Privacy Law and Policy Reporter
Justin Milne, the General Manager of OzEmail Internet, one of Australia’s leading internet service providers, explains his company’s approach to privacy issues. This paper was first given at the IIR Privacy Law conference in Sydney on 9 May 2000 and is reprinted with IIR’s permission.
The advent of the internet has provided many people in the world with unprecedented access to information. Most people now recognise that this access and the revolution that the ubiquitous network is fostering will change our lives forever and will force us to change many modi operandi. The way we work is changing, as is the way we relax, and certainly the way we communicate. The quickest snapshot of this I’ve heard recently is IDC’s prediction that by 2005 there will be one billion people online and they will conduct one third of all of their transactions on the network.
An internet service provider like OzEmail is in a relatively unique position in this new world. We are the gateway to the network for a large number of people. Right now we provide internet access for around 23 per cent of Australia’s domestic online community. And we are the third largest internet publisher in Australia. My view is that internet penetration will reach about 80 per cent over the next few years — about the same as VCRs. If we simply maintain our market share — and in fact I expect it to grow as the industry rationalises — then sometime in the not too distant future we will have around two million households who connect to the network via OzEmail.
In providing this connection we do some pretty important work. First of all we authenticate the user; in other words, we ask them to prove their identity with a unique username and password, we check that against our records and if we get a match, we let the user in.
Next we collect billing data. A little while ago that billing data was simply minutes online. Every minute ticked up created another ‘event’ which registered against the user’s account. Then, once a month, we add all these events up and use another part of the network to access the user’s credit card account and transfer money from that account to our own. Today our billing events are a little more extensive and in the future they will become even more so.
E-commerce is not only a buzzword; it is also a reality. More and more of our customers are buying things online, conducting their banking online and dealing with government online.
We are about to launch a new technology called OzEpay which allows OzEmail users to make their online purchases billing events on our billing engine, just the same as a minute spent online is. In other words, instead of users sending their credit card details to where the merchant is, they’ll get the merchant to send the details of their purchase to where their credit card is — that is, in our ‘safe’ and away from the public internet part of the network.
Our users also send and store their email with us. Every day we exchange about 1.6 million emails on behalf of our users. Some just pass fleetingly through our system; others reside there for months or years.
Our users also access newsgroups via us and, of course, they visit some of the 2.67 billion pages that constitute the world wide web today.
So — the point of all this is that we collect a fair bit of information during the course of doing business. Today we provide well over 200,000 hours of connectivity a week and in a few years it will be millions of hours a week. And every second our users are logged in they’re generating information.
And here’s the somewhat scary bit. We have the username and password for every one of our users; we have their credit card details, we have a lot of information about their liquidity, we can know about every purchase they make online, with whom, when and for how much. We can know every site they visit on the web — every page, every newsgroup, every picture they look at. We could read all of their mail and know all about their romances and the jobs they’re applying for.
The commercial opportunities arising from this are endless, of course. We could watch what each of our customers does, and then just pop them a quick email that says, ‘Oh — we see that you just bought a nice new pair of brown boots. One of our other merchants just happens to have a special on black socks — just follow this link.’ Or ‘We see that you’ve been looking at dirty pictures tonight — in fact the sixth and 10th pictures you looked at were over the top and you’re busted.’ In short there’s not much we couldn’t find out about the online life of our customers — and remember, in a few years our customer base will represent a sizeable chunk of the Australian population. A chunk about the size of NSW for example. This is becoming irresistible to both marketers and governments, who often share the view that they have a God given right to access private information about the general public.
Then, of course, we could go in for a bit of datamatching, where we instruct our databases to match names, products and addresses with other databases. String three or four conditions together in a query which trawls two or three databases and you get amazing pinpoint clarity. The accuracy of this kind of targeting truly provides the so called ‘market of one’. And the nature of the net means that the marginal cost of marketing to the next market of one is effectively zero.
And right now in Australia there is almost nothing to stop us from doing this. Nearly all of Australia’s privacy legislation is pointed at government. Private corporations can effectively do what they like — with the exception of a few telcos who are caught by the Telecommunications Act 1997 (Cth). Australians have no general right to privacy. We have no Bill of Rights that provides it. Business has no privacy obligation — although we all believe that privacy is our ‘right’.
