E-CommerceALERT.com is part of the Bennett Gold LLP web site network.
LINK TO: Bennett Gold LLP, Chartered Professional Accountants, home page.
LINK TO: E-CommerceALERT.com Home Page.
CLICK to GO BACK to Main Page.

Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: The Sydney Morning Herald

Posted on March 22, 2011

With her long chestnut hair, lawyer Katherine Lane mightn't look much like Luke Skywalker but that's the name she gives to nosy retailers who needlessly demand personal details.

The principal solicitor with the Australian Consumer Credit Legal Centre NSW, Lane takes a hard line on requests that increasingly accompany purchases. Buy a toaster and you're asked for a postcode. Buy a television and you're asked for a home address - ostensibly to validate a warranty. Buy a mobile phone service and you're likely to have your driver's licence photocopied.

The requests may seem harmless but Lane says they are insidious, exposing people to identity fraud and eroding a right to shop anonymously.

''They basically ask for as much personal information as possible now,'' she says. ''The big question has to be: is it necessary?''

More often than not it's just part of a fishing expedition by marketers, she says. Collecting information for loyalty schemes and marketing databases - common motivations for businesses - exposes consumers to greater risks when data is sold or stolen. And even big companies with substantial IT budgets lose control over the data they collect. (See: Risky business.)

According to the nation's privacy principles, personal details should be collected only when they are necessary for a company to conduct business but hard definitions for that are elusive.

The Australian federal Privacy Commissioner, Timothy Pilgrim, encourages people to challenge requests for personal details.

He emphasises that companies are obliged to answer questions that justify their need for the data. Among them: Why do you need it? What will you do with it? How will you protect it? And who, if anyone, will you share it with?

In some cases, the information is required by law. Bank customers, for example, must prove their identity to open an account. An Australian Federal Police spokesman says the aviation, maritime, telecommunications, chemicals and pharmaceutical industries are also required to obtain proof of a customer's identity.

But in many cases businesses go beyond merely sighting information; they photocopy or scan valuable personal documents, exposing people to an additional avenue of risk. Mobile phone service providers are a common example. (See: A call for clarity.)

A spokesman for consumer advocacy group Choice, Christopher Zinn, says many people supply information without considering the repercussions.

''We've had stories of people who have bought pillowcases and been asked to give their postcode. It's no one's business who you are or where you come from,'' Zinn says.

At the more extreme end, pubs and clubs such as the Coogee Bay Hotel have fingerprinted customers.

''They get people to do things even the police aren't allowed to ask unless they have suspicions,'' Zinn says. He believes businesses are taking advantage of a ''misguided'' desire by most people to be polite and comply when asked for personal data.

Zinn harbours two fears about widespread collection of such information.

First, consumers have little way of knowing how their information will be used. And second, the more information that's out there, the greater the risk of it being abused.

''If you give [personal data] willy-nilly to every trader out there, who's to say who can get hold of it?'' Zinn warns. ''It makes it much easier for miscreants to steal your identity.''

The head of technology for computer security company Sophos, Paul Ducklin, often encounters requests for his driver's licence when he checks into hotels for business. Receptionists ask for his licence to verify he is the person who has reserved a room. Ducklin obligingly produces his ID and holds it up for verification. But when they reach out for it, they encounter a sharp reply: ''I'm sorry. You can look but you can't touch.''

Ducklin sees such demands for data as part of an indiscriminate effort to harvest information and keep it until some future time when companies discover a use for it.

He makes the point that photocopying a driver's licence exposes all sorts of information - not just your identity but your address, your legal signature and your date of birth.

A driver's licence can also identify whether a person is an organ donor. According to Pilgrim, this could be classified as ''sensitive health information'', which is subject to some of the most restrictive rules in the privacy sphere.

Citing the privacy principle that businesses should only collect information necessary for their business, Ducklin says he is baffled by some applications. How, he asks, does a driver's licence help a telco improve a customer's mobile phone service?

Similarly, he questions why ticketing agencies require a customer's date of birth when buying online. Surely, he says, the point is the customer's age, not his or her birth date. Checking the age of a buyer could be relevant for events at licensed venues but Ducklin also points out that the purchaser isn't necessarily the end user.

The collection of personal details is sometimes justified to consumers as being necessary for a manufacturer's warranty but Lane dismisses this as ''rubbish''. An implied warranty requires that goods must be fit for their purpose. ''The reason they want it is not for warranty purposes but for building a customer database,'' Lane says.

Privacy and security experts say the increased demand for personal data has created a kind of arms race.

As identity fraud worsens, companies gather more evidence to establish a customer's identity and thereby expose more information to the risk of abuse or theft.

A professor of law and information systems at the University of NSW, Graham Greenleaf, believes much of the blame for what some see as an unchecked escalation in demands for personal data rests with successive federal privacy commissioners.

He says the fault lies not with the powers entrusted to the commissioner but in how rarely those powers are exercised. Lane, Zinn and Nigel Waters of the Australian Privacy Foundation all voice similar concerns.

Greenleaf acknowledges the commission has a good record for mediating disputes. But he says the commission's strongest power - the ability to issue formal rulings (known as Section 52 determinations) to clarify what constitutes a breach of privacy - has been used for only one case in the 10 years since the commissioner was granted authority over the private sector.

The commission can grant compensation to an aggrieved consumer but, Greenleaf says, details of those are all but unknown.

''We know absolutely nothing - not a scintilla - about what a breach of privacy is worth, because the privacy commissioner refuses to publish any information that actually reveals that,'' he says. ''It's not the sorry state of enforcement powers. It's the sorry state of enforcement.''

Pilgrim, who has been privacy commissioner since last July, has not yet issued a Section 52 determination but he says the commission has published case notes on about two dozen complaints to educate businesses. He says the commission shuns using its biggest guns in favour of mediation.

In the 2009-10 enforcement year, the commission handled 1201 complaints. Pilgrim anticipates a 10 per cent increase in complaints this year, largely because of online practices.

''We think if you take the less adversarial role, it is a better way to get a better outcome,'' he says.

Greenleaf argues the commission's apparent reluctance to exert its Section 52 power has robbed the system of its ability to deter bad behaviour. ''There are no signals sent out as to what really are breaches of the Privacy Act and what the consequences of a breach are,'' he says.

He also sees the system as ''biased'' against consumers: companies can, in effect, appeal against the commissioner's decisions. Individuals who believe their privacy has been breached have no such right. Both men agree on the bottom line: consumers should take responsibility for their privacy and be proactive against what they see as encroachments on personal information.

Risky business

The more information companies collect, the more details become vulnerable. Recent Australian examples that put personal details at risk include:

• February 2011 - cosmetics company Lush warns Australian and New Zealand customers that details of online credit card transactions have been captured by criminals.

• February 2011 - the Privacy Commissioner rebukes Vodafone for ''an inadequate level of security'' on systems storing the personal details of up to 4 million customers.

• January 2011 - Details about thousands of University of Sydney students are found stored online where they can be downloaded or read via an internet connection.

• January 2011 - The Sun-Herald reports that club and pub patrons are being forced to undergo fingerprint and photographic scans to enter entertainment venues.

• December 2010 - Telstra accidentally leaks personal details of hundreds of customers after an employee emails people waiting for products rather than to the stores that were to deliver the goods.

CLICK to GO BACK to Main Page.

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.

Final Entries

LINK TO: Bennett Gold, Chartered Professional Accountants: A Licensed Provider of WebTrust Services.

WebTrust Is Your
Best Defense
Privacy Breaches.

Get WebTrust
Working For
Your Site.