[LINK] Spies like us: we never walk alone

[Bernard Robertson-Dunn]

<brd>
A question to the list:-

There's a big difference between gathering and using. It seems to me 
that a whole lot of effort is required to track an individual (in the 
case of murder investigations, for example). Is Joe Six-pack really at 
risk? Can the informed reduce the potential risk?

There's a lot of systems out there that gather info on us. What's the 
evidence that is it being used only for other than its intended purpose?

</brd>

Spies like us: we never walk alone
Elisabeth Wynhausen exposes the watchers exposing you
January 27, 2007
The Australian
http://www.theaustralian.news.com.au/story/0,20867,21123717-28737,00.html

If you have the bad judgment or the bad luck to give evidence in a court 
case, you may lose more than your good name. Once the case is finished, 
court files are open to the public more often than not, even if the 
files contain the bank statements, financial records, medical 
information, birthdates and addresses that witnesses produced in court.
Soon this information may be available at the click of a computer mouse.

In some countries you can search court records on the internet, and 
there is talk of adopting the system in Australia, despite a flagrant 
breach of privacy in the US, where some information from court records 
was used for data matching and direct marketing by dating companies and 
nappy manufacturers. But you don't have to be in court or under 
investigation by the police to have the details of your personal life, 
preferences and peccadilloes spread out like baubles on a blanket for 
the delectation of anyone who cares to take a peek.

Meanwhile, the Howard Government is starting to set up the clanking 
machinery required before it can introduce its de facto identity card - 
the so-called access card - to replace the Medicare card for those 
claiming any government pension or benefit. This week, federal Labor's 
human services spokeswoman Tanya Plibersek said: "This card has too much 
information on the front. It also has too much information on the 
microchip inside the card that will be available for anyone to read."

Temporarily staving off the question of whether there is such a thing as 
privacy nowadays, it might be said that many people in the West have 
more room to themselves than before, living alone rather than in 
extended family groups. But the pattern of everyday life involves 
frequent incursions into what, in the previous century (if not in 
earlier times), was regarded as part of a private realm.

You get into your car, which has a tollway e-tag (and soon enough all 
cars will have to have one of these transponders, but at least we're not 
in the US, where children at some schools have to wear them around their 
necks). Pass through a tollgate and its tag reader records your 
movements: information that can be linked to the details on the credit 
card you used to pay for the tag.

Your mobile phone is another tracking device, of course. The network has 
to know where you are to charge you for the call. If you take a detour 
to the local shopping centre, your purchases are scanned to the 
supermarket database, which may have a file on your shopping habits: 
especially if you also shop online.

In the carpark you suddenly notice you've parked all but underneath a 
closed-circuit television camera (so prevalent that research by 
criminologist Paul Wilson and others at Bond University reveals that 
Brisbane's Citytrain network has no fewer than 5500 cameras in its 
trains and around its railway platforms and carparks).

You reach your place of work, passing several more security cameras 
hanging like vultures around the building, and swipe the company pass 
you need to get in through a scanner, which registers the times you come 
and go and may send the information to the payroll people or the human 
resources department.

Luckily you don't work for a business that has security cameras trained 
on employees taking a tea break in a stairwell or merely sitting at 
their desks.

Turning on the work computer, you only half-notice the threatening 
reminder from the company that "all internet and email activity is 
logged for legal and technical reasons".

Managers can audit your use of the internet or email, possibly using the 
software they've installed to track the websites you visit.

Even so, employers do not have an absolute right to do so, according to 
Roger Clarke, the chairman of the Australian Privacy Foundation 
(www.privacy.org.au) and a consultant whose specialties include data 
surveillance and information privacy.

"The courts have never permitted unfettered powers to be granted to one 
party at the expense of another."

There are constraints on the freedom employers have to listen in or 
record employees' conversations, telephone conversations and behaviour, 
he says. "With controls existing over every other form of spying on 
employees, it's fatuous to suggest that employers can do what they like 
about their employees' use of the internet."

Of course, anything you do on a computer leaves a trace on the internet 
and, unless expunged with specific software, the computer memory. These 
traces are the lifeblood of the parasitic communities feeding off the 
data we heedlessly leave in our wake. "There are three principal ways to 
measure internet usage," says the home page for a data-tracking company 
called Hitwise that boasts of its "real-time competitive intelligence".

"A panel of users can be measured at their computers with installed 
software ... marketers can monitor how visitors interact with a specific 
website ... or the data can be collected directly from (internet service 
provider) networks."

Interaction can be monitored with "cookies", bits of identifying data 
implanted into a computer's web browser by a website. The federal 
Privacy Act 1988 is no more capable of licensing what is done with these 
digital crumbs (as another writer called them) than the beach is capable 
of licensing the waves that roll over it, only one of the criticisms of 
a piece of legislation said to have started out inadequate and become 
more so with every passing year.

