Privacy Law and Policy Reporter
The risk of adverse media publicity has now become a major reason for businesses to review and change their privacy practices, after an unprecedented year of privacy debacles in 2000 left many well known brand names tarnished by lax, inadequate and in some cases unethical information practices. Despite the fact that surveys have long highlighted the importance of privacy to consumers, it is only more recently, with far greater media coverage of privacy issues, that the private sector has begun to recognise that privacy issues are a major risk to the public reputation of businesses.
In some respects, it is not surprising that increasing public attention on privacy issues is likely to expose the bad information practices of some organisations. Survey research has indicated that many organisations do not have clearly developed or well implemented privacy policies; and while online privacy practices are improving, they fall well short of any generally accepted privacy benchmark. Even in sectors where a substantial amount of personal information is collected, such as online recruitment services, many websites still do not have privacy policies. Among those that have a policy, many do not have adequate privacy standards.
As the spotlight on internet practices has intensified in recent years, a growing list of companies have come under attack for careless, unethical or even deceptive information practices. The public reputations of businesses can be damaged by:
These risks are illustrated by some of the privacy stories which hit the news during 2000.
The year began with online software distributor Real Networks still smarting from a blitz of negative publicity after The New York Times revealed that it was collecting information about the musical tastes of 13.5 million Real product users without their knowledge. Real Jukebox, software downloaded through the Real Networks site, was scanning users’ hard drives and transmitting information about their musical interests and music player back to Real Networks. This information was then added to pre-existing customer profile information. Although Real Networks is a member of TRUSTe and displayed its logo on its website, TRUSTe refused to launch an investigation into Real Networks because its licence only covers information collected from consumers over a website and, since the information was actually collected by software downloaded from a website, Real Networks had not violated its TRUSTe licence. TRUSTe did announce, however, that it would review its licence agreements.
In perhaps the best known incident of the year, online advertising agency DoubleClick came under siege from public outrage for unlawfully obtaining and selling customers personal inform-ation. DoubleClick is the leading online advertiser, with revenues which had grown from $US9 million in 1995 to $US258 million in 1999. By the end of 1999 DoubleClick was serving 30 billion targeted ads per month, and serving ads to around 12,000 websites. In late 1999, DoubleClick began combining and cross-referencing personal information from the web browsing habits of users with the database of a direct marketing firm, Abacus, which it had recently acquired. DoubleClick planned to match home address, name and purchasing habits to individuals’ web usage patterns. Following extensive publicity, a consumer backlash, legal action by the Michigan State Attorney-General, an Trade Federal Commissioner (FTC) investigation and a drop of one-third in its share price, DoubleClick suspended its matching practices in March 2000. Estimates of the cost to DoubleClick of the incident — which occurred at the time of its second capital raising — range as high as $US2.2 billion.
Controversy erupted for internet service provider PSINet when CNetNews.com claimed that PSINet was covertly profiting from spamming while publicly opposing it. CNet News.com obtained a ‘pink contract’ which indicated that a marketing firm in Louisiana was paying PSINet an extra $27,000 in a one off payment for ‘increased risks associated with this agreement’. Cajunnet, the marketing firm, sent out 5 to 20 million spam messages at one time — helping to explain the additional payment given the likelihood of a large number of complaints and the risk of damage to PSINet’s reputation if the arrangement came to light. At the same time, PSINet’s stated policy on spam had indicated that customers would be cut off if caught using spam. PSINet subsequently terminated the relationship and embarked on new compliance and training efforts internally to avoid the repetition of any such incidents.
American toy e-tailer Toysmart drew criticism when it announced that it intended to sell off its customer database after the company filed for bankruptcy on May 19. The decision to sell off the 250,000 customer records contradicted an express promise on Toysmart’s website never to sell customer information. This reversal in policy prompted the intervention of the FTC, which sued Toysmart for engaging in deceptive conduct. Forty-two states also sought a court injunction from the Federal Court to prevent the sale taking place, on the basis that it would violate their individual consumer protection schemes. The FTC eventually came to an agreement with the company that precluded the sale of the database as a separate asset, such that Toysmart could only sell the customer database as part of the sale of the whole website. No company came forward to buy Toysmart, and in early January 2001 Toysmart’s majority owner, Disney, paid $50,000 to destroy the database.
Stories of website security breaches which placed customer information at risk became a familiar story during 2000.
The year began with online music seller CD Universe losing more than 300,000 credit cards to a Russian hacker. Credit card cleaning house Creditcards.com lost another 55,000 records, and in December it was reported that the hackers had broken into the Egghead website, potentially gaining access to 3.7 million customer profiles. (The company later reported that investigations indicated that the hackers had not gained access to the customer records.)
At the year’s end, a hacker broke into the customer database of GlobalCentral.com, a Wyoming internet service provider, and sent information to customers including their credit card number, bank account numbers, address, telephone number and terms of their contract with GlobalCentral. The hacker was reportedly motivated by opposition to GlobalCentral’s support of a conservative family values organisation.
