Internet Privacy
1.Parliamentary Joint Committee on the Australian
Security Intelligence Organisation Current inquiries
and other activities
Electronic Transactions Bill, privacy and digital
agenda reforms: speech to Australian Information
Industry
The Australian government have realised the new
problems that are raised by the Internet in relation
to privacy issues to do with personal data and
consumer protection, and are taking measures to
remedy them and prevent them from happening again
in the future.
Specific aspects of privacy that are being concentrated
on are: writing, signature, the production of
original documents and retention of electronic
records.
Increased privacy means that increased numbers
of the general public can use the Internet for
a variety of transactions. The TRUSTe Internet
Privacy Survey conducted last year by the Boston
Consulting Group found that for approximately
42% of consumers, privacy concerns played a large
part in their decision not to give registration
information on web sites. For 27% of consumers,
privacy concerns led them to provide false information.
The National Principles for the Fair Handling
of Personal Information, developed by the Privacy
Commissioner, in February this year. The National
Principles were developed following wide-ranging
consultations with business, privacy and consumer
groups. They are intended to provide practical
assistance to businesses in developing protection
that will meet the concerns of their customers.
The National Principles are like a rule book for
organisations that handle personal information,
to ensure individual privacy is respected Conclusion:
83. It is not only the Government's view that
we are at the forefront of international thinking
in developing regulatory and policy frameworks
for electronic commerce, privacy and digital copyright.
Mr Ira Magaziner, until recently President Clinton's
special adviser on electronic commerce, was reported
earlier this month as praising Australia's role
in international policy development.
He said that Australia 'punched above its weight'
internationally.
84. Australia needs to lead technological change
if it is to fully benefit from the development
of the information economy.
PRIVACY IN CYBERSPACE
THE HON JUSTICE MICHAEL KIRBY AC CMG
I. A NEW DYNAMIC Time passes. Twenty years ago
in the Organisation for Economic Cooperation and
Development (OECD) work was beginning towards
guidelines on the protection of privacy in the
context of
transborder data flows.[1] Ten years ago work
towards the later OECD guidelines on security
of information
systems was commenced. There are enormous implications
in regards to modern technology, for the law and
human
rights in every society ie "respect for human
rights and fundamental freedoms". There has
been little endeavour to
reflect the major scientific and technological
developments of the last fifty years, and their
impact on human rights,
in a conceptual way. Instead, old human rights
instruments developed for earlier times are scrutinised
for their
possible utility in solving the controversies
presented by the new technology. For example,
the privacy of genetic
information is as much an issue for human rights
in the context of informatics as it is in the
context of
biotechnology. In the twenty years since the OECD
Guidelines on Privacy were formulated, the Internet
has been
launched. It expands at an astonishing rate with
world wide users doubling every twelve months.[8]
William
Gibson's vision of cyberspace[9] is fast becoming
a reality. Starting with 8.5 million users in
1995, the Internet is
expected to reach over 142 million users by the
year 2000.[10] For a pertinent analogy, it is
necessary to go back
to Gutenberg's printing press.[11] Look ahead.
Imagine the way in which, in the future, the lives
of human beings
will be altered as the global network of interconnected
users of information technology becomes bigger
and even
more powerful. Privacy, it is argued, will be
harder to maintain.
II. ENDANGERED PRIVACY
As the Internet develops its power, so does
the risk of privacy becoming a problem within
society. Computers can
now store up more information and more different
types of information, on-line, about individuals
and this
information is becoming easier to access by other
people (such as an investigator). Now individuals
have limited
control and knowledge of the potential of their
personal information being accessed by others
and governments
have had problems trying to restrict this phenomenon.
As a result of this, human rights questions are
being raised.
Each time a user goes to a particular site there
is a record made of this. These record combine
and build to form a
profile of that person and the user may not necessarily
be aware that this profile is being made. Subjects
within
these profiles include the subject's inclinations
such as:, political, social, sexual and otherwise.
Attempts to use
these profiles legally against people have been
made in the past. However, this system of data
collecting is
problematic as it is only getting part of the
story, not the full one. Misunderstandings can
and do occur frequently
and these sometimes end in defamation cases where
prosecution can occur.
It is not accurate to say that the Internet is
a law free zone. Much local law applies to the
activities occurring there.
But it is true to say that there is no global
authority which controls the Internet. There is
no uniform global regime
to regulate and enforce standards.[24] The absence
of a controlling and enforceable law facilitates
problems with
the right to privacy and to reputation and honour,
and the confidentiality of communications. In
the world of the
Internet, technological capacity tends to favour
the spread of information. The protection of competing
values is
decidedly weak.
With the Internet have come additional problems.
Because of the growing use of information systems
by business
and government, and because these are connected
to the Internet, many transactions by individuals
in every
country will now be potentially inter-connected
and examinable. This will afford means of distributing
data about the
individual to remote places and, often, to persons
or organisations with which the individual may
have no other
connection. A subject tried Altavista on the news
groups and was sickened. "What I found ...
using my name or
email address as search parameters, was a copy
of almost every post I've made to Newsnet news
groups since the
first week in January ... That includes my posts
to these two news groups, and all rejoinders from
anyone here who
included my name in his or her reply. Make out
of that what you wish. My reaction to it is somewhere
between
disgust and fury. What I do not expect is that
the news group clubhouse is bugged and that what
is said there, by
any of us, will be recorded and made available
to any person on the Internet, for whatever reason
persons might
have. The irony of this is: I came across [this]
... using the Altavista search engine."
With most web browsing software, such as Netscape
and Microsoft Explorer, any request to a website
discloses the
network identity of the machine used to access
the web, the web page immediately previously accessed,
together
with related `cookies', such as information stored
by the web server on the computers of users who
have accessed
it, the list of previously accessed web pages
or transactional information generated while accessing
those web
pages.[29] If this does not cause anxiety about
the potential loss of privacy of Internet users,
nothing will.
Fundamental human rights (including privacy):
false, distorted, damaging, hurtful and intrusive
information that can
be compiled about an individual based upon data
received from a multitude of digital sources and
given an apparent
authenticity by digital delivery. Web crawlers,
spiders, robots and trawlers introduce a new dimension
to the
info-privacy debate. They also challenge the applicability,
in today's technology, of some of the OECD Guidelines
prepared in the context of the technology of earlier
decades, when such intense dataveillance was not
foreseen.
Although privacy can be described as a fundamental
human right, it is not an absolute one. The protection
of
privacy gives rise to the inherent conflict--a
classic one between individual rights and the
public good, between the
demands of law enforcement and the preservation
of private spheres. Increasing sophistication
of information
technology, with its capacity to collect, analyse
and disseminate information on individuals, introduces
a sense of
urgency to the demand for legislation able to
meet this advance. New developments in medical
research and care,
telecommunications, advance transportation systems
and financial transfers have dramatically increased
the level
of information generated by each individual.
There is no doubt that computers linked together
by high speed networks with advanced processing
systems can
create comprehensive dossiers on any person without
the need for a single central computer system.
It is not
surprising that people's concerns over the potential
invasion of privacy are now greater than at any
time in recent
history. I think it is fair to say that populations
throughout the world express fears about encroachment
on people's
privacy and of course that has resulted in a number
of nations passing laws which specifically protect
the privacy of
their citizens.
Internet as perhaps the best known example of
global technology--which leads to the elimination
of technological
barriers between systems, and multimedia which
fuses many forms of transmission and expression
of data and
images so that information gathered in a certain
form can be easily translated into other forms.
The Internet as an example of the dramatic increase
in the quantity of information available in digital
form which of
course has resulted in a proliferation of uses
of personal information. Encryption has become
the most important
tool for protection against surveillance, and
PGP--Pretty Good Privacy--is perhaps the best
known encryption
program. However, the recording of information
about specific Internet activities has become
one of the biggest
emerging threats to Internet privacy. Every time
a user accesses a webpage, the server holding
the page logs the
user's Internet address along with the time and
date.
`Cookies' on a user's machine helps track people's
activities at a much more detailed level. As all
honourable
members will know, a `cookie' is a piece of information
that an Internet web site sends to your browser
when you
access information at that site. Upon receipt
of the information, your browser saves the information
on your hard
disk and, each time you use your computer to access
that same web site, the information that was previously
received is sent back to the web site by your
browser.
One might well ask: `Why are cookies used?' Cookies
indicate to a web site that you have been there
before and
can be used to report what part of a web site
you visit. While cookies in themselves may not
identify you in the
same way that a name or address does, a cookie
could potentially be linked with other identifying
information and
used to track people's activities at a much more
detailed level.
