Privacy Law and Policy Reporter
I have endeavoured to look at some unexplored territory on the topic of privacy and the Internet in this article, rather than cover matters that are often addressed in papers on this topic. In overview, this article discusses:
The most popular part of the Internet is undoubtedly the World Wide Web. I don’t profess to be an expert on the technical details of the operation of the web. However, it is important to understand some basic terminology and structure of the web in order to meaningfully discuss the existing and any proposed regulatory environment.
To access the web, users need to have browser software and an Internet access provider. The access provider allocates a virtual address — known as an Internet Protocol (IP) address — to the user’s computer each time the user initiates an access session. When the user wishes to access the material stored on a computer with a particular Uniform Resource Locator (URL), the access provider ‘resolves’ the user’s designated URL (by referring to a domain name server that maintains a directory of IP address to URL relationships) to an IP address representing the relevant host computer. The user’s browser causes a message to be sent to that IP address. Two way communication between the two IP addresses then occurs.
For reasons associated with bandwidth capacity, many access providers cache commonly accessed material on computers under their control. If a user requests access to such material, rather than establishing a communication between the user and the originator of the material, the communication occurs between the user and the access provider’s cache.
There may be a slight difference in the case of access to the web through a computer that is connected to a local area network (LAN) — which is the situation in most work places. In this case, instead of establishing a direct connection between the user’s computer and the access provider there is often an intermediate or ‘proxy’ server through which all Internet access by computers connected to the LAN is mediated. In other words, the external web site addresses its messages to the IP address of the proxy server which, in turn, redirects the message to the appropriate user.
At a minimum, the operator of a web site will be able to determine the user’s IP address and the URL of the web page the user immediately previously accessed (this is necessary so the ‘back’ function will work on the browser). In many cases, it will be possible to determine the type of browser software being used and, by implication, the user’s operating system environment.
From the IP address it is possible to use a domain name look up service to establish the URL associated with that address (which will generally be either the access provider’s URL or the URL of a proxy server). Often it will be possible to determine the user’s rough geographical location from that URL. However, if a proxy server is used, there may be little relationship between the location of the proxy server and the location of the user. Nevertheless, it is possible that a machine address may personally identify its user.
Some users resent the fact that this kind of information is available to web site operators as a matter of course. They now have an alternative. The ‘Anonymizer’ site effectively acts as a proxy — the only trace left is that you have come from the anonymizer site.
Additionally, a web site operator will be able to track a user’s passage through the site — compiling data as to which links were followed and the period of time the user viewed each page. This sort of feedback is important for web site operators who want to improve the attractiveness of their service. And it is particularly important if the web site is looking to sell advertising space.
The glue that holds the web together is the Hyper Text Transfer Protocol (HTTP). The original specifications for HTTP provided that web servers responded to each request by the user without relating that request to any previous or subsequent request by the user. In other words, each user placed in the same situation would be treated equally. However, Netscape — the creator of the most popular browser program — saw this as a shortcoming. Netscape devised ‘cookies’ (sometimes known as ‘magic cookies’) as a response. The Internet community has since developed the concept and the Internet Engineering Task Force issued an informal standard on the subject in February 1997.
While cookies can undoubtedly play a beneficial role, there are some concerns as to how the technology has been implemented in some cases. Perhaps the most legitimate concern about cookies is that many users are unaware of them. Accordingly, web site operators can, theoretically, be gathering profiles on users without the user’s knowledge of:
(a) the nature of the information being collected;
(b) the primary purpose for which the information is collected; or
(c) any possible secondary uses of the information.
The federal Telecommunications (Interception) Act 1979 regulates the interception of ‘a communication passing over a telecommunications system’. There are three important concepts here:
(i) the scope of a ‘communication’;
(ii) when is a communication ‘passing over a telecommunications system’; and
(iii) what is considered to be an ‘interception’.
There has been some discussion of how the Interception legislation might affect the activities of Internet access providers, particularly in relation to their ability to monitor email messages. The analysis to date has focussed on the first and third issues identified above and is sound. However, it seems to me that the critical issue in defining the applicability of the Interception legislation to the Internet is (ii) above.
To determine whether a communication is passing over a telecommunications system, it is necessary to identify the boundaries of that system and the form the communication takes at the time it is intercepted.
As to the physical boundaries of a telecommunications system, it is clear that it includes ‘equipment’, a ‘line’ or other ‘facility’ that is within Australia and is connected to a ‘telecommunications network’. Each of these terms is defined by reference to their meanings under the general telecommunications legislation (and will be updated when the 1997 telecommunications regime commences). Most probably all equipment that is in Australia, up to and including the user’s PC, used in the connection of a user to the Internet will fall within this boundary.