Furniture retailer Ikea attracted attention when it was revealed that its customer database, containing names, phone numbers and postal and email addresses, was publicly accessible on the web for over two days in early September 2000. The company claimed that the security breach was caused by a hacker, a claim disputed by experts who cited the lack of adequate authentication or firewall software as a contributing factor. The incident was Ikea’s second privacy slip-up that year, with the company drawing criticism in March for adopting a spam based advertising strategy. The company had offered a $75 discount coupon to any customer who emailed a promotional e-card to 10 of their friends. The scheme generated 37,000 emails within one week before Ikea stopped the promotion in response to severe public criticism.
On 7 July 2000, a customer of British power utility Powergen, while attempting to pay a bill online, managed to accidentally uncover the unencrypted, publicly accessible credit card numbers and payment and personal details of 7000 Powergen customers. In an attempt to defray criticism, Powergen at first denied the leak, then later accused the would-be customer of ‘hacking’ their site. The story was picked up by online magazine Silicon.com which attained from the customer proof of the leak. Despite originally threatening legal action against both the customer and the magazine, Powergen later admitted that the blunder had not be caused by the customer but by the company, assuring customers that its system was now safe.
Australian music e-tailer Sanity.com accidentally disclosed the email address details of customers when it sent out a payment reminder to a group of customers with the names in the ‘To’ field rather than in the ‘Bcc’ field, which would have kept them private.
In April, web search engines revealed pages containing the personal registration of some 35,000 members of the adiamondisforever.com website, a site which gives information about diamonds and which is sponsored by De Beer’s.
Similarly, a computing error on the Amazon.com website resulted in the email address of Amazon members being disclosed on an affiliate partner’s website in September.
While the introduction of the goods and services tax (GST) generally went smoothly, the same cannot be said for the privacy issues surrounding the introduction of the Australian Business Number (ABN) system. The Australian Taxation Office (ATO) found itself embroiled in controversy arising from the fact that the ABN, which had been introduced for businesses, effectively extended to millions of people who do not operate a business in a conventional sense but may be required to obtain an ABN for taxation purposes.
Over 3 million applications for ABNs were received during its first months of operation, although Australian Bureau of Statistics figures indicate that there are only 1.1 million businesses in Australia — suggesting most ABNs were for individuals. But the ATO had not taken into account the extent to which individuals would obtain ABNs, and the fact that ABN records would contain a substantial amount of personal information. Legislation relating to the ABN established a publicly available Australian Business Register, including information on the holders of ABN drawn from the ABN registration forms, and in addition the ATO was making available (at a charge of $20) records of registration related information. Although the ABN registration booklet mentioned that some ABN information would be publicly available, the details of this availability were not clear and applicants were not informed of this on the pages where they entered information. After a substantial public reaction and intervention by the Privacy Commissioner, the Treasurer agreed to legislative amendments and the ATO agreed to limit the amount of information available publicly, and give individuals the option of limiting disclosure of their information if this disclosure could present a danger to them.
Further privacy concerns were raised when a hacker accessed the business and bank account details of up to 27,000 businesses who were accredited suppliers of GST information and assistance packages to businesses through the GST Start-up Assistance Office. The ‘hacker’ reportedly obtained the information without actually hacking the site, as the information was provided on an ordinary page accessible through a URL on the site (the web address of which had not been disclosed). He then emailed 17,000 of the businesses to inform them of the security breach.
The ATO requested the Electoral Commissioner release the names, address and household information contained on the electoral roll in electronic form for a mailout of promotional information about the GST from the Prime Minister’s Office, with information targeting particular individuals on the basis of the household information. Despite assurances from the Prime Minister that the release of information was legal, subsequent investigations, including one by the Privacy Commissioner, concluded that the disclosure had occurred without any legal basis and was in fact illegal. Newspapers reported that 8 million letters were then pulped and replaced by a letterbox drop. The Government later passed the Commonwealth Electoral Amendment Act 2000 which amended the Electoral Act 1918 (Cth) to allow governments to use the electoral roll, including its demographic information, for political purposes.
In other incidents, Auction site ReverseAuction agreed to a settlement with the FTC in January 2000, agreeing to cease from engaging in unlawful practices including collecting personal information of eBay users and deceptive spamming. Other legal action on privacy grounds was also launched against Amazon.com (through its subsidiary Alexa Internet, accused of sending personal information to Amazon.com without consent), and a class action was filed in Texas against Yahoo! on the basis of a Texan anti-stalking law, arguing that cookies are the cyberspace equivalent of stalking.
Media publicity will never be a substitute for a consistent, industry-wide set of information practices. Media coverage is, after all, highly selective, open to bias and often trivialises complex issues. Nevertheless, the media plays a critical role as a check on the conduct of large organisations — both government and business. Regardless of legal developments, that role is likely to remain highly significant — after all, privacy debacles are likely to cost organisations more in the court of public opinion than in courts of law.
Tim Dixon specialises in privacy law in the Sydney office of Baker and McKenzie. He is also Chairman of the Australian Privacy Foundation. Thanks to Rob Yezerski for research assistance.