Alysson Watson, Associate lecturer in journalism, University of Newcastle

The family of Ash Good, one of the Bondi stabbing victims and the mother of the nine-month-baby who was also stabbed, issued a plea overnight for media to stop reproducing photos of Ash, her partner and their baby without consent.

Good, 38, was an osteopath who liked to exercise, post photographs of her young family and share thoughts on new motherhood: the endless nights and blurry days, the joy, the anxiety, the “indescribable love”.

Journalists discovered this from “mining” her (and her friends’ and family’s) social media accounts.

As well as Good’s family, federal politician Allegra Spender, whose electorate of Wentworth covers Westfield Bondi Junction, posted on social media a plea for “the media and everyone” to respect the wishes of those affected by the “tragedy at Bondi Junction”.

She wrote: “I have been contacted by Ash’s family. They have asked the media not to publish personal images from social media. I ask the media and everyone to respect their wishes.”

But will the victims’ privacy be respected? My research indicates that is unlikely.

What can, and can’t, journalists do?

The practice of journalists taking photos from social media, both with and without consent, is now commonplace, and is sanctioned in Australia by law and by professional codes, with some caveats.

Journalists are exempted from the Privacy Act “in the course of journalism”, and while advice from professional bodies such as the Australian Press Council and the Australian Communications and Media Authority (ACMA) is to tread with caution when reproducing images from social media, they do permit publication “in the public interest”. So do the guidelines of media companies, including the ABC.

The ethical code that binds member journalists in Australia, the MEAA Code of Ethics, also advises journalists to respect privacy and grief. It gives them the right not to intrude, but tempers this advice with a “guidance clause” about their capacity to override standards if publication is in the public interest.

The “public interest” is a nebulous concept that increasingly extends to “what the public is interested in”.

The modern-day ‘death knock’

As citizens and news consumers, we want information about everyone who is impacted, and it is the job of news reporters to feed the hungry beast that is digital news. How can they resist the intensely personal content that is shared on “public” social media accounts which gives such a human face to tragedy? Is it reasonable to expect them to?

These are questions I am exploring though my PhD research into the practice journalists informally (and perhaps unpalatably) call the “death knock”.

On hearing of a newsworthy death (or crime or major incident), journalists will do whatever they can to get information about the people impacted – the perpetrators, victims, and witnesses.

The job of gathering news is to find the most credible sources, and, in addition to expert voices (such as police, ambulance, health authorities and politicians), those who know something about the event or the people impacted.

Should journalists ask for permission?

Increasingly, in the digital age, newsgathering starts (and sometimes ends) with journalists mining social media.

Journalists use social media as a tool to find people they want to interview, but also as a source of information, images and tributes.

If people’s accounts are set to “public”, there is nothing to stop journalists using the photos and comments they find there in their stories.

Some journalists will pause and ask for permission, but not all will, and most do not feel compelled to.

However, my research indicates that journalists, by and large, are not thoughtless when it comes to what some view as stealing images from social media. They face enormous pressure to do so, from colleagues, editors and competitors.

Many argue that if images are in the public domain, they are fair game. And if everyone else is doing it, why wouldn’t they? They may ask themselves “how can I tell my boss I’m not going to do it when our competitors have already done it? If I pause to ask for permission, will I be scooped? What if I don’t hear back? What if permission is refused?”

In the UK, where protections from media harassment are arguably stronger, people impacted by tragedy are advised to check their social media privacy settings or delete material altogether.

This though assumes users are social media-literate, but journalists are “very adept at finding ways around privacy settings, and won’t hesitate to do so in pursuit of a story or photo”.

A better path forward?

Reporting on tragedy is routine work for many journalists, but it can take its toll, sometimes in the form of moral injury, when they feel compelled to break their own moral code.

My research indicates journalists want better preparation, guidance, and support from their employers in reporting tragedy, and they want to be listened to about the impacts of this work on them.

However, in the realm of the “digital death knock” – the use of social media to report on tragedy – some argue that an ethical approach alone cannot stem what some believe is egregious behaviour, and that legislative (citizen privacy protections) and normative (stronger advice from professional bodies) approaches may be needed to protect journalists from themselves – and better protect people who fall victim to tragedy.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Margarita Vladimirova, PhD in Privacy Law and Facial Recognition Technology, Deakin University

The morning started with a message from a friend: “I used your photos to train my local version of Midjourney. I hope you don’t mind”, followed up with generated pictures of me wearing a flirty steampunk costume.

I did in fact mind. I felt violated. Wouldn’t you? I bet Taylor Swift did when deepfakes of her hit the internet. But is the legal status of my face different from the face of a celebrity?

Your facial information is a unique form of personal sensitive information. It can identify you. Intense profiling and mass government surveillance receives much attention. But businesses and individuals are also using tools that collect, store and modify facial information, and we’re facing an unexpected wave of photos and videos generated with artificial intelligence (AI) tools.

The development of legal regulation for these uses is lagging. At what levels and in what ways should our facial information be protected?

Is implied consent enough?

The Australian Privacy Act considers biometric information (which would include your face) to be a part of our personal sensitive information. However, the act doesn’t define biometric information.

Despite its drawbacks, the act is currently the main legislation in Australia aimed at facial information protection. It states biometric information cannot be collected without a person’s consent.

