Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Version of 29 August 2000
© Xamax Consultancy Pty Ltd, 2000
This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/SenateeP2.html
ACN: 002 360 456
78 Sidaway St Chapman ACT 2611
Tel: +61 2 6288 1472, 6288 6916
Senate Select Committee on Information Technologies
Canberra ACT 2600
Dear Ms Griffiths
I refer to my Submission of 30 July 2000. I regret that I was unable to accept your invitation to give evidence to the Committee on 21-22 August, due to my absence in Hong Kong on business. Thank you for the opportunity to appear instead on 29 August.
I attach a Supplementary Submission which briefly addresses the Committee's Terms of Reference. The web version of this document contains a large number of hot-links to papers that provide greater detail on many aspects of the Submission. The web version is at:
Roger Clarke MComm (UNSW) PhD (ANU) FACS PCP
My Preliminary Submission of 30 July 2000, due to pressure of time, merely provided an annotated bibliography of the more than 40 papers I've published on the topic of e-Privacy.
This Supplementary Submission addresses the Enquiry's Terms of Reference. It commences with a discussion of the Terms' scope. followed by some observations on privacy law generally. It then concentrates on Term (a)(i) relating to Internet transactions, followed by a brief comment on Terms (b) and (c). It concludes with comments relating to the policy directions that the Parliament needs to adopt if e-privacy is to be assured, and the present serious lack of citizen and consumer confidence overcome.
The title selected for the Enquiry, 'e-Privacy', implied that the Terms would be expressed very broadly. In fact, the Terms are very narrow.
Firstly, the word 'consumer' is used on four occasions in only 40 words, and in such a manner that it constrains the Committee's scope to the economic dimension of people's lives. This is especially problematical because most personal behaviour on the net is not economically motivated.
Secondly, the expression used in Terms (a) and (b) embodies presumptions that marketers have some innate right to gather, use and in particular to interchange personal data. This results in it appearing as if there are only a few actions that organisations need to take, in particular disclosure obligations about the uses they put data to. Moreover, Term (a) appears to actually exclude consideration of the vital issue of protections against collection of personal data. Such presumptiveness is commonplace among American corporations, and has been shared by the Clinton Administration; but the U.S.A. is alone among Australia's reference group in having these views, and they are not an appropriate starting-point for an assessment of e-privacy needs in this country. (Moreover, there are clear signs that the U.S. will shortly be forced to change its direction, all then more quickly in the event of Gore being elected to the Presidency).
Thirdly, the term 'browsing' is generally only used in relation to the World Wide Web, and not to the Internet generally. The Terms could accordingly be read as excluding the many other services available over the Internet, especially email, file-transfer and news.
Conclusion: The Committee needs to either read its Terms very broadly, so as to circumvent these apparent limitations; or it must appreciate, and acknowledge in its Report, that its scope has not been comprehensive.
Privacy has been a major concern of the second half of the twentieth century, and a great deal has happened in that time. This section provides a very brief overview of the state of play. Further background is provided in a separate paper on the history of privacy in Australia.
Following action by legislatures primarily in Europe and to a lesser extent the U.S.A., and concerned about the impact of differential regimes on international trade, the OECD codified the so-called 'Fair Information Practices' approach to the protection of personal data in 1980. A separate paper provides an analysis of the OECD Guidelines. Australia acceded to the OECD Guidelines in 1984, but took no action.
Following the withdrawal of the proposal for an Australia Card, the Parliament legislated in 1988 an OECD-style regime for the Commonwealth public sector only. Only limited action has been taken by the Commonwealth Parliament on privacy matters since then. The States have also been extremely slow to act, with only N.S.W. having a law in place in relation to its public sector; and that is a very weak statute, currently only in the implementation phase. Victoria (once again) has a Bill on the parliamentary table.
During the 20 years since the OECD Guidelines were formulated, European countries have moved to greatly strengthen their laws. The European model is often depicted as a strict regulatory approach (unreasonably so, because in many cases such a description is quite misleading). The New Zealand legislation of 1993 is particularly relevant to Australia, because its 'co-regulatory' approach owes some of its features to Australian experience, and industry and associations and privacy advocates agreed some time ago that it represents an effective model for Australia to adopt.
The present Commonwealth Bill which purports to regulate the private sector is an appalling document, which needs to be withdrawn and replaced by a Bill that addresses the needs of Australian society, and of Australian business. Its manifold inadequacies have been attacked from many sides. Attention was drawn to them in my submission to the House of Representatives Legal and Constitutional Committee when it considered the Bill, and to the serious problems catalogued in my earlier submission to the Attorney-General.
The OECD Guidelines were a late 1970s codification of legislation of the period 1970-75, which in turn reflected the ravages wrought by late 1960s computer technology. During the intervening 30 years, computer technology has matured and advanced enormously, has been married with communications to produce information technologies of dramatically greater privacy invasiveness, and is in the process of being extended to ubiquitous wireless coverage, and of converging with both robotics and, shortly, human genomics.
In short, the three-decades-old OECD / Fair Information Practices approach is utterly inadequate as a means of protecting citizens in the 21st century. A separate paper examines specific inadequacies of the OECD / FIP approach.
Most countries in Australia's reference group were 5-15 years late in adapting to the information technology of the late 1960s. Australia, in relation to the private sector, is now about 30 years behind, and is even now mistakenly trying to protect its corporations at the expense of its people.
The Australian Parliament is accordingly very poorly placed to assure its citizens that its e-privacy is protected. Should the current Bill be passed, the public will become even more cynical about the corporation-serving and person-hostile nature of Australian law.
Conclusions: In considering e-Privacy, the Committee needs to:
Some of Term (a) relates to consumer concerns about electronic transactions over proprietary networks such as those which connect ATMs and EFT/POS terminals to transaction-processors and card-issuers. These concerns are of long standing, and have been addressed in various forums in the past. I was involved in those matters in the late 1980s, but have not studied them in recent years. I accordingly restrict my submission to Internet matters.
The Internet differs greatly from any technology that precedes it. A separate paper provides an introduction to Internet architecture. The Parliament has recently passed several statutes that demonstrate seriously inadequate appreciation of technologies and their implications. These have been in areas as diverse as content censorship, alternative uses of the electromagnetic spectrum ('data-casting'), and copyright; and it seems likely that an equally misguided statute on online gambling may soon follow.
Meaningful discussion of the Internet's impacts and implications, and evaluation of the likely effects of alternative approaches to regulatory intervention, depend on a clear appreciation of:
Reviews of e-privacy threats and countermeasures are provided in separate papers (Clarke 1998, 1997, 1999). There has been virtually no assistance forthcoming from government to date, and most interactions between privacy advocates and government agencies have resulted in disappointment. Of especial note is the abject failure of the Government Public Key Authority (GPKA) and the National Electronic Authentication Council (NEAC) to address the enormous privacy implications of public key infrastructure.
Meanwhile, the Privacy Commissioner's Guidelines on Workplace E-mail, Web Browsing and Privacy reflect a highly corporation-friendly and employee-unfriendly stance. They offer corporations carte blanche as regards the policies they adopt, which is completely at odds with the needs of the situation, and very different from the position that applies to workplace visual, audio and telephone surveillance. If this is indicative of the kind of 'balance' that the current Privacy Commissioner thinks is appropriate, then he will be regarded by the public as being captured by the private sector. Given the very gentle handling of the Australian Taxation Office's recent breaches of privacy laws in relation to the Australian Business Number register, the public could be excused for suspecting that he is captive to government agencies as well.
Conclusion: Effective regulation of Internet technologies and behaviours is important and urgent. But there is serious risk of inappropriate and ineffectual legislation, and hence action needs to be delayed until policy advisors in the public service, Ministerial advisors, and the Parliament as a whole have developed far greater understanding of the subject-matter than they presently have.
The dominant uses of the Internet have always been personal play, entertainment, infotainment, research, self-education, inter-personal interactions and community transactions. Marketers have failed to understand Internet technologies, cyberspace behaviour, and the nature of net e-consumers. They have continued the exploitative 'push-marketing' approaches that worked for them during the era of broadcast technologies. As a result, consumer e-commerce is only stumbling along while community usage explodes; and hence personal and social uses of the net may be becoming even more dominant than before.
The Australian Direct Marketing Association, together with some direct marketing companies it represents, believe that economic considerations dominate social factors, and that the primary clients whose interests Parliament should protect are corporations. Some time ago, it issued a 'code' which was opposed by consumer and privacy advocates across the nation, because of its arrogance and one-sided, non-negotiated nature.
ADMA's code is objectionable in relation to mail and telephone marketing. In relation to marketing over the Internet, it is not merely objectionable, but was prepared in apparent ignorance of the practicalities and even the economics of Internet technologies. A separate paper authorised by the Australian Computer Society has explained the ways in which ADMA-condoned practices result in cost impositions on consumers, and threats to public services.
As and when direct marketers abandon the ADMA code, and look for more constructive and less rapacious methods, they will find them. A separate paper provides guidelines on privacy-friendly direct marketing.
The Commonwealth Parliament must avoid legitimising marketers' privacy-invasive practices, and must subject marketers to privacy-protective laws. In particular, data collection without consent, and data-sharing without consent, must be rendered illegal, as the OECD Guidelines long ago implied that they should be. This means that the present Bill must be rejected, and a new Bill prepared and introduced whose purpose is to establish a privacy-protective regime.
