Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Gunning, Patrick --- "Evaluating privacy for Internet users and service providers" [1997] PrivLawPRpr 40; (1997) 4(4) Privacy Law & Policy Reporter 67

• Anatomy of web browsing
  
  • Information a web site operator will ordinarily know
    
• Cookies
  
• Interceptions
  
• The 1997 telecommunications regime10
  
• Self-regulation
  
  • INTIAA Code of Conduct
    
  • Draft Distance Selling Code of Conduct
    

Evaluating privacy for Internet users and service providers

Patrick Gunning

I have endeavoured to look at some unexplored territory on the topic of privacy and the Internet in this article, rather than cover matters that are often addressed in papers on this topic. In overview, this article discusses:

• the basic anatomy of web browsing;
• cookies;
• the applicability of telecommunications interception legislation to ISPs;
• the possible impact of the 1997 telecommunications regime on ISPs;
• developments in self-regulation.

Anatomy of web browsing

The most popular part of the Internet is undoubtedly the World Wide Web. I don’t profess to be an expert on the technical details of the operation of the web. However, it is important to understand some basic terminology and structure of the web in order to meaningfully discuss the existing and any proposed regulatory environment.

To access the web, users need to have browser software and an Internet access provider. The access provider allocates a virtual address — known as an Internet Protocol (IP) address — to the user’s computer each time the user initiates an access session. When the user wishes to access the material stored on a computer with a particular Uniform Resource Locator (URL), the access provider ‘resolves’ the user’s designated URL (by referring to a domain name server that maintains a directory of IP address to URL relationships) to an IP address representing the relevant host computer. The user’s browser causes a message to be sent to that IP address. Two way communication between the two IP addresses then occurs.

For reasons associated with bandwidth capacity, many access providers cache commonly accessed material on computers under their control. If a user requests access to such material, rather than establishing a communication between the user and the originator of the material, the communication occurs between the user and the access provider’s cache.

There may be a slight difference in the case of access to the web through a computer that is connected to a local area network (LAN) — which is the situation in most work places. In this case, instead of establishing a direct connection between the user’s computer and the access provider there is often an intermediate or ‘proxy’ server through which all Internet access by computers connected to the LAN is mediated. In other words, the external web site addresses its messages to the IP address of the proxy server which, in turn, redirects the message to the appropriate user.

Information a web site operator will ordinarily know

At a minimum, the operator of a web site will be able to determine the user’s IP address and the URL of the web page the user immediately previously accessed (this is necessary so the ‘back’ function will work on the browser). In many cases, it will be possible to determine the type of browser software being used and, by implication, the user’s operating system environment.

From the IP address it is possible to use a domain name look up service to establish the URL associated with that address (which will generally be either the access provider’s URL or the URL of a proxy server). Often it will be possible to determine the user’s rough geographical location from that URL. However, if a proxy server is used, there may be little relationship between the location of the proxy server and the location of the user. Nevertheless, it is possible that a machine address may personally identify its user.

Some users resent the fact that this kind of information is available to web site operators as a matter of course. They now have an alternative. The ‘Anonymizer’ site[1] effectively acts as a proxy — the only trace left is that you have come from the anonymizer site.

Additionally, a web site operator will be able to track a user’s passage through the site — compiling data as to which links were followed and the period of time the user viewed each page. This sort of feedback is important for web site operators who want to improve the attractiveness of their service. And it is particularly important if the web site is looking to sell advertising space.

Cookies

The glue that holds the web together is the Hyper Text Transfer Protocol (HTTP). The original specifications for HTTP provided that web servers responded to each request by the user without relating that request to any previous or subsequent request by the user. In other words, each user placed in the same situation would be treated equally. However, Netscape — the creator of the most popular browser program — saw this as a shortcoming. Netscape devised ‘cookies’ (sometimes known as ‘magic cookies’) as a response. The Internet community has since developed the concept and the Internet Engineering Task Force issued an informal standard on the subject in February 1997.[2]

Put simply, a cookie is a packet of information supplied by a web server to the user’s computer that may be returned to the server by the user on a subsequent occasion. Perhaps the most commonly recited use of cookies is to create a ‘shopping basket’ metaphor. Many of the online stores — and particularly book and music stores — use this metaphor. They allow users to browse through the titles in their catalogue and to identify the products they are interested in purchasing, so that it is only necessary for there to be one transaction to purchase three products instead of three separate small transactions. On each occasion the user indicates that he or she wishes to add an item to the shopping basket, the web server sends a cookie to the user’s computer that records the selected product. When the user wishes to either inspect the items in the shopping basket or to purchase the products in the basket, the web server will request that the cookie be returned from the user’s computer so the relevant products can be identified.

The uses of cookies are many and varied. Apart from shopping baskets, they enable personal customisation of web sites (so, for example, you can receive the headlines of stories in the subject areas you are interested in before receiving other material). On the whole, this use of cookies is likely to be beneficial to users. Cookies may also be used for purposes that are more annoying to users. For example, they could be used to rotate advertising material so each regular user was exposed to a given ad for a particular number of times he or she visited a page. While this may be annoying or distracting to users, it may still turn out to be beneficial if it allows the operator of the site to continue making available content that is of interest to the user.