But the law doesn’t specify whether it should be express or implied consent. Express consent is given explicitly, either orally or in writing. Implied consent means consent may reasonably be inferred from the individual’s actions in a given context. For example, if you walk into a store that has a sign “facial recognition camera on the premises”, your consent is implied.

But using implied consent opens our facial data up to potential exploitation. Bunnings, Kmart and Woolworths have all used easy-to-miss signage that facial recognition or camera technology is used in their stores.

Valuable and unprotected

Our facial information has become so valuable, data companies such as Clearview AI and PimEye are mercilessly hunting it down on the internet without our consent.

These companies put together databases for sale, used not only by the police in various countries, including Australia, but also by private companies.

Even if you deleted all your facial data from the internet, you could easily be captured in public and appear in some database anyway. Being in someone’s TikTok video without your consent is a prime example – in Australia this is legal.

Furthermore, we’re also now contending with generative AI programs such as Midjourney, DALL-E 3, Stable Diffusion and others. Not only the collection, but the modification of our facial information can be easily performed by anyone.

Our faces are unique to us, they’re part of what we perceive as ourselves. But they don’t have special legal status or special legal protection.

The only action you can take to protect your facial information from aggressive collection by a store or private entity is to complain to the office of the Australian Information Commissioner, which may or may not result in an investigation.

The same applies to deepfakes. The Australian Competition and Consumer Commission will consider only activity that applies to trade and commerce, for example if a deepfake is used for false advertising.

And the Privacy Act doesn’t protect us from other people’s actions. I didn’t consent to have someone train an AI with my facial information and produce made-up images. But there is no oversight on such use of generative AI tools, either.

There are currently no laws that prevent other people from collecting or modifying your facial information.

Catching up the law

We need a range of regulations on the collection and modification of facial information. We also need a stricter status of facial information itself. Thankfully, some developments in this area are looking promising.

Experts at the University of Technology Sydney have proposed a comprehensive legal framework for regulating the use of facial recognition technology under Australian law.

It contains proposals for regulating the first stage of non-consensual activity: the collection of personal information. That may help in the development of new laws.

Regarding photo modification using AI, we’ll have to wait for announcements from the newly established government AI expert group working to develop “safe and responsible AI practices”.

There are no specific discussions about a higher level of protection for our facial information in general. However, the government’s recent response to the Attorney-General’s Privacy Act review has some promising provisions.

The government has agreed further consideration should be given to enhanced risk assessment requirements in the context of facial recognition technology and other uses of biometric information. This work should be coordinated with the government’s ongoing work on Digital ID and the National Strategy for Identity Resilience.

As for consent, the government has agreed in principle that the definition of consent required for biometric information collection should be amended to specify it must be voluntary, informed, current, specific and unambiguous.

As facial information is increasingly exploited, we’re all waiting to see whether these discussions do become law – hopefully sooner rather than later.

Correction: we have amended a sentence to clarify Woolworths use camera technology but not necessarily facial recognition technology.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Katharine Kemp, Associate Professor, Faculty of Law & Justice, UNSW Sydney

Australian consumers don’t understand how companies – including data brokers – track, target and profile them. This is revealed in new research on consumer understanding of privacy terms, released by the non-profit Consumer Policy Research Centre and UNSW Sydney today.

Our report also reveals 70% of Australians feel they have little or no control over how their data is disclosed between companies. Many expressed anger, frustration and distrust.

These findings are particularly important as the government considers long-overdue reforms to our privacy legislation, and the consumer watchdog finalises its upcoming report on data brokers.

If Australians are to have any hope of fair and trustworthy data handling, the government must stop companies from hiding their practices behind confusing and misleading privacy terms and mandate fairness in data handling.

We are all being tracked

Our activities online and offline are constantly tracked by various companies, including data brokers that trade in our personal information.

This includes data about our activity and purchases on websites and apps, relationship status, children, financial circumstances, life events, health concerns, search history and location.

Many businesses focus their efforts on finding new ways to track and profile us, despite repeated evidence that consumers view this as misuse of their personal information.

Companies describe the data they collect in confusing and unfamiliar terms. Much of this wording seems designed to prevent us from understanding or objecting to the use and disclosure of our personal information, often collected in surreptitious ways.

Businesses can use your data to make more profit at your expense. This includes

• charging you a higher price
• preventing you from seeing better offers
• micro-targeting political messages or ads based on your health information
• reducing the priority you’re given in customer service
• creating a profile (which you’ll never see) to share with a prospective employer, insurer or landlord.

Anonymised, pseudonymised, hashed

Businesses commonly try to argue this information is “de-identified” or not “personal”, to avoid running afoul of the federal Privacy Act in which these terms are defined.

But many privacy policies muddy the waters by using other, undefined terms. They create the impression data can’t be used to single out the consumer or influence what they’re shown online – even when it can.

Privacy policies commonly refer to:

• anonymised data
• pseudonymised information
• hashed emails
• audience data
• aggregated information.

These terms have no legal definition and no fixed meaning in practice.

Data brokers and other companies may use “pseudonymised information” or “hashed email addresses” (essentially, encrypted addresses) to create detailed profiles. These will be shared with other businesses without our knowledge. They do this by matching the information collected about us by various companies in different parts of our lives.