The current Bill is not about privacy protection, but about confirming that businesses are permitted to continue their privacy-invasive practices. If it were passed, even in heavily amended form, it would greatly harm the relationship between business and consumers. It must be withdrawn, and a real OECD-style Bill introduced and passed.
OECD/FIP style protections are a necessity, but they are a reaction to technologies of 30 years ago. 21st century privacy protections are also a necessity. In their absence, the public will continue to be sceptical about and slow to embrace electronic commerce and electronic service delivery, and will become yet more cynical about the power of corporations, and the servility of Parliament to corporate interests.
Several challenges need to be overcome before 21st century privacy protections are legislated. The first is that a meaningful appreciation needs to be developed of the nature of Internet technology and cyberspace behaviour.
The second is that the 'supra-jurisdictional' aspects of the Internet need to be understood. In brief, some cyberspace actions take place, or can be contrived to take place, in a space beyond the reasonable reach of geographically-based jurisdictions. But many actions are locateable in physical space, and hence can be made subject to laws, provided that they are consistent with the social and economic needs of the country, and with the realities of technology and its use, and are not unduly onerous on the organisations and individuals concerned.
During recent years, a 'technology neutrality' vogue has been in use among government lawyers. This referred to the presumed desirability that laws be expressed in such a manner that they cope with technological difference, and survive technological change. This approach is dubious in any context. (Consider, for example, the differences between cars and horse-drawn carriages; between ship-borne travel and aeroplane travel; and between sub-sonic and supersonic travel). In the Internet context, it was a vain hope. Specific laws will be needed, to establish appropriate balances among multiple interests, and appropriate contexts for corporate and personal behaviour.
It is stressed, however, that advisers to Ministers and to the Parliament have not yet assimilated the differences involved in Internet activities. It is not just another broadcast medium, and it involves less 'push', more 'pull', and a lot more interactivity. It is not just about one or two formats, as radio and television have been; it is about many old formats, and some new ones. Internet services simply cannot be sensibly explained by analogy to pre-existing services, nor by anything else that preceded them. They have to be understood in their own terms before any action is taken to regulate them.
I identified the dimensions of e-privacy in 'Information Privacy On the Internet: Cyberspace Invades Personal Space', in the Telecommunication Journal of Australia 48, 2 (May/June1998).Further details are in 'Privacy On the Internet: Threats, Countermeasures and Policy' presented at seminars in Sydney in April and October 1997.
This analyis was updated in 'Current Developments in Internet Privacy', Proc. IIR Conf. Data Protection and Information Privacy, August 1999, Sydney.
A general overview of issues is provided in the form of a Book Review of Simon Davies' important book 'Monitor': 'The Information Infrastructure is a Super Eye-Way', Privacy Law & Policy Reporter 3, 5 (August 1996).
A more specific paper addresses the Promises and Threats in Electronic Commerce (August 1997, prepared as a basis for an interview by the ABC TV series, Quantum).
In a recent paper in a refereed, international journal, I argued that e-Privacy issues are so significant that they will force even the hitherto intransigent U.S. Administration and Congress to create effective controls over the U.S. private sector.
The paper, 'Internet Privacy Concerns Confirm the Case for Intervention', was published in February 1999 in Communications of the Association for Computing Machinery (Commun. ACM, the flagship journal of a 100,000-member professional body), 42, 2 (February 1999) 60-67. The article was presented to the U.S. Congress as part of a briefing by the ACM in mid-1999.
I provided an explanation of the OECD Guidelines in a 1989 paper 'The OECD Data Protection Guidelines: A Template for Evaluating Information Privacy Law and Proposals for Information Privacy Law'.
In 'Beyond the OECD Guidelines: Privacy Protection for the 21st Century', January 2000, I drew attention to the utter inadequacy of contemporary regulatory approach of 'fair information practices', and the need to move from a 1970s view of 1960s technologies to a 21st century appreciation of what humankind is doing to itself.
I stress that the Privacy Amendment (Private Sector) Bill 2000, currently before the Commonwealth Parliament, is a complete travesty, even when compared against the very modest standards of the OECD Guidelines.
I expressed that view in a Submission to the Inquiry into the Privacy Amendment (Private Sector) Bill 2000 by the House of Representatives Legal and Constitutional Committee, in May 2000. That document referred back to an earlier Submission to the Commonwealth Attorney-General, which explained the Bill's manifold deficiencies.
If that Bill were to be passed into law, in anything even vaguely resembling its original form, it would gravely exacerbate the already serious distrust between people and corporations. It would, moreover, be evidence of astounding and most regrettable incomprehension on the part of the Members and Senators, and failure by them to address the needs of the people that they represent.
