Revelations that Facebook may have allowed the sale of the data of 87 million users to analytics firm Cambridge Analytica – which may have been used to influence both the U.S. 2016 presidential election and the U.K.’s Brexit vote – have reignited the debate over digital privacy rights.
It’s a challenging topic. Certainly, concern about digital privacy and the protection of personal data has never been higher. According to the Australian Community Attitudes to Privacy Survey of 2017:
- 69% of us are more concerned about our online privacy than we were five years ago.
- 79% of us are uncomfortable with businesses sharing personal information with other organisations.
- 93% are concerned about organisations sending personal information overseas.
Yet, despite this, the majority of citizens are not willing to do the work necessary to protect their personal information. The ACAPS 2017 survey found that 65% of us do not read privacy policies. Further research by Syzygy and Attest found that, out of 1,000 survey participants, only 5% intend to leave Facebook, despite knowing of its conflict with Cambridge Analytica.
This cognitive dissonance is a microcosm of the larger question surrounding privacy. We want the benefits and features that come along with sharing our personal information, such as social engagements with friends and relatives, as well as more customised digital experiences or even protection against threats. We just don’t want to confront the potential negative repercussions that come from having done so.
How do we balance our desire to fully embrace the benefits of technology, without giving up too much of our personal lives and data in return? Let’s explore.
Privacy and Piracy, Defined
To understand the risks digital consumers face, we must first examine what is meant by “privacy and piracy.” Unfortunately, the number of risks threatening citizens’ private data has never been higher. So although the following list is far from complete, think of it as a useful starting point for our discussion.
A few of the different data privacy and piracy risks facing Australian consumers today include:
- Identity theft. Identity theft occurs whenever criminals improperly use a person’s personal information to their benefit; for example, by fraudulently applying for a credit card or loan in their name. More than 770,000 Australians fell victim to identity theft in 2014, with an average financial impact of $4,000 per incident, according to Veda.
- Phishing attacks. One of the ways criminals access the information needed for identity theft is phishing attacks, in which legitimate data-collecting websites (such as login or transaction pages) are spoofed with malicious versions. At one point, Australians were the biggest phishing targets in the world.
- Ransomware events. In a ransomware event, a malware program takes over a user’s computer, causing it to effectively be held hostage until a fee is paid. Again, Australia loses out. In 2017, we were one of the 10 countries hardest hit by ransomware worldwide, while one in five Australian small businesses hit by ransomware attacks were forced to close their doors.
- Cybercrime and hacking. Even if private citizens take steps to secure their identities, they may be put at risk by hacking attempts against companies and organisations that store copies of their personal information. An estimated six million Australians were affected by these attacks in 2017.
The threats described above are serious, but they’re effectively all variations of the same theme: malicious actors harvesting personal data for financial gain. A more nuanced look at data privacy and piracy requires broader thinking and presents threats that go beyond the theft of personal information.
- The use of personal data for social and political manipulation. As noted above in the example of Cambridge Analytica, personal information – in this case, data that’s freely shared over social networking websites – can be weaponised by those who harvest it to advance movements or influence political processes.
- Rate limiting and other data-based restrictions. The recent repeal of the United States’ net neutrality policy should concern Australians, who may suffer a flow-on effect from the policy’s potential access limitations. One privacy-related concern is the precedent that could be set if internet service providers (ISPs) are allowed to parcel out access to specific websites. By default, this arrangement requires that users give up data on their viewing habits and preferences, which they may prefer to keep private.
- The right to disappear. These and other risks underscore one of the questions at the heart of today’s data privacy and piracy debate: what rights do users have to the personal information they’ve shared both intentionally and unintentionally? European Union (EU) court cases have made some strides in defining this ‘right to disappear,’ as evidenced by the passage of the EU’s General Data Protection Regulation (GDPR).
Data Privacy in Australia
The governance of personal data is a wide-reaching challenge, with implications for individual consumers, businesses of all sizes and governmental bodies. Unfortunately, data privacy and piracy risks often emerge and evolve faster than organisations can identify them – let alone respond with either practical or legal guidelines.
That said, several regulations defining personal data management rights and responsibilities exist in Australia.
One of the standards most germane to this discussion is the Australian Privacy Principles (APP). Defined by the Privacy Act 1988, the principles offer guidance to ‘APP entities’ (including most governmental bodies, businesses and nonprofits with turnover greater than $3 million, private health service providers and many small businesses) on how they should “handle, manage and use personal information.”
The Privacy Act 1988 has been amended multiple times, most recently in February 2017. Updates made at that time – which went fully into effect in February 2018 – add further guidance on the topic of data breaches. KPMG’s Jacinto Munro explains the impact of these revisions on APP entities:
“Entities will be required to take all reasonable steps to ensure an assessment is completed within 30 days. If an eligible data breach is confirmed, as soon as practicable they must provide a statement to each of the individuals whose data was breached or who are at risk, including details of the breach and recommendations of the steps individuals should take.”
Another notable instance is Australia’s data retention law. Formally known as the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015, the act was passed by both Houses of Parliament on 26 March 2015 and requires that telecommunications service providers store customer data (including the metadata associated with phone calls, emails and texts; not the content itself) for two years.
One final guideline worth mentioning here is the EU’s GDPR framework, which went into effect on 25 May 2018. Though the GDPR affects EU citizens most directly, Australian companies may have some responsibilities under the new policies, which offer broad guidance on how personal data should be processed, stored, managed and deleted.
According to ZDNet contributor Asha McLean:
“The laws do not stop at European boundaries, however, with those in the rest of the world, including Australia, bound by the GDPR requirements if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.”
Failure to comply could result in “administrative fines up to €20 million, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.”
What are We Willing to Give Up?
Ostensibly, the rationale behind each of the regulations described above is the protection of citizens, whether with regard to the well-being of individual consumers or to broader societal needs. The data retention law, for instance, is described as being a counterterrorism measure that plays a vital role in investigating terrorism and organised crime.
Australian privacy advocates don’t always agree. Uri Gal, Associate Professor in Business Information Systems, University of Sydney, shares in a contribution to The Conversation that “despite the government’s warnings, the risk of getting hurt in a terrorist attack in Australia has been historically, and is today, extremely low.” Rather than being a protective measure, he sees the data retention law as an invasion of privacy.
“Metadata – data about data – can be highly revealing and provide a comprehensive depiction of our daily activities, communications and movements. As detailed here, metadata is broad in scope and can tell more about us than the actual content of our communications. Therefore, claims that the data retention law does not seriously compromise our privacy should be considered as naïve, ill-informed, or dishonest.”
Gal’s assertion epitomises the conflict described earlier, provoking the question, “What are we willing to give up?” Are we willing to:
- Enjoy the benefits of connecting with friends and relatives, even if doing so puts us at risk of being influenced by external actors?
- Share our financial data with businesses to access the advantages of e-commerce, even if this adds another point of weakness for potential identity theft and cybercrime?
- Make our personal data available to the government for the possibility of greater protection, even before we’ve fully defined how much is being revealed and who will have access to this information?
There are no easy answers to these questions, and these risks aren’t going away any time soon. But that doesn’t mean you can abdicate responsibility for them. Stay educated, and practise data safety to the extent you’re able to. Your well-being, financial health, and future rights may depend on it.
How concerned are you about data privacy and piracy? What steps are you taking to protect yourself? Leave us a comment below to join in the discussion: