Bradfield Resident

Information. Issues. Insight. Investigation.

Archive for the ‘Department of Broadband, Communications and the Digital Economy’ Category

Department of Broadband, Communications and the Digital Economy
http://dbcde.gov.au

Sun 02 Oct 2011 | Social media data mining, spam and privacy

Posted by bradfieldresident on 2 October 2011

Facebook: one of the major players on the web, and one not generally regarded as an advocate of privacy. It is hard to imagine what they actually do with all the user data. There have been reports that at least some of the company’s offerings violate European data protection laws (e.g. see Germany: Facebook Like button violates privacy laws).

Facebook is a US-based company (“The company Facebook, Inc. has been established and registered according to the law of the state of Delaware. Registration number: 3835815, Secretary of State, State of Delaware”, maybe registered someplace else in Ireland for financial reasons), arguably free of local Australian regulation. When you use Facebook, you basically do it on the terms of wherever it is registered.

What about Australian businesses using Facebook? Following is a look at some claims made by an Australian company called MyGuestlist offering direct marketing services and software which leverages Facebook (and a whole heap of your personal information) to Australian (and apparently international) clients.

First, an article promoting MyGuestlist’s products and services:

MyGuestlist blog:
4 ways your Facebook fans/friends can now be treated like a real database. (World first!)

And then, Bradfield Resident’s comment, reproduced below.

Hi MyGuestlist,

I’m interested in this notion of “All very legal”. Which jurisdiction(s) are you referring to? The phrasing itself suggests that something dodgy is going on – perhaps legally permissible, if ethically questionable.

I’ve just this evening seen a venue in Sydney using your guestlist feature (which is how I arrived here), but I can’t see a link to terms and conditions, privacy policy or anything like that.

It is also curious that you promote your services as ‘non-spammy’, yet list the many ways to spam people with less effort than ever before. Marketing spin, I’m sure. I’d be interested to hear more about your ‘reputation’ system – [Both Facebook and MyGuestlist, will restrict how you use this particular tool to begin with and will only allow you to post to a larger number of groups/pages/profiles once you increase your reputation.] – one might suppose this works by allowing ‘popular’ (not-so-complained-about) clients to bulk message more. There may be some prickly details on what, in a legal sense, constitutes ‘spam’, but I don’t, for example, see anything on the guestlist page I mentioned earlier that indicates by providing some detail or other that I wish to start receiving SMS messages, wall posts, email, etc., so would, as I’m sure others would, consider any such message to be spam (unsolicited commercial messaging). Of course many people may not care or mind, but that doesn’t change the nature of it.

A search around the ‘net pops up the following from the Australian Government’s Department of Broadband, Communications and the Digital Economy under “Spam” (http://www.dbcde.gov.au/online_safety_and_security/spam): “The Spam Act 2003 prohibits the sending of spam, which is identified as a commercial electronic message sent without the consent of the addressee via email, short message service (SMS), multimedia message service (MMS) or instant messaging. The requirements under the Spam Act apply to all commercial electronic messages, including both bulk and individual messages.”

Beyond spam in particular is a more general privacy concern. It seems that Australia doesn’t yet have especially fair privacy laws (open question: does any country have actually fair privacy laws?), more to the point that privacy laws are currently not particularly protective of individuals, though laws still do exist.

It would seem that the National Privacy Principles apply to this business / activity.

From http://www.privacy.gov.au/law/act/npp : “The National Privacy Principles (NPPs) are the base line privacy standards which some private sector organisations need to comply with in relation to personal information they hold.”

The detail of “some private sector organisations” warrants attention. An unofficial source (Carlson Analytics [correction: Caslon Analytics]) providing a privacy guide proffers, regarding the 2000 Commonwealth privacy legislation:

(http://www.caslon.com.au/austprivacyprofile6.htm) “The Act covers private sector ‘organisations’: an individual, body corporate, partnership, an unincorporated association or a trust.

“That definition embraces:
* businesses (including nonprofit organisations such as sports clubs, charitable organisations and unions) with an annual turnover of more than $3 million
[…]
* organisations that carry on a business that collects or discloses personal information for a benefit, service or advantage (even if their turnover is less than $3 million).”

I suspect MyGuestlist falls into that second listed category, and that some of your clients could fall into the first (especially if they are larger venues, entities which involve multiple venues, or perhaps even large festival organisers or promotion brands).

That same page goes on to indicate what information is covered:

[— Begin quote —]
The Act covers personal information. It has special protection for personal information that is sensitive information.

Personal information is information or an opinion that can identify a person.

Sensitive information is information about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record, or health information.

The Privacy Act only applies to information that is recorded in some form. That recording need not involve paper: it can include data in an electronic record.
[— End quote —]

In your article on this page, you write “And to add to all this, the available info we can play around with for the moment are name, age, DOB and gender. Quite soon, you will also be able to filter by likes, interests, occupation, hobbies etc.”

Personal information? Check. Sensitive information? Coming soon, apparently. (I might suppose MyGuestlist is already harvesting this information even if it is not presently available to customers.)