I examined the privacy-invasiveness of direct marketing techniques in 'Direct Marketing and Privacy', Proc. AIC Conf. on the Direct Distribution of Financial Services, Sydney, 24 February 1998.
Many corporations marketing to Australian consumers have been extremely cavalier in the handling of personal data. The unilateral 'code' established by the Australian Direct Marketing Association was attacked by virtually all consumer and privacy advocacy organisations, yet ADMA irresponsibly continues to assert that its code is privacy-protective. Criticisms of the draft code were expressed in a submission to ACCC (October 1998), and in a further submission (December 1998).
A particularly extreme initiative is the Packer / PBL / Acxiom InfoBase, which came to light in November 1999.
I provided an explanation relating to the specifics of direct marketing and e-privacy, in a paper written for, and approved by, the Australian Computer Society: 'Privacy Bill needs much more work', the Australian Computer Society column of The Australian, 15 February 2000.
The foundation analysis of the impending explosion in surveillance of people through their data rather than through visual and aural means was provided in 'Information Technology and Dataveillance', published in the international journal Comm. ACM 31,5 (May 1988), and re-published in C. Dunlop and R. Kling (Eds.), 'Controversies in Computing', Academic Press, 1991.
A populist rendition is in 'Dataveillance: Delivering 1984', a chapter in Green L. & Guinery R. (Eds.) 'Framing Technology: Society, Choice and Change' Allen & Unwin, Sydney, 1994.
A literary perspective was provided in 'A 'Future Trace' on Dataveillance: Trends in the Anti-Utopia / Science Fiction Genre' (March 1993).
A central element was comprehensively examined in 'Human Identification in Information Systems: Management Challenges and Public Policy Issues' Info. Technology & People 7,4 (December 1994).
'The Digital Persona and Its Application to Data Surveillance' was published in the leading international journal, The Information Society 10,2 (June 1994). This predicted the monitoring of the 'real-life' behaviour of individuals and groups through their net behaviour.
A further vital aspect is the availability of choice among anonymous, pseudonymous and identified transactions. This was first addressed in 1995 in 'When Do They Need to Know 'Whodunnit?': The Justification for Transaction Identification' at the Computers, Freedom & Privacy Conference in San Francisco. It was addressed again in 1996, in a paper for a Sydney conference, 'Identification, Anonymity and Pseudonymity in Consumer Transactions: A Vital Systems Design and Public Policy Issue'. A more advanced treatment was provided in 'Identified, Anonymous and Pseudonymous Transactions: The Spectrum of Choice', for a conference in Stockholm in June 1999.
Papers and resource-pages that examine specific matters include:
Privacy Issues in Smart Card Applications in the Retail Financial Sector were addressed in 'Smart Cards and the Future of Your Money', Australian Commission for the Future, June 1996, pp.157-184.
The promise and peril of chip-based ID was addressed in an invited paper for the International Conference on Privacy, Montreal (September 1997).
Of enormous significance among the ever-growing threats are person-location and person-tracking technologies. These were examined in an invited paper for the Conference of Privacy and Data Protection Commissioners in Hong Kong in September 1999.
A more recent paper considered privacy in the context of e-Transport, including the denial of road-usage without the provision of one's identity, and the secret extension of truck-monitoring technology to cars. This was presented to a conference in Melbourne last Friday, 28 July 2000.
The following series of papers addresses the technically difficult area of cryptography in general, and digital signatures in particular:
The scene for this topic was set by an overview paper, Public Interests on the Electronic Frontier, Invited Address to IT Security '97, 14 & 15 August 1997, Rydges Canberra (August 1997).
A more general perspective is provided in 'Information Technology & Cyberspace: Their Impact on Rights and Liberties' (1995, invited presentation to a Seminar Series of the Victorian Council for Civil Liberties).
A more recent expression is in 'Ethics and the Internet: The Cyberspace Behaviour of People, Communities and Organisations', Proc. 6th Annual Conf. Aust. Association for Professional and Applied Ethics, Canberra, October 1999 (revised version forthcoming in the Journal of Professional and Applied Ethics).
The role of I.T. professionals is addressed in 'Economic, Legal and Social Implications of Information Technology', in the international journal MIS Qtly 12,4 (December 1988) 517-9.
Go to Roger's Home Page.
Go to the contents-page for this segment.
Send an email to Roger
Created: 27 August 2000
Last Amended: 29 August 2000
|These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).|
| The Australian National University|
Visiting Fellow, Faculty of
Engineering and Information Technology,
Information Sciences Building Room 211
Pty Ltd, ACN: 002 360 456|
78 Sidaway St
Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, 6288 6916