Privacy in an unregulated electronic world

Privacy in an unregulated electronic world

Would you like your Internet transactions and surfing habits to become a corporate commodity? The government needs to address privacy laws before all is revealed and sold to the highest bidder.

By Brendan Scott

Electronic commerce has been a catchword in the information technology and banking industries for some time now. The technologies underlying electronic commerce promise a number of benefits for all players in the industry. The time is not so far away now where electronic commerce will play an integral part in all of our lives, from smartcards over the counter to Internet banking. Some people have also foretold of a future populated by information appliances. Every fridge in the nation will be hooked up to the Internet with its own microprocessor. The optimists of the world claim that this is the dawn of a golden era of heightened personal freedom through technologies which help us do what we want to do more easily. It is not clear that this is true.


The Internet undermines the concept of identity and the feeling of certainty that is present in most commercial transactions. As they say - on the Internet nobody knows you're a dog. Businesses transacting over the Internet are faced with the difficult decision of requiring users to be pre-authorised before they can purchase over the Internet or to accept the risk of credit card fraud by dispensing with pre-authorisation. This is a hard decision because credit card fraud appears to be more prevalent on the Internet than elsewhere. However, to require a pre-authorisation is to cut yourself off from the majority of your potential market unless you have a highly specialised product. For security and certainty, online traders would prefer a system of digital authorisation so that individuals can be identified by their transactions on the Internet. One can think of this as an Internet driver's licence.

However, if each business can identify each individual as well as what they have bought there is the potential to abuse the privacy of that individual. Information about purchasing habits and other details of an individual can be collected, collated and sold for later marketing. In this world of global deregulation, we are divesting ourselves of appropriate means of controlling the excesses of corporate information collection and use. Today it is possible to recreate a person's entire Internet surfing session. In the information appliance future, practically every detail of your life could be recorded. From the moment you turn off your alarm in the morning until you brush your teeth (with your electric toothbrush) in the evening, all of this information, in an unregulated world, can be collected (and sold).

For example, over the last 12 months the Intel corporation has been the subject of extensive controversy in relation to a unique serial number identifier that has been embedded onto all of its new chips. Commentators argue that these serial numbers can be harvested across the Internet to build a database of users (not necessarily by Intel) uniquely identified by the computer that they are using. The same commentators claim that the serial number can be accessed without an end user's knowledge, and can even be accessed if the end user has specifically turned the serial number function off. If this is true, it represents a serious threat to the privacy of the user.


We have also seen the advent of identifiers being attached through software. The person currently accused of creating the "Melissa" virus that swept across the world was identified by information about him inserted (presumably without his knowledge) by a word processing program. While this may be a good thing if it catches a virus writer, it is not so good if it means that the rest of society loses its rights of anonymity. What about software that must be registered with a unique registration key after purchase? It is reasonable to assume that this key can uniquely identify the person to whom that software has been registered and that, if it was embedded into documents, could be used to identify their source. Imagine if any of your software providers could at any moment tell what contracts you'd entered into and with whom, or how many documents you'd processed using their systems. Imagine if they disclosed this information to third parties.

At its most sinister these things could evolve into a corporate surveillance operation of Orwellian proportions. In Australia there is very little to stop a person's or a corporation's information being disclosed by another person or corporation - that is, there is no legislative right to privacy. There are specific limitations - where a person is providing credit, is a bank, or is a public authority - but the overwhelming majority of information is unregulated. So, when a child surfs the Internet there is nothing to stop the Web sites it visits from collecting information from them, including their address or their parent's details.

Privacy organisations have been horrified by this state of affairs and have pushed for privacy legislation. To date, there has been a lot of talk, but very little action from Australian Governments. At one stage the Federal Government looked very close to creating effective privacy controls. However, it caved in to special interest groups at the last moment. It has since (in December 1998) returned privacy to the agenda and indicated that it will pass some privacy legislation (albeit not very strong legislation). Victoria, more recently, has indicated that it is willing to be Australia's legislative thought leader on this issue.

Big business has argued that privacy legislation is just too hard for them to comply with, or that they wouldn't be able to market their products under such a regime. However, privacy has only really had a serious impact at a consumer level with the advent of computer systems. For thousands of years business has coped with effective privacy controls (imposed by having to deal with the physical nature information) without suffering. There is no reason to suspect that they will not be able to cope in the future.

From a consumer's point of view the less third parties know about them the better. There is no reason why commercial, and other transactions, cannot be engineered as "double blind" transactions. Where a purchase is concerned, the vendor doesn't need to know the purchaser's name and address, it only needs to know whether they have enough money in their electronic wallet to pay for the item. Equally, buying a computer from someone should not mean that your computer life is an open book. Until effective privacy legislation is put into place, you should make sure you have contractual protections over your information - and if you have the chance, tell your legislature to get to work on putting the situation right.

Brendan Scott ( is a lawyer with the Sydney office of Gilbert & Tobin, technology lawyers.

Business Solution: