The internet has provided humanity with an unprecedented medium to share information, but is this coming at the cost of forfeiting our rights to privacy and ownership of personal information? Whilst national governments in most developed countries have implemented regulations to protect citizens, the internet is a global phenomenon and national legislation is often ineffective in controlling privacy.
This article does not intend to accuse corporations or government of committing illegal activity in regard to privacy; however, it does intend to examine the effectiveness of privacy legislation in Australia and its application to global corporations. Australians sharing information with global corporations that may not be operating entities in Australia are dealing with organisations that are not subject to Australian law and, as such, privacy laws in Australia do not protect this information.
The Australian government introduced privacy legislation in 2001 through an amendment to the 1988 Privacy Act that was intended to protect users from electronic misuse of personal information. This has led to a requirement for Australian corporations to comply with the legislation by adhering to a basic set of privacy principles for the collection and disclosure of information.
What is privacy? When a person shares any type of information, particularly personal information, there is usually an assumed or explicit agreement on what that information will be used for. A person might tell a personal friend of an illness or family problem, and it is assumed that the friend will keep this information with respect for the person's confidentiality. This is also true, though often in more explicit terms, of an agreement on sharing information with a corporate entity or government department. So privacy, in broad terms, is an assumed level of confidence that the information will only be used for the intent with which it was shared.
The Australian guidelines to the National Privacy Principles (NPP) define personal information as follows: "Personal information is information or an opinion (including information or an opinion forming part of a database) whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion (section 6). It includes all personal information regardless of its source."
When we log onto the internet, several things happen in the course of accessing and sharing information. Firstly, an Internet Service Provider (ISP) is logging every web page accessed by a user. Whilst this may not include a user's name or personal details, it is a record of the user's experience and, not unlike a traditional library keeping records of the books a user has borrowed, a profile can be generated or details can be investigated. The next level of interaction is when we explicitly provide details such as an email address to a website for a specific intention, and the third is the exchange of details of a very personal nature with banks and government departments.
Social networking websites such as Facebook (FB) and Myspace (MS) have taken this into a new realm, with users signing agreements on the information they provide in using the service. By agreeing to the terms and conditions, users are forfeiting some of their rights to this information and, in the case of FB, opting in to an advertising and data-gathering exercise that the user may be unaware of. For example, if I have a conversation on the telephone with a friend, it is a reasonable assumption that no one is scanning that conversation for keywords. If we look at the medium of FB and MS, this is not necessarily the case. Whilst placing information in the public domain implicitly grants freedom of access to anyone who can reach it, exactly how and for what purpose it is being accessed, now and in the future, is often unclear.
This raises the question of whether corporate entities such as Google, FB and MS should need to comply with the NPP of Australia if they are collecting information on Australian citizens. In reality this is not a requirement, and the NPP contains a clause that gives a corporation the ability to seek consent for disclosure of information. The NPP legislation defines two levels of disclosure: primary and secondary.
NPP 2.1(a) Primary and related purposes
Determining the primary purpose of collection should always be possible. Where an organisation collects personal information directly from the individual the context in which the individual gives the information to the organisation will help identify the primary purpose of collection. When an individual provides and an organisation collects personal information, they almost always do so for a particular purpose - for example, to buy or sell a particular product or receive a service. This is the primary purpose of collection even if the organisation has some additional purposes in mind.
http://www.privacy.gov.au/publications/nppgl_01.html
NPP 2.1(b) Secondary use and disclosure with consent
This allows an organisation to use or disclose personal information for a secondary purpose if it has the individual's consent. Consent to the use or disclosure can be express or implied. Implied consent arises where consent may reasonably be inferred in the circumstances from the conduct of the individual and the organisation. For example, it may be possible to infer consent from the individual's failure to opt out provided that the option to opt out was clearly and prominently presented and easy to take up. If the organisation's use or disclosure has serious consequences for the individual, the organisation would have to be able to show that the individual could have been expected to understand what was going to happen to information about them and gave their consent. In such situations, it would ordinarily be more appropriate for the organisation to seek express consent.
http://www.privacy.gov.au/publications/nppgl_01.html
The secondary use clause allows users to give consent, or to opt in, for further use of the information provided to a corporation. This gives the corporation rights, within the terms and conditions or disclosure, to utilize this information in the manner set out therein. However, where does this stop?
New concepts, sites and applications are arriving on the internet every day. One recent addition is http://www.spokeo.com/, which is an aggregation engine for information, in particular email addresses. This allows users to track the appearances of email addresses across the web and to see when a user updates information on a social network site such as FB and MS. This may be interpreted as address harvesting and is arguably in violation of section 22 of the Australian Spam Act 2003 if it is supplied to someone who resides in Australia by an Australian commercial entity.
20 Address-harvesting software and harvested-address lists must not be supplied
(1) A person (the supplier) must not supply or offer to supply:
(a) address-harvesting software; or
(b) a right to use address-harvesting software; or
(c) a harvested-address list; or
(d) a right to use a harvested-address list;
http://www.comlaw.gov.au/comlaw/Legislation/ActCompilation1.nsf/0/DED153276FD7C6F9CA2570260013908A/$file/SpamAct03WD02.pdf
Spokeo does not harvest the email addresses; you must supply these from your social and email contact lists. It does, however, harvest links where these email addresses may be found. Chances are that when you placed your email address there, you did not intend for it to be harvested in the context of the site and aggregated with every other site it may appear on. And that is the real question here: whether your intention in placing something in the public domain was to have it taken in the context of the site it appears on. This means people find the site and perhaps see your email and contact you; it is driven by the topic of the site. That is a reasonable assumption and expectation. With applications such as FB, MS and now Spokeo, this has been changed to a position where you are the topic and the interests around you are aggregated. I would say that most users feel they did not place information in the public domain with this intention.
Whilst this is not to say that we are all being spied upon, there is a commercial incentive to aggregate information around an individual or group of individuals for the purpose of advertising or reselling it. In some but not all cases this is against the primary and secondary collection purpose and would be in violation of Australian law. This may not be an invasion of privacy in the purest sense, but it raises questions: who ultimately owns your email address, and who has the right to aggregate it in a way you may not have intended? What rights do you have to remove your address from an engine like Spokeo? Was this made clear to you when you signed up to a social network site?
To be clear again, I do not claim anything illegal is happening here; however, both the Spam Act 2003 and the Privacy Act 1988 in Australia can do little to protect privacy in these cases. In fact, the legislation is completely ineffective, as the corporate entities are in most cases outside of Australia and therefore free from compliance. Is this outdated and too local? Yes, it's time for a fresh look at privacy and controls that may force a level of corporate responsibility on a global scale that does not exist at present.