Nigel Waters, Pacific Privacy & Australian Privacy Charter Council
Introduction
This seminar provides a rare opportunity to consider the overall law enforcement
context of a number of interrelated developments and issues in the electronic
environment. We also need to see the bigger picture in relation to privacy.
Too many privacy battles are fought, and too often lost, on the narrow ground
of specific initiatives and proposals, where the immediate arguments for access
to personal information appear compelling and the loss of privacy only marginal
and inconsequential.
But for those concerned about the bigger picture, the incremental loss of
privacy, and with it of other freedoms, is a major issue. It is timely to
look at the overall effect of the various law enforcement driven initiatives
to regulate cyberspace and the way we transact within it, and ask if we are
not in danger of giving up too much, in exchange for an uncertain dividend
in crime prevention and detection.
In his stimulating 1999 book Code and Other Laws of Cyberspace [1],
US academic Lawrence Lessig cautions against the naive assumption that
there is something inherently unregulable about cyberspace. He shows how the
regulability of the electronic environment is determined by its architecture,
including the characteristics of software, and that this architecture is in
turn influenced by political and commercial choices and interests. For example,
whether to allow anonymity, unfettered speech, unlimited access to gambling
or sexual material are initially political decisions, but can then be hard-wired
into operating systems, Internet protocols or telecommunications systems
specifications. Cyberspace can either be a zone of freedom (a nightmare for
some) or a zone of surveillance (equally alarming for others). Which it becomes
should be within our control through democratic institutions, but whether
the choices that are made follow an informed public debate, or are determined
by particular vested interests, is a key issue. And there is also a globalisation
factor at work. Because so much software and hardware is of foreign origin,
and because the architecture of the Internet and of telecommunications is
largely determined by unelected and arguably unaccountable international bodies,
the balance between privacy and other public interests for Australians is
increasingly out of our control. As in so many other areas of public policy,
new forms of trans-national governance are required if we are to have any
say on the balance in the future.
Security and Privacy
Sometimes privacy, security and law enforcement interests coincide.
Audit trails and logs of access to computer systems are a powerful tool for
investigation of unauthorized access or other abuse, both of personal information
and of commercial or administrative information.
But security and law enforcement interests make no distinction between information
about living individuals (personal information) and information about dead
people, legal entities or inanimate objects, a distinction which is fundamental
to privacy rights.
When dealing with personal information, there is a clear tension between
the security principle in privacy laws (IPP and NPP 4 (Cwth), IPP 4 (Vic),
IPP 5 (NSW)) and some of the other principles notably collection, use and
disclosure; access and correction where these are allowed on-line and also
the new anonymity and identifiers principles in the Cwth and Victorian
Acts. This tension arises mainly in relation to the privacy of employees,
but increasingly also in relation to the privacy of customers or clients.
On the one hand the other principles are saying only collect, retain and use
the minimum of details, and give individuals access to their own information
(and often allow them to edit it). On the other hand, the security principle
is saying keep detailed records of access and transactions to be used, and
often disclosed, in the event of abuse, or even just as a deterrent
against any abuse. It also prompts organizations to limit access and control
the ability to change information: having to verify individuals' identity
and authority to make changes to their own records is a major security challenge.
Because of the focus on privacy as an individual right, no-one has cared much
about the privacy of information as a value independent of the subject, when
perhaps a greater focus on the powers of authorities (and governments) to
invade the privacy both of businesses and of individuals would have been justified.
Powers to invade privacy
We have perhaps too readily accepted the argument that legal entities
should have no privacy rights, that accountability requires absolute transparency.
This has led to increased powers of intrusion into the affairs of legal entities
(companies, associations) which have not been seriously challenged. But as
more and more individuals are pushed or pulled by government policies into
incorporation, or at least into being treated as a business (ABN required),
the distinction is blurring, and we find that rights that we still expect
in our capacity as individuals are suddenly removed simply because of an arbitrary
change of status. While there may once have been an argument that loss of
privacy rights was a trade-off for the benefits of incorporation (eg tax
advantages), this is not a convincing argument if people are being forced
into incorporation or business status rather than choosing it.
The experience of the Tax Office last year with the proposed sale of personal
details of ABN holders is salutary
[2].
The Tax Office obviously approached the issue on the basis that such details
were about businesses, which are assumed to be familiar with a degree of transparency
through business name and company registration. There was apparently no recognition
that tens of thousands of ABN holders were simply individual contractors and
freelance workers for whom this was a first, involuntary and reluctant exposure
to the world of business registration. Faced with the outrage of these people
(already aggravated by the introduction of the GST) the government backed
off, to the unprecedented extent of quickly amending the ABN legislation to
avoid the necessity to make individual ABN holders' details public.
Even without any change in the numbers of people in each category (individuals
and businesses) our lack of vigilance on loss of corporate privacy allows
authorities to refine privacy intrusive techniques that can then be brought
to bear on individuals.
As a consumer advocate I feel uncomfortable defending the rights of legal
entities to privacy: large businesses are at least potentially as great a
threat to consumers as government, and should be held accountable. But by
turning a blind eye to greater and greater powers of intrusion, initially
aimed at businesses, we have allowed the authorities to acquire, and exercise,
enormous powers that can, and if we are not vigilant will, be used against
individuals.
Privacy laws have no limiting function in the face of other legislation that
authorizes privacy intrusion. It is important that the public are not misled
by false re-assurances that privacy is safeguarded because agencies are subject
to privacy laws. Firstly, many law enforcement and investigatory agencies are
exempted (the NSW Act is particularly generous) and secondly, all privacy laws
necessarily include exceptions for actions "required or authorised by law".
This means that the most that the privacy law does is regulate the way
in which the intrusion takes place and the way information is handled; it
cannot and does not limit the extent of the intrusion, which is determined
by another law.
Search and Communications Interception powers
Why have we allowed a double standard to prevail in relation to search
and seizure powers between the off-line and electronic environments? We still
by and large vigorously defend the privacy of our property: warrants are
generally still required for access to premises without consent, and this
initially carried over into communications privacy, with warrant regimes for
postal items and the content of telephone calls.
But in relation to access to information, we have blithely allowed agencies
such as the Tax Office and Social Security (now Centrelink) to invade our
lives not only without a warrant but even in many cases without a formal notice.
Even in the front line of negotiations over the privacy principles, advocates
reluctantly bowed to the pressure of administrative interests in allowing
exceptions to the disclosure principles (IPP 10 & 11 & NPP2) which
allow disclosure of personal information for a range of public interests even
where it is not required by law.
The contrast between these two extremes is most obvious in telecommunications
where the regulatory regime contains the full spectrum of controls from
the TI Act warrant regime for substance and content of calls, through a
certificate based regime (Telecommunications Act s.282 (3)-(5)) to the wholly
discretionary basis for release of personal information contained in s.282
(1) & (2) and the ACIF CPI Code of Practice
[3]
(reflecting the NPP2 exceptions). The much looser Telecommunications Act basis
for disclosure applies to subscriber details, call charge records, reverse
call records, IMEI checks, cell dumps and call tracing, as well as the
affairs or personal particulars of individuals. Information such as call charge
records reveals a considerable amount about a person's communications, even
without access to the content of the call. It seems odd that we have allowed
information of this sensitivity to be routinely accessed without a warrant
or even the need to show prior cause: one of a wide range of agencies
simply has to declare it "reasonably necessary" (the postal legislation has
been amended to similar effect). The revelation at the end of last year that
there were nearly 1 million separate disclosures by telcos in 1999-2000 (a
more than 12% increase on the previous year), while not news to anyone who
has followed the issue more closely, attracted some media attention.
Unfortunately, there is some uncertainty about the safeguards that apply to
content and substance of telecommunications. Because of a flaw in the drafting
of the Telecommunications Act, it is not absolutely clear that content and
substance cannot be released under the loose s.282(1) and (2) provisions (no
warrant, no certificate). The ACIF Code on Assistance to Agencies, recently
finalized, hedges its bets on this
[4].
The other ambiguity about the scope of the "content or substance" exception
concerns whether it applies to stored communications, such as email, pager
or SMS messages or calls recorded in an answering service or messagebank.
At what point are such messages or calls deemed to have been "delivered"
for the purposes of the exception? When they have been posted to a user's
mailbox or message bank, or only when read? It does seem clear that once
a user has accessed or read such a stored message it loses the protection
of the "content or substance" exception, even if the user chooses to leave
it temporarily in the carrier's or CSP's storage device. Even without resolving
the other ambiguity, this means that there is at least one category of content
- stored messages after they have been read - which is subject to the looser
Telecommunications Act regime rather than the stricter Telecommunications
(Interception) Act.
Even within the area of communications still subject to warrant based access,
the barriers have been crumbling. Among recent amendments to the TI Act have
been:
- A weakening of the warrant regime: AAT members replacing judges, named person
warrants, longer periods.
- Extension of the range of offences for which warrants can be obtained.
- Increased number of agencies able to apply for warrants.
- Increased number of agencies allowed to execute warrants independently,
rather than through the AFP.
