerably.

The greatest challenge from the Privacy Commissioner’s perspective is to accurately define metadata. In the Grubb/Telstra ruling a consumer’s metadata includes the phone numbers called but not, for example, the numbers of incoming calls to Grubb’s phone as this would be a breach of the caller’s privacy.

Metadata disclosure comes with a challenge

Customers like Ben Grubb (and so many others) view access to their metadata as a personal right. And why shouldn’t they know what information a company holds on them? What’s more, it’s not their problem what the business challenges are in providing it. And oh, there are some challenges. Some identified during this court case were:

1) Ability to provide

Organisations need to figure out ways to efficiently and securely provide customers with their metadata on request. By Telstra’s own admission there appear to be only 120 staff in the entire business that could access all the internal systems (and interrogate them appropriately) that house pieces of an individuals metadata to get the information required. That’s a huge headache for companies – how do they resource these requests when they have, in this case, data spread across 30 different systems?

2) Cost

What technology and human capital are businesses going to need to make this process efficient and cost effective? Government, business and/or consumers will have to pay for the storage and security of release. The Government’s new data retention laws which allow 85 security and policing agencies to access two years of a person’s metadata is predicted to cost $400 million per year. If there were no Government support for this it would cost the customer about $3.98 per year.[5] Some would say this is a small price to pay for reducing crime, others would say it’s far too hefty a price for the potential invasion of privacy.

3) A universal definition

We need to ascertain a universal definition of metadata. For example, is the location of a mobile phone tower that carried a phone call a consumer made their information? Probably not, or is it? It’s likely to be a security risk to the telco at the very least.

Another thing to consider is that technology allows marketers (and their big businesses employers) to collect huge volumes of data from many locations (e.g. Twitter, Facebook, their own database, call centre agents, consumers themselves filling out forms and webpages etc). This of course widens the landscape for personal information requests even further but must be included if a universal definition if to be accurate.

4) Data security

An organisation that deals with big data should consider the impact this case has on their data security. Just because a customer’s name or other identifiers are left off the data it doesn’t mean that someone’s identity cannot be found. Former Deputy Privacy Commissioner for NSW, Anna Johnston warns: “The cautious thing for organisations to do now is to assume that even ‘anonymised’ data meets the definition of ‘personal information’… [and that if data] was lost the organisation could be fined by the Privacy Commissioner if it didn’t take reasonable steps to protect it.”[6]

Every single person who touches a customer’s personal information or has any interaction with a customer should be cautious with what they do with the information they record. The challenge is not only making the data available to share on demand but also ensuring that it is appropriate to store. You can no longer get away with writing ‘painful customer’ in the call notes when someone complains to your customer service team as the customer may read it!

The customer’s perspective

How many customers are like Ben Grubb? How many would like to know what their privacy rights are and what’s being done with their metadata? I’m betting a lot. To start the investigation rolling, however, a customer will immediately come up against one giant hurdle: information overload – unfortunately for them it’s not of the ‘personal metadata’ kind.

A recent study in the US showed that if you read the privacy policies of the top 100 websites it would take 30 days every year to stay up-to-date with them.[7] We’re guessing most people aren’t going to read the policy for every website they visit considering it is estimated we visit just under 90 domains a month.[8] As information and security law specialist Professor Fred Cate put it: “Privacy policies are pretty much useless. You wouldn’t sit down and read Hamlet, you’re not very likely to sit down and read the privacy policy.”[9]

Others with strong views on the subject (like Anthony Bendall, Victoria’s 2012 acting Privacy Commissioner) believe that data retention is “characteristic of a police state” and “is premised on the assumption that all citizens should be monitored”.[10]

You can see why this is such a hot (as in inflammatory!) subject. Hence why I’m encouraging marketers to consider and follow developments closely.

Tap here for a real life (and quite neat) example of how metadata can be used to breach privacy.

Metadata: a Marketer’s friend or foe?

The privacy commissioner is opening the floodgates to many more consumers requesting their metadata by handing down the ruling in favour of Grubb. The Government is also obviously expecting more of these sorts of challenges given they have just given additional funding in the recent budget to help guide the telcos regarding privacy. (See: National Security Funding)

Marketers should study the Australian Privacy Principles carefully. The Principles state that companies must only collect the information they need in order to deliver their services or products. They should not collect information they might need in the future about someone or any ‘nice-to-haves’. This is more important than ever given the result of the Grubb/Telstra case.

The Grubb/Telstra case could be a game-changer for the marketing profession with transparency and security set to have a makeover. Whether marketers like it or not the metadata issue is not going away which is why I suggest self-regulating now.

Here are some questions every marketer should be asking:

• What metadata do we currently have stored on our customers?
• Is there anything we don’t need and could stop collecting?
• How easy is it for customers to access their metadata?
• How can we regulate our metadata privacy practices better?

[1] Wikipedia, Metadata, viewed 29.5.2015

[2] Read: What is ‘metadata’ and should you worry if yours is stored by law? for a comprehensive explanation on what metadata is.

[3] National Information Standards Organization; Rebecca Guenther and Jaqueline Radebaugh (2004). Understanding Metadata (PDF). Bethesda, MD: NISO Press. ISBN 1-880124-62-9. Retrieved 2 April 2014.

[4] ABC News, Privacy Commissioner rules metadata personal, viewed 29.5.2015

[5] SMH, Elise Scott, Senate passes controversial metadata laws, viewed 29.5.2015

[6] SMH, Ben Grubb, Me and my metadata: How I beat Telstra after my 22-month legal battle, viewed 29.5.2015

[7] ABC News, Privacy Commissioner rules metadata personal, viewed 29.5.2015

[8] Credit Loan, How The World Spends Its Time Online, viewed 29.5.2015

[9] ABC News, Privacy Commissioner rules metadata personal, viewed 29.5.2015

[10] SMH, What is metadata and should you worry if yours is stored by law? viewed 29.5.2015