“Anonymised information” – not a legal term in Australia – may sound like it wouldn’t reveal anything about an individual consumer. Some companies use it when only a person’s name and email have been removed, but we can still be identified by other unique or rare characteristics.

What did our survey find?

Our survey showed Australians do not feel in control of their personal information. More than 70% of consumers believe they have very little or no control over what personal information online businesses share with other companies.

Only a third of consumers feel they have at least moderate control over whether businesses use their personal information to create a profile about them.

Most consumers have no understanding of common terms in privacy notices, such as “hashed email address” or “advertising ID” (a unique ID usually assigned to one’s device).

And it’s likely to be worse than these statistics suggest, since some consumers may overestimate their knowledge.

The terms refer to data widely used to track and influence us without our knowledge. However, when consumers don’t recognise descriptions of personal information, they’re less likely to know whether that data could be used to single them out for tracking, influencing, profiling, discrimination or exclusion.

Most consumers either don’t know, or think it unlikely, that “pseudonymised information”, a “hashed email address” or “advertising ID” can be used to single them out from the crowd. They can.

Most consumers think it’s unacceptable for businesses they have no direct relationship with to use their email address, IP address, device information, search history or location data. However, data brokers and other “data partners” not in direct contact with consumers commonly use such data.

Consumers are understandably frustrated, anxious and angry about the unfair and untrustworthy ways organisations make use of their personal information and expose them to increased risk of data misuse.

Fairness, not ‘education’

Simply educating consumers about the terms used by companies and the ways their data is shared may seem an obvious solution.

However, we don’t recommend this for three reasons. Firstly, we can’t be sure of the meaning of undefined terms. Companies will likely keep coming up with new ones.

Secondly, it’s unreasonable to place the burden of understanding complex data ecosystems on consumers who naturally lack expertise in these areas.

Thirdly, “education” is pointless when consumers are not given real choices about the use of their data.

Urgent law reform is needed to make Australian privacy protections fit for the digital era. This should include clarifying that information that singles an individual out from the crowd is “personal information”.

We also need a “fair and reasonable” test for data handling, instead of take-it-or-leave-it privacy “consents”.

Most of us can’t avoid participating in the digital economy. These changes would help ensure that instead of confusing privacy terms, there are substantial, meaningful legal requirements for how our personal information is handled.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

A suite of recent cybersecurity data breaches highlight an urgent need to overhaul how companies and government agencies handle our data. But these incidents pose particular risks to victim-survivors of domestic violence.

In fact, authorities across Australia and the United Kingdom are raising concerns about how privacy breaches have endangered these customers.

The onus is on service providers – such as utilities, telcos, internet companies and government agencies – to ensure they don’t risk the safety of their most vulnerable customers by being careless with their data.

A suite of incidents

Earlier this year, the UK Information Commissioner reported it had reprimanded seven organisations since June 2022 for privacy breaches affecting victims of domestic abuse.

These included organisations revealing the safe addresses of the victims to their alleged abuser. In one case, a family had to be moved immediately to emergency accommodation.

In another case, an organisation disclosed the home address of two children to their birth father (who was in prison for raping their mother).

The UK Information Commissioner has called for better training and processes. This includes regular verification of contact information and securing data against unauthorised access.

In 2021, the Australian Information Commissioner and Privacy Commissioner took action against Services Australia for disclosing a victim-survivor’s new address to her former partner.

The commissioner ordered a written apology and a A$19,980 compensation payment. It also ordered an independent audit of how Services Australia updates contact details for separating couples with shared records.

An earlier case involved a telecommunications company and the publisher of a public directory.

The commissioner ordered them each to pay $20,000 to a victim of domestic violence whose details were made public, which jeopardised her safety.

More recently, the Energy and Water Ombudsman Victoria reported a case where an electricity provider inadvertently provided a woman’s new address to her ex-partner. The woman had to buy security cameras for protection. The company has since revised its procedures.

The Energy and Water Ombudsman Victoria has also reviewed complaints received in 2022-23 related to domestic violence. These include failing to flag accounts of victims who disclosed abuse, as well as potentially unsafe consumer automation and data governance processes.

The Victorian Essential Services Commission accepted a court-enforceable undertaking from a water company that it would improve processes after allegations its actions put customers affected by family violence at risk.

The commission found the company failed to adequately protect the personal information of two separate customers in 2021 and 2022, by sending correspondence with their personal information to the wrong addresses.

In both cases, the customer had not disclosed their experience of domestic violence. Nevertheless, the regulator noted these “erroneous information disclosures put these customers at risk of harm”.

Australia’s Telecommunications Industry Ombudsman received about 300 complaints involving domestic violence in 2022-23, with almost two-thirds relating to mobile phones.

Complaints included instances of telcos disclosing the addresses of victim-survivors to perpetrators or of frontline staff not believing victim-survivors. There were also cases of telcos insisting a consumer experiencing family violence contact the perpetrator of family violence. The report noted:

For example, one person was asked by her telco to bring her abusive ex-partner into a store to change her number to her new account.

We’ve also had complaints about telcos disconnecting the services of a consumer experiencing family violence – sometimes at the request of the account holder who is the perpetrator of the violence – despite access to those services being critical to the consumer staying safe.

The Australian Financial Complaints Authority resolved more than 500 complaints from people experiencing domestic and family violence in 2021-22, including those related to privacy breaches.

