Bradfield Resident

Information. Issues. Insight. Investigation.

Archive for October, 2011

Sun 02 Oct 2011 | Social media data mining, spam and privacy

Posted by bradfieldresident on 2 October 2011

Facebook: one of the major players on the web, and one not generally regarded as an advocate of privacy. It is hard to imagine what they actually do with all the user data. There have been reports that at least some of the company’s offerings violate European data protection laws (eg see Germany: Facebook Like button violates privacy laws).

Facebook is a US-based company (“The company Facebook, Inc. has been established and registered according to the law of the state of Delaware. Registration number: 3835815, Secretary of State, State of Delaware”, maybe registered someplace else in Ireland for financial reasons), arguably free of local Australian regulation. When you use Facebook. you basically do it on the terms of wherever it is registered.

What about Australian businesses using Facebook? Following is a look at some claims made by an Australian company called MyGuestlist offering direct marketing services and software which leverages Facebook (and a whole heap of your personal information) to Australian (and apparently international) clients.

First, an article promoting MyGuestlist’s products and services:

MyGuestlist blog:
4 ways your Facebook fans/friends can now be treated like a real database. (World first!)

And then, Bradfield Resident’s comment, reproduced below.

Hi MyGuestlist,

I’m interested in this notion of “All very legal”. In which jurisdiction(s) are you referring to? The phrasing itself suggests that something dodgy is going on – perhaps legally permissible, if ethically questionable.

I’ve just this evening seen a venue in Sydney using your guestlist feature (which is how I arrived here), but I can’t see a link to terms and conditions, privacy policy or anything like that.

It is also curious that you promote your services as ‘non-spammy’, yet list the many ways to spam people with less effort than ever before. Marketing spin, I’m sure. I’d be interested to hear more about your ‘reputation’ system – [Both Facebook and MyGuestlist, will restrict how you use this particular tool to begin with and will only allow you to post to a larger number of groups/pages/profiles once you increase your reputation.] – one might suppose this works by allowing ‘popular’ (not-so-complained-about) clients to bulk message more. There may be some prickly details on what, in a legal sense, constitutes ‘spam’, but I don’t, for example, see anything on the guestlist page I mentioned earlier that indicates by providing some detail or other that I wish to start receiving SMS messages, wall posts, email, etc., so would, as I’m sure others would, consider any such message to be spam (unsolicited commercial messaging). Of course many people may not care or mind, but that doesn’t change the nature of it.

A search around the ‘net pops up the following from the Australian Government’s Department of Broadband, Communications and the Digital Economy under “Spam” ( “The Spam Act 2003 prohibits the sending of spam, which is identified as a commercial electronic message sent without the consent of the addressee via email, short message service (SMS), multimedia message service (MMS) or instant messaging. The requirements under the Spam Act apply to all commercial electronic messages, including both bulk and individual messages.”

Beyond spam in particular is a more general privacy concern. It seems that Australia doesn’t yet have especially fair privacy laws (open question: does any country have actually fair privacy laws?), more to the point that privacy laws are currently not particularly protective of individuals, though laws still do exist.

It would seem that the National Privacy Principles apply to this business / activity.

From : “The National Privacy Principles (NPPs) are the base line privacy standards which some private sector organisations need to comply with in relation to personal information they hold.”

The detail of “some private sector organisations” warrants attention. An unofficial source (Carlson Analytics [correction: Caslon Analytics]) providing a privacy guide proffers, regarding the 2000 Commonwealth privacy legislation:

( “The Act covers private sector ‘organisations’: an individual, body corporate, partnership, an unincorporated association or a trust.

“That definition embraces:
* businesses (including nonprofit organisations such as sports clubs, charitable organisations and unions) with an annual turnover of more than $3 million
* organisations that carry on a business that collects or discloses personal information for a benefit, service or advantage (even if their turnover is less than $3 million).”

I suspect MyGuestlist falls into that second listed category, and that some of your clients could fall into the first (especially if they are larger venues, entities which involve multiple venues, or perhaps even large festival organisers or promotion brands).

That same page goes on to indicate what information is covered:

[— Begin quote —]
The Act covers personal information. It has special protection for personal information that is sensitive information.

Personal information is information or an opinion that can identify a person.

Sensitive information is information about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record, or health information.

The Privacy Act only applies to information that is recorded in some form. That recording need not involve paper: it can include data in an electronic record.
[— End quote —]

In your article on this page, you write “And to add to all this, the available info we can play around with for the moment are name, age, DOB and gender. Quite soon, you will also be able to filter by likes, interests, occupation, hobbies etc.”

Personal information? Check. Sensitive information? Coming soon, apparently. (I might suppose MyGuestlist is already harvesting this information even if it is not presently available to customers.)

So, how does MyGuestlist (and its customers, in using the MyGuestlist service) address the National Privacy Principles (a plain English summary thereof, below)?

[— Begin quote —]
NPP 1: collection
Describes what an organisation should do when collecting personal information, including what they can collect, collecting from third parties and, generally, what they should tell individuals about the collection.

NPP 2: use and disclosure
Outlines how organisations may use and disclose individuals’ personal information. If certain conditions are met, an organisation does not always need an individual’s consent to use and disclose personal information. There are rules about direct marketing.

NPPs 3 & 4: information quality and security
An organisation must take steps to ensure the personal information it holds is accurate and up-to-date, and is kept secure from unauthorised use or access.

NPP 5: openness
An organisation must have a policy on how it manages personal information, and make it available to anyone who asks for it.

NPP 6: access and correction
Gives individuals a general right of access to their personal information, and the right to have that information corrected if it is inaccurate, incomplete or out-of-date.

NPP 7: identifiers
Generally prevents an organisation from adopting an Australian Government identifier for an individual (e.g. Medicare numbers) as its own.

NPP 8: anonymity
Where possible, organisations must give individuals the opportunity to do business with them without the individual having to identify themselves.

NPP 9: transborder data flows
Outlines how organisations should protect personal information that they transfer outside Australia.

NPP 10: sensitive information
Sensitive information includes information such as health, racial or ethnic background, or criminal record. Higher standards apply to the handling of sensitive information.
[— End quote —]

I suppose NPP 5 is a good place to find out. I am going to suppose MyGuestlist has a policy on how you manage personal information, and I ask you to send a copy of your policy to the email address I’ve listed in the ‘Mail’ field of this web form. Thank you.

I can understand the commercial desire to have more information about customers and I’m not suggesting that it is necessarily improper. I am interested, though, to know if your organisation’s general attitude to privacy is one of it being an inconvenience to the process of making money, or if, as an organisation that essentially exists by dealing in personal information of client customers, you treat the privacy of those customers seriously.

Bradfield Resident

Posted in Department of Broadband, Communications and the Digital Economy, Internet | Tagged: , , , | Leave a Comment »