[LINK] IT specialists not understanding privacy law [was: Google's WiFi bungle]

Stephen Wilson swilson at lockstep.com.au
Wed May 19 16:52:42 AEST 2010 

Craig Sanders wrote:
> On Wed, May 19, 2010 at 03:08:05PM +1000, Stephen Wilson wrote:
>> ...  numerous IT specialists on this list and elsewhere state 
>> erroneously over and over again that because the wifi information was 
>> "public", it was not subject to privacy law.
> i haven't seen ANYONE on this list state that, or anything like that.  not
> even once, let alone "over and over again".
Yesterday Craig I wrote:

> under the Privacy Act you cannot in general collect 
> personally identifiable information without a real need to do so ... 

And you responded:

> you've just broadcast your name - "personally identifiable information"
> - to a public mailing list. I am subscribed to this list, so i have
> collected it.
> 
> Have I broken the law according to Privacy Act by collecting it?
> 
> my mail server logs details about every message received ... 
> my mail practices including archiving every email ... 
> my procmail config also feeds a copy of every email ... 
> 
> none of those things are illegal. neither was google receiving and
> processing data which had been broadcast.

Conducted by a corporation, these sorts of acts *are* governed by 
information privacy law, and may well be illegal, unless there is a good 
reason to collect the information, or the user has consented etc.

You keep saying that the data was "broadcast" but this makes no 
difference under information privacy law. 

This to me is a repeated misunderstanding of information privacy.


>> ... the operable term is "personal 
>> information" meaning information about a subject where their identity is 
>> apparent or may be readily determined. 
> please demonstrate how that definition actually applies to tiny snippets
> of random garbage picked up when scanning wifi networks.
>
> SSIDs don't identify individuals.  MAC addresses don't.  IP addresses
> don't. 
Are you actually trying to understand this issue? I know SSIDs don't 
identify individuals.  What matters is that individuals associated with 
MACs and SSIDs are identifiable from the data collected by Google. They 
said themselves that they collected extra payload information in 
addition to MACs and SSIDs (and that an engineer went to some extra 
trouble to write some code to effect this collection). The data stream 
therefore constitutes personal information and regardless of whether 
it's in snippets, or random, or garbage, once collected by Google it is 
subject to the Privacy Act.

If you don't understand that or don't want to read the Privacy Act to 
satisfy yourself as to what the law actually says on the matter, then I 
say there's a gulf between at least one IT practitioner and the world of 
privacy.

Steve Wilson.

More information about the Link mailing list