An essential feature of a telecommunications system is that it is a means of carrying communications by guided or unguided electromagnetic energy or both. So a communication must still be in electromagnetic form if it is in its passage over a telecommunications system. Thus, a communication in the form of audible speech (sounds waves) cannot be said to be passing over a telecommunications system. In order to understand how the Interception legislation applies to the Internet, it is necessary to determine whether a given communication is in the form of guided or unguided electromagnetic energy. Ultimately, that is a question for expert evidence.
However, based on my limited (high school) understanding of physics, it seems to me that there is a reasonable argument that the term ‘electromagnetic energy’ is synonymous with electromagnetic radiation. In other words, an element of propagation is essential to the concept of electromagnetic energy. If this is correct, it is difficult to classify data held in a digital storage medium as electromagnetic energy. This results in the following position:
If this is correct, the primary legislative basis at present for the establishment of email privacy is the offence for unauthorised access to a computer. From a user’s perspective, an Internet access provider is unlikely to commit such an offence by monitoring any email held in the user’s mailbox administered by the access provider. Rather, this issue is left to the subscription contract and general obligations of confidence.
However, the telecommunications industry is about to undergo a regulatory revolution with the passage of the 1997 telecommunications reforms through Parliament. This may have a considerable impact on Internet access providers, including in relation to privacy issues.
The 1997 telecommunications regime classifies the participants in the telecommunications industry in broad terms as either a ‘carrier’ or a ‘service provider’. Service providers are, in turn, broken down into ‘carriage service providers’ and ‘content service providers’.
The carriers are the owners of the telecommunications infrastructure — referred to as ‘network units’ which comprise the line links and transmission facilities necessary to establish connections between distinct places. They are the most heavily regulated businesses under the regime.
Carriage service providers are those who supply a ‘listed carriage service’ to the public using a network unit owned by one or more carriers. A listed carriage service is a ‘carriage service’ between two or more points, at least one of which is in Australia. And a carriage service is a service for carrying communications by means of guided and/or unguided electromagnetic energy. Many activities of carriage service providers are regulated under the legislation, but much of the regulation is restricted to those carriage service providers who offer a ‘standard telephone service’.
Content service providers are those who use a listed carriage service to supply a ‘content service’ to the public. A content service is a broadcasting service or an online service (whether for the provision of information, entertainment or educational material). Accordingly, it appears that anyone operating a web site will be considered to be a content service provider. However, the regulation of content service providers is light handed, and most web site operators will be unaffected by the change.
The more interesting issue is whether an Internet access provider falls within the definition of a ‘carriage service provider’. For this to be the case, it is necessary to find that an access provider provides a service for carrying communications by means of guided and/or unguided electromagnetic energy. Certainly communications over the Internet are transmitted by these means. But the critical question is: ‘who carries these communications’?
This is not an easy question to answer. Each user will have a contract with a carriage service provider (whom I will refer to as the ‘primary CSP’) for the carriage of data between the user’s location and the access provider’s point of presence. Typically, the access provider and the primary CSP will be different businesses. However, once a communication reaches the access provider’s point of presence it is routed to the appropriate remote computer by the access provider, and the primary CSP may well play no further role until the access provider routes a communication back to the user. It seems to me that there is an arguable case that the access provider falls within the definition of a ‘carriage service provider’ in that it has agreed with the user to carry communications between its points of presence and any remote computer connected to the Internet.
If the argument above is correct, Internet access providers will be subject to considerable regulation that they are presently not subjected to. Privacy issues, in particular, would be affected.
Part 13 of the 1997 Act is entitled ‘protection of communications’. Part 13 establishes a regime to prevent the unauthorised use or disclosure of:
(i) the contents or substance of communications that have been or are being carried by means of guided and/or unguided electromagnetic energy; and
(ii) any ‘affairs or personal particulars’ of users of the carriage service.
In essence, Pt 13 imposes statutory obligations of confidence on carriers and carriage service providers and their employees.
Although the exceptions to the obligations of confidence are, in many respects, considerably wider than under the equivalent provisions of the existing telecommunications regime (and under the exceptions to the Privacy Act’s IPPs), the legislation does establish a data protection regime (which would otherwise be unavailable) to the benefit of users.
