17.08.2010
71.99 This section considers briefly three relatively new technologies that are considered to have privacy implications—voice over internet protocol (VoIP), electronic numbering (ENUM) and web server logs. These technologies are also discussed in Part B.
Voice over internet protocol
71.100 VoIP enables spoken conversations to be conducted in real time over the internet. VoIP services usually operate over a telecommunications network and are classified as carriage services for the purposes of the Telecommunications Act.[108] This means that VoIP service providers generally will be ‘carriage service providers’ that are required to observe the provisions in Part 13 of the Telecommunications Act.
71.101 There are also, however, a variety of VoIP products and services that are closer to pure internet applications in that they tend only to operate over internet protocol networks, and not the Australian Public Switched Telephone Network (PSTN).[109] For example, instant messaging products such as Yahoo Messenger and MSN Messenger allow voice communications from computer to computer over the internet. If a VoIP service does not connect with the PSTN at all, the service provider may not be regulated by the Telecommunications Act but may be regulated by the Privacy Act.[110] It has been noted that:
The Telecommunications Act does not govern the use of these products and services, and it can be persuasively argued that it does not need to. Those who utilise VoIP products and services of this class have no expectations of a telephony-grade service—they would not, for example, be likely to attempt to make an emergency call using such a service … On the other hand, the privacy issues raised by the use of this class of VoIP products and services are no less real simply because they are not appropriate to be regulated by the Telecommunications Act.[111]
71.102 The OPC submitted that it is unclear whether the definition of a ‘carriage service provider’ in s 87 of the Telecommunications Act will always encompass the regulation of ISPs, where ISPs provide services that are similar to those of traditional carriage service providers (for example, where an ISP is hosting VoIP services, which are telephone call services that do not route through the regular PSTN).[112] In the ALRC’s view, it is outside the Terms of Reference for the current Inquiry to consider whether the definition of ‘carriage service provider’ under s 87 of the Telecommunications Act should be amended. This issue should be considered as part of the recommended review of the Telecommunications Act.[113]
71.103 Another concern that has arisen in relation to VoIP technology is that Australians may access voice services from providers outside Australia.[114] This may have an impact on the standards of protection for personal information disclosed during a VoIP call.[115] The OPC Review recommended that the Australian Government initiate discussions in international forums to deal with international jurisdictional issues arising from the global reach of new technologies such as VoIP.[116] The ALRC supports this recommendation.
ENUM
71.104 ENUM is an abbreviation for electronic numbering or electronic number mapping. ENUM is ‘an electronic numbering system that can link the public telephone network and the internet by allowing telephone numbers to be converted into internet domain names’.[117] In summary, ENUM enables telephones connected to the internet to make calls to the PSTN and receive calls from the PSTN.[118] The ALRC notes that ACMA has completed a trial of ENUM.[119] It is not known if or when ENUM will become available in Australia.[120]
71.105 ACMA submitted that the next development in ENUM technology, infrastructure ENUM, will involve the mapping of blocks of ENUM registrations ‘to a single Internet resource—generally a Voice over Internet Protocol (VoIP) address’.[121] One application of infrastructure ENUM could involve the ‘peering’—or direct connection—of VoIP services in isolation from the PSTN.[122]
71.106 ACMA commissioned an independent privacy consultant to prepare a privacy impact assessment (PIA) for its ENUM project.[123] The Privacy Impact Assessment made 13 recommendations relating to the implementation of the ENUM project. These recommendations included that ACMA:
adopt, as a guiding principle in relation to ENUM, the position that privacy protections must be no less than those affecting PSTN telephony now;
ensure that ENUM providers do not request individuals’ address details except as required for any billing purposes, in which case post office boxes should be acceptable;
require ENUM providers to publish and maintain a Privacy Policy on their website; and
ensure ENUM providers understand that registration cannot be made conditional upon customers giving ‘consent’ to any unrelated secondary uses or disclosures of their personal information. [124]
71.107 The ALRC understands that ACMA is in the process of implementing these recommendations.[125]
71.108 In the ALRC’s view, it is too soon to recommend legislative amendment to accommodate ENUM in the Privacy Act or telecommunications-specific legislation. Further, as noted in Chapter 10, maintaining technology-neutral privacy legislation is the most effective way to ensure individual privacy protection in light of developing technology.
71.109The public, however, should understand the privacy risks and issues associated with new technologies such as ENUM. The ALRC recommends below that ACMA, in consultation with relevant stakeholders, should develop and publish guidance that addresses privacy issues raised by new technologies such as ENUM.
Web server logs
71.110 Electronic Frontiers Australia noted that it is highly concerned that neither the Privacy Act nor the Telecommunications Act adequately protect personal information contained in web server logs and similar logs, due in part to an inadequate definition of ‘personal information’. It considers that internet protocol addresses should be regarded as ‘personal information’ because they can be used to identify individuals.
EFA considers legislative amendments are necessary as a matter of priority to prevent the disclosure of information about Internet users’ web browsing activities on the grounds of claims that IP addresses are not personal information and that therefore disclosure and use is not regulated.[126]
71.111 The ALRC examines the definition of ‘personal information’ in Chapter 6. In that chapter, the ALRC notes that information that simply allows an individual to be contacted—such as an internet protocol address—in isolation, would not fall within the definition of ‘personal information’. The Privacy Act is not intended to implement an unqualified ‘right to be let alone’. Contact information, however, may become ‘personal information’, however, in certain contexts once an internet protocol address is linked to a particular individual.
