You go to the shopping center to buy some groceries. Without your knowledge, electronic scans of your face are taken by in-store surveillance cameras and stored in an online database. Every time you return to that store, your “faceprint” is compared with those of people wanted for shoplifting or violence.
This may sound like science fiction, but for many of us it is the reality. By failing to take our digital privacy seriously, as former Human Rights Commissioner Ed Santow has warned, Australia is “sleeping” in mass surveillance.
Privacy and the digital environment
Of course, companies have been collecting personal information for decades. If you’ve ever signed up for a loyalty program like Flybuys, you’ve performed what marketing agencies call a “value exchange.” In exchange for a benefit from the company (such as a discounted price or special offer), you provide a description of who you are, what you buy, and how often you buy it.
Consumer data is big business. In 2019, a report by digital marketers WebFX revealed that data from approximately 1,400 loyalty programs was being regularly traded worldwide as part of an industry worth approximately US$200 billion. In the same year, the Australian Competition and Consumer Commission’s review of loyalty schemes revealed how many of these loyalty schemes lacked data transparency and even discriminated against vulnerable customers.
But the digital environment is making data collection even easier. When you watch Netflix, for example, the company knows what you watch, when you watch it, and how long you watch it. But they go even further, capturing data on which scenes or episodes you frequently watch, the rating of your content, the number of searches you make, and what you search for.
Hyper-collection: a new challenge to privacy
Late last year, controversial tech company ClearView AI was ordered by the Australian Information Commissioner to stop “scraping” social media for photos to add to its massive facial recognition database. In the same month, the commissioners were investigating several retailers for creating facial profiles of customers in their stores.
This new phenomenon – “hyper-collection” – represents a growing tendency by large companies to collect, sort, analyze and use more information than is necessary, usually in a covert or passive manner. In many cases, hyper-collection is not actually supported by a legitimate commercial or legal purpose.
Digital Privacy Law and Hyper-collection
Hyper-collection is a major problem in Australia for three reasons.
First, Australia’s privacy law was unprepared for the likes of Netflix and TikTok. Despite several amendments, the Privacy Act dates back to the late 1980s. Although former Attorney-General Christian Porter announced a review of the act in late 2019, it has been put on hold by the recent change of government.
Second, Australian privacy laws are unlikely to jeopardize the profit base of foreign companies, particularly those based in China. The information commissioner has the power to order companies to take certain actions — like it did with Uber in 2021 — and can enforce these through court orders. But the penalty isn’t really that big of a disincentive to companies with billions of dollars in profits.
Third, hyper-collection is often enabled by the implicit consent we give to access the services provided by these companies. For example, Bunnings argued that the collection of your faceprint was allowed because signs at the entrance to its stores told customers that facial recognition could be used. Online marketplaces like eBay, Amazon, Kogan and Catch, meanwhile, rely on “bundled consent”: basically, you have to consent to their privacy policies as a condition of using their services. No consent, no access.
TikTok and hyper-collection
TikTok (owned by Chinese company ByteDance) has largely replaced YouTube as a way to create and share videos online. The app is powered by an algorithm that has drawn criticism for ByteDance’s secretive approach to content moderation and censorship, along with regularly collecting data about users.
For years, TikTok executives have been telling governments that data is not stored in servers on the Chinese mainland. But these promises may be hollow in the light of recent allegations.
Cybersecurity experts now claim that the TikTok app not only regularly connects to Chinese servers, but that users’ data can be accessed by ByteDance employees, including a mysterious Beijing-based “master admin” who has access to every user’s personal information.
Then, this week, it was alleged that TikTok (owned by Chinese company ByteDance) could access almost all the data on the phone – including photos, calendars and emails.
Under China’s national security laws, the government can order tech companies to pass this information on to the police or intelligence agencies.
What options do we have?
Unlike in a physical store, we don’t get many choices when it comes to consenting to the privacy policies of digital companies and how they collect our information.
One option – backed by encryption specialist Vanessa Teague at ANU – is for consumers to simply remove the offending apps until their creators are willing to submit to greater data transparency. Of course, that means locking ourselves out of those services, and it will have a big impact on the company only if enough Australians are involved.
Another option is to “opt-out” of intrusive data collection. We’ve done this before – when My Health Record became mandatory in 2019, a record number of us opted out. Although these opt-outs diminished the usefulness of that digital health records program, they demonstrated that Australians can take their data privacy seriously.
But how can Australians opt-out of a big social app like TikTok? Right now, they can’t – perhaps the government needs to find a solution as part of its review.
Another option being explored by a review of the Privacy Act is whether to create new laws that allow individuals to sue companies for damages for breaches of privacy. While lawsuits are expensive and time-consuming, they can inflict the kind of financial damage on large companies that can alter their behavior.
No matter which option we take, Australians need to start getting more knowledgeable about their data privacy. This may mean that we actually read those terms and conditions before agreeing, and if companies will not be honest about what they are doing with our personal information, we may not be able to “vote with our feet”.