Is On Line Privacy a Luddite Dream or a Necessity for Economic Growth?

Some sectors have developed voluntary codes of practice, implementing the Privacy Commissioner's National Principles for Fair Information Handling. Examples are the General Insurance Industry Information Privacy Principles, the ADMA Code of Practice for Direct Marketing and the Internet Industry Association Code of Practice. The IIA Code is particularly relevant to Internet users, see http://www.iia.net.au/

The federal government has now moved to give statutory backing to these voluntary codes, and to cover most larger private-sector businesses. However, the Bill introduced into Parliament in April has been widely criticised as containing too many exemptions and not being tough enough on issues like on-line collection, profiling and matching, and direct-marketing uses.

Even with regulation on its way, individuals should still look after themselves. If laws or codes are to be effective in the long term, they will require individuals to use their rights and challenge apparent breaches. Internet users should demand clear statements of privacy policy from the organisations they deal with, and complain if they don’t like what they are told. Surveys of web sites both in Australia and overseas show a depressing absence of privacy policies, although this is starting to change under consumer pressure and (in the US) to stave off regulation.

In the US and elsewhere we are also seeing the development of so-called "privacy enhancing technologies" (PETs). Anyone can, of course, use encryption, but most people won't do so until it can be accessed with a few simple mouse clicks.

One early PET is the facility in the major browsers to turn off acceptance of 'cookies', the programs that some web sites seek to install on the user's computer to facilitate interaction, and which incidentally result in some information about the user passing to the host site. The facility is not, however, widely advertised – the default setting is acceptance. Turning cookies off seems to have little effect on the use of most web sites except where extra security is required for payments.

Other PET examples are anonymous re-mailers but many users seem reluctant to go to this length as it suggests they have something to hide. We should not have to resort to anonymity to have our privacy respected.

Underlying many PETs is an assumption that individual web users, if fully informed about the policies of web sites, can make their own choices, and can either decline to deal with sites whose practices they don’t like, or negotiate. This 'market driven' approach strikes many consumer and privacy advocates as unrealistic; it assumes that consumer choice will lead to higher privacy standards.

In practice, most web sites will offer some limited choices about sale of personal details but basically will have a 'take it or leave it’ approach to their own marketing uses and in some cases also to disclosure to associated businesses.

The fact is that consumers are likely to choose web sites to deal with on the basis of other factors such as price, product range and convenience, even if they don't like the privacy policy. Just because they don't value their privacy enough for it to override these other factors, should this mean they should be denied the right to independently control the secondary use of their personal information?

To sum up

At present in Australia, Internet users have little or no control over what personal information web site owners or hosts can seek to collect, either directly or indirectly, or what they can do with that information. Enforceable privacy principles are on the way, initially in Codes of Practice but to be backed up within a few years by legislation. Users will soon have someone to complain to, and the prospect of getting problems fixed if they have been damaged or embarrassed by privacy breaches.

In the meantime, it is a case of 'buyer beware'. Users can and should challenge web sites about their privacy policies or lack of them. If enough users do this, the market will start to respond, and the Net will become a little 'safer'.