Australians can now register for the beta version of Australia Post Digital Mailbox. The service allows mail to be sent to you digitally, to pay bills, and aims to be your go-to storage solution for the business of life, so to speak: Copies of official documents, receipts, and family records, for example.
EFA approves that the policy starts by at least citing and linking to Australian privacy legislation:
The policy requires you to agree to share data as necessary to a very wide range of people, including marketers. However, EFA also approves that it claims, at least, to not sell or rent the information:
The policy also claims that the service will use industry standard SSL and TLS security protections, and the site runs in https by default. These security architectures are used by most e-commerce sites and most users trust them. EFA uses them and we certainly prefer them to more limited schemes. That being said, there are a lot of issues along the SSL/TLS chain that can be compromised, and Australia Post has suffered security lapses in the past:
It is also claimed that the service will be run on Australian servers, but given the news about the new server complex at HMAS Harman, this is not really a cause for comfort:
EFA finds it concerning, then, that the policy requires you to agree to the collection of aggregated data, claiming that it will be de-identified and thus not personal. Aggregation does not necessarily equate with protection if it can be used to aid profiling and other pattern-based surveillance strategies:
EFA is also concerned that the policy does not even make many guarantees about misuse of information beyond stopping spam, an intention to not use its own communications to users as direct marketing, and asking third parties undertake reasonable measures to protect the information from disclosure:
Finally, EFA is concerned that if you want to find out what the service knows about you or change it, you might be charged an access fee or be denied. The policy says that you will be given reasons for the decision, but does not provide any detail:
Your Eggs. Their Basket
Summary: Adequate; Some concerns; Room to improve
- Good: Cites Australian privacy legislation; Won't sell or rent your data.
- Neutral: Industry-standard security.
- Bad: Policy itself opens in a pop-up window that can not be directly accessed; non-online opt out of marketing only; allows for web-beacons; will aggregate data; might charge money or deny you the ability to view/change what they know about you.
We believe that Australians should demand a much higher standard of privacy for entities that are so closely perceived as related to the government, even if they are for-profit. There are few indications that this entity holds itself uniquely accountable based on its central and (usually) trusted part of Australian life.
The new Australia Post Digital Mailboxes may not, yet, deserve our trust. While features and usability are important, if Australia Post really wants to compete against Digital Post Australia, it could win the trust of Australians by working to both market-leading and world-leading privacy and security.
- 20 June 2013: Clarified the precise legal status of Australia Post as a Commonwealth statutory corporation.