71.112 The use and disclosure offences under Part 13 of the Telecommunications Act protect any information or document that relates to the ‘affairs or personal particulars (including any unlisted telephone number or any address) of another person’, the contents of communications or carriage services supplied by carriers and carriage service providers.[127] There is a strong argument that this information would include an internet protocol address.[128]
Guidance on new technologies
71.113 In DP 72, the ALRC expressed the view that the privacy impact of new communications technologies should be addressed in guidance and that this guidance should address not only compliance with the proposed UPPs, but also requirements under the Telecommunications Act and industry codes and standards. The ALRC proposed that ACMA, in consultation with the OPC, Communications Alliance and the TIO, should develop and publish guidance that addresses issues raised by new technologies such as location-based services, VoIP and ENUM.[129]
Submissions and consultations
71.114 A number of stakeholders supported the proposal.[130] Communications Alliance advised that it, along with ACMA, the OPC and the TIO, have agreed in principle to develop guidelines that address the impact of new technologies on privacy related issues. Communications Alliance noted that it would welcome the opportunity to draft an ‘industry led solution’, given its experience of working with the Telecommunications Act.[131]
71.115 Stakeholders noted that ACMA should consult with various bodies when developing the proposed guidance,[132] including law enforcement agencies,[133] consumer organisations,[134] and the DBCDE.[135] Optus submitted that such guidance is unnecessary because the application of the NPPs to new technologies was well understood.[136]
71.116 ACMA submitted that its educative functions might extend to the provision of information to the community about new technologies, and that it will consider factoring the development of such information into its programs, as the need arises. ACMA recommended, however, that Communications Alliance should be encouraged to develop guidelines for industry participants to conduct PIAs of emerging technologies, applications and services, such as location-based services, VoIP, and electronic number mapping initiatives.[137]
ALRC’s view
71.117 In Chapter 10, the ALRC suggests that making the Privacy Act technology neutral is the most effective way to ensure individual privacy protection in light of developing technology. Current technologies do not alter fundamentally the nature of the information-handling cycle. The ALRC notes the limitations of the Telecommunications Act in dealing with converging technologies in the telecommunications environment.
71.118 ACMA, in consultation with the OPC, Communications Alliance and the TIO, should develop and publish guidance that addresses issues raised by new technologies. This guidance should provide advice on compliance with the model UPPs and requirements under the Telecommunications Act, industry codes and standards. ACMA should be required to consult broadly with industry stakeholders, including consumer groups, law enforcement agencies, government departments, and industries that may use such technologies.
71.119 ACMA, in consultation with the OPC and the TIO, should encourage Communications Alliance to develop guidelines for industry participants to conduct PIAs of emerging technologies, applications and services. In Chapter 47, the ALRC recommends that the OPC should develop and publish PIA Guidelines tailored to the needs of organisations.[138]
Recommendation 71-4 The Australian Communications and Media Authority, in consultation with the Office of the Privacy Commissioner, Communications Alliance, the Telecommunications Industry Ombudsman, and other relevant stakeholders, should develop and publish guidance that addresses privacy issues raised by new technologies such as location-based services, voice over internet protocol and electronic number mapping.
[108] Australian Government Department of Communications‚ Information Technology and the Arts, Examination of Policy and Regulation Relating to Voice Over Internet Protocol (VOIP) Services (2005), 19.
[109] The PSTN is the network of the world’s public circuit-switched telephone networks. It was originally a network of fixed-line analog telephone systems, but is now almost entirely digital, and includes mobile as well as fixed telephones.
[110] J Malcolm, ‘Privacy Issues with VoIP telephony’ (2005) 2 Privacy Law Bulletin 25, 26.
[111] Ibid, 26.
[112]Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.
[113] Rec 71–1.
[114] J Malcolm, ‘Privacy Issues with VoIP telephony’ (2005) 2 Privacy Law Bulletin 25, 25.
[115] Ibid, 25.
[116] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 70.
[117] Australian Communications Authority, Annual Report 2004–05 (2005), 36.
[118] Australian Communications and Media Authority, What is ENUM or Electronic Number Mapping? <www.acma.gov.au> at 30 July 2007.
[119] Australian Communications and Media Authority, Australian ENUM News (2006) <www.acma.gov.au/
WEB/STANDARD//pc=PC_2328> at 30 April 2008.
[120] ENUM is discussed in more detail in Chs 9, 10.
[121]Australian ENUM Discussion Group, Evaluation of the Australian ENUM Trial (2007), App B; Australian Communications and Media Authority, Submission PR 268, 26 March 2007.
[122] See, eg, Australian Communications and Media Authority, Australian ENUM News (2006) <www.acma.gov.au/WEB/STANDARD//pc=PC_2328> at 30 April 2008.
[123] Australian Communications and Media Authority, Submission PR 522, 21 December 2007.
[124] Australian ENUM Discussion Group, Evaluation of the Australian ENUM Trial (2007), App B.
[125] Australian ENUM Discussion Group, Evaluation of the Australian ENUM Trial (2007), App B.
[126] Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.
[127] See, eg, Telecommunications Act 1997 (Cth) ss 276, 277.
[128] See, eg, Replacement Explanatory Memorandum, Telecommunications (Interception and Access) Amendment Bill 2007 (Cth), 6.
[129]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 63–11.
[130]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; P Youngman, Submission PR 394, 7 December 2007.
[131]Communications Alliance Ltd, Submission PR 439, 10 December 2007.
[132]Australian Digital Alliance, Submission PR 422, 7 December 2007.
[133]Australian Federal Police, Submission PR 545, 24 December 2007.
[134]Australian Privacy Foundation, Submission PR 553, 2 January 2008.
[135]Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007.
[136]Optus, Submission PR 532, 21 December 2007.
[137]Australian Communications and Media Authority, Submission PR 522, 21 December 2007.
[138] Rec 47–5.