27 November 1996

Ms Kathy Leigh
Senior Government Counsel
International Civil and Privacy Branch
Attorney-General's Department
National Circuit
BARTON ACT 2600

Telephone: (06) 250 6211
Facsimile: (06) 250 5939

Dear Ms Leigh

Attached are comments by Electronic Frontiers Australia (EFA) in response to the Discussion Paper "Privacy Protection in the Private Sector" dated September 1996.

Electronic Frontiers Australia Inc. is a non-profit national organisation formed in 1994 to define, promote and defend the civil liberties of users and operators of networked systems. Our major goals are to ensure that people have the same basic freedoms within computer based communication systems as without, and to support, encourage and advise on the development and use of computer based communication systems and related innovations.

Because our interests lie mainly in the area of telecommunications, our comments have been largely confined to this area, which we see as being largely overlooked in the Discussion Paper. We hope that our comments may serve to alert your officers and advisors to these serious omissions and we would be happy to participate in any further discussions on the important issue of data and communications privacy.

Please do not hesitate to contact us if we can be of assistance in this important area.

Yours sincerely,

Brenda Aynsley
Vice-Chair
Electronic Frontiers Australia

Privacy in the Private Sector

This is a response to the Discussion Paper "Privacy Protection in the Private Sector" (henceforth "the discussion paper"), which can be found at http://www.agps.gov.au/customer/agd/clrc/privacy.htm This response considers the discussion paper specifically in the context of the Internet and issues of importance to Internet users.

Privacy on the Internet is a subject of considerable complexity. This response attempts to cover only a few of the most critical issues. A good collection of on-line resources relevant to privacy can be found at http://www.cpsr.org/dox/program/privacy/privacy_links.htm, though some of this is US-centric. For an Australian perspective, Roger Clarke's page at http://www.anu.edu.au/people/Roger.Clarke/DV/ is a valuable resource; it includes an Australian Privacy Charter.

While the discussion paper makes explicit reference right at the beginning to new communication technologies, networks, and network users, it completely fails to address the privacy issues of most significance to to Internet users. In its concentration on explicit collection of data (by "collectors") and on the use and protection of "data records", it largely ignores privacy of personal communications, privacy of personal data, and privacy of data access.

Privacy of Communications

Many forms of communication carried out over the Internet are, as one-to-one communications between individuals, essentially private. Electronic mail is the obvious example, but Internet Relay Chat sessions, "talk" programs, and newer applications such as video conferencing are similar. In practice, there is little protection for such communications.

Internet Access Providers (IAPs) are in a position where they can monitor communications both to and from their users. Backbone service providers are in a position to monitor communications more widely. There are no controls on tapping of data communications by law enforcement agencies akin to those on telephone taps or postal searches; this influences private sector issues in that an Internet Service Provider subject to having its equipment confiscated at the whim of police (as the recent West Australian censorship Act allows) is likely to cooperate informally in the monitoring of users' communications. And even where service providers themselves respect the privacy of their users, there is the possibility of unauthorised monitoring of communications by outside individuals who have breached the security systems involved.

Many Internet users are unaware of these facts; there is a common assumption that electronic mail is private. Certainly belief that email should be private would be near unanimous.

Analogy: postal mail, telephone calls, facsimile

Recommendations:

* electronic mail (and similar communications) should be given similar legal protections to postal mail and telephone calls.

* service providers should inform new users that electronic mail is not well protected against snooping.

* companies providing Internet access to their own employees should make clear the extent to which logging and monitoring of their communications is carried out.

Cryptography presents a way for users to guarantee some forms of privacy against intrusions either by governments, companies, or other individuals. In particular, it can be used to protect email against snooping. Most importantly, encryption allows protection of communication privacy where one of the participants is outside Australia, something outside the controls of Australian law. While encryption technology is widely distributed and its use is not uncommon, there are concerns that its legal status within Australia may be jeopardised. Bans by the United States on the export of strong cryptography may in many cases deny Australians access to software with real security.

Recommendation:

* The right to use encrypted communications should be enshrined in law.

* Conflicts between the right to use encryption and attempts to restrict encryption via export controls and key escrow provisions should be resolved in favour of individual privacy.

Data Access

Internet users regularly access information on the World Wide Web: in fact this is probably the most popular use of the Internet. Other forms of database access include telnet connections to remote servers, NNTP access to news servers, and an immense variety of other applications. As with communications with other people, these transactions have a presumption of privacy; again, however, they have few protections, legal or technological.

Users' own Access Providers can monitor their network traffic. In some cases this may be automatic (if a Web proxy server is in use, for example). At the other end, the Content Providers offering information can record details of those connecting to it. The extent to which this can be done depends on the software system (eg Web browser) being used.

Analogy: library borrowing records

Recommendations:

* Internet Access Providers should avoid logging information which allows tracing of their users' data accesses. In some cases -- for billing purposes or traffic analysis aimed at improving services -- logging of some personal information may be unavoidable. As little such information should be logged as possible, however. (So a billing system might record how many bytes users download, without recording information which allows the content of those downloads to be established; a news server might log how often newsgroups were accessed without logging who was accessing them.)

* Users should be informed how much information about them and their transactions the applications they are using (such as Web browsers) make available to third parties. This should be the responsibility of software vendors, but consumer organisations have an obvious role in certifying software.

* It is not practical to control the collection of information by Content Providers, most of whom are outside Australia in any event.

Privacy of Data

Many service providers hold data (other than email in transmission) for their users.

Anonymity

An important issue, but not discussed here.

A Role for Government?

Some privacy issues can be dealt with in contractual agreements between service providers and users, though Internet industries do not have a direct interest in protecting the privacy of their users. Obvious contributions can be made by Internet user groups, consumer organisations, and civil liberties groups. The Privacy Commissioner should contribute to efforts by these groups rather than attempting to create privacy protections ex nihilo.

However the production of complex and detailed codes of practice is not likely to be the best approach. Firstly, most users are not capable of understanding complex legal documents (nor, indeed, are many small service providers). Secondly, the networked world changes so rapidly that any such codes of conduct are likely to be outdated rapidly. A better plan is the establishment and publicisation of simple, well-known, and non-specific privacy guidelines.

While there are some hugely complex issues involved in network privacy, there are also some quite simple ones, where consideration of the presumptions about privacy made by individuals and analogies with older forms of communication make appropriate action obvious.

Danny Yee ([email protected]),
on behalf of Electronic Frontiers Australia
http://www.efa.org.au/

efapriv1.html