Cookies involves information such as:
- the user's server address
- the user's top level domain name (for example,
.com.gov.au etc.)
- the date and time of the visit
- the pages accessed and documents downloaded
- the previous site visited
- and the type of browser used
What have become known as `cookie cutter' programs
stop sites from putting cookies on a user's machine
and are
now built into most browsers. I can also report
to the House that there are many software products
that you can
purchase which will reject or manage cookies for
you, including Cookie Cutter, Cookie Crusher,
Cookie Pal and
Cookie Master.
No. 2
Information technology and the Internet
The development of information technology and
the Internet has dramatically increased the quantity
of information
available in digital form. This has resulted in
a proliferation of uses of personal information.
Some of these have
major implications for the privacy of individuals.
The inherent limitations of paper-based systems
provide a certain level of privacy protection.
The migration of
records of personal information to IT systems
has made possible a far greater range of uses
of personal
information and has made it easy to transfer information.
The Internet makes it easy to solicit and collect
information.
This part of the Privacy Commissioner's website
looks at topical IT and Internet issues that may
affect the privacy
of individuals. Our aim is to promote awareness
of these issues and to encourage public debate.
Unless stated otherwise, views given or statements
made in this part of the website do not constitute
the official
policy of the Privacy Commissioner.
No. 3
Information Privacy is the interest an individual
has in controlling, or at least significantly
influencing, the handling
of data concerning him or herself.
Data Surveillance (Dataveillance) is the systematic
use of personal data systems in the investigation
or monitoring
of the actions or communications of one or more
persons.
No. 4
B. CONSUMER PRIVACY CONCERNS
Notwithstanding the substantial benefits that
consumers may derive from using the Internet,
consumers still care
deeply about the privacy of their personal information
in the online marketplace. Eighty-seven percent
of U.S.
respondents in a recent survey of experienced
Internet users stated that they were somewhat
or very concerned
about threats to their privacy online. Seventy
percent of the respondents in a recent national
survey conducted for
the National Consumers League reported that they
were uncomfortable providing personal information
to
businesses online. Consumers are particularly
concerned about potential transfers to third parties
of the personal
information they have given to online businesses.
[14] It is not surprising that only about one-quarter
of Internet
users go beyond merely browsing for information
to actually purchasing goods and services online.
B. THE ONLINE PRIVACY ALLIANCE
On June 22, 1998, the Online Privacy Alliance
(OPA), a coalition of
industry groups, announced its Online Privacy
Guidelines, which apply to individually identifiable
information
collected online from consumers. Pursuant to these
guidelines, OPA members agree to adopt and implement
a
posted privacy policy that provides comprehensive
notice of their information practices. The notice
includes a
statement of what information is being collected
from consumers and how it is being used; whether
the information
will be disclosed to third parties; consumers'
choices regarding the collection, use and distribution
of the
information; data security measures; and the steps
taken to ensure data quality and access to information.
The
OPA Guidelines also include provisions on choice,
feasible consumer access to identifiable information,
and data
security, and call for self-enforcement mechanisms,
such as online seal programs, that provide consumers
with
redress.
The OPA Guidelines have been used by the leading
privacy seal programs, which have adapted them
to fit their
own program requirements. Unlike the seal programs,
however, the OPA does not monitor members' compliance
or
provide sanctions for non-compliance. The central
focus of OPA's efforts since release of its Guidelines
has been
business education to promote widespread adoption
of online privacy policies. 2. BBBOnLine PRIVACY
SEAL
PROGRAM BBBOnLine, a subsidiary of the Council
of Better Business Bureaus, launched its privacy
seal
program for online businesses on March 17, 1999.
Forty-two sites currently post BBBOnLine seals,
and the
program has received more than 300 applications.
In order to be awarded the BBBOnLine Privacy Seal,
applicants
must post a privacy policy that comports with
the program's information practice principles,
complete a
"Compliance Assessment Questionnaire,"
and must agree to participate in a consumer dispute
resolution system
and to submit to monitoring and review by BBBOnLine.