So, how does MyGuestlist (and its customers, in using the MyGuestlist service) address the National Privacy Principles (a plain English summary thereof, below)?

[— Begin quote http://www.privacy.gov.au/materials/types/law/view/6893 —]
NPP 1: collection
Describes what an organisation should do when collecting personal information, including what they can collect, collecting from third parties and, generally, what they should tell individuals about the collection.

NPP 2: use and disclosure
Outlines how organisations may use and disclose individuals’ personal information. If certain conditions are met, an organisation does not always need an individual’s consent to use and disclose personal information. There are rules about direct marketing.

NPPs 3 & 4: information quality and security
An organisation must take steps to ensure the personal information it holds is accurate and up-to-date, and is kept secure from unauthorised use or access.

NPP 5: openness
An organisation must have a policy on how it manages personal information, and make it available to anyone who asks for it.

NPP 6: access and correction
Gives individuals a general right of access to their personal information, and the right to have that information corrected if it is inaccurate, incomplete or out-of-date.

NPP 7: identifiers
Generally prevents an organisation from adopting an Australian Government identifier for an individual (e.g. Medicare numbers) as its own.

NPP 8: anonymity
Where possible, organisations must give individuals the opportunity to do business with them without the individual having to identify themselves.

NPP 9: transborder data flows
Outlines how organisations should protect personal information that they transfer outside Australia.

NPP 10: sensitive information
Sensitive information includes information such as health, racial or ethnic background, or criminal record. Higher standards apply to the handling of sensitive information.
[— End quote —]

I suppose NPP 5 is a good place to find out. I am going to suppose MyGuestlist has a policy on how you manage personal information, and I ask you to send a copy of your policy to the email address I’ve listed in the ‘Mail’ field of this web form. Thank you.

I can understand the commercial desire to have more information about customers and I’m not suggesting that it is necessarily improper. I am interested, though, to know if your organisation’s general attitude to privacy is one of it being an inconvenience to the process of making money, or if, as an organisation that essentially exists by dealing in personal information of client customers, you treat the privacy of those customers seriously.

Bradfield Resident

Posted in Department of Broadband, Communications and the Digital Economy, Internet

Wed 10 Mar 10 | To: Senator Stephen Conroy – Minister for BCDE | Cyber Safety Plan

Posted by bradfieldresident on 10 March 2010

[Note: instances of “BDCE” are mistakes, and should be “BCDE” for “Broadband, Communications and the Digital Economy”]

From: […]
Date: Wednesday 10 March 2010 00:30 (+11)
Subject: Cyber Safety Plan
To: Senator Stephen Conroy – Minister for BCDE
Cc: Tony Smith MP – Shadow Minister for BDCE, Paul Fletcher MP – Member for Bradfield, Senator Scott Ludlam – Australian Greens spokesperson for BDCE

Senator Conroy,

from some time before 11:30pm (AEDT) on Tuesday 09 March 2010 I have been trying to access the “cybersafetyplan” page on the DBCDE website, but, as my browser informs me, “The server at www.dbcde.gov.au is taking too long to respond.”

How often is this website unavailable? Does the department maintain statistics on availability?

If the content allegedly provided at http://www.dbcde.gov.au/cybersafetyplan is available in document form (printed or electronic), please have someone in your department forward a copy to me.

I am also interested to know, since it seems the vast majority of people I have spoken to, or hear or read about in the news, object to a mandatory internet filter, who exactly, aside from your department, are actually in favour of and support it. Indeed, given the severe technical limitations of the proposed filter, I would like to know who proposed and drafted it in the first place.

I am deeply concerned that the filter, if it is implemented, will use a secret list of web sites, and especially that it could be the case that sites or pages that end up on the list – for whatever reason, legitimate or not – might not have any option to be removed from the list, or even be confirmed as to whether on the list or not. As the minister I am sure you are aware that such a system is obviously and easily open to abuse (either now or in the future) by design, not specifically by the good intentions (or not) of any particular people involved. If you or your department have done a thorough analysis of this risk and its implications, and subsequently found that this risk can, to a very high degree of certainty, be removed, please enlighten me with the department’s answer to this dire threat to freedom and democracy. Without a detailed guarantee of transparency and/or protection (by methodology, not just a promise) from these potential abuses, I cannot believe that the proposed filter is anything other than a tool for censorship; the thin end of the wedge, being hardware, software and processes installed at ISPs, as well as legislation, subject to feature creep, if you will, including unreasonable surveillance and spying on ordinary citizens, as well as reducing the possibilities for free and equitable access to communication (in this case via the medium of the internet).

As a final note, about one hour since finding the DBCDE website unavailable, I find this still to be the case. A federal government department’s website should not be unavailable for this long without a serious excuse in the order of serious internet backbone failure or sustained denial of service attack. It does, however, serve to illustrate that the government would do better trying to improve access to content instead of actively trying to do the opposite.

[name]

[address]

Email: [email]

Posted in Cyber Safety Plan, Department of Broadband, Communications and the Digital Economy, Federal Legislation, Federal MPs, Internet, Mail Sent