28 July 2000
Inquiry into e-Privacy
Below is a copy of EFA's submission to the Senate Select Committee on Information Technologies' inquiry.
- Web Bugs (aka Clear GIFS, aka 1 x 1 GIFS)
- HTTP Technology
- Web Browser Settings
- Other Software Programs
5. Self-defence mechanisms for consumers
- Disabling Mechanisms
- Digital Signatures
7. Comments on the adequacy of the proposed Privacy Amendment Bill
- Direct Marketing and E-mail Spam
- Other problems with the Privacy Principles
- Exception and Exemptions
- Enforcement Issues
9. Lessons from other countries
Appendix A - Report on Online Profiling Network Advertising Initiative: Principles not Privacy by Electronic Privacy Information Centre and Junkbusters, 28 July 2000
1. Executive Summary
EFA welcomes the committee's interest in the matter of electronic privacy.
EFA supports in principle the introduction of a co-regulatory scheme to provide privacy protection for Australians in relation to the activities of the public and private sectors under Australian jurisdiction.
The Internet of its very nature is a surveillance-enabled technology. Unscrupulous organisations can and do exploit the technology to collect private information and consumer profiles without the knowledge or permission of the user.
It must be recognised that the Australian government can do little by way of statutory measures to protect consumers from privacy-invasive practices originating from other jurisdictions. There are a range of self-defence measures that consumers can consider, but most Internet users are unaware of the tools available.
The government should consider further high-level agreements between consumer protection bodies, such as that recently signed between the ACCC and the US Federal Trade Commission (FTC).
EFA strongly recommends that the Committee should endeavour to include its report on this inquiry in the context of the Senate's consideration of the Privacy Amendment (Private Sector) Bill 2000 ("the Bill").
EFA is unable to support the Bill in its current form, because the Bill contains too many exemptions and exceptions and fails to come to grips with consumer privacy needs in the 21st century.
The exception to the Privacy Principles in the Bill in relation to direct marketing is contrary to international developments and effectively legitimizes the practice of "spamming" (the sending of unsolicited E-mail advertising) on the Internet.
The exemption for small business is unjustified and will introduce a confusing and complex regulatory environment that fails to protect consumers from privacy invasive practices. The confusion that will result from this exemption will hamper attempts by E-commerce vendors to attract overseas customers.
The exemptions for media organisations and political parties are far too broad and have not been justified. The definition of media organisation could well include almost every existing website.
The exemption for pre-existing data is unacceptable. A transition period should be provided for existing data uses to comply with the new legislation.
Enforcement provisions in the Bill are inadequate.
Instead of empowering individuals to exercise their right to privacy of personal data, the Bill confers on certain business interests the right to invade individual privacy.
The Bill is at best a token attempt to introduce privacy legislation.
It is complex, unwieldy, ineffective and an insult to the citizens of Australia. The Bill needs to be re-drafted, preferably as a replacement for, rather than an amendment to, the Privacy Act 1988. By so doing, Australia could establish a reputation for strong privacy protection and therefore take a leading position in global electronic commerce.
"Solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury....
The common law has always recognized a man's house as his castle, impregnable, often even to its own officers engaged in the execution of its commands. Shall the courts thus close the front entrance to constituted authority, and open wide the back door to idle or prurient curiosity?"
Harvard Law Review 4 193 (1890)
Electronic Frontiers Australia Inc. ("EFA") is a non-profit national organisation formed to protect and promote the civil liberties of users and operators of computer based communications systems. EFA was formed in January 1994 and incorporated under South Australian law in May 1994.
Our major goals are to advocate the amendment of laws and regulations in Australia and elsewhere (both current and proposed) which restrict free speech and unfettered access to information and to educate the community at large about the social, political and civil liberties issues involved in the use of computer based communications systems. EFA is independent of government and commerce and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting civil liberties.
EFA has a particular interest in privacy protection for Internet users and our comments relating to this inquiry will therefore largely focus on matters that may impact in the online area. However, we recognise that electronic privacy issues pervade many other aspects of life, and we will therefore briefly comment on other relevant aspects.
EFA generally believes that government regulation should be a measure of last resort, particularly when it comes to regulation of new technologies such as the Internet. We are of the view that existing law can be applied to most problems that arise in the new information economy. We put this view particularly strongly in opposing the government's move to censor the Internet through the Broadcasting Services Act amendment of 1999. The government failed to listen and the result was a bizarre piece of legislation that is all but unenforceable, that has failed to meet its objectives, and that has embarrassed Australia internationally. The Australian government has recently moved to enshrine privacy protection in legislation covering the private sector through the Privacy Amendment (Private Sector) Bill 2000. While EFA supports the stated intent of this Bill, we believe that it falls a long way short of what is needed, primarily because the exceptions and exemptions in the Bill effectively eliminate any real outcomes for genuine privacy protection for Australians. Privacy and security are the major issues affecting consumer confidence in electronic commerce, and if the proposed Bill is allowed to pass without major amendment, Australia may as well give up any hope of being a leading player in the information economy.
When it comes to privacy legislation, EFA is of the view that this is a legislative backwater that has been ignored in Australia for too long. We support a co-regulatory approach to privacy legislation, with approved privacy codes backed up by legal sanctions.
However, we consider that the current Bill fails to meet the standards of international best practice that have been established by other countries that have already legislated in this area, such as New Zealand, Canada, the UK and Hong Kong. Furthermore, we are of the view that the Australian legislation in its current form will fail to meet the requirements of the European Union Directive on Data Protection and therefore threaten to prevent Australian industry from fully participating in the emerging information economy.
Privacy has been defined as the right to be left alone. Unfortunately this simple principle has been largely overlooked in the current Bill. Australians generally deplore being overwhelmed with junk mail, telemarketing calls, unsolicited E-mail and an arrogant and intrusive media. As citizens we are nervous about giving out information about ourselves lest it be used for purposes that we did not approve.
Privacy concerns are consistently raised as amongst the top reasons why Internet users are reluctant to make purchases on the Internet. If Australia is to be a successful E-commerce player, it will have to convince the rest of the world that privacy is taken seriously and that effective sanctions are in place against offenders.
3. Surreptitious collection technologies
a. Cookies
A cookie contains information sent by a web site server to a user's web browser at the same time as it sends a web page. Sites using cookies generally send a Set-Cookie header as part of the "header information" of a web page. The information received is not displayed to the user but is recorded by the user's web browser (usually stored on the user's computer unless the user knows of, and has taken steps to prevent, this). During future visits to the site, the user's web browser sends the previously stored information to the web site along with the request for a web page.
Generally cookies contain a code or other data used to uniquely identify the user's computer, enabling the site to track and profile that user's activities on their site and/or other sites.
While it is often claimed that cookies only contain and pass non personally identifying information (non-PII) this is not necessarily the case. Moreover, while the cookie itself may not contain personally identifying information, the web site may know the identity of the user whose browser sends the cookie. For example:
- A web site that collects users' names or email addresses from online inquiries, registration, sales, etc. is readily able to connect personally identifying information (name, email address, etc) to a cookie sent by the user's browser and to other information obtained about the user.
- With the increasing use of HTML-enabled email programs (such as Microsoft Outlook, those included in Web browser packages, etc) a cookie can be set when a user reads an email message or accesses a page mentioned in the email message. The sender of the email message can include personally identifying information about the recipient in data hidden in the email message. When the message is read, a cookie can be set and the site receives details of the identity of the person associated with that cookie, since they know to whom the message was sent.
b. Web Bugs (aka Clear GIFS, aka 1 x 1 GIFS)
A Web Bug is a tiny graphic included in a web page or in an email message that is used to identify who, or how many people, are reading the material. Web Bugs are usually invisible to a user since they are generally only 1 pixel wide by 1 pixel high (smaller than the size of a full stop) and are clear images (have no visible content). They are placed in IMG tags in the underlying HTML code of web pages and HTML-enabled email messages.
When a Web Bug is viewed, the following information is sent to the web server:
- The IP address of the computer that fetched the Web Bug
- The URL of the page that the Web Bug is located on
- The URL of the Web Bug image
- The time the Web Bug was viewed
- The type of browser that fetched the Web Bug image
- A previously set cookie value
Web Bugs on Web Pages
When a Web Bug is included in a web page, it can be used, for example:
- by advertising networks to compile information about sites a user visits. Advertising networks place their Web Bugs in the web pages of other companies and organisations, thus enabling them to record which sites and pages a user visits and add that information to their personal profile about the user. Some or all of this information may be provided to the web sites who provide the pages viewed, or used by the advertising network to determine what banner advert/s are displayed to a particular user.
- to provide an independent accounting of how many people have visited a particular Web page
- to compile statistics about which Web browsers are being used on particular sites on the Internet.
Web Bugs in HTML-enabled email messages
When a Web Bug is included in an email message, it can be used to find out, for example:
- whether a particular email message has been read by someone and if so, when the message was read. Since the sender knows the recipient's email address, they can include recipient details in the Web Bug, enabling them to know whether a particular recipient read the message
- the IP address of the recipient if the recipient is attempting to remain anonymous
- within an organisation, how often a message is being forwarded on and read.
- the identity of people who visit a site advertised in the email message at a later date. This can be achieved by synchronising a Web browser cookie to a particular email address.
- the number of people who view the same email message in a marketing campaign
- whether someone viewed a junk email message or not. This may be used in deciding which email addresses to keep on a junk mailing list.
For further information about Web Bugs, visit Richard M. Smith's pages: "The Web Bug FAQ" <http://www.tiac.net/users/smiths/privacy/wbfaq.htm> and the "Web Bug search page" <http://www.tiac.net/users/smiths/privacy/wbfind.htm>
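As an added example (not code from the EFA submission or from Richard M. Smith's pages), the following Python script applies the submission's own description of a Web Bug to scan a web page or HTML-enabled email: an IMG that is 1 pixel square, that is fetched from a host other than the one that sent the page, or whose URL carries data that can identify the reader. The sample message and all host names in it are constructed.

```python
"""Scan HTML (a web page or an HTML-enabled email) for likely Web Bugs.

Added example, not code from the EFA submission.  The heuristics follow the
submission's description: a Web Bug is an IMG that is 1 x 1 pixel, is fetched
from a server other than the one that sent the page, and whose URL may carry
data identifying the reader (for email, the recipient).  All host names and
the sample message below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every IMG tag in the document."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({name.lower(): (value or "") for name, value in attrs})


def _pixels(attrs, name):
    """Return width= or height= as an int, or None if absent or not numeric."""
    value = attrs.get(name, "").strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return int(value) if value.isdigit() else None


def _is_tiny(attrs):
    """A 1 x 1 (or 0 x 0) image is invisible to the reader."""
    width, height = _pixels(attrs, "width"), _pixels(attrs, "height")
    return width is not None and height is not None and width <= 1 and height <= 1


def _is_third_party(host, first_party_host):
    """True when the image is served by a host outside the sender's domain."""
    return bool(host) and host != first_party_host and not host.endswith("." + first_party_host)


def _identifiers(url):
    """Query-string values that could single out a reader: an e-mail address
    or any opaque token of 8+ characters (account ids, recipient codes)."""
    found = {}
    for key, values in parse_qs(urlparse(url).query, keep_blank_values=True).items():
        for value in values:
            if "@" in value or len(value) >= 8:
                found[key] = value
    return found


def find_web_bugs(html, first_party_host):
    """Return one finding per IMG that looks like a Web Bug.

    An image is reported when it is invisible (1 x 1), or when it comes from a
    third-party host *and* its URL carries a possible reader identifier.
    """
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.imgs:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        tiny = _is_tiny(attrs)
        third_party = _is_third_party(host, first_party_host.lower())
        ids = _identifiers(src)
        if tiny or (third_party and ids):
            findings.append({
                "src": src,
                "host": host,
                "invisible": tiny,
                "third_party": third_party,
                "identifiers": ids,
            })
    return findings


# Constructed HTML email: a visible logo, a 1 x 1 tracking image whose URL
# encodes the recipient's address, and an ordinary (visible) third-party banner.
SAMPLE_EMAIL_HTML = """
<html><body>
<img src="http://www.example-shop.test/logo.gif" width="120" height="40" alt="Example Shop">
<p>Our winter catalogue is out!</p>
<img src="http://ads.tracker-network.test/bug.gif?rcpt=jane.citizen%40example.test&amp;camp=1234"
     width="1" height="1" alt="">
<img src="http://ads.tracker-network.test/banner.gif?camp=1234" width="468" height="60">
</body></html>
"""

if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE_EMAIL_HTML, "www.example-shop.test"):
        print(finding)
```

Only the invisible image is reported: the banner is third-party but its short campaign code alone does not single out a reader, and the logo is served by the sender itself.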
c. HTTP Technology
Each time a user requests a web page, their web browser may automatically send a range of information to the web site without the knowledge of the user. This function is part of the HTTP protocol; the technology that enables web pages to be transported between users and a web server:
- the "Remote Address" and "Remote host" variables provide information about the user's location and may indicate where the user lives and/or works. "Remote Address" is a number in the form 000.000.000.000 which may be used to identify the user's ISP or place of work, and "Remote host" is a domain name or number, for example ---.aph.gov.au.
- The "HTTP From" and "REMOTE_USER" variables may pass on the user's email address or other indications of their identity.
- The "HTTP Referrer" discloses the web page the user was viewing before accessing the current page, that is, the page that contained the URL clicked on to reach the current page.
- If the prior page was a search engine, the entire search query typed by the user is generally passed on to the web server of the page the user clicks on. (Also, where the prior page was a banner advertisement, the URL of the advertisement clicked on may contain coded data used to target specific advertisements at the user.)
- If the URL clicked on was contained in a user's private file, the file name is passed on to the web site. In cases where the file is an email message being viewed in the user's email program, the information passed on may contain indications of the user's name or email address and the email program they are using. Information about the structure of the user's file space, file directory names for example, may also be passed on.
- The "User Agent" variable discloses to web sites information about the software and hardware being used, such as browser name (Netscape, Microsoft IE etc) and operating system (Windows version, Unix, etc).
- The "REMOTE_IDENT" variable may disclose the identity of the user. This depends on whether or not the user's ISP has disabled this function. A considerable number of ISPs disable this.
For further information, visit Junkbusters "Alert on Web Privacy" <http://www.junkbusters.com/cgi-bin/privacy>.
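The following Python script is an added example, not code from the submission or from Junkbusters' test page: it parses a raw HTTP/1.0 request and reports what the variables listed above disclose to the server, including the search query or local file path recoverable from the Referer header (the "HTTP Referrer" above). Host names, cookie values, the search parameter list and both sample requests are constructed; the reverse-DNS "Remote host" name is passed in rather than looked up.

```python
"""What a web server learns from a single page request.

Added example, not code from the EFA submission.  It parses a raw HTTP/1.0
request (constructed below) and lists the items the submission describes:
the remote address and host, the User-Agent, the From header, any cookie
previously set, and the Referer, from which a search query or a local file
path is recovered when the previous "page" was a search engine or a file on
the user's own disk.  All host names and both sample requests are constructed.
"""
from urllib.parse import parse_qs, unquote, urlparse

# Query parameter names used by search engines for the typed query.  This is
# an assumed list for the example; extend it for the engines you see.
SEARCH_QUERY_PARAMS = ("q", "query", "p", "search")


def parse_request(raw):
    """Split a raw HTTP request into its request line and a header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def _parse_cookie_header(value):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}: the values a site set on earlier visits."""
    cookies = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def disclosure_report(raw_request, remote_addr, remote_host=None):
    """Return a dict of everything this request discloses about the user.

    remote_addr / remote_host come from the TCP connection and reverse DNS,
    not from the request itself, so the caller supplies them.
    """
    headers = parse_request(raw_request)["headers"]
    report = {"remote_addr": remote_addr, "remote_host": remote_host}
    if "user-agent" in headers:              # browser and operating system
        report["software"] = headers["user-agent"]
    if "from" in headers:                    # the old HTTP_FROM variable
        report["email_address"] = headers["from"]
    if "cookie" in headers:                  # identifier set on a previous visit
        report["cookies"] = _parse_cookie_header(headers["cookie"])
    referer = headers.get("referer")
    if referer:
        report["previous_page"] = referer
        parsed = urlparse(referer)
        if parsed.scheme == "file":
            # Link clicked in a local file (a saved or HTML email): the path
            # names directories on the user's own machine.
            report["local_file_path"] = unquote(parsed.path)
        else:
            # Link clicked on a search-results page: the typed query travels too.
            query = parse_qs(parsed.query)
            for key in SEARCH_QUERY_PARAMS:
                if key in query:
                    report["search_query"] = query[key][0]
                    break
    return report


# Constructed request: the user arrived from a search engine and carries a cookie.
SAMPLE_REQUEST_FROM_SEARCH = (
    "GET /products/flights.html HTTP/1.0\r\n"
    "Host: www.example-travel.test\r\n"
    "User-Agent: Mozilla/4.7 [en] (Win98; I)\r\n"
    "Referer: http://search.example.test/cgi-bin/query?q=cheap+flights+brisbane\r\n"
    "Cookie: uid=A1B2C3D4E5; lastvisit=20000726\r\n"
    "\r\n"
)

# Constructed request: the link was clicked inside an email saved on disk, and
# the browser is configured to send the user's address in the From header.
SAMPLE_REQUEST_FROM_LOCAL_FILE = (
    "GET /specials.html HTTP/1.0\r\n"
    "Host: www.example-travel.test\r\n"
    "From: jane.citizen@example.test\r\n"
    "User-Agent: Mozilla/4.7 [en] (Win98; I)\r\n"
    "Referer: file:///C:/Mail/jane.citizen/Inbox/newsletter-july.htm\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST_FROM_SEARCH, SAMPLE_REQUEST_FROM_LOCAL_FILE):
        print(disclosure_report(raw, "203.0.113.45", "dialup-45.isp.example.test"))
```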
d. Web Browser Settings
Options in various web browsers (depending on how they are set) that may enable information about the user to be obtained by web sites include:
- Send email address as anonymous FTP password
- Enable Autoinstall
- The What's Related feature
- Enable page hit counting
e. Other Software Programs
4. Types of Data Being Collected
Internet technologies enable the collection of information about individual Internet user's behaviour across thousands of web sites. Personal profiles about them, including their habits and interests, are being compiled surreptitiously and in many cases without users being aware that this is even possible.
While it is generally believed that these profiles are used for the purpose of targeting banner advertisements at Internet users, a far more disturbing aspect is that detailed profiles about consumers may make them more susceptible to discriminatory business practices such as redlining - the practice of placing particular customers at the end of a priority queue, or simply not dealing with them at all. As reported in "Weblining" in Business Week, 3 April 2000:
"Old-style redlining is unacceptable because it is based on geographic stereotypes, not concrete evidence that specific individuals are poor credit risks. Webliners may claim to have more evidence against the people they snub. But their classifications could also be based on irrelevant profiling data that marketing companies and others collect on the Web. How important to your mortgage status, say, is your taste in paperbacks, political discussion groups, or clothing? Yet all these far-flung threads are getting sewn into online profiles, where they are increasingly intertwined with data on your health, your education loans, and your credit history."
Demographic data and behaviour/interests data
Some months ago, Acxiom's compilation of massive databases about Australian citizens was widely reported. The Business Week article of April 2000 reported on the type of data Acxiom and other companies collect about consumers:
"...if you peek into the machinery of personalization, you may not like everything you see. Here's how personal it's getting on the Net: Data broker Acxiom offers a new service called InfoBase Ethnicity System, described in a 1999 marketing catalog as a 'broad and precise breakdown of ethnic, religious, and minority classifications.' The service can, in seconds, match names against housing, income, education, and other demographic data--and identify individual or group ethnicity, designated by 'B' for black, 'J' for Jewish, 'W' for white, 'N' for 'Nipponese' (meaning Japanese), and so on. Prices for blocks of such information start at $1,500. You can request the full names, addresses, and ages of pre-school children, or 'select parents and children by age, gender, and declared religious affiliation.' If you have a product you would like to target to 'full-figured African American women,' as the catalog puts it, you can get it from Acxiom--which serves a cross-section of companies from Lands' End to Conseco Insurance.
...This spring, the company plans to move all this information into a new Net-enabled service--AbiliTec--that helps companies consolidate the information they have collected about customers and, for an extra fee, combine it with details from the data mother lode, called Acxiom Data Network. ADN, in turn, has been integrated into popular Web software programs from the likes of E.piphany, which make Acxiom's information instantly available to many more companies."
Another profiling organisation, Engage Technologies, states that they have a database "containing over 70 million Non-PII interest profiles". According to Engage, they compile profiles by converting "clickstream logs from participating sites across the World Wide Web into actionable, anonymous user profiles", and their profiling uses the following Top-Level Behavioral Categories:
- Major Life Events
- Hobbies & Leisure Activities
- Children and Family
- Food and Wine
- Health and Fitness
- Home and Garden
- Money and Finance
- Social and Community Activities
While Engage Technologies state quite clearly that they respect Internet users' privacy and therefore provide only anonymous profiles, it seems clear from other Engage Technologies' statements that this is a matter of the company's present choice rather than technological ability. They state, for example, that participating sites are "prohibited from using the profile to derive personally identifiable information; combine the profile with other information; or resell or transfer a profile to a third party" and that they use a "unique 'double-blind' technology" to assign a unique numerical identifier to each user. (It should be noted that for some usage of profiles, it is irrelevant whether the web site knows the actual identity of the user.)
Company assurances as to Internet users' privacy cannot, however, be regarded as adequate in ensuring privacy. There is no guarantee a company will not change its mind, as has been demonstrated by the cases of, for example, Toysmart.com and DoubleClick. For further information, see Business Self Regulation Failures.
For further information on the activities of online profilers, see the report by the Electronic Privacy Information Centre and Junkbusters, issued on 28 July 2000:
- Network Advertising Initiative: Principles not Privacy
"A report that assesses past events surrounding Internet advertisers, analyzes the recent self-regulatory guidelines approved by the Federal Trade Commission (FTC), and proposes solutions that will provide for the adequate protection of online privacy."
A copy of the report is attached at Appendix A.
Aggregated Health Data
One example of the risks to consumers of data aggregation and intrusive use of data gathered by linking databases is in the area of health information stored by significant databases such as those compiled by pharmacists, medical practitioners, hospitals, health insurance companies and Government. There are strong arguments for widespread data aggregation in terms of reducing incidence of misdiagnosis, abuse of pharmaceutical benefits, malingering and other wastage of health services or fraud against insurance companies. However, such aggregated data has a high commercial value and any organisation with access to such an aggregated database has information concerning the patient of unprecedented completeness, well beyond the purposes for which each database was compiled.
Just as the Crimenet site has made available to the general public information about criminal convictions, a law report site could similarly make available to the public information such as personal injury cases for audiences ranging from health services to criminals. In a hyper-linked Internet, aggregation of data for profiling is a natural consequence of unique personal identifiers, and the ramifications of aggregation of personal data through the online environment have not been considered. Because a database, or the personal identifier, does not cause undue breaches of privacy in the offline environment is no guarantee that abuses will not escalate with data-matching between databases; or with online access to aggregated data presently available only by physical examination at each place of storage. If Medicare numbers and purchases from pharmacies are matched, it is only a matter of time before drug companies and others harvest commercial information and statistics from this aggregated database.
Without adequate safeguards against unauthorised access to the aggregated data, and specific guidelines for the range and detail of data that can be accessed by diverse (often competing) stakeholders, there is an enduring danger that patient data can be:
(a) Used to perpetuate errors across a number of important databases;
(b) Used for determination of critical decisions, such as access to health services;
(c) Published outside protected environments, to the detriment of the patient; or
(d) Used for commercial purposes without "opt-in" by the patient.
When coupled with biometric information, such as fingerprint, DNA or comprehensive medical profile, a health card has the capacity to be the ultimate identity card. Most Australians would regard the compulsory carrying of an internal passport to be an extreme political solution to health services costs, and the expense needed to make a "smart card" secure against identity theft and forgery would be a staggering misuse of health funding. The Committee is urged to note that patient information is uniquely sensitive, and attempts to aggregate this information for use by diverse clients should be strictly controlled to preserve individual privacy.
It is recommended that the Committee obtain a detailed report from the National Online Health Summit (meeting in Adelaide on August 3rd and 4th, 2000) regarding current policy development in this area with a view to opening up for public debate the amount and detail of patient data to be aggregated.
5. Self-defence mechanisms for consumers
a. Disabling Mechanisms
While the technologically-facilitated threats to Internet users' privacy are quite daunting, there are some technical steps that users may take to protect themselves to a degree.
These options are undermined however by the increasing prevalence of sites requiring users, for example, to permit storing of cookies on their computers as a condition of access. The search facility on the Australian Federal Parliamentary web site <http://search.aph.gov.au> provides an example of this type of disregard for users' privacy. If users disable cookies in their web browsers, they are advised "Your browser must be set to accept cookies." The page presenting this statement (and the site in general) provides no indication of why cookies are necessary, nor how information collected is used, nor a privacy statement. For a comparison with the standards set by other Federal governments relative to their sites, see section Lessons from Other Countries.
Information on how to disable various privacy invading technologies is available from Junkbusters at <http://www.junkbusters.com/ht/en/cookies.html>. This information includes:
- How to disable cookies
- How to disable other privacy-invading features
- Other things you can do to protect your privacy on the Web
Junkbusters also provides two tests that enable users to know what information is being disclosed about them as they surf the Web:
- Check on data disclosed in HTTP headers <http://www.junkbusters.com/cgi-bin/privacy>
- Check on Remote Ident Variable <http://ident.junkbusters.com/>
b. Digital Signatures
The Committee has raised the question of Digital Signatures as a possible privacy-enhancing tool. Digital Signatures provide a mechanism by which individuals and corporations can authenticate their identity, but EFA does not see any particular scope for their use as a privacy-enhancing mechanism. In fact, they raise more privacy questions than they solve.
A privacy issue has attracted media attention quite recently (June 2000) through the plans by the ATO to sell details of ABN holders to private interests. What does not seem to have been recognised is that the GST digital certificate scheme involves unincorporated business enterprises. Privacy concerns arise because such enterprises are indistinguishable from the individuals who operate them.
It is of some concern that a privacy scare should arise within the ambit of the very same process (ABN issuance) that is intended to be the fundamental identifier in the ABN Digital Signature Certificate (ABN-DSC) scheme, intended to be introduced in 2001.
Concerns have been expressed that the ABN-DSC scheme has similarly failed so far to identify the potential privacy problems. Greenleaf and Clarke identified a number of privacy-invasive issues associated with the use of digital signatures, including:
- the key generation process. It is essential that the key generation process is undertaken entirely under the control of the individual concerned. One potential but no longer operational CA, Keypost, insisted on generating the key pairs, a process that provides scope for the applicant to be impersonated.
- the manner in which private keys are stored, and are backed-up, and in which backup copies are stored.
- proposals for private key escrow
- the potential for wrongful revocation
- public key issues associated with near-mandatory participation through public registers (of which the ABN is a pertinent example)
- certification identification requirements
- secondary use of certificate data (as has occurred with ABN registry)
- expectations of identification and the absence of an ability to conduct anonymous transactions (as occurs with many cash purchases).
- the use of digital signatures, and the infrastructure that surrounds them, as a pervasive surveillance mechanism.
Sophisticated cryptographic software is readily available now to virtually anyone who wants it, and often at little or no cost. Much of this software is also extremely powerful -- to the point where it would be difficult, time consuming and expensive for many governments or their defence agencies to 'break' this encryption and decrypt messages coded with it.
The wide availability of strong cryptography has meant that individuals can now control their own communications privacy if they so desire. In response, governments in many countries, including Australia, have attempted to control access to strong cryptography, claiming that restrictions are necessary to prevent criminals from using these tools.
In 1996, the government made substantial steps towards developing a policy on the use of cryptography in Australia. A report was commissioned from Mr Gerard Walsh, a former deputy head of the Australian Security Intelligence Organisation (ASIO). On one side of the debate is the argument that free access to cryptography by the general public enables them to fulfill their right to protect the privacy of their communications, including commercially valuable data. On the other side, the government argued that it needs to control the use of cryptography to enable eavesdropping on phone calls, email etc as part of its law enforcement activities.
A number of widely available software applications include cryptographic routines. However, with the exception of banking applications, all software originating in the USA is crippled as regards crypto strength because of US export restrictions. Examples include:
- The major Web browsers (Navigator/Communicator and Internet Explorer), which until June 2000 have been limited to 40-bit keys in the export version as opposed to 128-bit keys in the US domestic version.
- some widely used 'office' software such as Lotus Notes, the export version of which is limited to an effective 40-bit key. (The actual key length is 64 bits but part of the key is escrowed in the USA.)
For email encryption and signature, the current de facto standard is PGP (Pretty Good Privacy). PGP is also capable of local file encryption. There is also a wide range of other commercial, shareware and freeware software available for file or message encryption, and digital signatures.
The US limits have had an effect in Australia, but in an indirect way to date. Because of the large international market share held by some US software companies, many of the products of these firms have become de facto standards. Cryptographic modules are an important part of some software packages. Internet web browsers provide a good example. The most widely used browsers in the world are Netscape Navigator (Netscape) and Internet Explorer (Microsoft). Both browsers were written in the US and contain cryptographic components that can be used for secure Internet communication (for example to make a credit card purchase over the Internet). However, until quite recently, all exported versions of these browsers contained severely weakened encryption in order to comply with the export controls.
EFA supports the widespread availability of strong cryptography, opposes government-mandated key escrow or key recovery, and opposes export controls on cryptography products.
EFA's position is based on the following observations:
- the current export controls are a failure because strong cryptography software is already widely available throughout the world.
- the current regulations impose unnecessary constraints and costs on business while doing little to achieve their aim of restricting availability of cryptographic software.
- the key escrow and key recovery concepts currently encouraged as unofficial policy are fundamentally unworkable and a risk to data security.
- no objective case for the benefits of imposing such controls has been made public.
- current regulations are stifling Australian initiatives in developing secure communications protocols.
- the restrictions on deployment of strong cryptography increase the risk of criminal or terrorist attack on vital infrastructure such as banking, electricity supply etc.
It must be recognised that the use of encryption by consumers is not necessarily a defence against privacy-invasive practices. Encryption merely ensures that end-to-end communication is secure. It does not prevent websites from making use of data sent in encrypted form. For example, secure websites typically use what is known as the SSL protocol. This encryption standard is automatically invoked, often without the user being aware of it, by commonly used web browsers when the server supports secure transmission. Typically such secure transmission might be invoked when transmitting credit card details. However, once the information has been collected by the server, the storage and use of the decrypted details is out of the control of the consumer.
There have been many reported instances where customer credit card information has been stored in the clear (i.e. unencrypted) on Internet-connected servers with poor security, resulting in the information being subject to
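The paragraph above makes a point that is easy to lose in discussions of "secure" web sites: SSL protects the card number only while it is on the wire, and what the merchant does with it after decryption is where the reported losses occur. The following is an added example, not code from the EFA submission or any of the companies it discusses. It contrasts the "stored in the clear" pattern with a store that never persists the full card number: it keeps a masked form (last four digits) plus a keyed HMAC-SHA256 token so repeat use of a card can still be recognised. The order records, the card numbers (the publicly known test numbers, valid under the Luhn check but belonging to nobody) and the in-memory dict standing in for a database are all constructed for this example; the key would in practice live in a separate key store, not beside the data. The Luhn validation and the token-based matching go beyond what the submission describes and are included to show the technique end to end.

```python
"""Why transport encryption (SSL/TLS) is not protection at rest.

Added example, not part of the EFA submission. All orders, card numbers
and the HMAC key are constructed sample data; the dict stands in for a
database on an Internet-connected server.
"""
import hashlib
import hmac
import re
import secrets

# Constructed sample orders using the well-known test PANs (Luhn-valid,
# owned by nobody). Alice's card appears on two orders.
SAMPLE_ORDERS = [
    {"order_id": 1001, "customer": "alice@example.com",
     "card_number": "4111111111111111", "expiry": "12/02"},
    {"order_id": 1002, "customer": "bob@example.com",
     "card_number": "5555555555554444", "expiry": "06/03"},
    {"order_id": 1003, "customer": "alice@example.com",
     "card_number": "4111111111111111", "expiry": "12/02"},
]


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, so garbled input is rejected early."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def store_in_the_clear(orders):
    """The pattern the submission warns about: the card details, decrypted
    at the end of the SSL session, are written to the store exactly as
    received. Anyone who reads the store reads every card number."""
    return {o["order_id"]: dict(o) for o in orders}


def mask_pan(pan: str) -> str:
    """Keep only the last four digits for display and customer support."""
    return "*" * (len(pan) - 4) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the PAN. Lets the merchant recognise a repeat
    card without keeping it. The key matters: an unkeyed hash of a
    16-digit number would be brute-forced in minutes."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_minimised(orders, key: bytes):
    """Hardened version: the full PAN is validated, then never persisted."""
    store = {}
    for o in orders:
        pan = re.sub(r"\D", "", o["card_number"])   # strip spaces/dashes
        if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError(f"order {o['order_id']}: invalid card number")
        store[o["order_id"]] = {
            "customer": o["customer"],
            "card_masked": mask_pan(pan),
            "card_token": pan_token(pan, key),
            "expiry": o["expiry"],
        }
    return store


def leaks_any_pan(store, pans) -> bool:
    """Audit helper: seed known test PANs, then check whether any of them
    appears verbatim in any stored field (the same idea as grepping a
    database dump for seeded test data)."""
    return any(pan in str(v)
               for rec in store.values() for v in rec.values()
               for pan in pans)


def same_card_orders(store, order_id):
    """Orders placed with the same card, matched by token rather than PAN."""
    token = store[order_id]["card_token"]
    return sorted(oid for oid, rec in store.items()
                  if rec["card_token"] == token)


if __name__ == "__main__":
    # Constructed key; in practice held in an HSM or key store, not in the DB.
    key = secrets.token_bytes(32)
    pans = [o["card_number"] for o in SAMPLE_ORDERS]
    clear = store_in_the_clear(SAMPLE_ORDERS)
    safe = store_minimised(SAMPLE_ORDERS, key)
    print("in-the-clear store leaks PANs:", leaks_any_pan(clear, pans))
    print("minimised store leaks PANs:   ", leaks_any_pan(safe, pans))
    print("orders on alice's card:", same_card_orders(safe, 1001))
```

The point of the audit helper is that "we use SSL" says nothing about the answer it returns; only the storage design does. Masking plus a keyed token is one common minimisation approach; where the merchant genuinely needs the number back (recurring billing), the usual answer is to hand it to a payment processor and keep only the processor's reference, which removes the number from the merchant's store entirely.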
6. Business self-regulation failures
Some instances of the inadvisability of relying on business assurances that Internet users' privacy will be protected are provided below.
The Washington Post reported on 11 July 2000 in "FTC Sues Web Store Over Plan To Sell Data"
"The Federal Trade Commission yesterday sued a financially troubled Internet toy store to keep it from selling off detailed information it had promised customers it would never sell.
The agency sued Massachusetts-based Toysmart.com, an online toy retailer largely owned by Walt Disney Co., which asked families to provide their children's names, birthdays and even wish lists as it invited them to register for contests and giveaways.
Then, in June, the company advertised the sale of assets including 'databases' and 'customer files' in the Wall Street Journal after suspending operations.
The prospect of such sensitive personal information being available to the highest bidder horrified privacy advocates and regulators alike--and raised questions about how companies that operate on Internet time interpret the word 'never.' "
Subsequently, the FTC announced that it had reached an "agreement" with Toysmart. CNet News reported on 21 July 2000 that:
"Under the agreement, Toysmart must withdraw the customer information as a separate item on its list of assets. The list may only be sold if it is packaged with the entire Web site. In addition, the company must find a suitable buyer or 'an entity that is in a related market' and one that agrees to be 'Toysmart's successor-in-interest' to the customer information."
"Just today, 39 states filed an objection in federal court to Toysmart selling its customer information. Rep. Spencer Bachus, R-Ala., announced plans earlier this month to introduce legislation that would make it illegal for companies to sell customer information during a bankruptcy."
The FTC "agreement" with Toysmart obviously does not address the serious issue that Internet users were told their personal information "will never be shared with a third party". Consumer confidence about dealing with web sites and engaging in e-commerce is likely to decline until there is evidence that companies and other entities who say "never" when collecting personal information will be forced to mean "never".
b) DoubleClick / Abacus
"DoubleClick does not know the name, email address, phone number, or home address of anybody who visits a site in the DoubleClick Network. All users who receive an ad targeted by DoubleClick's technology remain completely anonymous. Since we do not have any information concerning names or addresses, we do not sell or rent any such information to third parties. Because of our efforts to keep users anonymous, the information DoubleClick has is useful only across the DoubleClick Network, and only in the context of ad selection."
However, by 1999 DoubleClick had changed its mind regarding protecting Internet users' privacy.
A report by the Electronic Privacy Information Centre (EPIC), "DoubleTrouble", provides detailed information on this matter. Extracts are included below:
"In order to add more information to these profiles of individual behavior, DoubleClick completed a merger on November 24, 1999 with Abacus Direct, a giant in offline marketing information. To be able to merge DoubleClick's already collected information with the data in the hands of Abacus Direct, DoubleClick had to personally identify all the information they previously collected.
On February 10, 2000, EPIC filed a complaint with the Federal Trade Commission (FTC) alleging that DoubleClick's decision to personally identify their profiles constitutes 'unfair and deceptive' business practices. Not only did DoubleClick deceive consumers by claiming in multiple earlier privacy policies that information collected would remain anonymous, the company also unfairly collects and links information about Internet users without their knowledge or control.
Later, DoubleClick revealed in a document filed with the Securities and Exchange Commission that the FTC is currently investigating the company's privacy practices. In addition to the ongoing FTC investigation, DoubleClick faces several class action lawsuits, legal action from the Michigan Attorney General's office, and an informal inquiry from the New York State Attorney General's office.
On March 2, DoubleClick CEO Kevin O'Connor released a statement that says the company made a 'mistake by planning to merge names with anonymous user activity across Web sites in the absence of government and industry privacy standards.' "
While DoubleClick has not to date proceeded with its plan, it is highly doubtful that Australian consumers have an adequate means under Australian legislation to prevent misuse of personal information by Australian companies who change their minds about their privacy policies.
7. Comments on the Privacy Amendment Bill
a. Direct Marketing Exception and E-mail Spam
At 2.1(c) of Schedule 3 of the Bill (National Privacy Principles) an extraordinary exception for secondary use is permitted in respect of direct marketing. Although this exception existed in the original version of the NPPs, the version included in the Bill has been widened further. No justification has ever been provided for this quite unacceptable intrusion into individual privacy.
The exception to the Privacy Principles in relation to direct marketing is also contrary to international developments and effectively legitimizes the practice of "spamming" (the sending of unsolicited E-mail advertising) on the Internet.
Personal information should only be used for marketing purposes with explicit consent, not by default with the blessing of the government. Unsolicited direct marketing, whether in the form of junk mail, telemarketing phone calls, or by E-mail is notoriously unpopular with consumers.
The rapid expansion of E-mail as a means of communication has made unsolicited advertising particularly obnoxious. Not only does the user have to put up with the nuisance value of the material, which in some cases can be quite offensive, but the user actually pays for delivery owing to the costing model for charging of bandwidth. Bandwidth charges are levied on the recipient of any data transfers. Although this cost is initially borne by the ISP, it is passed on to users in the form of usage charges.
EFA submits that the direct marketing exception should be replaced with an "opt-in" provision that permits the use of personal information for direct marketing purposes only by specific prior consent. Sanctions should be applied to breaches of this principle.
b. Other problems with the Privacy Principles
EFA holds the view that Privacy Principles should consist of an easily understood and briefly stated set of rules that can be applied generally. Any exceptions should be justified on a case by case basis under approved Privacy Codes. When the National Privacy Principles were first promulgated by the Privacy Commissioner in 1998, the simple statement headings were qualified by large numbers of exceptions. The current Bill has taken this unfortunate situation a step further by adding more qualifications and further weakening the Principles. EFA believes it is wholly inappropriate to build such exceptions into legislation. The Canadian Act (referenced below) provides an excellent example of a more appropriate approach to legislative integration of privacy principles.
The qualifications placed on the application and enforcement of the Principles severely impair the effectiveness of the Principles in providing fair treatment of privacy. Changes to previous drafts and failure to define important terms require the Principles to be reviewed in full by process of community consultation.
Prior to the introduction of this Bill, the Principles were understood to represent a bona fide attempt to establish a series of basic protections for personal data and against undue intrusion. Eroded by exceptions, provisos and definitional deficiencies, the Principles no longer achieve a useful purpose, especially in an environment of self-regulation.
There are fundamental problems with the way this Bill treats the most sensitive of personal information in the health industry and in the workplace. Much work is needed to balance the rights of patients and employees with the sweeping exemptions gifted to the holders of personal data of particular sensitivity.
c. Exemptions and Exceptions
Existing Data
Division 3 Clause 16C(3) (Approved privacy codes and the National Privacy Principles) provides:
(1) National Privacy Principles 1, 3 (so far as it relates to collection of personal information) and 10 apply only in relation to the collection of personal information after the commencement of this section.
(2) National Privacy Principles 3 (so far as it relates to personal information used or disclosed), 4, 5, 7 and 9 apply in relation to personal information held by an organisation regardless of whether the organisation holds the personal information as a result of collection occurring before or after the commencement of this section.
(3) National Privacy Principles 2 and 6 apply only in relation to personal information collected after the commencement of this section.
(4) National Privacy Principle 8 applies only to transactions entered into after the commencement of this section.
The exemption from Principles 2 and 6 is unreasonable. Principle 2 (Use and Disclosure) and Principle 6 (Access and Correction) are important privacy principles that apply irrespective of whether the data is in existence prior to the commencement of the legislation. It is recognised that some organisations may require time to organise their procedures to take privacy rights into account. However, this should be accommodated by allowing a transition period of, say, 12 months, rather than a blanket exemption.
Small Business Exemption
No justification has been provided for exempting small business operators from compliance with this legislation. (Schedule 1, 6C, 6D, 6E)
Privacy rights do not disappear just because a consumer happens to be dealing with a small company. The responsibility upon commercial organisations to recognise the privacy rights of consumers does not magically become apparent when an organisation's revenue base exceeds some arbitrary figure.
All organisations, large and small, need to take consumer privacy obligations seriously. No other countries of significant standing in this field have found it necessary to exempt small business and EFA questions whether business organisations in Australia have even raised this issue as a major concern. It seems most unlikely that small businesses would incur any significant compliance costs if strong privacy legislation were to be introduced.
In conjunction with the related body corporate provision, this exemption could conceivably be used by large organisations with complex corporate structures to evade their responsibilities by transferring data collection activities to a smaller entity.
The small business exemption also poses a major problem in relation to global trading on the Internet. Both local and overseas customers will have no way of knowing what size organisation they are dealing with, and given that consumer confidence is vital in building good customer relationships, Australian traders are likely to be bypassed in favour of suppliers from countries that have introduced good privacy law. This will affect all Australian E-commerce traders, since customers will assume the worst once they learn of Australia's half-baked approach to privacy.
EFA therefore strongly recommends that this exemption be dropped.
Media Exemption
As a strong supporter of the principles of freedom of speech and freedom of the press, EFA recognises the need for consideration to be given to the effects of privacy legislation on news media. However, the definitions of the terms media and journalism in the draft Bill are far too broad, and the blanket exemption is considered unacceptable.
The definitions in the Bill (Schedule 1,18-19) are:
journalism means the practice of collecting, preparing for dissemination or disseminating the following material for the purpose of making it available to the public:
(a) material having the character of news, current affairs, information or a documentary;
(b) material consisting of commentary or opinion on, or analysis of, news, current affairs, information or a documentary.
media organisation means an organisation whose activities consist of or include the collection, preparation for dissemination or dissemination of the following material for the purpose of making it available to the public:
(a) material having the character of news, current affairs, information or a documentary;
(b) material consisting of commentary or opinion on, or analysis of, news, current affairs, information or a documentary.
At Division 1,42:
7B Exempt acts and exempt practices of organisations
(4) An act done, or practice engaged in, by a media organisation is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in, by the organisation in the course of journalism.
Under the proposed definition, almost any website on the Internet could be considered to qualify, given that almost all web site providers "disseminat[e] the following material for the purpose of making it available to the public: (a) material having the character of ...information...". The proposed media exemption thus appears to sanction a "media organisation" collecting and publishing personal information whether or not such publication is in the public interest.
EFA believes it is unlikely that the proposed definitions and exemption could be narrowed in a way that would not be likely to adversely affect freedom of the press. However, there is a need to provide protection for individuals whose privacy may be grossly infringed by unethical persons claiming the broad media exemption.
EFA therefore recommends that, in cases of complaint, "media organisations" should be required to demonstrate that publication of personal information was in the public interest. Such a test should represent no threat to ethical media
Political Parties Exemption
No justification has been provided in the Explanatory Memorandum for an exemption from the Act for political parties (Schedule 1,42). Given the cynicism and low esteem with which the public currently regards politicians and political parties, this exemption will be regarded as yet another case of favouritism, privilege, and abuse of power. Political parties should be treated no differently from any other organisation in respecting the privacy rights of Australian citizens. To do so is to send a message that the Privacy Act is only a token gesture, to be evaded when it happens to suit particular vested interests with the political clout to get their own way.
The exemption for political parties is likely to be exploited in several
(a) Bogus political parties being formed by commercial marketing interests;
(b) Abuse of personal data gathered by political parties;
(c) Laundering of data obtained by and destined for commercial marketing interests by political parties.
Again, no other country which has introduced adequate privacy law has seen fit to provide such an exemption, yet their political systems manage to comply with the law. EFA therefore strongly objects to the inclusion of this exemption in the Bill.
d. Enforcement Issues
EFA finds the enforcement provisions in the Bill confusing and unclear, like much of the rest of the document. One is invited to question whether Members of Parliament can adequately research and exercise their democratic responsibilities when legislative drafting borders on the incomprehensible. Thanks to the Internet, the law of the nation is no longer the exclusive preserve of lawmakers, lawyers and the courts. It therefore behoves the drafters of new legislation to strive for ease of comprehension by those who are subject to the law.
Given that the Bill purports to encourage self-regulation by industry, presenting a Bill that requires industry to seek legal interpretation and development of compliance strategies adds to the impression that the law is only intended to bind big business.
The Bill should contain enforcement procedures that persuade compliance from both big business and small business, notwithstanding that it is in the direct financial interests of industry to market data to the limits of the law.
What is needed is a clear statement of the responsibilities of the Privacy Commissioner or his/her delegate to approve codes, hear complaints, issue directives, make determinations, undertake privacy audits and take legal action.
Unfortunately the Office of the Commissioner has been inadequately resourced to undertake such functions even if the legislation accorded the necessary powers. Furthermore, recent incumbents in the position have been disinclined to act as independent public interest watchdogs but have instead acted as career public servants accountable to the government of the day rather than the Parliament.
Another weakness in the Act is that there are no requirements for organisations subject to the Act to provide a complaints mechanism. Such a mechanism should also be part of any approved privacy codes.
Without adequate complaints handling procedures, backed up ultimately by strong legal sanctions, the Bill will be a totally ineffective and token piece of legislation.
8. E-commerce implications
Survey after survey has indicated that privacy and security concerns are the main reason for reluctance of Internet users to engage in online transactions.
In February 2000, the Australian law firm Freehill Hollingdale & Page released a report outlining this problem. While 41% of Australian adults have accessed the Internet, only 5% have used it for online shopping. The report found that privacy concerns for Internet users involve:
- concerns about the security of sensitive personal information
- uncertainty about how personally identifiable information will be used or disclosed by the recipient organisation
- the desire to avoid unsolicited advertising material and other intrusions into an individual's personal cyberspace
Although there were some encouraging findings about adoption of privacy practices by website operators, only 12% of respondents' websites carried privacy statements.
Other surveys (see References section) that have researched similar issues have included:
- IBM Multi-National Consumer Privacy Study, November 1999, which reported "a study from more than 3,000 who responded in the United States, the United Kingdom and Germany shows a universal consumer interest in online privacy protection." 78% of users refused to provide personal data online.
- A Roy Morgan survey, published in August 1999, found that "the majority of Australians (56 percent) are worried about invasion of privacy issues created by new information technologies."
- Internet.com's E-Commerce Guide, August 16, 1999 reported:
"The No. 1 reason among online users who have yet to make an e-commerce purchase: lack of trust. In a new survey, a staggering 69.4 percent of reluctant e-shoppers cited fear that personal information would not be kept private by e-tailers as the major reason they shy away from purchasing via the Internet."
- In 1998, the Australian Business Advisers Privacy Survey, "Which Australian web sites care about your privacy?", reported:
"Amazingly, only 6% of the 129 web sites surveyed by Australian Business Advisers promised not to disclose your personal information. Eighty eight percent of sites did not mention anything about what they would do with any information collected from users. And disturbingly, 5% of web sites stated that any and all information collected was deemed to be non-confidential and can be used in any way they chose, including disclosure to others 'without limitation'."
- A survey carried out by Boston Consulting Group (BCG) in 1998 confirmed that privacy and security fears do inhibit the take-up of electronic commerce on the Internet. The survey concluded that as much as 6 billion US dollars would be lost between now and the Year 2000 in potential electronic commerce revenue if privacy concerns were not addressed.
In view of these concerns, it is quite astounding that Australia proposes to introduce such weak Privacy legislation, especially as it encourages secondary use of personal data for direct marketing, despite massive user concern about such practices.
If Australia wants to be a serious player in the global information economy, it will have to adopt international best practice. The current Bill is far below the standard required and indeed adopted by other countries. Even the proposed "safe harbor" concept being put forward by the USA provides stronger protection than the Australian Bill.
9. Lessons from other countries
EFA strongly urges the Committee to compare the provisions of the Australian Bill with privacy legislation enacted in other jurisdictions, especially New Zealand, Hong Kong, the U.K. and Canada.
For example, the Canadian Personal Information Protection and Electronic Documents Act (Bill C-6), received Royal Assent on April 13, 2000 and comes into force on January 1, 2001. The Act contains no exemptions for small business, political parties or direct marketing, although there is an exemption that applies to an organisation that collects data for "a journalistic, artistic or literary purpose".
The Canadian Bill applies to any commercial activity within the legislative authority of the Canadian Parliament, covering any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
On January 1, 2004, the law will extend to every organization that collects, uses or discloses personal information in the course of a commercial activity within a province, whether or not the organization is a federally-regulated business. However, the federal government may exempt organizations and/or activities in provinces that have adopted privacy legislation that is similar to the federal law.
In February 2000, Senator Alston released the Australia-Canada Joint Statement on Global E-Commerce, saying "The statement records a joint commitment to improving the international protections for intellectual property, personal privacy and consumer rights."
The joint statement included the following:
Australia and Canada will work together and through international organizations to develop a global environment which facilitates the growth of global electronic commerce by:
1. Building trust for users and consumers - ensuring that frameworks and safeguards provide confidence in the digital marketplace by addressing such issues as privacy, security, and consumer protection.
Key priorities for joint work over the next year include:
d. Privacy - Ensuring effective protection with regard to the processing of personal data on global information networks begins with domestic regimes for the protection of privacy and personal information. Canada and Australia have committed domestically to a 'light' legislative regime, based on standards developed from the OECD Privacy Guidelines, in an effort to augment self-regulatory efforts, such as voluntary codes, with independent oversight and legal redress for consumers.
Canada and Australia agree to conclude agreements on the harmonization of their respective legislative frameworks as those frameworks proceed.
It is difficult to understand how Australia and Canada can hope to harmonize their laws in this area when Canada has strong privacy legislation with no real exemptions while Australia is planning to introduce a weak set of privacy principles and to allow massive exemptions for direct marketing, small business, and other interests.
It is also questionable whether Canada will allow commercial data transfers to Australia once the weaknesses in the Australian legislation are made known internationally.
On 22 June 2000, the USA Office of Management and Budget issued a memorandum entitled "M-00-13, Privacy Policies and Data Collection on Federal Web Sites" to Heads of Federal Departments and Agencies. The memorandum stated, inter alia:
"Particular privacy concerns may be raised when uses of web technology can track the activities of users over time and across different web sites. These concerns are especially great where individuals who have come to government web sites do not have clear and conspicuous notice of any such tracking activities. "Cookies" -- small bits of software that are placed on a web user's hard drive -- are a principal example of current web technology that can be used in this way. The guidance issued on June 2, 1999, provided that agencies could only use "cookies" or other automatic means of collecting information if they gave clear notice of those activities.
Because of the unique laws and traditions about government access to citizens' personal information, the presumption should be that "cookies" will not be used at Federal web sites. Under this new Federal policy, "cookies" should not be used at Federal web sites, or by contractors when operating web sites on behalf of agencies, unless, in addition to clear and conspicuous notice, the following conditions are met: a compelling need to gather the data on the site; appropriate and publicly disclosed privacy safeguards for handling of information derived from "cookies"; and personal approval by the head of the agency."
It is clear from the examples given that privacy on the Internet is a serious problem. The problem is not just restricted to the private sector, since there have been recent examples in Australia in which information collected under statutory obligations has been released by agencies for commercial purposes, e.g. the recent ATO and Electoral Office examples.
The Internet by its very nature is a surveillance-enabled technology. Unscrupulous organisations can and do exploit the technology to collect private information and consumer profiles without the knowledge or permission of the user.
EFA supports in principle the introduction of a co-regulatory scheme to provide privacy protection for Australians in relation to the activities of both the private and public sectors under Australian jurisdiction. However, it must be recognised that the Australian government can do little by way of statutory measures to protect consumers from privacy-invasive practices originating from other jurisdictions. There are a range of self-defence measures that consumers can consider, but most Internet users are unaware of the tools available.
The Privacy Amendment (Private Sector) Bill 2000 has a number of deficiencies, primarily resulting from the large number of exemptions for various entities. Instead of empowering individuals to exercise their right to privacy of personal data, the Bill confers on certain business interests the right to invade individual privacy.
The exception to the Privacy Principles in the Bill in relation to direct marketing is contrary to international developments and effectively legitimizes the practice of "spamming" (the sending of unsolicited E-mail advertising) on the Internet.
The government should consider further high-level agreements between consumer protection bodies, such as that recently signed between the ACCC and the US Federal Trade Commission (FTC).
The ACCC and other consumer protection bodies should be encouraged to take a more active interest in promoting privacy awareness in relation to Internet usage.
EFA recommends that the Committee should endeavour to include its report on this inquiry in the context of the Senate's consideration of the Privacy Amendment (Private Sector) Bill 2000.
EFA strongly recommends that the Bill should be re-written as a Bill for an Act to replace the Privacy Act 1988, rather than attempting to amend the existing Act.
The following changes to the existing provisions should be incorporated:
- The Privacy Principles should be re-drafted to a simple statement of the principles, without the current raft of qualifying statements and exceptions.
- Any exceptions to the principles should be codified in industry privacy codes that are subject to public review and approval by the Privacy Commissioner.
- The Privacy Commissioner's office should be properly resourced and should report to the Parliament as a truly independent public interest watchdog.
- There should be no exemptions from the Act for special interest groups such as direct marketing, small business and political parties.
- Secondary use of personal data should only be permitted with the express consent of the individual concerned.
- Media organisations should be required to demonstrate public interest where the Privacy Principles are infringed.
- Any exception for existing data should be subject to a transition period, and should not except Principle 2 (Use and Disclosure) and Principle 6 (Access and Correction).
- Enforcement provisions in the Act should be strengthened so as to place a clear responsibility on the Privacy Commissioner to resolve complaints, and to provide for comprehensive legal remedy for infringements of the Act or approved privacy codes.
- A study should be made of international responses to privacy in terms of legislation already enacted in Canada, New Zealand, Hong Kong and the U.K.
- The implications of the EU Directive on Data Protection in respect of Australian industry should be examined in more depth.
- More notice should be taken of the need for strong privacy protection to boost Australia's participation in global e-Commerce.
References
- OECD Privacy Guidelines 1980
- Beyond the OECD Guidelines: Privacy Protection for the 21st Century - Roger Clarke, 2000
- The European Union Directive 95/46/EC, On the protection of individuals with regard to the processing of personal data and on the free movement of such data
- Clarke, R. 2000. Privacy Requirements of Public Key Infrastructure
- Greenleaf, G. and Clarke, R. 1997. Privacy Implications of Digital Signatures
- National Principles for the Fair Handling of Personal Information - revised edition, January 1999, Australian Privacy Commissioner
- Canada-Australia Joint Statement on Global Electronic Commerce, Feb 2000
- Canadian Personal Information Protection and Electronic Documents Act, Bill C-6
- Canadian Privacy Commissioner's page about the Personal Information Protection and Electronic Documents Act
- A Guide to Bill C-6 - An outline of Canada's Personal Information Protection and Electronic Documents Act as of April 15, 1999 (does not include all amendments) by privacy consultant Murray Long
- The New Zealand Privacy Act 1993
- UK Data Protection Act 1998
- International Safe Harbor Privacy Principles
- Internet Privacy Survey Report 2000 - Freehill Hollingdale & Page
- E-Businesses Exhibiting Privacy Leadership Get the Sale
- IBM Multi-National Consumer Privacy Study, November 1999
- Big Brother Bothers Most Australians - Roy Morgan Research (Finding No. 3221. Published exclusively in the Bulletin, cover date August 30, 1999)
- Consumers to E-Tailers: Don't Kiss and Tell - from internet.com's E-Commerce Guide, August 16, 1999
- Which Australian web sites care about your privacy? - Australian Business Advisers Privacy Survey 1998
- Commerce: Legal and Consumer Issues - Chris Connolly. Reports on a survey carried out by Boston Consulting Group (BCG) in 1998
- Network Advertising Initiative: Principles not Privacy, Electronic Privacy Information Centre and Junkbusters, 28 July 2000. "A report that assesses past events surrounding Internet advertisers, analyzes the recent self-regulatory guidelines approved by the Federal Trade Commission (FTC), and proposes solutions that will provide for the adequate protection of online privacy."