The BBBOnLine Privacy Seal Program covers
"individually identifiable information,"
as well as "prospect information," which
is identifying, retrievable
information that is collected by the company's
Web site from one individual about another. The
BBBOnLine
Privacy Seal Program's consumer complaint resolution
procedure is bolstered by several compliance incentives,
including public reporting of decisions, and suspension
or revocation of the BBBOnLine seal, or referral
to federal
agencies, as sanctions for non-compliance. BBBOnLine
has committed to adopting a third-party verification
system, although this aspect of the program has
not yet been implemented. The Commission looks
forward to
assessing BBBOnLine's enforcement mechanisms when
they are fully in place.
The self-regulatory initiatives described above,
including the guidelines adopted by the OPA and
the seal
programs, reflect industry leaders' substantial
effort and commitment to fair information practices.
They should be
commended for these efforts. Enforcement mechanisms
that go beyond self-assessment are also gradually
being
implemented by the seal programs. Only a small
minority of commercial Web sites, however, have
joined these
programs to date. Similarly, although the results
of the GIPPS and OPA studies show that many online
companies
now understand the business case for protecting
consumer privacy, they also show that the implementation
of fair
information practices is not widespread among
commercial Web sites. Based on these facts, the
Commission
believes that legislation to address online privacy
is not appropriate at this time. We also believe
that industry
faces some substantial challenges. Specifically,
the present challenge is to educate those companies
which still do
not understand the importance of consumer privacy
and to create incentives for further progress
toward effective,
widespread implementation. First, industry groups
must continue to encourage widespread adoption
of fair
information practices. Companies like IBM, Microsoft
and Disney, which have recently announced, among
other
things, that they will forgo advertising on sites
that do not adhere to fair information practices
are to be commended
for their efforts, which we hope will be emulated
by their colleagues. These types of business-based
initiatives are
critical to making self-regulation meaningful
because they can extend the reach of privacy protection
to small and
medium-sized businesses where there is great potential
for e-commerce growth.
Second, industry should focus its attention on
the substance of Web site information practices,
ensuring that
companies adhere to the core privacy principles
discussed earlier. It may also be appropriate,
at some point in the
future, for the FTC to examine the online privacy
seal programs and report to Congress on whether
these programs
provide effective privacy protection for consumers.
Finally, industry must work together with government
and
consumer groups to educate consumers about privacy
protection on the Internet. The ultimate goal
of such efforts,
together with effective self-regulation, will
be heightened consumer acceptance and confidence.
Industry should
also redouble its efforts to develop effective
technology to provide consumers with tools they
can use to safeguard
their own privacy online. The Commission has developed
an agenda to address online privacy issues throughout
the
coming year as a way of encouraging and, ultimately,
assessing further progress in self-regulation
to protect
consumer online privacy:
The Commission will hold a public workshop on
"online profiling," the practice of
aggregating information about
consumers' preferences and interests gathered
primarily by tracking their movements online,
and, in some cases,
combining this information with personal information
collected directly from consumers or contained
in other
databases. The workshop, jointly sponsored by
the U.S. Department of Commerce, will examine
online advertising
firms' use of cookies and other tracking technologies
to create targeted, user profile-based advertising
campaigns.
The Commission will hold a public workshop on
the privacy implications of electronic identifiers
that enhance Web
sites' ability to track consumers' online behaviour.
In keeping with its history of fostering dialogue
on online
privacy issues among all stakeholders, the Commission
will convene task forces of industry representatives
and
privacy and consumer advocates to develop strategies
for furthering the implementation of fair information
practices in the online environment. One task
force will focus upon understanding the costs
and benefits of
implementing fair information practices online,
with particular emphasis on defining the parameters
of the
principles of consumer access to data and adequate
security. A second task force will address how
incentives can
be created to encourage the development of privacy-enhancing
technologies, such as the World Wide Web
Consortium's Platform for Privacy Preferences.
The Commission, in partnership with the U.S. Department
of
Commerce, will promote private sector business
education initiatives designed to encourage new
online
entrepreneurs engaged in commerce on the Web to
adopt fair information practices. Finally, the
Commission
believes it is important to continue to monitor
the progress of self-regulation, to determine
whether the
self-regulatory programs discussed in this report
fulfil their promise. To that end, the Commission
will conduct an
online survey to reassess progress in Web sites'
implementation of fair information practices,
and will report its
findings to Congress. In undertaking these efforts,
the Commission will be better able to assess industry
progress
in meeting its self-regulatory responsibilities,
while fostering the implementation of effective
protection for online
privacy in a manner that promotes a flourishing
electronic marketplace.
|