Change is slowly under way

In May, new national rules came into force to provide better protection and support to energy customers experiencing domestic violence.

These rules mandate retailers prioritise customer safety and protect their personal information. This includes account security measures to prevent perpetrators from accessing victim-survivors’ sensitive data.

They also prohibit the disclosure of information without consent. In issuing its rules, the Australian Energy Markets Commission noted the heightened risk of partner homicides following separations.

The Telecommunications Industry Ombudsman has called for mandatory, uniform and enforceable rules. The current voluntary industry code and guidelines fall short in protecting phone and internet customers experiencing domestic violence.

New rules should include training, policies and recognition of violence as a cause of payment difficulties. They should also factor in how service suspension or disconnection affects victim-survivors.

The Australian Information and Privacy Commissioner said last year:

Sadly, we continue to receive cases of improper disclosure of personal information off line by businesses to ex partners who target women in family disputes and domestic violence. All of these issues reinforce the need for privacy by design.

In its response to a review of the Privacy Act, the government has agreed the Office of the Australian Information Commissioner should help develop guidance to reduce risk to customers.

We must work harder to ensure data and privacy breaches do not leave victim-survivors of domestic violence at greater risk from perpetrators.

The National Sexual Assault, Family and Domestic Violence Counselling Line – 1800 RESPECT (1800 737 732) – is available 24 hours a day, seven days a week for any Australian who has experienced, or is at risk of, family and domestic violence and/or sexual assault.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Katharine Kemp, Senior Lecturer, Faculty of Law & Justice, UNSW Sydney

New research reveals serious privacy flaws in fertility apps used by Australian consumers – emphasising the need for urgent reform of the Privacy Act.

Fertility apps provide a number of features. For instance, they may help users track their periods, identify a “fertile window” if they’re trying to conceive, track different stages and symptoms of pregnancy, and prepare for parenthood up until the baby’s birth.

These apps collect deeply sensitive data about consumers’ sex lives, health, emotional states and menstrual cycles. And many of them are intended for use by children as young as 13.

My report published today analysed the privacy policies, messages and settings of 12 of the most popular fertility apps used by Australian consumers (excluding apps that require a connection with a wearable device).

This analysis uncovered a number of concerning practices by these apps including:

• confusing and misleading privacy messages
• a lack of choice in how data are used
• inadequate de-identification measures when data are shared with other organisations
• retention of data for years even after a consumer stops using the app, exposing them to unnecessary risk from potential data breaches.

The data collected

The apps in this study collect intimate data from consumers, such as:

• their pregnancy test results
• when they have sex and whether they had an orgasm
• whether they used a condom or “withdrawal” method
• when they have their period
• how their moods change (including anxiety, panic and depression)
• and if they have health conditions such as polycystic ovary syndrome, endometriosis or uterine fibroids.

Some ask for unnecessary details, such as when a user smokes and drinks alcohol, their education level, whether they struggle to pay their bills, if they feel safe at home, and whether they have stable housing.

They also track which support groups you join, what you add to your “to-do list” or “questions for doctor”, and which articles you read. All of this creates a more detailed picture of your health, family situation and intentions.

Confusing or misleading privacy messages

Consumers should expect the clearest information about how such data are collected, used and disclosed. Yet we found some of the messaging is highly confusing or misleading.

Some apps say “we will never sell your data”. But the fine print of the privacy policy contains a term that allows them to sell all your data as part of the sale of the app or database to another company.

This possibility is not just theoretical. Of the 12 apps included in the study, one was previously taken over by a drug development company, and another two by a digital media company.

Other apps explain privacy settings using language that makes it almost impossible for a consumer to understand what they are choosing, or obscure the privacy settings by placing them numerous clicks and scrolls away from the home screen.

Keeping sensitive data for too long

The major data breaches of the past six months highlight the risks of companies holding onto personal data longer than necessary.

Breaches of highly sensitive information about health and sexual activities could lead to discrimination, exploitation, humiliation or blackmail.

Most of the apps we analysed keep user data for at least three years after the user quits the app – or seven years in the case of one brand. Some apps give no indication of when user data will be deleted.

Can’t count on ‘de-identification’

Some apps also give consumers no choice regarding whether their “de-identified” health data will be sold or transferred to other companies for research or business. Or, they have consumers opted-in to these extra uses by default, putting the onus on users to opt out.

Moreover, some of these data are not truly de-identified. For example, removing your name and email address and replacing it with a unique number is not de-identification for legal purposes. Someone would only need to work out the link between your name and that number in order to link your whole record with you.

When supposedly de-identified Medicare records were published in 2016, University of Melbourne researchers showed how just a few data points can connect a de-identified record to a unique individual.

Need for reform

This research highlights the unfair and unsafe data practices consumers are subjected to when they use fertility apps. And these findings reinforce the need for Australia’s privacy laws to be updated.

We need improvements in what data are covered by the Privacy Act, what choices consumers can make about their data, what data uses are prohibited, and what security systems companies must have in place.

The government is seeking submissions on potential privacy law reforms until March 31.

