Is On Line Privacy a Luddite Dream or a Necessity for Economic Growth?

Privacy on line: a laughably luddite dream, or an increasingly essential condition for future economic growth?

The battle lines are being drawn, and make no mistake that it is a battle. Major commercial interests are at stake, for there is heaps of money to be made out of knowing more about potential customers. And big business is often in an unholy alliance with bureaucrats and politicians who see a surveillance society as a quick fix for social and economic management problems.

What do Internet users want?

Because on-line transactions inevitably create an electronic trail, the practicability of being anonymous while using the Internet is limited, and more and more organisations are realising the value of capturing and using personal information about users. The explosive growth of 'free' ISPs relies on customers, knowingly or not, authorising the use of information about their browsing habits for market research and direct marketing.

The paradox of privacy on line is that Internet users are perplexingly inconsistent as between their attitudes and their behaviour. On one hand, surveys show that privacy and security of personal information are key public concerns. On the other hand, Internet users seem to be falling over themselves in their rush to take advantage of services and offers that involve parting with often detailed personal information.

What are the risks to privacy on line?

Greater vulnerability of transactions and communications

More and more transactions are being conducted on line, generating either a new record/trail or one that is much more easily read than previous paper trails. At the same time, communications are increasingly of a 'store and forward' nature (typically e-mail) rather than real-time (voice). Because the communications 'exist' for a longer time there is inevitably greater potential for interception and access by third parties.

Two types of privacy risk have increased. First, the risk of unauthorised interception and access (commonly known as hacking), and second, the risk of authorised (official) interception and access, involving lawful surveillance by government authorities.

Unauthorised access is being addressed by a range of security measures. The challenge of securing such information when it is in the hands of the various participants (ISP's, web hosts and on-line merchants) is no different from that facing any other holder of computerised data. The additional risk of interception while in transit over the Internet is typically addressed by encryption of details such as credit card numbers. But encryption doesn't mean complete security. There are regular media reports of security breaches.

Officially authorised access to personal information arises from a growing range of powers for various government agencies to obtain information without a search warrant. Not only law enforcement, but also tax and social security authorities have such powers. We have seen recently how those powers can be abused, with the Tax Office having to back down both on plans to use electoral roll information to send out GST related letters, and on the sale of personal details of applicants for Australian Business Numbers. Somehow we have allowed governments to create a sense that accessing our information without our knowledge or consent is somehow less intrusive than entering our homes or business premises. The public outcry over the Tax Office plans shows that we may be starting to fight back!

Unwelcome commercial use - unsolicited Email or "Spam" is another key Internet privacy issue. While the potential harm is not in the same order as security breaches, nothing excites as much passion in many Internet users. Spam is arguably a breach of a fundamental privacy principle: no secondary use without consent. There is, however, a grey area around the sending of marketing material by a supplier you have already dealt with, which many businesses argue is within the 'reasonable expectation' of individuals and a commercial freedom-of-communication 'right'. But as any connection with past purchases becomes more remote, the case for gaining consent strengthens. There is also a question of the basis of consent: is 'opt-out' enough or should prior 'opt-in' be required?

What can be done to safeguard privacy on line?

Currently, the only private-sector activities subject to privacy law are consumer credit reporting and use of tax file numbers, which are covered by the Commonwealth Privacy Act 1988.

But governments and industry associations have increasingly responded to public concerns and have seen the provision of privacy protection as an important part of the infrastructure for electronic commerce and electronic service delivery.

Some sectors have developed voluntary codes of practice, implementing the Privacy Commissioner's National Principles for Fair Information Handling. Examples are the General Insurance Industry Information Privacy Principles, the ADMA Code of Practice for Direct Marketing and the Internet Industry Association Code of Practice. The IIA Code is particularly relevant to Internet users, see http://www.iia.net.au/

The federal government has now moved to give statutory backing to these voluntary codes, and to cover most larger private-sector businesses. However, the Bill introduced into Parliament in April has been widely criticised as containing too many exemptions and not being tough enough on issues like on-line collection, profiling and matching, and direct-marketing uses.

Even with regulation on its way, individuals should still look after themselves. If laws or codes are to be effective in the long term, they will require individuals to use their rights and challenge apparent breaches. Internet users should demand clear statements of privacy policy from the organisations they deal with, and complain if they don’t like what they are told. Surveys of web sites both in Australia and overseas show a depressing absence of privacy policies, although this is starting to change under consumer pressure and (in the US) to stave off regulation.

In the US and elsewhere we are also seeing the development of so-called "privacy enhancing technologies" (PETs). Anyone can, of course, use encryption, but most people won't do so until it can be accessed with a few simple mouse clicks.

One early PET is the facility in the major browsers to turn off acceptance of 'cookies', the programs that some web sites seek to install on the user's computer to facilitate interaction, and which incidentally result in some information about the user passing to the host site. The facility is not, however, widely advertised – the default setting is acceptance. Turning cookies off seems to have little effect on the use of most web sites except where extra security is required for payments.

Other PET examples are anonymous re-mailers but many users seem reluctant to go to this length as it suggests they have something to hide. We should not have to resort to anonymity to have our privacy respected.

Underlying many PETs is an assumption that individual web users, if fully informed about the policies of web sites, can make their own choices, and can either decline to deal with sites whose practices they don’t like, or negotiate. This 'market driven' approach strikes many consumer and privacy advocates as unrealistic; it assumes that consumer choice will lead to higher privacy standards.

In practice, most web sites will offer some limited choices about sale of personal details but basically will have a 'take it or leave it’ approach to their own marketing uses and in some cases also to disclosure to associated businesses.

The fact is that consumers are likely to choose web sites to deal with on the basis of other factors such as price, product range and convenience, even if they don't like the privacy policy. Just because they don't value their privacy enough for it to override these other factors, should this mean they should be denied the right to independently control the secondary use of their personal information?

To sum up

At present in Australia, Internet users have little or no control over what personal information web site owners or hosts can seek to collect, either directly or indirectly, or what they can do with that information. Enforceable privacy principles are on the way, initially in Codes of Practice but to be backed up within a few years by legislation. Users will soon have someone to complain to, and the prospect of getting problems fixed if they have been damaged or embarrassed by privacy breaches.

In the meantime, it is a case of 'buyer beware'. Users can and should challenge web sites about their privacy policies or lack of them. If enough users do this, the market will start to respond, and the Net will become a little 'safer'.