As survey results pile up, it’s becoming clear Australians are sceptical about how their online data is tracked and used. But one question worth asking is: are our fears founded?
The short answer is: yes.
In a survey of 2,000 people completed last year, Privacy Australia found 57.9% of participants weren’t confident companies would take adequate measures to protect their data.
Similar scepticism was noted in results from the 2017 Australian Community Attitudes to Privacy Survey of 1,800 people, which found:
• 79% of participants felt uncomfortable with targeted advertising based on their online activities
• 83% were uncomfortable with social networking companies keeping their information
• 66% believed it was standard practice for mobile apps to collect user information and
• 74% believed it was standard practice for websites to collect user information.
Also in 2017, the Digital Rights in Australia report, prepared by the University of Sydney’s Digital Rights and Governance Project, revealed 62% of 1,600 participants felt they weren’t in control of their online privacy. About 47% were also concerned the government could violate their privacy.
The ugly truth
Lately, a common pattern has emerged every time malpractice is exposed.
The company involved will provide an “opt-out” mechanism for users, or a dashboard to see what personal data is being collected (for example, Google Privacy Checkup), along with an apology.
If we opt out, does this mean they stop collecting our data? Would they reveal collected data to us? And if we requested to have our data deleted, would they do so?
To be blunt, we don’t know. And as end users there’s not much we can do about it, anyway.
When it comes to personal data, it’s extremely difficult to identify unlawful collections among legitimate collections, because multiple factors need to be considered, including the context in which the data is collected, the methodology used to obtain user consent, and country-specific laws.
Also, it’s almost impossible to know if user data is being misused within company bounds or in business-to-business interactions.
Despite ongoing public outcry to protect online privacy, last year we witnessed the Cambridge Analytica scandal, in which a third-party company was able to gather the personal information of millions of Facebook users and use it in political campaigns.
More recently, a New York Times article exposed how much fine-grained data is acquired and maintained by relatively unknown consumer scoring companies. In one case, a third-party company knew the writer Kashmir Hill used her iPhone to order chicken tikka masala, vegetable samosas, and garlic naan on a Saturday night in April, three years ago.
At this rate, without any action, scepticism towards online privacy will only increase.
History is a teacher
Early this year, we witnessed the bitter end of the Do-Not-Track initiative. This was proposed as a privacy feature where requests made by an internet browser contained a flag, asking remote web servers to not track users. However, there was no legal framework to force web server compliance, so many web servers ended up discarding this flag.
Many companies have made it too difficult to opt out of data collection, or to request the deletion of all data related to an individual.
For example, as a solution to the backlash on human voice command annotation, Apple provided an opt-out mechanism. However, doing this for an Apple device is not straightforward, and the option isn’t prominent in the device settings.
Also, it’s clear tech companies don’t want opting out of tracking to be the default setting for users.
It’s worth noting that since Australia doesn’t have social media or internet giants, much of the country’s privacy-related debates are focused on government legislation.
Are regulatory safeguards useful?
But there is some hope left. Some recent events have prompted tech companies to think twice about the undeclared collection of user data.
For example, a US$5 billion fine is looming for Facebook, for its role in the Cambridge Analytica incident, and related practices of sharing user data with third parties. The exposure of this event has forced Facebook to take measures to improve its privacy controls and be forthcoming with users.
Similarly, Google was fined EU$50 million under the General Data Protection Regulation by French data regulator CNIL, for lack of transparency and consent in user-targeted ads.
Like Facebook, Google responded by taking measures to improve the privacy of users: it stopped reading our e-mails to provide targeted ads, enhanced its privacy control dashboard, and revealed its vision to keep user data in devices rather than in the cloud.
No time to be complacent
While it’s clear current regulatory safeguards are having a positive effect on online privacy, there is ongoing debate about whether they are sufficient.
Some have argued about possible loopholes in the European Union’s General Data Protection Regulation, and the fact that some definitions of legitimate use of personal data leave room for interpretation.
Tech giants are multiple steps ahead of regulators, and are in a position to exploit any grey areas in legislation they can find.
We can’t rely on accidental leaks or whistleblowers to hold them accountable.
Respect for user privacy and ethical usage of personal data must come intrinsically from within these companies themselves.
Authors: Suranga Seneviratne, Lecturer - Security, University of Sydney