CementeryBy Bruce Arnold.

Privacy Is Dead, But Not The Privacy You Know.

Most Australians have grown up with data protection lite, a world in which there was not much legawl protection for personal information and corporate information. It was a world without data mining and geospatial identification. It was a world without biometrics and social network services. No Facebook. No Wikileaks. No thumb drives. No 9/11. A world with lace curtains and lots of foot-in-the-door journalism. A world with few constraints on what information was collected, how it was processed and where it went. That world is over. It’s not coming back.

Law eventually catches up with all technologies. What we’re seeing at the moment is the emergence of a new data protection regime, one that provides stronger protection for individuals and organisations. That regime will affect private investigators, corporate IT managers, lawyers, journalists, policymakers and consumers. It will also empower law enforcement and national security agencies, allowing them to meet the challenges of global commerce and global crime, without
acting illegally.

It’s common for digital enthusiasts to announce that privacy is dead. The implication is that we should all just get used to living in the public eye or being invisibly tagged and sorted by a range of marketers and surveillance agencies. It’s also common for the digerati to announce that ‘information just wants to be free’, so abandon notions of confidentiality, secrecy and intellectual property. One Australian academic announced that privacy is “a middle-class invention by people with nothing else to worry about”, the “adult equivalent of Santa Claus and unicorns”, and an invention that “permeates the feeble minds of law-makers and puts the innocent at risk”. Academics say the strangest things and the professor hasn’t got round to publishing his financial records on the internet or walking naked down Collins Street in rush hour. He is choosing to protect his privacy, in the same way that executives guard information, and he would presumably reach for the law if I invaded his life with a bug, a crowbar or a keylogger.

The death of privacy (or confidentiality) is a naïve claim. Claims that it is over should frighten anyone who has seen the glee with which cyber-vigilantes such as Anonymous or irresponsible anarchists such as Julian Assange have released commercial and government information into the public domain without much concern for the consequences or effort to verify whether the data is true.

The claim is naïve because there are legitimate reasons to protect personal and corporate information. The claim is also naïve because law is getting stronger and more extensive rather than disappearing. Australian and overseas law, such as the profoundly important Council of Europe Cybercrime Convention (a global law enforcement agreement that includes Australia), is increasingly giving organisations and individuals meaningful legal backing for administrative practices and technical restrictions dealing with the unauthorised collection, distribution and use of sensitive data. If you are careless you may not be able to stop your employee walking out with the secrets, but you can stop her profiting from that illegal behaviour. The law is not dead; it has just changed. Readers need to be hard-headed and take advantage of it, rather than believe the hype.

Much of that hype involves new technologies which enthusiasts assume always mean the death of privacy. A more realistic view is that technologies are neutral. They can be used for good or evil. Law provides a framework for that use. Law is catching up and will continue to do so. That is an issue if you have been engaged in surveillance and in data profiling. It is good news if you are concerned about the protection of personal/corporate information or simply want a more coherent set of rules that do not feature the anomalies that are evident in how state governments deal with covert surveillance, such as last year’s ADFA webcam incident.

Where Are The Changes Coming From?

The national constitution does not refer to privacy. That’s unsurprising, because it was written in the age of the box brownie camera, when there were only 7,000 telephone numbers in Melbourne and gentlemen did not read each other’s mail. The constitution does not enshrine privacy as a human right, because it does not yet enshrine human rights. More importantly, for many businesses, it does not enshrine data protection or commercial confidentiality. If you want protection for business secrets, you rely on traditional mechanisms, such as locked doors and red labels, along with increasingly strong judge-made law about confidentiality and acts of parliament that criminalise activity such as hacking or the unauthorised removal of electronic media, such as hard drives.

Privacy in the era of our grandfathers and fathers was weak and very inconsistent, a matter of good manners. It is getting increasing legal recognition and we’re moving towards a significantly stronger national Privacy Act, one that will probably include substantial financial damages in favour of people whose lives have been invaded. The old world of privacy is dead, along with the lace curtains. The new world is on the way.

Where is the change coming from? One answer is that it is coming from overseas, with Australia, reluctantly or otherwise, adopting international business standards and global law about, for example, personal privacy, government surveillance and commercial data protection. Neither businesses nor governments like activities such as hacking, whether done by journalists, terrorists or rogue businesses. In the past six months, we’ve seen a string of people go to prison in the UK, Canada and US over unauthorised access to information in electronic and print formats. Those convictions are based on law that has been introduced in the past decade and that is currently being strengthened. Ask the News of the World journalists sharing a cell with Bubba if privacy is dead. Presumably, the answer is that their privacy is dead and they hope Bubba isn’t too curious.

What about Facebook and other social network services? One conclusion is that governments leave many decisions to consumers. If you choose to share some information, that’s your choice. A more informed conclusion is that governments, particularly those in Europe, are progressively tightening what such services can do with information and how they need to alert you so that you can make an informed choice. The law won’t stop you from making a fool of yourself, but it will protect you from being deceived. Facebook and its competitors, remember, are not charities. They exist to make money and can be persuaded by the sort of law that is in the pipeline.

What about Mr Assange, the guy who is just about to get his own show on a Kremlin-aligned, Russian television network? Assange is the best thing to have happened to the US intelligence community, and to major corporations, in the past 30 years. He is a wakeup call for lazy managers who failed to adequately supervise databases containing large amounts of sensitive information. He also provided a justification for a tightening of law about hacking and other information activity. If Assange had not existed, the CIA or NSA would have needed to invent him.

That law, which will authorise law enforcement agencies to access web surfing, email and other electronic traffic data, does pose questions about the place of privacy in a global, digital economy. The law does not mean that privacy will go away. It does mean that we need to manage privacy. There will be times when courts and parliaments draw a line and say that some information should not be shared by agencies or purchased from commercial agents. People who step over the line will be in trouble. Privacy in the new world won’t be dead. It will be different.

Bruce Arnold is a lecturer in the Law Faculty at the University of Canberra. He has published widely on the regulation of new technologies, privacy, biometrics, confidentiality and security. He has also provided testimony in a range of parliamentary committee inquiries about security and other matters.