While cookies can undoubtedly play a beneficial role, there are some concerns as to how the technology has been implemented in some cases. Perhaps the most legitimate concern about cookies is that many users are unaware of them. Accordingly, web site operators can, theoretically, be gathering profiles on users without the user’s knowledge of:

(a) the nature of the information being collected;

(b) the primary purpose for which the information is collected; or

(c) any possible secondary uses of the information.

However, the more recent versions of the popular browsers allow users to opt out of receiving cookies. Nevertheless, if a user wishes to opt out, it can be difficult to make an informed decision about whether to accept a particular cookie, because the purpose for which the web site operator is using the cookie may not readily apparent. It seems that this is due to the particular means of implementation chosen by most web site operators because the specification governing the use of cookies anticipates this problem and allows web site operators to optionally associate a ‘comment’ attribute with each cookie to enable an informed choice as to whether the cookie should be accepted.

Interceptions

The federal Telecommunications (Interception) Act 1979 regulates the interception of ‘a communication passing over a telecommunications system’.[3] There are three important concepts here:

(i) the scope of a ‘communication’;

(ii) when is a communication ‘passing over a telecommunications system’; and

(iii) what is considered to be an ‘interception’.

There has been some discussion of how the Interception legislation might affect the activities of Internet access providers, particularly in relation to their ability to monitor email messages.[4] The analysis to date has focussed on the first and third issues identified above and is sound. However, it seems to me that the critical issue in defining the applicability of the Interception legislation to the Internet is (ii) above.

To determine whether a communication is passing over a telecommunications system, it is necessary to identify the boundaries of that system and the form the communication takes at the time it is intercepted.

As to the physical boundaries of a telecommunications system, it is clear that it includes ‘equipment’, a ‘line’ or other ‘facility’ that is within Australia and is connected to a ‘telecommunications network’.[5] Each of these terms is defined by reference to their meanings under the general telecommunications legislation (and will be updated when the 1997 telecommunications regime commences). Most probably all equipment that is in Australia, up to and including the user’s PC, used in the connection of a user to the Internet will fall within this boundary.

An essential feature of a telecommunications system is that it is a means of carrying communications by guided or unguided electromagnetic energy or both.[6] So a communication must still be in electromagnetic form if it is in its passage over a telecommunications system. Thus, a communication in the form of audible speech (sounds waves) cannot be said to be passing over a telecommunications system.[7] In order to understand how the Interception legislation applies to the Internet, it is necessary to determine whether a given communication is in the form of guided or unguided electromagnetic energy. Ultimately, that is a question for expert evidence.

However, based on my limited (high school) understanding of physics, it seems to me that there is a reasonable argument that the term ‘electromagnetic energy’ is synonymous with electromagnetic radiation. In other words, an element of propagation is essential to the concept of electromagnetic energy. If this is correct, it is difficult to classify data held in a digital storage medium as electromagnetic energy. This results in the following position:

• ‘interception’ of data stored by a computer[8] involved in any ‘communication’ does not contravene the legislation because the communication is not ‘passing over a telecommunications system’ at that time; and
• the Interception legislation is only potentially relevant to ‘real time’ interceptions of communications — that is, in the context of the Internet, interception of exchanges that occur whilst a transmission channel between two computers is open.[9]

If this is correct, the primary legislative basis at present for the establishment of email privacy is the offence for unauthorised access to a computer. From a user’s perspective, an Internet access provider is unlikely to commit such an offence by monitoring any email held in the user’s mailbox administered by the access provider. Rather, this issue is left to the subscription contract and general obligations of confidence.

The 1997 telecommunications regime10

However, the telecommunications industry is about to undergo a regulatory revolution with the passage of the 1997 telecommunications reforms through Parliament. This may have a considerable impact on Internet access providers, including in relation to privacy issues.

The 1997 telecommunications regime classifies the participants in the telecommunications industry in broad terms as either a ‘carrier’ or a ‘service provider’. Service providers are, in turn, broken down into ‘carriage service providers’ and ‘content service providers’.

The carriers are the owners of the telecommunications infrastructure — referred to as ‘network units’ which comprise the line links and transmission facilities necessary to establish connections between distinct places. They are the most heavily regulated businesses under the regime.

Carriage service providers are those who supply a ‘listed carriage service’ to the public using a network unit owned by one or more carriers. A listed carriage service is a ‘carriage service’ between two or more points,[11] at least one of which is in Australia. And a carriage service is a service for carrying communications by means of guided and/or unguided electromagnetic energy. Many activities of carriage service providers are regulated under the legislation, but much of the regulation is restricted to those carriage service providers who offer a ‘standard telephone service’.

Content service providers are those who use a listed carriage service to supply a ‘content service’ to the public. A content service is a broadcasting service[12] or an online service (whether for the provision of information, entertainment or educational material). Accordingly, it appears that anyone operating a web site will be considered to be a content service provider. However, the regulation of content service providers is light handed, and most web site operators will be unaffected by the change.

The more interesting issue is whether an Internet access provider falls within the definition of a ‘carriage service provider’. For this to be the case, it is necessary to find that an access provider provides a service for carrying communications by means of guided and/or unguided electromagnetic energy. Certainly communications over the Internet are transmitted by these means. But the critical question is: ‘who carries these communications’?

This is not an easy question to answer. Each user will have a contract with a carriage service provider (whom I will refer to as the ‘primary CSP’) for the carriage of data between the user’s location and the access provider’s point of presence. Typically, the access provider and the primary CSP will be different businesses. However, once a communication reaches the access provider’s point of presence it is routed to the appropriate remote computer by the access provider, and the primary CSP may well play no further role until the access provider routes a communication back to the user. It seems to me that there is an arguable case that the access provider falls within the definition of a ‘carriage service provider’ in that it has agreed with the user to carry communications between its points of presence and any remote computer connected to the Internet.[13]

If the argument above is correct, Internet access providers will be subject to considerable regulation that they are presently not subjected to.[14] Privacy issues, in particular, would be affected.

Part 13 of the 1997 Act is entitled ‘protection of communications’. Part 13 establishes a regime to prevent the unauthorised use or disclosure of:

(i) the contents or substance of communications that have been or are being carried by means of guided and/or unguided electromagnetic energy; and

(ii) any ‘affairs or personal particulars’ of users of the carriage service.

In essence, Pt 13 imposes statutory obligations of confidence on carriers and carriage service providers and their employees.[15]

Although the exceptions to the obligations of confidence are, in many respects, considerably wider than under the equivalent provisions of the existing telecommunications regime (and under the exceptions to the Privacy Act’s IPPs),[16] the legislation does establish a data protection regime (which would otherwise be unavailable) to the benefit of users.

Part 15 of the 1997 Act, is concerned with cooperation between law enforcement agencies on the one hand and carriers and members of a specified class of carriage service providers on the other. It is possible that Internet access providers could be required to ensure that they are in a position to provide a specified kind of interception capability (so as to enable warrants issued under the telecommunications interception legislation to be effective). However, it does not appear that an access provider could be required to decrypt any encrypted communications passing over their equipment. Rather the requirement would be to allow the communication to be recorded.

Self-regulation

INTIAA Code of Conduct

The Internet Industry Association of Australia (‘INTIAA’) was formed in late 1995. Its members believed that it was important to promote corporate responsibility in the industry. To that end, one of its first acts was to issue a draft code of practice for participants in the industry. The first draft was published in February 1996. The code is intended as a voluntary code to which individual members of INTIIA may subscribe. Following a consultation process, in September 1996 a second draft was published.[17] One of the topics addressed by the code is data protection. It provides for limitations on collection of data (including by passive recording of actions) relating to users and the use of such data. Code subscribers also undertake to take reasonable steps to establish access and correction rights.

Draft Distance Selling Code of Conduct

In December 1996 a working group established by the Standing Committee of Officials of Consumer Affairs (a national committee) issued a draft distance selling code of conduct.[18] It is proposed as a voluntary code of conduct to be adopted by persons referred to as ‘distance sellers’, ‘direct marketers’, ‘list users’, ‘list owners’, ‘list compilers’ and ‘list brokers’.

The code has relevance to the Internet because of its definition of ‘direct marketing’. Direct marketing is defined to mean the marketing of goods or services through a means of communication at a distance where:

(a) consumers are invited to respond using a means of communications at a distance; and

(b) it is intended that the goods or services be supplied under a contract negotiated through means of communication at a distance.

In turn, ‘means of communication at a distance’ is defined to include electronic mail and the Internet.

Each of the kinds of persons eligible to undertake to comply with the code is involved in the activity of direct marketing.

The most significant feature of the code is its consumer protection provisions (dealing with issues such as cooling off periods — something alien to many on-line businesses — and trade promotions). The code also contains a part dealing with privacy protection, which is intended to apply to code subscribers who collect personal information or compile or use lists containing personal information that may be used for direct marketing purposes. The code imposes disclosure obligations as to the primary and secondary purposes for which personal information is being collected. It prohibits the collection and use of certain sensitive information and establishes:

• a right to know the source of information;
• access and correction rights; and
• a mechanism to allow individuals to request no further contact from any participating direct marketer for 12 months or an indefinite period in relation to named marketers.

Interestingly, the code does not appear to contain prohibitions equivalent to IPPs 10 and 11 (that is, restrictions on the use and disclosure of information for purposes other than those disclosed at the time of collection).

Patrick Gunning is a Solicitor at Mallesons Stephen Jaques, Sydney (Email: Patrick_Gunning@msj.com.au) This paper was presented to IIR’s Data Protection & Privacy conference, 12 May 1997.

[2] See ‘HTTP State Management Mechanism’ at http://www.internic.net/rfc/rfc2109.txt.