Part 15 of the 1997 Act, is concerned with cooperation between law enforcement agencies on the one hand and carriers and members of a specified class of carriage service providers on the other. It is possible that Internet access providers could be required to ensure that they are in a position to provide a specified kind of interception capability (so as to enable warrants issued under the telecommunications interception legislation to be effective). However, it does not appear that an access provider could be required to decrypt any encrypted communications passing over their equipment. Rather the requirement would be to allow the communication to be recorded.
The Internet Industry Association of Australia (‘INTIAA’) was formed in late 1995. Its members believed that it was important to promote corporate responsibility in the industry. To that end, one of its first acts was to issue a draft code of practice for participants in the industry. The first draft was published in February 1996. The code is intended as a voluntary code to which individual members of INTIIA may subscribe. Following a consultation process, in September 1996 a second draft was published. One of the topics addressed by the code is data protection. It provides for limitations on collection of data (including by passive recording of actions) relating to users and the use of such data. Code subscribers also undertake to take reasonable steps to establish access and correction rights.
In December 1996 a working group established by the Standing Committee of Officials of Consumer Affairs (a national committee) issued a draft distance selling code of conduct. It is proposed as a voluntary code of conduct to be adopted by persons referred to as ‘distance sellers’, ‘direct marketers’, ‘list users’, ‘list owners’, ‘list compilers’ and ‘list brokers’.
The code has relevance to the Internet because of its definition of ‘direct marketing’. Direct marketing is defined to mean the marketing of goods or services through a means of communication at a distance where:
(a) consumers are invited to respond using a means of communications at a distance; and
(b) it is intended that the goods or services be supplied under a contract negotiated through means of communication at a distance.
In turn, ‘means of communication at a distance’ is defined to include electronic mail and the Internet.
Each of the kinds of persons eligible to undertake to comply with the code is involved in the activity of direct marketing.
The most significant feature of the code is its consumer protection provisions (dealing with issues such as cooling off periods — something alien to many on-line businesses — and trade promotions). The code also contains a part dealing with privacy protection, which is intended to apply to code subscribers who collect personal information or compile or use lists containing personal information that may be used for direct marketing purposes. The code imposes disclosure obligations as to the primary and secondary purposes for which personal information is being collected. It prohibits the collection and use of certain sensitive information and establishes:
Interestingly, the code does not appear to contain prohibitions equivalent to IPPs 10 and 11 (that is, restrictions on the use and disclosure of information for purposes other than those disclosed at the time of collection).
Patrick Gunning is a Solicitor at Mallesons Stephen Jaques, Sydney (Email: Patrick_Gunning@msj.com.au) This paper was presented to IIR’s Data Protection & Privacy conference, 12 May 1997.
 See ‘HTTP State Management Mechanism’ at http://www.internic.net/rfc/rfc2109.txt. Telecommunication (Interception) Act 1979, s 7(1).  See Graham Greenleaf’s article ‘Interception’ on the Internet — the risks for ISPs’ (1996) 3 PLPR 93.  Telecommunication (Interception) Act 1979, s 5(1) — definition of ‘telecommunications system’.  Telecommunication (Interception) Act 1979, s 5(1) — definition of ‘telecommunications network’.  From a regulatory perspective, the recording of sound waves is the domain of the various State laws in relation to listening devices.  Here I am referring to any form of storage — even storage in a temporary medium such as RAM or a buffer.  Here I have used the language employed in the specification for Simple Mail Transfer Protocol (SMTP) found at http://ds2.internic.net/std/std10.txt.  I would like to issue a strong disclaimer in relation to this section of the paper. I do not profess an intimate knowledge of the 1997 telecommunications regime — I have not followed its development closely nor considered the issue of whether an Internet access provider might be a carriage service provider for any great period of time. What follows is very much a first impression and should be treated as such.  A point may be mobile or potentially mobile.  ‘Broadcasting service’ has its meaning under the Broadcasting Services Act 1992 — that is, point-to-multipoint services — including pay-TV.  Note that an access provider is also likely to fall within the definition of a ‘content service provider’.  A notable aspect of the regulation is Pt 9, which imposes performance standards promulgated by the ACA on carriage service providers in respect of particular kinds of carriage services. Part 22 is also worthy of comment. Potentially, there may be rules regarding the portability of users’ email addresses between access providers.  See the definition of ‘eligible person’.  See Graham Greenleaf, ‘Call data — no warrants needed’ (1997) 3 PLPR 182 for a brief summary of this issue.  The second draft is available at http://www.intiaa.asn.au/codeV2.htm.  The draft code and accompanying discussion paper is available at http://www.accc.gov.au/docs/draft/httoc.htm.