Is On Line Privacy a Luddite Dream or a Necessity for Economic Growth?

Privacy on line: a laughably luddite dream, or an increasingly essential condition for future economic growth?

The battle lines are being drawn, and make no mistake that it is a battle. Major commercial interests are at stake, for there is heaps of money to be made out of knowing more about potential customers. And big business is often in an unholy alliance with bureaucrats and politicians who see a surveillance society as a quick fix for social and economic management problems.

What do Internet users want?

Because on-line transactions inevitably create an electronic trail, the practicability of being anonymous while using the Internet is limited, and more and more organisations are realising the value of capturing and using personal information about users. The explosive growth of 'free' ISPs relies on customers, knowingly or not, authorising the use of information about their browsing habits for market research and direct marketing.

The paradox of privacy on line is that Internet users are perplexingly inconsistent as between their attitudes and their behaviour. On one hand, surveys show that privacy and security of personal information are key public concerns. On the other hand, Internet users seem to be falling over themselves in their rush to take advantage of services and offers that involve parting with often detailed personal information.

What are the risks to privacy on line?

Greater vulnerability of transactions and communications

More and more transactions are being conducted on line, generating either a new record/trail or one that is much more easily read than previous paper trails. At the same time, communications are increasingly of a 'store and forward' nature (typically e-mail) rather than real-time (voice). Because the communications 'exist' for a longer time there is inevitably greater potential for interception and access by third parties.

Two types of privacy risk have increased. First, the risk of unauthorised interception and access (commonly known as hacking), and second, the risk of authorised (official) interception and access, involving lawful surveillance by government authorities.

Unauthorised access is being addressed by a range of security measures. The challenge of securing such information when it is in the hands of the various participants (ISP's, web hosts and on-line merchants) is no different from that facing any other holder of computerised data. The additional risk of interception while in transit over the Internet is typically addressed by encryption of details such as credit card numbers. But encryption doesn't mean complete security. There are regular media reports of security breaches.

Officially authorised access to personal information arises from a growing range of powers for various government agencies to obtain information without a search warrant. Not only law enforcement, but also tax and social security authorities have such powers. We have seen recently how those powers can be abused, with the Tax Office having to back down both on plans to use electoral roll information to send out GST related letters, and on the sale of personal details of applicants for Australian Business Numbers. Somehow we have allowed governments to create a sense that accessing our information without our knowledge or consent is somehow less intrusive than entering our homes or business premises. The public outcry over the Tax Office plans shows that we may be starting to fight back!

Unwelcome commercial use - unsolicited Email or "Spam" is another key Internet privacy issue. While the potential harm is not in the same order as security breaches, nothing excites as much passion in many Internet users. Spam is arguably a breach of a fundamental privacy principle: no secondary use without consent. There is, however, a grey area around the sending of marketing material by a supplier you have already dealt with, which many businesses argue is within the 'reasonable expectation' of individuals and a commercial freedom-of-communication 'right'. But as any connection with past purchases becomes more remote, the case for gaining consent strengthens. There is also a question of the basis of consent: is 'opt-out' enough or should prior 'opt-in' be required?

What can be done to safeguard privacy on line?

Currently, the only private-sector activities subject to privacy law are consumer credit reporting and use of tax file numbers, which are covered by the Commonwealth Privacy Act 1988.

But governments and industry associations have increasingly responded to public concerns and have seen the provision of privacy protection as an important part of the infrastructure for electronic commerce and electronic service delivery.