Amendments to the ASIO Act have introduced a "computer data warrant" which
allows not only access to data but also alteration of data and computer operations
to disguise the access. This raises fundamental questions about whether it
is any longer possible to rely on the integrity of data, and must have an
effect on the evidentiary value of electronic data, if it could have been
changed "officially".
[5]
While I have not yet had the opportunity to study the Cybercrime Bill 2001
in detail, it appears to extend the concept of a computer data warrant to
all investigatory agencies operating under the Crimes Act 1914 and the Customs
Act 1901. The concerns raised by the Charter Council in relation to the ASIO
warrants have never been satisfactorily addressed and we will be raising them
again in this wider context.
The New Zealand Privacy Commissioner has recently commented on the equivalent
Crimes Amendment Bill No 6 2001 (NZ)
[6].
Amongst a range of concerns he expressed is the view that allowing remote
hacking into computer systems by government agencies for ordinary law enforcement
is unacceptable, even if it is subject to a warrant process.
While on the subject of powers, there is also of course the unknown extent
of communications monitoring wholly outside the known legislative framework,
particularly as part of the ECHELON system, exposed by NZ journalist Nicky
Hager in 1996, and currently a point of major irritation between European
Union member states and the US and its UKUSA allies, including Australia
[7].
Attempts to establish the extent of Australian involvement, and the legal
basis of any interception of the communications of Australians, have so far
met with the usual "neither confirm nor deny" response that the government
uses for national security matters. But this is unacceptable in relation to
such significant allegations. In recent years the federal government has been
forced to put the intelligence agencies on a clearer statutory basis and increase
their accountability, and it will hopefully see the need to satisfy the community
at least on the legal basis of any ECHELON interception.
How are the powers being used?
As if the increase in powers to invade privacy was not bad enough, there
are also alarming trends towards the use of those powers for intelligence
gathering and routine mass surveillance, rather than for specific investigations.
There is growing pressure from law enforcement and revenue authorities to
require commercial organizations to maintain records beyond the length of
time they would be kept for commercial/administrative purposes, purely as
an investigative resource. The danger here is that if records exist, it becomes
very difficult to resist arguments for access: privacy advocates are forced
into a rearguard action about ease of access and safeguards while the principle
is lost. The best privacy protection is destruction, in line with the disposal
principle in privacy laws (IPP and NPP 4).
The controversy over the retention of Census returns, now to be given as
an opt-in choice in next month's Census, is a good example of the issues
involved.
Another current example of this pressure is the suggestion that Internet Service
Providers (ISPs) should be required to retain logs of user activity for much
longer than they need to for their own purposes
[8].
The proposed inclusion of such a requirement in the draft Council of Europe
Convention on Cyber-crime attracted strong criticism from European Data Protection
Authorities
[9], and as a result
the requirement has been substantially reduced to a 60 day retention on request
from law enforcement agencies, to allow time for a case to be made for lawful
access. But there is still a requirement for ISPs to record traffic data in
real time even where they have no commercial need to do so.
Another pressure being brought to bear by a broad coalition of government
and business interests is for more demanding standards of identification for
many transactions. It is argued that this is desirable for many reasons, including
easier law enforcement and revenue collection, and reduction in identity fraud,
allegedly a major problem in the US, although Australian evidence appears
limited.
From a privacy perspective, any proposal to require identification must be
justified, and there is now the anonymity principle in the Federal private
sector and Victorian public sector privacy laws to back this up. Close examination
of many proposals for identification shows that in many cases it is
authentication that is required, rather than identification of any particular
individual.
Issues of identification come to a head in the vexed area of public key cryptography
and digital signatures. The impression that privacy advocates have of government
policy on PKI is that it is a combination of confusion and a system in search
of users, with some hidden agendas in relation to indirect movement towards
unique identifiers. Simple objections to the Gatekeeper model on the basis
of established privacy principles have been consistently either ignored or
misunderstood over the last two years. It is hoped that the PKI Privacy Guidelines
recently issued for comment by the Privacy Commissioner will belatedly bring
some sense to this important area of policy, although I have yet to assess
whether they adequately address the privacy concerns.
Even where identification can be justified (including in the context of digital
certificates), privacy advocates resist pressure for unique ID and argue
for retaining the option of multiple identities/persona as a barrier against
whole of life profiling/matching.
Data-matching
Profiling/matching invariably leads to reversal of the onus of proof: "hits"
are assumed to be an irregularity and the individual is asked to justify/explain.
Even if they are investigated and cleared without contact, this is still an
invasion of privacy, a key point that many government officials have failed
to grasp over the years.
