[LINK] IT specialists not understanding privacy law [was: Google's WiFi bungle]

Craig Sanders cas at taz.net.au
Wed May 19 18:27:34 AEST 2010


On Wed, May 19, 2010 at 04:52:42PM +1000, Stephen Wilson wrote:
> 
> Craig Sanders wrote:
> > On Wed, May 19, 2010 at 03:08:05PM +1000, Stephen Wilson wrote:
> >> ...  numerous IT specialists on this list and elsewhere state 
> >> erroneously over and over again that because the wifi information was 
> >> "public", it was not subject to privacy law.
> > i haven't seen ANYONE on this list state that, or anything like that.  not
> > even once, let alone "over and over again".
> Yesterday Craig I wrote:
> 
> > under the Privacy Act you cannot in general collect 
> > personally identifiable information without a real need to do so ... 
> 
> And you responded:
> 
> > you've just broadcast your name - "personally identifiable information"
> > - to a public mailing list. I am subscribed to this list, so i have
> > collected it.
> > 
> > Have I broken the law according to Privacy Act by collecting it?
> > 
> > my mail server logs details about every message received ... 
> > my mail practices including archiving every email ... 
> > my procmail config also feeds a copy of every email ... 
> > 
> > none of those things are illegal. neither was google receiving and
> > processing data which had been broadcast.

so? yes, i said that. i didn't say 'that because the wifi information
was "public", it was not subject to privacy law' or anything like it.

argue with what i actually said rather than your stupid straw-man
rewrites.


> Conducted by a corporation, these sorts of acts *are* governed by 
> information privacy law, and may well be illegal, unless there is a good 
> reason to collect the information, or the user has consented etc.
> 
> You keep saying that the data was "broadcast" but this makes no 
> difference under information privacy law. 

congratulations! your absurd interpretation would make all mail servers
in australia illegal. every single one of them. a mail server can not
operate AT ALL without collecting, storing, processing, and forwarding
"personal information"...it's inherent in the task.  just as picking
up all sorts of random, unwanted garbage is inherent in the task of
scanning for wifi access points (aka "hotspots").

this is particularly obvious for mail servers because emails generally
contain names and email addresses (and often phone numbers and street
addresses in .sig lines etc)...but the same applies, to varying
degrees, to web servers and every other server/program that in any way
communicates with the outside world. they all collect, store, process,
etc information about the client when it connects - much of which is NOT
personally identifying info (like IP addresses), but some of which could
be.



BTW, not only are mail servers subject to the privacy act (a fact which
i have never disputed - i've only disputed what you claim that means
in practice), they are also subject to archiving requirements. in many
industries (and govt agencies & non-profit groups and more), there is a
mandatory requirement to archive all communications.



> This to me is a repeated misunderstanding of information privacy.

this to me is a repeated failure to comprehend reality.

> >> ... the operable term is "personal 
> >> information" meaning information about a subject where their identity is 
> >> apparent or may be readily determined. 
> >
> > please demonstrate how that definition actually applies to tiny snippets
> > of random garbage picked up when scanning wifi networks.
> >
> > SSIDs don't identify individuals.  MAC addresses don't.  IP addresses
> > don't. 
>
> Are you actually trying to understand this issue? 

i'm trying to make YOU understand it.  you clearly don't.

> I know SSIDs don't identify individuals.  What matters is that        
> individuals associated with MACs and SSIDs are identifiable from the  
> data collected by Google.                                             

which individuals would those be? you've just stated that SSIDs and MACs
don't identify individuals and - in the same paragraph - you're also
claiming that they do (except you're now saying "associated with" to
make it slightly less obvious that you're contradicting yourself).


> They said themselves that they collected extra payload information in 
> addition to MACs and SSIDs (and that an engineer went to some extra   
> trouble to write some code to effect this collection).                

yes. i already addressed that point. i'm getting tired of saying the
same thing to someone who refuses to listen. go back and read my
previous posts.


> The data stream therefore constitutes personal information and
> regardless of whether it's in snippets, or random, or garbage, once
> collected by Google it is subject to the Privacy Act.

that's a huge conclusion to leap to without any supporting evidence.

a more accurate statement would be that you CLAIM that the data stream
"constitutes personal information" but you neglect to provide any
evidence - or even reasoning - to support your claim.

assertions aren't proof.  you're the one making a claim here, it's your
responsibility to back it up with proof.


> If you don't understand that or don't want to read the Privacy Act
> to satisfy yourself as to what the law actually says on the matter,
> then I say there's a gulf between at least one IT practitioner and the
> world of privacy.

here's how it works:

first you have to prove that there's any personally identifiable
information in the packet fragments that were collected.

THEN you get to argue the details of how the privacy act relates to
that.



but it's far easier to just get the pitchfork out and join the ignorant
mob, isn't it? why care about evidence when there's an emotive argument
being made?

beware the frankengoogle! it messes with stuff you don't understand!

craig

-- 
craig sanders <cas at taz.net.au>


