[LINK] Transparent Proxy Server and Privacy

Irene Graham rene.lk at libertus.net
Thu Nov 9 00:53:36 AEDT 2006


On Tue, 7 Nov 2006 06:56:26 +1000, Tech Support wrote:

> A number of ISPs run transparent proxy servers.
>
> One ISP that I know of recently has introduced a transparent proxy
> server where previously one of the selling points of the ISP was NO
> proxy server and that is the condition that many users signed up to the
> ISP on.
>
> The users have not been notified about the proxy server and the
> implications (both good and bad).
>
> Considering the information that can be gleaned from the proxy logs
> regarding any person's browsing habits, is the introduction of said proxy
>
> a) Legal (considering that users have not been told about its
> introduction)?

ISPs are required to comply with Part 13 (Protection of Communications)
of the Telecommunications Act 1997 (Cth) and possibly also with the
National Privacy Principles (NPPs) in the Privacy Act 1988 (Cth). I say 
possibly with the NPPs because they do not have to comply if their annual 
turnover is less than $3 million per annum but in that circumstance they 
would have to comply if they disclose information for benefit, or 
advantage, or something like that (which probably doesn't apply in this 
case).

If the relevant ISP is required to comply with the NPPs then imo they are 
required by NPP 1.3 to notify their customers of the collection of 
information in proxy logs (before the collection commences). However, my 
opinion may not be right because it might be argued that NPP 1.3 notices do 
not have to be that specific, it might depend on what their (hopefully) 
pre-existing NPP 1.3 notice said.

A customer of the ISP could make a complaint/inquiry to both the TIO and 
the Federal Privacy Commissioner's office. The TIO can deal with complaints 
about privacy, and could also deal with complaints about breach of 
provisions of contract if that has occurred. 

However, both of the above are not supposed to deal with complaints unless 
the person has tried to have the matter resolved by direct contact with 
their ISP first and that was not successful. However, it might be possible 
to obtain an opinion without lodging an actual complaint.

> b) Breaking any laws with respect to privacy of the user's web browsing
> habits ?
>
> c) What are the legal requirements (regarding privacy of users) of the
> ISP especially with the generated logs?

The content of the proxy logs would be protected information under the 
Telec Act. Imo, it unquestionably meets the description of such information 
in s276 of the Telec. Act.

"276 Primary disclosure/use offence—eligible persons
(1) An eligible person [includes ISP] must not disclose or use any 
information or document that:
(a) relates to:
(i) the contents or substance of a communication that has
been carried by a carrier or carriage service provider; or... "

"communications includes any communication:
(a) whether between persons and persons, things and things or
persons and things; and
(b) whether in the form of speech, music or other sounds; and
(c) whether in the form of data; and
(d) whether in the form of text; and
(e) whether in the form of visual images (animated or
otherwise); and
(f) whether in the form of signals; and
(g) whether in any other form; and
(h) whether in any combination of forms."

ISPs are not permitted to use or disclose protected information except for 
the specified limited circumstances/purposes set out in Part 13 of the 
Telec. Act. Offhand the main ones that would apply are s279 (performance of 
person's duties as an employee of ISP), s289 (with knowledge or consent of 
the individual), s280 (with a warrant or court order) and probably s282 
which allows disclosures to law enforcement agencies if it is "reasonably 
necessary" for the enforcement of the law. I think s282 would apply to 
logged info (imo a warrant should be required). There are other exceptions 
that could apply/be relevant in some circumstances.

To read them all, the Act is here:
http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/FAA789D148B0FF6FCA2571AB0017F9C7?OpenDocument

The prohibitions start at s276 and the exceptions to those prohibitions 
start at s279.

Hope that helps shed some light on relevant law.

(NB: None of the above should be taken to imply that I consider the current 
legislative situation in relation to use or disclosure of proxy log 
information satisfactory.)

Regards
Irene