Part of the problem is that the act essentially allows people to spy on 
you as long as they tell you what they're doing, a compromise our 
regulators seem to love. This doesn't apply of course to dreaded 
spyware, programs slipped on to your computer surreptitiously while 
you're browsing that can send information back to a perpetrator on what 
websites you look at (of interest to markets), or even your credit card 
details, internet banking passwords or other personal information that 
may be stored in memory. Last year it emerged that Google keeps records 
on every search your computer, identified by a number, makes using its 
search engine.

Not long ago, the Australian Communications Authority dealt with a 
complaint that telemarketing companies may have improperly gained access 
to the database that contains the names, addresses and phone numbers of 
every phone service in Australia, silent lines included. When customers 
contacted internet service providers from a silent line, some phone 
companies, Telstra and Optus among them, were allegedly giving the ISPs 
the numbers for which Telstra customers pay the usual motza.

Rather than punishing Telstra for invading the privacy of its customers 
(while charging them for the privilege), the ACA came up with what it 
called an "alternative solution": it would "seek the co-operation" of 
ISPs, asking them to let customers know their private numbers had become 
public property. Yeah, right.

But I digress. A year ago, Attorney-General Philip Ruddock announced 
that the Australian Law Reform Commission would review commonwealth and 
state privacy legislation, not least to "consider the needs of 
individuals for privacy protection in the light of evolving technology".

In its submission, privacy advocacy group Electronic Frontiers Australia 
suggested how far the horse had already bolted. "Internet technologies 
enable the collection of information about individual internet users' 
behaviour across thousands of websites. Personal profiles about them, 
including their habits and interests, are being compiled surreptitiously 
and in many cases without users being aware that this is even possible, 
let alone their having provided their name to such websites."

Does this make the very concept of privacy redundant, not just in 
theory? As part of its review, the ALRC conducted a "national privacy 
phone-in". ALRC commissioner Les McCrimmon, an adjunct professor at the 
University of Technology, Sydney, tells Inquirer there were 1300 
responses. "By far the majority were concerned about telemarketing," 
McCrimmon says.

The report, which you can see by clicking on to issues paper 31 on the 
ALRC website (www.alrc.gov.au), lists four "hypothetical situations" 
more than 90 per cent of respondents considered an invasion of privacy.

A business you don't know gets hold of your personal information (94 per 
cent); a business monitors your activities on the internet, recording 
information on the sites you visit without your knowledge (93 per cent); 
you supply your information to a business for a specific purpose and the 
business uses it for another purpose (93 per cent); a business asks you 
for personal information that doesn't seem relevant to the purpose of 
the transaction (94 per cent).

"They're not hypotheticals," says Roger Clarke by email, his preferred 
mode of communication. "Such things are standard business practice."

For the most part, we seem to accept them as such, whatever we tell 
interviewers. "Most people will happily sell their privacy for something 
as paltry as collecting a quantity of 'fly-buy' points too small to 
redeem for anything useful, or a one-in-a-million chance of winning a 
'free' car," says Dale Clapperton, an EFA board member.

In fact, we fill in the forms knowing we will be plagued with mail from 
associated marketing companies until we're old and grey, not that our 
consent is necessarily involved.

Take the case of the medical information that health professionals may 
unthinkingly share around, for instance emailing results to each other. 
If patients know this, they will usually see the value.

"The one that got our people stirred up was when we found out that data 
collected by one of the doctor's medical software packages was being 
sent off overseas, possibly for marketing analysis and not for patient 
care," says Helen Hopkins of the Consumers' Health Forum of Australia.

In an article on neuroscience, this week's Time magazine reports on the 
potential for a more intimate invasion of privacy: "Even in their 
current state, brain scans may be able to reveal, without our consent, 
hidden things about who we are and what we think and feel."

Look up the word privacy in Roget's Thesaurus and you get three possible 
meanings: invisibility, refuge and seclusion, all only glancingly 
related to the power to keep information about ourselves and our lives 
from entering the public domain, the other interpretation given to the 
word these days.

In an essay on the subject, Bob Sullivan, the technology correspondent 
for the US news website MSNBC, contrasts this willingness to sacrifice 
our privacy with the outrage sometimes expressed when entities 
compromise it for commercial gain.

In the US in 2004, ChoicePoint, a data services company that creates and 
sells files containing people's names, addresses, social security 
numbers and credit reports, gave a bunch of crooks in Nigeria who had 
posed as legitimate businessmen potential access to the records of 
140,000 people. The Atlanta-based firm, previously a fast-growing 
company, "suddenly ... became a household term associated with identity 
theft", according to one American observer.

