Roger Clarke's Web-Site

© Xamax Consultancy Pty Ltd,  1995-2024
Photo of Roger Clarke

Roger Clarke's 'Why do we need the APF?'

Why do we need an
Australian Privacy Foundation?

Version of 12 May 2021

Notes for a Presentation to Deakin University Cybersecurity students

Roger Clarke **

© Xamax Consultancy Pty Ltd, 2021

Available under an AEShareNet Free
for Education licence or a Creative Commons 'Some
Rights Reserved' licence.

This document is at

The accompanying slide-set is at

The 15-minute video is at


Privacy is sometimes confused with Security. The term 'security' refers to circumstances in which some kind of asset is protected against the harm that might otherwise arise from various threats. It can also describe the safeguards that provide that protection. All kinds of assets need security. For example, a company that sells whitegoods like refrigerators needs to protect their products, the warehouses and shops that they're stored in, and the trucks that deliver their products. In cybersecurity, the focus is on protecting IT artefacts, services and data.

Privacy has a small amount of overlap with security, but its focus is completely different. Privacy is the interest that individuals have in sustaining 'personal space' free from interference by other people and organisations. So the focus isn't on financial assets, but on human values.

Privacy has many dimensions. Privacy of the physical person is infringed by enforced blood transfusions and sampling of body fluids. Frequent observation (e.g. by cameras installed in so many places) conflicts with the interest in behavioural privacy. We used to buy our reading materials, and read, and listen to public lectures, without being observed, and without our sources of information being recorded. Over the last 20 years, those behaviours have shifted to digital contexts, like the one we're in right now, in which observation and recording are built-in. That threatens experiential privacy. All of those dimensions are affected by the widespread abuses of data privacy (relating to stored personal data) and communications privacy (relating to flows of personal data).

Across these many dimensions, there are many kinds of harm that can be done to people's privacy. At any given time, a lot of people are at risk of aggressive behaviour and even violence from someone else if their identity or their location is discovered. There are also many things that most people want to do in private, and hence 'having one's life as an open book' undermines many people's self-respect, and their feeling of being in control of their lives. Invention and innovation depend on people who are by definition non-conformists. So stifling the behaviour of such people is both culturally and economically harmful. The same applies to political activities, where surveillance produces a 'chilling effect' on the expression of opinions. Privacy matters from a spiritual perspective, because beliefs should be an individual's own business and no-one else's; and in secular philosophy, it's important that individuals have the scope for self-sufficiency and self-determination.

The design of privacy protections is challenging, because there are a great many interests, and the safeguards that are implemented need to achieve an appropriate balance among them all. Consumers balance their interest in privacy of their financial data against their desire to get a bank loan. Individuals in a household or a workplace have interests in knowing enough about others, without the others knowing too much about them. Groups and communities and corporations have interests that have to be balanced against privacy. And so does society as a whole.

A wide variety of safeguards are needed, some of them legal in nature (statutes, codes, mandatory standards), some are organisational (policies, procedures, training, complaints processes), and some are technical (including data security measures such as access control and carefully-managed permissions, and privacy-enhancing technologies - PETs - that enable people to protect themselves).

But these safeguards don't just happen. Corporations and government agencies look after their own interests first, and the interests of their customers and citizens maybe later. It's difficult for the public as a whole to mobilise resources to fight for privacy protections. The two main ways that protections arise are because individuals fight their own battles, and associations are formed to argue the case for privacy safeguards.

Australia has the world's longest-standing privacy advocacy organisation, called the Australian Privacy Foundation (APF). It was formed in 1987, to mobilise the public and the media in order to defeat the attempt by the Hawke government to impose a national identification scheme that they dubbed 'the Australia Card'. We won.

We've won multiple battles over identification schemes since then. We've fought for appropriate privacy protection laws, for the regulation of privacy-invasive technologies, and for appropriate safeguards to be built into many pieces of legislation. We've fought against the eternal desires of government agencies and corporations to invade people's private spaces. The digital surveillance economy has been a major theme since 2005.

The efforts are continual, with new threats arising every year. Some recent and current issues in which APF has been very active include the most recent government disasters, Robo-Debt and 'My Health Record', the highly unsafe 'COVIDsafe' app (which was a failure anyway), the hopelessly inadequate official 'Guide to Securing Personal Information', Google's takeover of Fitbit, and Facebook's serial crimes against privacy. In universities, we've recently attacked the ANU for the grossly excessive collection of data about its employees, including through their social media postings, and we've argued against the intensive surveillance of university students through online exam invigilation.

APF's membership comprises a wide diversity of people, particularly with background in computing and in the law, but from many walks of life, and from many age-groups. APF encourages people to act on their own behalf when their privacy is under attack, and to contribute to the efforts of privacy advocacy organisations like the APF.

Reading List

Clarke R. (2015) 'The Conventional Security Model' Appendix 1 to 'The Prospects of Easier Security for SMEs and Consumers' Computer Law & Security Review 31, 4 (August 2015) 538-552, at

Clarke R. (2006) 'What's 'Privacy'?' Xamax Consultancy Pty Ltd, August 2006, at

Clarke R. (1997) 'Introduction to Dataveillance and Information Privacy, and Definitions of Terms' Xamax Consultancy Pty Ltd, August 1997, at

APF (2021) 'APF Policy Statements', Australian Privacy Foundation, at

APF (2021) 'APF Policy Submissions', Australian Privacy Foundation, at

APF (2021) 'APF Media Release Archive', Australian Privacy Foundation, at

APF (2021) 'APF Membership Information', Australian Privacy Foundation, at

Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor associated with the Allens Hub for Technology, Law and Innovation in UNSW Law, and a Visiting Professor in the Research School of Computer Science at the Australian National University.

xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 65 million in early 2021.

Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 10 May 2021 - Last Amended: 12 May 2021 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2022   -    Privacy Policy