In the meantime, if you’re using a fertility app, there are some steps you can take to help reduce some of the privacy risks:

1. when launching the app for the first time, don’t agree to tracking of your data, or you can limit ad tracking via iPhone device settings
2. don’t log in via a social media account
3. don’t answer questions or add data you don’t need to for your own purposes
4. don’t share your Apple Health or FitBit data
5. if the app provides privacy choices, opt out of tracking and having your data sold or used for research, and delete your data when you stop using the app
6. bear in mind that every article you read, and how long you spend on it, and every group you join and comment you make there may be added to a profile about you.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

In the recently released Privacy Act Review Report, the Attorney-General’s Department makes numerous important proposals that could see the legislation, enacted in 1988, begin to catch up to leading privacy laws globally.

Among the positive proposed changes are: more realistic definitions of personal information and consent, tighter limits on data retention, a right to erasure, and a requirement for data practices to be fair and reasonable.

However, the report’s proposals on targeted advertising don’t properly address the power imbalance between companies and consumers. Instead, they largely accept a status quo that sacrifices consumer privacy to the demands of online targeted ad businesses.

Capturing personal information used to track and profile

Obligations under the existing Privacy Act only apply to “personal information”, but there has been legal uncertainty about what exactly constitutes “personal information”.

Currently, companies can track an individual’s online behaviour across different websites and connect it with their offline movements by matching their data with data collected from third parties, such as retailers or data brokers.

Some of these companies claim they’re not dealing in “personal information” since they don’t use the individual’s name or email address. Instead, the matching is done based on a unique identifier allocated to that person – such as a hashed email, for example.

The report proposes an expanded definition of “personal information” that clearly includes the various technical and online identifiers being used to track and profile consumers. Under this definition, companies could no longer claim such data collection and sharing are outside the scope of the Privacy Act.

Improved consent (when required)

The report also proposes higher standards for how consent is sought, in cases where the act requires it. This would require voluntary, informed, current, specific and unambiguous consent.

This would work against organisations claiming consumers have consented to unexpected data uses just because they used a website or an app with a link to a broadly worded privacy policy with take-it-or-leave-it terms.

For example, companies would need to demonstrate the higher standard of consent to collect sensitive information about someone’s mental health or sexual orientation. The report also proposes that some further data practices, such as precise geolocation tracking, should require consent.

However, it specifically states consent should not be required for some targeted ad practices. Yet surveys show most consumers regard these as misuses of their personal information.

‘Fair and reasonable’ data practices

The report proposes a “fair and reasonable” test for dealings with personal information in general.

This recognises that consumers are saddled with too much of the responsibility for managing how their personal information is collected and used, while they lack the information, resources, expertise and control to do this effectively.

Instead, organisations covered by the Privacy Act should ensure their data handling practices are “fair and reasonable”, regardless of whether they have consumer consent. This would include considering whether a reasonable person would expect the data to be collected, used or disclosed in that way, and whether any dealing with children’s information is in the best interests of the child.

Prohibiting targeted ads based on sensitive information

The report proposes the prohibition of targeting based on sensitive information and traits. However, it’s not always easy to draw the line between “sensitive” information or traits, and other personal information.

For instance, is having an interest in “cosmetic procedures” or “rapid weight loss” a sensitive trait, or a general reading interest? Companies may exploit such grey areas. So while prohibiting targeting based on sensitive information is appropriate, it’s not enough in itself.

Another loophole arises in the report’s proposal that consumer consent should be necessary before an organisation trades in their personal information. The report leaves open an exception to this consent requirement where the “trading” is reasonably necessary for an organisation’s functions or activities.

This may be a substantial exception: data brokers, for example, might argue their trade in personal information (without consumers’ knowledge or consent) is necessary.

Opt out only, not opt in

Both the ACCC and the UK Competition & Markets Authority have recommended consumers should opt in to the use of their personal information for targeted advertising if they wish to see this content.

But the report proposes individuals should only be allowed to opt out of “seeing” targeted ads. This still wouldn’t stop companies from collecting, using and disclosing a user’s personal information for broader targeting purposes.

Even if a consumer opts out of seeing targeted ads, a business may continue to collect their personal information to create “lookalike audiences” and target other people with similar attributes.

Although having the option to opt out of seeing targeted ads gives consumers some limited control, companies still control the “choice architecture” of such settings. They can use their control to make opting out confusing and difficult for users, by forcing them to navigate through multiple pages or websites with obscurely labelled settings.

Are targeted ads necessary to support online services?

This limitation of consumers’ choices was partly explained by the view of the Attorney-General’s Department that targeted ads are necessary to fund “free” services. This refers to services where consumers “pay” with their attention and data (which companies use to make revenue from targeted advertising).

However, many companies using customers’ personal information for targeted ad businesses aren’t providing free services. Consider online marketplaces such as Amazon or eBay, or subscription-based products of media companies such as NewsCorp and Nine.

Meta (Facebook) and the Interactive Advertising Bureau Australia argued that if consumers opt out of targeted ads, a company should be able to stop offering them the service in question. This proposal was rejected on the basis that a platform can still show non-targeted ads to such consumers.

Inconsistently, the report failed to question broader claims that targeted advertising – as opposed to less intrusive forms of advertising – must be protected for online services to be viable.

Real change is needed

The reform of our privacy laws is long overdue. The government should avoid watering down potential improvements by attempting to preserve the status quo dictated by large businesses.

The government is seeking feedback on the report until March 31. It will then decide on the final form of the reforms it proposes, before these are debated in Parliament.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

We can expect to see lots of noise about specific proposals and hope the Albanese government (copied by state/territory counterparts) gives us the legislation we need.

