Who is snooping on me?

How can I protect my privacy online?

Lenders, retailers, online marketers, government and even criminals are tracking our transactions, activity and preferences. This is what you can do about it to protect your privacy and your right to mind your business ….

By Jason Bryce

‍

New laws give police powers (with a warrant) to take over your social media and online accounts to post, change, and delete data. They can even pretend to be you online. 

Amazon, eBay, Kogan, Catch and other online marketplaces “give consumers no real choice about how their data is collected, used and disclosed,” despite long privacy policies said Senior Lecturer in Law and Justice, Katherine Kemp, for the Australian Privacy Foundation last month.

Australian banks may collect information about you from “oral sources, from correspondence and other written material either sent to us or from publicly available sources of personal information such as newspapers, electronic media, records of proceedings and public registers.”

Banks and lenders can now share your loan and account information with each other under new ‘consumer data right’ laws.

And banks don’t always get their information and data collection right, despite massive investments in the computer systems that run their operations. ME Bank, owned by the Bank of Queensland, faces criminal charges in the federal court, brought by the corporate regulator ASIC, for misleading customers about their loans, interest rates and repayments.

Criminals are increasingly targeting your online personal identities held by companies, retailers and financial institutions and developing new ‘ransomware’ apps to kidnap your information. 

Critical infrastructure is being targeted as hacking tools and apps become increasingly available growing numbers of criminals via the dark web. Total self-reported losses from cybercrime totalled more than $33 billion in 2020/21.

In the 2020/21 financial year, the ACSC received over 67,500 cybercrime reports in total, up 13 per cent on the previous year.

“The increase in volume of cybercrime reporting equates to one report of a cyber attack every 8 minutes compared to one every 10 minutes last financial year,” said the ACSC in September 2021.

Fraud, online shopping scams and online banking scams were the top reported cybercrime types said the ACSC.

“The accessibility of cybercrime services – such as ransomware-as-a-service (RaaS) – via the dark web increasingly opens the market to a growing number of malicious actors without significant technical expertise and without significant financial investment,” said the ACSC.

‍

Can I opt out of data collection?

Yes you can but there are limitations and loopholes.

When you are online, visiting a website, little web applications called cookies collect basic information about you. Often, you’re able to choose whether to accept these cookies but if you want to use a website, sometimes you need to accept their cookies.

If a website wants more information, they need to ask your permission and provide you with access to their privacy policy.

Often these privacy policies may contain clauses notifying you that your information may be used or sold or passed onto other companies for marketing purposes.

 “Online marketplaces do claim to allow choices about “personalised advertising” or marketing communications,” says Katherine Kemp, “unfortunately, these are worth little in terms of privacy protection.”

For example, Amazon says you can opt out of seeing targeted advertising but this will not opt you out of all data collection for advertising and marketing purposes.

eBay also lets you opt out of targeted ads but: “Your data may still be collected as described in our User Privacy Notice.” Sates the eBay Cookie Notice.

So eBay retains the right to continue to collect your data from data brokers, and to share them with third parties.

Katherine Kemp wants an “anti-snooping rule” that would require consumers to actively opt-in to having their data collected and shared. 

“This could involve clicking on a check-box next to a plainly worded instruction such as:

Please obtain information about my interests, needs, behaviours and/or characteristics from the following data brokers, advertising companies and/or other suppliers.”

Do I have a right to privacy online?

There is no absolute, guaranteed right to privacy enshrined in Australian law but the Australian Privacy Act 1988 and the thirteen Australian Privacy Principles, administered by the Office of the Australian Information Commissioner (OAIC) apply to government organisations, companies and organisations with an annual turnover of more than $3 million. 

That means social media companies, online marketplaces and other large online operations are covered by privacy laws. If you know your rights under the law, you are better placed to protect yourself online. The 13 Australian Privacy Principles are listed below. Click through to the OAIC to get more information.

1.  Open and transparent management of personal information An APP entity must manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy.

2. Anonymity and pseudonymity An APP entity must give an individual the option of not identifying themselves or of using a pseudonym. Limited exceptions apply.

3. Collection of solicited personal information Outlines when an APP entity can collect solicited personal information. Higher standards apply to the collection of sensitive information.

4. Dealing with unsolicited personal information Outlines how an APP entity must deal with unsolicited personal information.

5. Notification of the collection of personal information An APP entity that collects personal information about an individual must take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters.

6. Use or disclosure of personal information An APP entity can only use or disclose personal information for a purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies.

7. Direct Marketing An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.

8. Cross-border disclosure of personal information Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.

9. Adoption, use or disclosure of government related identifiers Outlines the limited situations when an organisation may adopt a government-related identifier of an individual as the organisation’s own identifier, or use or disclose a government-related identifier of an individual.

10. Quality of personal information An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.

11. Security of personal information An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An APP entity has obligations to destroy or de-identify personal information in certain situations.

12. Access to personal information Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the APP entity. This includes a requirement to provide access unless a specific exception applies.

13. Correction of personal information Outlines an APP entity’s obligations for correcting the personal information it holds about individuals.

Do privacy laws apply to Facebook?

One frequently asked question is whether privacy laws apply to online social media platforms like Facebook and Instagram.

The Privacy Act covers organisations with an annual turnover of more than $3 million and operating in Australia (plus some others) so yes, the Privacy Act applies to Facebook, Instagram, Twitter, Snapchat, LinkedIn and other similar platforms.

Ten tings you can do to protect your information online

Here are ten simple and effective tips to help you protect your information when you are online, provided by the Office of the Australian Information Commissioner:

1. Use multi-factor authentication and strong passwords
2. If your data is breached, don’t delay, act quickly, change your passwords, check your accounts.
3. Talk about privacy and protecting your information with your children
4. Update your security software and turn on automatic updates.
5. Check before sharing your personal information. Why do they need your personal information? Most organisations are only allowed to collect information they need for their work.
6. Shop securely online, look for a secure website (with a https URL), use more secure payment systems like PayPal, BPay or a credit card, rather than direct deposit or cryptocurrency.
7. Update your privacy settings in your browser to restrict cookies and advertising.
8. Beware of phishing scams. These are fake emails that ask you click on a link or provide information.
9. Secure all your devices. Have a PIN, thumbprint or facial recognition enabled to allow access to your devices.
10. Share information carefully. Social media platforms are a common source of information about you that is gathered by criminals. Be careful what you share and with whom you share it.

‍