Privacy Law and Policy Reporter


Macklin, Ben --- "Australian privacy and security website survey 1999" [1999] PrivLawPRpr 49; (1999) 6(4) Privacy Law & Policy Reporter 45

Australian privacy and security website survey 1999

Ben Macklin

Only 6 per cent of Australia’s 200 most accessed websites have an adequate privacy policy.

A privacy policy posted on a website is a valuable indicator of what an organisation does with information in its possession. With the growth in electronic commerce and the increasing number of websites collecting personal information, I undertook a survey of the top 200 most accessed Australian websites to examine their privacy and security policies. The top 200 websites were determined from a list of the most accessed websites, compiled weekly by Ian Webster as a community service at < cent7Eianw/>. This list is derived from a dataset of proxy log files representing web requests from Australians who connect to the internet from a range of internet service providers (ISPs) across Australia. The top 200 websites on 16 April 1999 were used because they represented a cross-section of Australian websites, comprising retail, government, financial, education and company sites. Surveying only the top 100 did not seem appropriate, as there were many search engines, portals and directories within this selection that essentially did not gather personal information.

The survey was carried out in April and May of 1999 as part of a larger research paper, E-Commerce at what price? Privacy protection in the ‘Information Economy’, for completion of a Masters degree in Legal Studies at the Australian National University. It was based on similar studies conducted in the US. In 1997, that country’s Electronic Privacy Information Centre (EPIC) conducted a survey of the top 100 most accessed US websites and found that only 17 sites had explicit privacy policies and none met the basic criteria for privacy protection. In 1998, the US Federal Trade Commission (FTC) conducted a survey of 674 US commercial websites and found that only 14 per cent offered even a hint of an inference of their information collection practices. In a study commissioned by the FTC and completed in May 1999, it was found that 66 per cent of US commercial websites displayed some warning that personal information was being collected. While this was a massive improvement on the 14 per cent result a year earlier, it was found that of the websites that did post a privacy policy, only 10 per cent of these policies were found to be adequate.

The Australian survey does not attempt to paint the complete privacy and security picture of Australian organisations online. It is quite possible that some organisations online have extensive internal privacy and security policies that do not translate to a website or, conversely, that the privacy policy posted on a website is not reflected in reality internally. For a complete study one would need to audit the privacy and security practices within an organisation.

The purpose of the survey was to answer a number of questions.

Eighty five per cent of websites surveyed asked for some form of personally identifiable information from the user in subscription registrations, online promotions, order forms and other means (Figure 1). This ranged from as little as requesting an email address to a complete personal profile including demographic, social and financial information.

The next task was to identify whether the website posted any sort of information practice statement or privacy policy (Figure 2). Less than half (49 per cent) gave the user any indication of what they did with the personal information they gathered. Statements ranged from as little as ‘All information is treated as confidential’ to a comprehensive privacy and security policy, as seen on the ABC website.

An ‘adequate’ privacy policy for the purpose of the survey was one that:

The survey revealed that only 6 per cent of all websites surveyed had an adequate privacy policy. Of those sites that offered goods or services for sale, the overwhelming majority (87 per cent) offered a secure transmission between the user and the merchant. Only 3 per cent of these sites, however, had an adequate privacy policy.

Some of the websites that rated very poorly included those organisations that collect a great deal of personal information from the user. NineMSN, Telstra, OzEmail, Optus and Qantas all had an inadequate privacy policy or no policy at all posted on their websites. Those organisations that rated very well included the ABC, Yahoo! and Seek.

The use of cookies — which has been equated to the notion of a store tattooing a bar code on your forehead, and then laser scanning you every time you come through the doors[1] — was also prevalent. Twenty two per cent of sites sent a permanent cookie to the user’s computer (Figure 3). Only 17 per cent of websites informed the user of the website’s use of cookies.

It is quite clear from the survey results that the overwhelming majority of websites have not addressed the privacy concerns of the online consumer. Australian businesses online have failed to realise the economic value in addressing privacy concerns and this will inevitably affect their long term profitability. More importantly perhaps, 94 per cent of websites within the top 200 do not conform to the NPPs, as they do not adequately inform the user of their information collection practices. The Government has announced that it will shortly introduce ‘light touch’ legislation based on the NPPs. While it is arguable whether this legislation will afford the level of protection that consumers will require in the future, the current state of play indicates that online organisations have much to do if they wish to meet the minimum privacy protection requirement which the legislation will mandate.

The encouraging statistic that comes out of the survey is that 87 per cent of online merchants employ a secure payment mechanism. The perception of credit card security through the use of a secure payment system is a good first step. Unfortunately, if a consumer were to assume that because a merchant is using the Secure Sockets Layer (SSL) system their credit card details are secure from outside access, they would be sadly mistaken. The SSL system of security only secures the transmission stream between the consumer and merchant; it does nothing to ensure the security of personal information once it resides with the merchant. If a hacker wished to steal credit card details, the first place they would go would be to the merchant server, which would house many more credit card numbers than could be intercepted in a transmission stream.

It is also well recognised that 75 per cent of all security breaches occur from within an organisation.[2] The SSL security system does nothing to prevent the merchant or the merchant’s employees from accessing personal information. A secure payment mechanism is the first step. The logical next step is to inform the user what safeguards and procedures are in place to ensure the privacy and security of personal information at the merchant end.

While nearly all the sites surveyed allowed users to browse through the site anonymously, there were very few sites that displayed techniques to allow the user to remain anonymous while using the services on offer or to make anonymous online purchases. One of the main reasons for this is the fact that no online payment options other than a credit card were made available to the consumer. The credit card has become the standard payment mechanism for online purchases, but with its use on the internet has come a lack of anonymity and greater privacy and security risk for the consumer.

The website survey gives a clear indication of an Australian internet market place that is immature and still developing. The scarcity of adequate privacy policies is an important indicator of this. The survey results also indicate a lack of understanding among many e-businesses about the growing sophistication of internet users and the changing business paradigm that has emerged with the internet. Personal information will be the currency that drives e-businesses over the next few years. If an online organisation knows who their visitors and customers are, then they can tailor goods and services and personalise the content to meet their needs and wants, thereby efficiently allocating resources. This same consumer data can also provide advertisers with the most predictive information about the buying habits of current and potential customers. In order for e-businesses to extract personal information from consumers, however, they have to build a relationship of trust. A privacy policy is a good first step in achieving this aim.

Ben Macklin is the Director of ePrivacy <>, an online resource for businesses and consumers about online privacy issues. He also provides Opt-In, a free bi-weekly email newsletter of cyberlaw, telecommunications, e-commerce and IT news. He can be contacted at <>.

This article was first published in issue 157 of Communications Update August 1999.

[1] Clarke R (1998), ‘Cookies’, available at <>.

[2] See James S, ‘Confessions of a professional hacker’ at <>.
