Privacy Law and Policy Reporter
The purpose of the survey was to answer a number of questions.
Eighty-five per cent of websites surveyed asked for some form of personally identifiable information from the user in subscription registrations, online promotions, order forms and other means (Figure 1). This ranged from as little as requesting an email address to a complete personal profile including demographic, social and financial information.
It is quite clear from the survey results that the overwhelming majority of websites have not addressed the privacy concerns of the online consumer. Australian businesses online have failed to realise the economic value in addressing privacy concerns and this will inevitably affect their long-term profitability. More importantly perhaps, 94 per cent of websites within the top 200 do not conform to the NPPs, as they do not adequately inform the user of their information collection practices. The Government has announced that it will shortly introduce ‘light touch’ legislation based on the NPPs. While it is arguable whether this legislation will afford the level of protection that consumers will require in the future, the current state of play indicates that online organisations have much to do if they wish to meet the minimum privacy protection requirement which the legislation will mandate.
The encouraging statistic that comes out of the survey is that 87 per cent of online merchants employ a secure payment mechanism. The perception of credit card security through the use of a secure payment system is a good first step. Unfortunately, if a consumer were to assume that because a merchant is using the Secure Sockets Layer (SSL) system their credit card details are secure from outside access, they would be sadly mistaken. The SSL system of security only secures the transmission stream between the consumer and merchant; it does nothing to ensure the security of personal information once it resides with the merchant. If a hacker wished to steal credit card details, the first place they would go would be to the merchant server, which would house many more credit card numbers than could be intercepted in a transmission stream.
It is also well recognised that 75 per cent of all security breaches occur from within an organisation. The SSL security system does nothing to prevent the merchant or the merchant’s employees from accessing personal information. A secure payment mechanism is the first step. The logical next step is to inform the user what safeguards and procedures are in place to ensure the privacy and security of personal information at the merchant end.
While nearly all the sites surveyed allowed users to browse through the site anonymously, there were very few sites that displayed techniques to allow the user to remain anonymous while using the services on offer or to make anonymous online purchases. One of the main reasons for this is the fact that no online payment options other than a credit card were made available to the consumer. The credit card has become the standard payment mechanism for online purchases, but with its use on the internet has come a lack of anonymity and greater privacy and security risk for the consumer.
Ben Macklin is the Director of ePrivacy <www.eprivacy.com.au>, an online resource for businesses and consumers about online privacy issues. He also provides Opt-In, a free bi-weekly email newsletter of cyberlaw, telecommunications, e-commerce and IT news. He can be contacted at <firstname.lastname@example.org>.
This article was first published in issue 157 of Communications Update August 1999.