Making sense of the report

At a superficial level, the report gives effect to an election commitment – a promise to do something about federal privacy law, which is centred on public/private data collection and use (often online), rather than state/territory law dealing with activity such as strip searches, public hospital records, hidden cameras in toilets or senior figures distributing nude photos of rivals.

More deeply, it is a recognition that, as part of the global economy where data and investment flow across borders, Australia continues to limp behind law and administration where protecting privacy is concerned. Updating the Privacy Act also reflects recognition of challenges facing business and government in the world of ransomware, big data and artificial intelligence.

Unhappiness with the “she’ll be right, mate” approach of some large organisations and the failure of the key national privacy regulator (under-resourced, under-skilled and slow to act) was evident in the recent Optus and Medibank data breaches.

The proposals are not new. They have been voiced in detailed law reform commission reports, national and state parliamentary committee reports, statements by independent bodies such as the Law Council and academics over the past 20 years. The lack of action to date means Australians might be sceptical about what will happen once the government is lobbied by those whose interests are served by keeping things as they are, and it is again tempted to kick the can down the road.

What do the proposals cover?

It is important to remember that states and territories have significant responsibilities regarding privacy. The proposal to set up a working party involving those governments provokes thought about why that hasn’t been done already.

The initial proposal calls for changing the 1988 Privacy Act to explicitly recognise that privacy is in the public interest, something that shouldn’t be controversial and offsets the absence of a human rights framework in the national constitution. After that, we are into some positive steps forward. However, these are tempered by a lot of “let’s wait and see the administration” before starting to celebrate.

The report retains the overall structure of the 1988 Act but, crucially, extends its coverage, in particular on what is “personal information”. It calls for consultation about criminal penalties and for prohibiting some of the ways organisations have got around restrictions.

It proposes consultation about removing the exemption for small businesses (those under A$3million) and about the handling of employee records. The major exclusion of political parties – a common source of unhappiness – would be modified. Journalists would be expected to behave better.

The report emphasises meaningful consent. In the collection of personal information, consent must be

voluntary, informed, current, specific and unambiguous.

This would bring Australia into line with Europe and indeed with much of our existing law, such as that administered by the Australian Competition and Consumer Commission.

We can expect controversy about a proposed right of “erasure” and about “de-indexing”. This is referred to as the “right to obscurity” in Europe, and means some personal information stays online but is not highlighted in search engine results. Individuals would need to ask for that obscurity, and it would not be granted for serious criminal offences.

There have been recurrent proposals for a “privacy tort”: this means people whose privacy has been seriously invaded could take action in a court to stop the invasion and/or gain compensation.

The report endorses this recommendation by the Australian Law Reform Commission. It also proposes a “direct right of action” under the current act. This implicitly offsets the weakness of the Office of the Australian Information Commissioner (OAIC), one of the two national information privacy watchdogs.

The report grapples with data breaches such as the recent Optus and Medibank incidents. Proposals regarding mandatory reporting of such breaches tweak the current regime.

There is likely to be more push-back from business and public sector organisations regarding a proposed requirement for those bodies to “identify, mitigate and redress actual and reasonably foreseeable loss”. This is a first step towards persuading organisations to meaningfully lift their game and compensate for harms.

It’s too soon to cheer

On the surface, the report is a major step forward, something that business and the community should strongly endorse. In practice, we need to look beyond the headlines and see the details of how the proposals would be written into law, and whether the attorney-general can harness support in the face of the usual strong lobbying.

Proposals that there will be discussion, yet again, don’t provide much comfort. More worryingly, the proposals centre on the development and implementation of guidelines and standards by the OAIC.

In practice, the report proposes to perpetuate existing problems involving a regulator with a timid corporate culture and a commitment to interpreting the legislation through the eyes of the bodies it is meant to regulate. Change is better than good intentions.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

ChatGPT has taken the world by storm. Within two months of its release it reached 100 million active users, making it the fastest-growing consumer application ever launched. Users are attracted to the tool’s advanced capabilities – and concerned by its potential to cause disruption in various sectors.

A much less discussed implication is the privacy risks ChatGPT poses to each and every one of us. Just yesterday, Google unveiled its own conversational AI called Bard, and others will surely follow. Technology companies working on AI have well and truly entered an arms race.

The problem is it’s fuelled by our personal data.

300 billion words. How many are yours?

ChatGPT is underpinned by a large language model that requires massive amounts of data to function and improve. The more data the model is trained on, the better it gets at detecting patterns, anticipating what will come next and generating plausible text.

OpenAI, the company behind ChatGPT, fed the tool some 300 billion words systematically scraped from the internet: books, articles, websites and posts – including personal information obtained without consent.

If you’ve ever written a blog post or product review, or commented on an article online, there’s a good chance this information was consumed by ChatGPT.

So why is that an issue?

The data collection used to train ChatGPT is problematic for several reasons.

First, none of us were asked whether OpenAI could use our data. This is a clear violation of privacy, especially when data are sensitive and can be used to identify us, our family members, or our location.

Even when data are publicly available their use can breach what we call textual integrity. This is a fundamental principle in legal discussions of privacy. It requires that individuals’ information is not revealed outside of the context in which it was originally produced.