Because we seem unable to normalise our attitudes to privacy, other 
public and private institutions justify niggling bureaucratic procedures 
in its name. A Sydney woman who has accounts with Westpac says when the 
bank unexpectedly telephoned her not long ago, "they refused to say why 
they were ringing. They said they couldn't tell me until I told them my 
birth date".

A spokesman for the bank agrees that customers are asked for personal 
information before being told the reason for the call. "For privacy 
reasons we obviously have to confirm who they are, for instance by 
asking their date of birth ... "

While this sort of thing annoys most people almost as much as 
telemarketing, most accept being spied on in public, as long as the 
invasion of privacy is justified by the suggestion that it will make 
law-abiding citizens safer.

"People have a secret love affair with CCTV: they approve of it," says 
Wilson, who has just found out that about three-quarters of the public 
shares the love. "They're not worried about the number of cameras on 
them, they are not concerned about civil liberties issues." Wilson is 
one of the authors of a new study reporting the results of what he calls 
"the first major investigation of CCTV in Australia".

The two-year project looked at the effectiveness of the thousands of 
security cameras around the Gold Coast and in the Citytrain network.

"The paradox here is that CCTV is not very good at preventing crime but 
is generally fairly good at picking up crime going on," Wilson says.

The cameras are supplied by private firms, who are helping to drive the 
fast expansion of CCTV cameras into every settled pocket of this wide 
brown land. But Wilson's study found that the private contractors doing 
the monitoring in the council's control room in Surfers Paradise spent 
just 15 per cent of the time looking at what was happening. They spent 
much time instead "searching through old tapes or filling in log books".

But this is no more likely to inhibit the love affair with CCTV than the 
certain knowledge that it isn't much good at preventing crime, and 
doesn't necessarily stand up in court.

People acknowledged as much even as they told the researchers from Bond 
University that it made them feel safer, a near relative of the 
sentiment that seems to underpin the surprisingly sanguine acceptance of 
widespread "anti-terror legislation".

Only this week the BBC reported that the Blair Government in Britain was 
proposing to create a giant database of people's personal details at 
Whitehall. "Step by step," said Conservative Opposition constitutional 
affairs spokesman Oliver Heald, "the Government is logging details of 
every man, woman and child in 'big brother' computers."

For its part, the US Government will reportedly demand that visitors to 
the country have all 10 fingers scanned when they enter the country, 
with the biometric information collected to be shared with intelligence 
agencies, the FBI included.

The Observer reported that "passengers face having all their credit card 
transactions traced when using one to book a flight. And travellers 
giving an email address to an airline will be open to having all 
messages they send and receive from that address scrutinised".

But even in the light of such overwrought measures the Australian 
Government has hardly lagged behind, passing no fewer than 41 pieces of 
"anti-terror legislation" giving officials unprecedented access to what 
used to be thought of as private communication.

Under the Telecommunications (Interception) Amendment Act 2006, now law, 
authorities can bug the phones of people who are not suspected of 
complicity in any crime but who are thought to be in contact with 
suspected criminals, or (in the new parlance) "persons of interest".

Once a judge signs off on the required "B-party" warrant, says Martin 
Bibby, a spokesman for the NSW Council for Civil Liberties, the 
Australian Federal Police or ASIO can "tap the phone of a completely 
innocent person and listen to all conversations on that phone".

"The issue it raises is whether privacy means anything at all in 
Australia," Bibby says. "If it is given away whenever there is a 
conflict with other concerns, we will soon lose it all." Perhaps we 
already have.

In an article in the Privacy Law Bulletin in 2005, EFA's Clapperton 
looked at the feeble constraints on the use of spyware. Yet for the 
Privacy Act to apply, Clapperton tells Inquirer, "you would have to show 
that information could be linked to your identity.

"People are tricked into installing software that includes the spyware. 
They don't read the licence agreement, so they don't know what it's doing."

There are some similarities with shopping mall sweepstakes and 
supermarket giveaways.

"If the fine print says that they are going to take your personal 
information and sell it to all and sundry, the Privacy Act won't stop 
them," says Clapperton.

"The attitude implicit in the Privacy Act is that if you didn't want 
them doing it, you should have read the fine print and not given the 
information in the first place."

Despite the act's limitations, there appears to be a backlog of cases 
piling up. "The Privacy Commissioner's office doesn't handle complaints 
promptly or well," says Clarke. "We fear the department has become 
ossified. It's just another defensive government agency."

Whatever Privacy Commissioner Karen Curtis is doing about your privacy, 
her own is well guarded. Her spokesman informs Inquirer there will be no 
interview with the commissioner unless the questions are emailed to him 
beforehand.

Additional reporting by Karen Dearne.

-- 

Regards
brd

Bernard Robertson-Dunn
Sydney Australia
brd at iimetro.com.au