Up until now the idea of collecting this kind of information on user behaviour and either selling it to a third party, matching it with other data or leveraging it to sell other products has been almost irresistible to many so called ‘dot coms’.
We’ve recently seen Real Networks fall victim to temptation when they provided free downloads of music that contained a file that would send information back to Real. This information would allow them to mail customers with a sales proposition targeted to the kind of music Real knew that the users were playing.
Or there was the even more celebrated instance of Doubleclick collecting information on the surfing habits of users who were not their customers and were totally unaware of the data being collected on them. Doubleclick matched cookie data with another database so as to provide the names of websurfers. Then Doubleclick would know exactly who clicked on what ad banners.
Then there was Intel, who had provided a unique identifier in each computer chip they built. Not in itself unreasonable, but when that identifier was carried by the network back to base and datamatched, Intel could generate a huge amount of accurate information about most of the world’s computer users.
Forrester is one of a number of research firms to recently release a study showing that nearly 90 per cent of online consumers want the right to control how their personal information is used after it is collected. Importantly, this desire applies across a range of demographics and does not diminish as users spend more time online. Moreover, 80 per cent of the 100,000 internet users surveyed would support a policy that prohibits the sale of data to third parties, with half of online customers willing to report infractions to government.
These are powerful figures, and even if you discount them by half the message is still pretty clear. Markets and users value privacy and are prepared to punish organisations that don’t understand that.
We believe that increasingly this will be what users demand and that ISPs who cannot provide satisfactory guarantees of privacy will be spurned in favour of those that do. This could be a factor that will ultimately weigh heavily against the so called free ISPs who trade privacy for access, either restricting their users’ access to sites or generating a stream of ‘targeted’ ads to the desktop whether the user is surfing or not.
Firstly, it is published. It is available on the web all the time, with all of our sites including a link to it. During the sign up process all of our users are made aware of it so they can be certain of their ‘rights’.
Secondly, we comply with the Internet Industry Association (IIA) guidelines in the area of privacy. OzEmail has been a board member of the IIA since its inception and we certainly support the approach outlined in the IIA guidelines.
Next, we have appointed a privacy officer whose job is to monitor our compliance both with our own policy and, in the future, with the privacy legislation. Our privacy officer provides a direct report to our General Counsel, and a dotted line report to me. This officer has the capacity to audit any aspect of our business that relates to privacy, meaning all communications with customers, deals with advertisers and deals with any third parties. The privacy officer is also the principal point of contact for any subscriber who has a privacy issue to raise.
We have configured our mail servers so they cannot be directly used by a third party spammer as a staging post for a spam attack on our customers or any other group. We also encourage our customers to do the same to prevent their mail gateways being abused in a similar fashion. Further, our acceptable use policy states that we will not allow our service to be used by users for the purposes of sending such unsolicited email.
All marketing mail that we send is now ‘opt in’ and ‘opt out’, meaning we do not send commercial mail to users unless they have first requested it, and then, if we do send it, each mail contains an opt out clause. An exception is our monthly newsletter and billing information, which the IIA code clearly exempts from the definition of spam.
We don’t sell any information to third parties, nor do we provide lists or access to lists to third parties.
Over the years we have collected a huge amount of data, a good deal of which is effectively useless but has been kept. We now have a policy of deleting customer records after they have become disabled.
There are a few things we do reserve the right to do, however (essentially in order to improve users’ experience).
Privacy has probably been an issue since organisations started collecting and keeping data about individuals. Today the issues are largely the same as they were 50 years ago; it’s just that computers, and recently the internet, have added a whole new dimension of speed and volume. Over the next few years, the network will become ubiquitous. Most of us will be connected for most of the time. As a consequence we’ll work differently, relax differently, educate ourselves differently — and we’ll also provide more data about our lives than we can currently imagine.
ISPs, especially large ones like OzEmail, have the potential to become repositories for much of this data, so it is essential that we develop and articulate privacy policies which allow our users to travel the network freely and without the fear that someone is watching and recording their every move.
Justin Milne, General Manager, OzEmail Internet.