Also, OpenAI offers no procedures for individuals to check whether the company stores their personal information, or to request it be deleted. This is a guaranteed right in accordance with the European General Data Protection Regulation (GDPR) – although it’s still under debate whether ChatGPT is compliant with GDPR requirements.

This “right to be forgotten” is particularly important in cases where the information is inaccurate or misleading, which seems to be a regular occurrence with ChatGPT.

Moreover, the scraped data ChatGPT was trained on can be proprietary or copyrighted. For instance, when I prompted it, the tool produced the first few paragraphs of Peter Carey’s novel “True History of the Kelly Gang” – a copyrighted text.

Finally, OpenAI did not pay for the data it scraped from the internet. The individuals, website owners and companies that produced it were not compensated. This is particularly noteworthy considering OpenAI was recently valued at US$29 billion, more than double its value in 2021.

OpenAI has also just announced ChatGPT Plus, a paid subscription plan that will offer customers ongoing access to the tool, faster response times and priority access to new features. This plan will contribute to expected revenue of $1 billion by 2024.

None of this would have been possible without data – our data – collected and used without our permission.

A flimsy privacy policy

Another privacy risk involves the data provided to ChatGPT in the form of user prompts. When we ask the tool to answer questions or perform tasks, we may inadvertently hand over sensitive information and put it in the public domain.

For instance, an attorney may prompt the tool to review a draft divorce agreement, or a programmer may ask it to check a piece of code. The agreement and code, in addition to the outputted essays, are now part of ChatGPT’s database. This means they can be used to further train the tool, and be included in responses to other people’s prompts.

Beyond this, OpenAI gathers a broad scope of other user information. According to the company’s privacy policy, it collects users’ IP address, browser type and settings, and data on users’ interactions with the site – including the type of content users engage with, features they use and actions they take.

It also collects information about users’ browsing activities over time and across websites. Alarmingly, OpenAI states it may share users’ personal information with unspecified third parties, without informing them, to meet their business objectives.

Time to rein it in?

Some experts believe ChatGPT is a tipping point for AI – a realisation of technological development that can revolutionise the way we work, learn, write and even think. Its potential benefits notwithstanding, we must remember OpenAI is a private, for-profit company whose interests and commercial imperatives do not necessarily align with greater societal needs.

The privacy risks that come attached to ChatGPT should sound a warning. And as consumers of a growing number of AI technologies, we should be extremely careful about what information we share with such tools.

The Conversation reached out to OpenAI for comment, but they didn’t respond by deadline.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Ausma Bernot, PhD Candidate, School of Criminology and Criminal Justice, Griffith University

A group of researchers studied 15 months of human mobility movement data taken from 1.5 million people and concluded that just four points in space and time were sufficient to identify 95% of them, even when the data weren’t of excellent quality.

That was back in 2013.

Nearly ten years on, surveillance technologies permeate all aspects of our lives. They collect swathes of data from us in various forms, and often without us knowing.

I’m a surveillance researcher with a focus on technology governance. Here’s my round-up of widespread surveillance systems I think everyone should know about.

CCTV and open-access cameras

Although China has more than 50% of all surveillance cameras installed in the world (about 34 cameras per 1,000 people), Australian cities are catching up. In 2021, Sydney had 4.67 cameras per 1,000 people and Melbourne had 2.13.

While CCTV cameras can be used for legitimate purposes, such as promoting safety in cities and assisting police with criminal investigations, their use also poses serious concerns.

In 2021, New South Wales police were suspected of having used CCTV footage paired with facial recognition to find people attending anti-lockdown protests. When questioned, they didn’t confirm or deny if they had (or if they would in the future).

In August 2022, the United Nations confirmed CCTV is being used to carry out “serious human rights violations” against Uyghur and other predominantly Muslim ethnic minorities in the Xinjiang region of Northwest China.

The CCTV cameras in China don’t just record real-time footage. Many are equipped with facial recognition to keep tabs on the movements of minorities. And some have reportedly been trialled to detect emotions.

The US also has a long history of using CCTV cameras to support racist policing practices. In 2021, Amnesty International reported areas with a higher proportion of non-white residents had more CCTV cameras.

Another issue with CCTV is security. Many of these cameras are open-access, which means they don’t have password protection and can often be easily accessed online. So I could spend all day watching a livestream of someone’s porch, as long as there was an open camera nearby.

Surveillance artist Dries Depoorter’s recent project The Follower aptly showcases the vulnerabilities of open cameras. By coupling open camera footage with AI and Instagram photos, Depoorter was able to match people’s photos with the footage of where and when they were taken.

There was pushback, with one of the identified people saying:

It’s a crime to use the image of a person without permission.

Whether or not it is illegal will depend on the specific circumstances and where you live. Either way, the issue here is that Depoorter was able to do this in the first place.

IoT devices

An IoT (“Internet of Things”) device is any device that connects to a wireless network to function – so think smart home devices such as Amazon Echo or Google Dot, a baby monitor, or even smart traffic lights.

It’s estimated global spending on IoT devices will have reached US$1.2 trillion by some point this year. Around 18 billion connected devices form the IoT network. Like unsecured CCTV cameras, IoT devices are easy to hack into if they use default passwords or passwords that have been leaked.

In some examples, hackers have hijacked baby monitor cameras to stalk breastfeeding mums, threaten parents that their baby was being kidnapped, and say creepy things like “I love you” to children.