[10]
Perhaps the best (worst?) example of routine surveillance that has been imposed
on Australians almost unnoticed is the financial transactions reporting regime
operated by AUSTRAC
[11]. Introduced
in the same year as the federal Privacy Act, and therefore spared the scrutiny
that might have been brought to bear on it under an established privacy law,
the Financial Transaction Reports Act 1988 authorises a draconian regime of
routine reporting by financial institutions, ironically the sector which
most fiercely defends its traditional duty of confidence. The records of transactions
are routinely matched against other data by a wide range of law enforcement,
revenue and intelligence agencies.
A case can probably be made for significant transaction reporting, although
the relatively low threshold of $10,000 and the lack of any indexing mean that
this is arguably now capturing much smaller transactions than is warranted
by the official targets of major and organized crime. Of more particular
concern are the unavoidably subjective nature of suspect transaction reporting,
and the clearly disproportionate capture of all international currency
transfers, however small. AUSTRAC has a good record on data security and integrity
and maintains strict controls on use of the data it collects, within the framework
of the legislation, but the fact remains that the regime it administers is
an extraordinary intrusion into the financial privacy of all Australians.
Once individuals are made aware of the extent of this monitoring, as they
will have to be under the Privacy Act, it will be interesting to see if there
is a public outcry.
Once bulk records are being matched, there is a tendency for subjective social
norms to prevail over objective offence criteria: for example, evidence
of sexual orientation or reading or viewing preferences can all too easily
become the basis of negative assumptions. The interest of authorities is no
longer triggered just by unlawful actions but also by supposedly predictive
traits/characteristics. Even if there are statistically valid correlations
to back up this "intelligence based policing", there will inevitably be some
individuals who are exceptions but who are "caught in the net".
Conclusion
This paper has used examples from several different areas of electronic-
or cyber-space to illustrate a common issue: the constant tension between
government's desire to control and the freedom and privacy of individuals.
In the end, the balance between privacy and the powers of the state comes down
to one admittedly difficult and complex question. How much risk do we need
to eliminate, and at what cost?
That there should be a balance is generally accepted at an abstract level,
but officials charged with specific public interest objectives can understandably
lose sight of the principle, when considering the limits that privacy protection
places on their ability to meet those objectives. It is easy to get agreement
that some limits on surveillance are desirable, otherwise we would all by
now be wearing electronic bracelets routinely reporting our every move. It
is more difficult at a practical level to ask a policeman or welfare worker
to accept one more mugging or abused child because we deny them surveillance
tools they could be using. Privacy advocates should perhaps more often acknowledge
this difficulty and very real "cost".
But we have to resist technological determinism. Just because we can know
things and do things doesn't mean we should. We must resist both the
magpie tendency to keep records "just in case", and the constant extension
of powers to access records, otherwise we will end up in a world of universal
surveillance which diminishes our humanity and leaves us prey to the venal
and corrupt who will always be found in positions of power.
In the US, constitutional protections act as partial barrier to these trends.
A Bill of Rights would help us to challenge the insidious march of state power
and associated erosion of privacy. In the absence of such institutionalised
safeguards, we can only draw attention to each new initiative that threatens
privacy, set it in the wider context and demand that it be publicly justified.
That will not stop the trend, but may slow it and ensure that we don't unnecessarily
or too carelessly surrender precious freedoms.
End
[1] Lawrence Lessig, Code and Other Laws of Cyberspace, Basic Books 1999, ISBN 0-465-03913-8.
[2] See http://www.privacy.gov.au/news/00_11.html
[3] Australian Communications Industry Forum, Code of Practice on Customer
Personal Information (C523). See www.acif.org.au
[4] ACIF Code C537, also at www.acif.org.au
[5] Submission by the Australian Privacy Charter Council to the Parliamentary
Joint Committee on ASIO on the Australian Security Intelligence Organization
Legislation Amendment Bill 1999.
[6] Supplementary Report by the Privacy Commissioner to the Parliamentary
Law & Order Committee.
[7] See www.echelonwatch.org
[8] The New Zealand Privacy Commissioner refers to this in his recent report
on the Crimes Amendment Bill (ibid).
[9] Article 29 Data Protection Working Party, Opinion 4/2001, 22 March 2001.
[10] For resources on privacy and data-matching, see Roger Clarke's web site:
http://www.anu.edu.au/people/Roger.Clarke/DV/
[11] The author declares an interest as a privacy representative, since late
2000, on AUSTRAC's Privacy Advisory Committee, a useful monitor though with
limited influence.