Beyond hacking, businesses can also use data collected through IoT devices to further target customers with products and services.

Privacy experts raised the alarm in September over Amazon’s merger agreement with robot vacuum company iRobot. A letter to the US Federal Trade Commission signed by 26 civil rights and privacy advocacy groups said:

Linking iRobot devices to the already intrusive Amazon home system incentivizes more data collection from more connected home devices, potentially including private details about our habits and our health that would endanger human rights and safety.

IoT-collected data can also change hands with third parties through data partnerships (which are very common), and this too without customers’ explicit consent.

Big tech and big data

In 2017, the value of big data exceeded that of oil. Private companies have driven the majority of that growth.

For tech platforms, the expansive collection of users’ personal information is business as usual, literally, because more data mean more precise analytics, more effective targeted ads and more revenue.

This logic of profit-making through targeted advertising has been dubbed “surveillance capitalism”. As the old saying goes, if you’re not paying for it, then you’re the product.

Meta (which owns both Facebook and Instagram) generated almost US$23 billion in advertising revenue in the third quarter of this year.

The vast machinery behind this is illustrated well in the 2021 documentary The Social Dilemma, even if in a dramatised way. It showed us how social media platforms rely on our psychological weaknesses to keep us online for as long as possible, measuring our actions down to the seconds we spend hovering over an ad.

Loyalty programs

Although many people don’t realise it, loyalty programs are one of the biggest personal data collection gimmicks out there.

In a particularly intrusive example, in 2012 one US retailer sent a teenage girl a catalogue dotted with pictures of smiling infants and nursery furniture. The girl’s angered father went to confront managers at the local store, and learned that predictive analytics knew more about his daughter than he did.

It’s estimated 88% of Australian consumers over age 16 are members of a loyalty program. These schemes build your consumer profile to sell you more stuff. Some might even charge you sneaky fees and lure you in with future perks to sell you at steep prices.

As technology journalist Ros Page notes:

[T]he data you hand over at the checkout can be shared and sold to businesses you’ve never dealt with.

As a cheeky sidestep, you could find a buddy to swap your loyalty cards with. Predictive analytics is only strong when it can recognise behavioural patterns. When the patterns are disrupted, the data turn into noise.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Jane Andrew, Professor, University of Sydney Business School, University of Sydney; Max Baker, Senior lecturer, University of Sydney, and Monique Sheehan, Research officer, University of Sydney

The Optus data breach, which has affected close to 10 million Australians, has sparked calls for changes to Australia’s privacy laws, placing limits on what and for how long organisations can hold our personal data.

Equally important is to strengthen obligations for organisations to publicly disclose data breaches. Optus made a public announcement about its breach, but was not legally required to do so.

In fact, beyond the aggregated data produced by the Office of the Australian Information Commissioner, the public is not made aware of the vast majority of data breaches that occur in Australia every year.

Australia has had a “Notifiable Data Breaches” scheme since February 2018 that requires all organisation to notify affected individuals as well as the Office of the Australian Information Commissioner in the case a breach of personal information likely to result in serious harm.

However, no notification is required if the organisation takes remedial action to prevent harm. Most importantly, public disclosure is never required.

This gives a lot of discretion to organisations. They can make their own assessment about the risks and decide not to disclose a breach at all.

Companies listed on the Australian Securities Exchange (ASX) are also obliged to disclose any data breach expected to have a “material economic impact” on a company’s share price. But it is notoriously difficult to measure material economic impact. So these announcements are not a reliable source of information for the public.

Notified data breaches

While the Notifiable Data Breaches scheme is a step in the right direction, it’s impossible to know if the disclosures made reflect the scale and scope of data breaches.

The most recent Notifiable Data Breaches Report, covering the six months from July to December 2021, lists 464 notifications (up 6% from the previous period).

Of these, 256 (55%) were attributed to malicious or criminal attacks, and 190 (41%) to human error, such as emailing personal information to the wrong recipient, publishing information by accident, or losing data storage devices or paperwork. Another 18 (4%) were attributed to system errors.

The sectors that reported the most breaches were the health care service (83 notifications); finance (56); and legal, accounting and management services (51).

About 70% of all incidents reportedly affected fewer than 100 people. But one event affected at least a million people. Despite the scale, the public has not been provided details of these events, or the identities of the organisations responsible.

Regardless of the scale or reason, all data breaches have an impact on people and organisations. Despite this, we rarely learn about anything other than the most spectacular and most criminal of these events.

Without mandatory disclosure, there is insufficient public accountability.

How should minimum disclosure work?

A minimum disclosure framework should include information about the type of data breached, the sensitivity of the data, the cause and size of the breach, and the risk-mitigation strategies the organisation has adopted.

The framework should require both a standardised public announcement when any significant data breach occurs, as well as a mandatory annual public report of data breaches. Reports and announcement should be published on the company’s website (just like an annual report) and filed with the Office of the Australian Information Commissioner.

This would ensure public access to a coherent historical record of breach-related events and organisational responses. The disclosures would allow community groups, regulators and interested parties to analyse breaches of our data and act accordingly.

At its simplest, a mandatory disclosure framework encourages annual disclosures that are comparable and publicly available. At the very least it creates opportunities for scrutiny and discussion.

This article is republished from The Conversation under a Creative Commons license. Read the original article.