The internet

9.14 The internet is a worldwide collection of interconnected computer networks based on a set of standard communication protocols. The World Wide Web (the Web)—a global collection of publicly accessible electronic information—is accessed by individual computer ‘nodes’ that are attached to the internet. An individual computer node could be, for example, a personal computer (PC) or a wireless device such as a mobile telephone. The internet was created in the mid 1980s and widespread use of it commenced in the 1990s. In 2007, a survey conducted by the Australian Bureau of Statistics indicated that 61% of Australians aged over 15 had accessed the internet within the past 12 months.[26]

9.15 The internet can be used for a myriad of social, economic and political transactions. It can be used by individuals to send and receive messages that include text, images and sound (email). It can also be used by individuals and organisations to engage in trade (e-commerce) or to advertise or promote goods or services (e-marketing). Further, it can be used by individuals to communicate with governments and access government services (e-government); to engage in leisure activities, such as online gaming; or to access information for personal purposes. It has been noted that user-generated content (or ‘Web 2.0’) sites such as MySpace, Facebook, Second Life, LinkedIn and YouTube are increasingly used by individuals for the dissemination of information and for social and professional networking purposes.[27] Increasingly, social, business and political communications take place through user-generated sites, internet chatrooms, webcams and two-way videoconferencing.

Data collection on the internet

9.16 Currently, vast amounts of data are collected about internet users, often without their knowledge or consent. For example, data are often collected about the search terms an internet user has entered into an online search engine; the websites an internet user has visited; and the goods or services an internet user has purchased or inquired about online.[28] Data are also collected about internet users who use tools provided by online search engines, such as free email and map services.[29] These data have the potential to reveal a substantial amount of information about an internet user, including ‘information about health, education, credit history, [and] sexual or political orientation’.[30] Information collected about internet users is not usually linked directly to an individual, but rather to a particular computer. This is because each computer connected to the internet is allocated a unique Internet Protocol (IP) address for the duration of each internet session.[31] Some information collected about internet users may be subject to the model Unified Privacy Principles (UPPs).[32]

9.17 Information collected about internet users can be used for a variety of purposes, such as to create a profile of the individual for marketing purposes. In 2007, 65% of respondents to research conducted for the OPC indicated that they had more concerns about their privacy when providing details online rather than in hard copy format.[33] Half of the respondents indicated that they had more concerns about their privacy when using the internet than they did two years previously.[34] This section provides a brief overview of the way in which data about internet users can be collected.

Cookies

9.18 A ‘cookie’ is a piece of information that is sent from a computer or website to an internet user’s browser. The browser stores the information on the internet user’s computer. If the user accesses the same website at a later time, the cookie is sent back from the user’s computer to the website, thereby indicating that the same user has returned to the same website.

9.19 Cookies are used for a number of purposes, such as to personalise online search engines and store lists of items to be purchased online. Although cookies are principally linked to computers, they can also be linked to an individual in certain circumstances. For example, a cookie could be linked to an individual user if the user provides identifying details, such as his or her name and address, when browsing a website.

9.20 Cookies are often stored on an internet user’s computer, and accessed by websites visited by the user, without the user’s knowledge or consent. In addition, cookies can, in some circumstances, have a lifespan of several years. It is possible, however, for an internet user to take steps to prevent cookies being stored on his or her computer. For example, if the user’s operating system allows it, he or she can limit the lifespan of cookies so that they are only stored for as long as the user’s browser is running. Alternatively, an internet user can purchase and install software to assist the user to control the use of cookies when he or she enters the online environment.
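The cookie lifespan described in paragraphs 9.18 to 9.20 can be read directly from the `Set-Cookie` header a website sends. The following is an added example, not part of the original report: it classifies cookies as session or persistent, lists those that outlive an assumed one-year review threshold, and rewrites a cookie so that it lasts only while the browser is running. The header values, the receipt time and the threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: Set-Cookie header values as a website might send them.
SAMPLE_SET_COOKIE = [
    "basket=item17; Path=/",
    "prefs=lang-en; Max-Age=2592000; Path=/",
    "uid=7f3a9c; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/; Domain=.ads.example",
]
RECEIVED_AT = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed receipt time


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, cookie_value, attributes)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name, _, cookie_value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, cookie_value, attrs


def lifespan(value, received_at):
    """Return None for a session cookie, else how long the browser keeps it."""
    _, _, attrs = parse_set_cookie(value)
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - received_at
    return None


def long_lived(values, received_at, limit=timedelta(days=365)):
    """Names of cookies that outlive `limit` (an assumed review threshold)."""
    names = []
    for value in values:
        life = lifespan(value, received_at)
        if life is not None and life > limit:
            names.append(parse_set_cookie(value)[0])
    return names


def as_session_cookie(value):
    """Drop Expires/Max-Age so the cookie lasts only while the browser runs."""
    parts = [part.strip() for part in value.split(";")]
    keep = [p for p in parts
            if p.partition("=")[0].strip().lower() not in ("expires", "max-age")]
    return "; ".join(keep)
```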

Web bugs

9.21 A web bug is a small, invisible image that is included on a web page or email. When a web page containing a web bug is accessed, the web bug collects certain information, such as the IP address of the computer, the time the web page was accessed, and the type of browser used to access it. Web bugs are often used on web pages by third parties, such as advertisers, to track the web pages accessed by users. It has been noted that virus scanners have mixed success in locating web bugs on web pages as it is impractical to scan every web page that is accessed by a user.[35]

9.22 When an email containing a web bug is opened, the sender of the email is informed that the email has been opened and the time at which it was opened. In addition, web bugs can identify the IP address of the computer that opened the email. Web bugs can be used by marketers and ‘spammers’ to verify the validity of email addresses, or by individuals wishing to be informed of the number of times their email has been forwarded and read.[36]

Hypertext transfer protocol

9.23 Hypertext transfer protocol (HTTP) is a set of rules developed to enable information to be requested and sent on the Web. In order to access a particular web page, an internet user’s browser must first request certain information. For example, it must send information about the Uniform Resource Locator (URL) of the web page that the user wishes to access. Further information can also be sent during the request for information, however, such as the email address of the internet user or the last web page viewed by the user.[37] If the last web page viewed by the user was an online search engine, then the search term entered into the search engine is also transmitted.[38] In addition, it is possible for the identity of the user to be disclosed if the user’s internet service provider (ISP) does not take steps to prevent this from happening.[39]
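The disclosures described in paragraph 9.23 travel in HTTP request headers: the last page viewed in `Referer` and, where a browser sends it, an email address in `From`. The following is an added example, not part of the original report: it lists what the receiving website learns from one request and then produces a minimised request with `From` removed and `Referer` cut down to the site only. The request, host names and the list of search-term parameter names are constructed assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the browser follows a link from a search results page.
SAMPLE_REQUEST = (
    "GET /clinic/opening-hours HTTP/1.1\r\n"
    "Host: www.health-site.example\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "From: jane@mail.example\r\n"
    "Referer: http://search.example/results?q=diabetes+clinic+brisbane&page=2\r\n"
    "\r\n"
)
SEARCH_PARAMS = ("q", "query", "search", "p")  # assumed search-term parameter names


def parse_headers(raw):
    """Return (request_line, {lower-cased header name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def disclosures(raw):
    """What the receiving website can read from this single request."""
    request_line, headers = parse_headers(raw)
    found = {"requested": headers.get("host", "") + request_line.split()[1]}
    if "from" in headers:
        found["email"] = headers["from"]
    referer = headers.get("referer")
    if referer:
        found["previous_page"] = referer
        terms = parse_qs(urlsplit(referer).query)
        for param in SEARCH_PARAMS:
            if param in terms:
                found["search_terms"] = terms[param][0]
                break
    return found


def minimise(raw):
    """Drop the From header and reduce Referer to scheme://host/."""
    head, sep, body = raw.partition("\r\n\r\n")
    kept = []
    for line in head.split("\r\n"):
        name = line.partition(":")[0].strip().lower()
        if name == "from":
            continue
        if name == "referer":
            parts = urlsplit(line.partition(":")[2].strip())
            line = f"Referer: {parts.scheme}://{parts.netloc}/"
        kept.append(line)
    return "\r\n".join(kept) + sep + body
```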

Spyware and remote access software

9.24 Software such as remote access software or spyware installed on a computer can enable a third party to view the activity or data on that computer.[40] Remote access software can be used for beneficial purposes, for example, by an employee in an organisation to fix another employee’s computer from another location. On the other hand, spyware can be installed without the knowledge or consent of the user of the computer for malicious purposes, such as to collect personal information about the user for the purpose of engaging in fraudulent activities.

9.25 Spyware can be installed on a computer in a number of ways. For example, it can be physically installed by another individual, or installed in the online environment where it may be attached to an email or to downloaded material. In 2005, the Australian Government Department of Communications, Information Technology and the Arts (DCITA) announced the outcome of a review of spyware. DCITA concluded that the most serious and malicious uses of spyware were adequately addressed by existing laws, such as computer offences in the Criminal Code (Cth).[41]

Social engineering

9.26 Social engineering practices, such as ‘phishing’, rely on a person providing information to another person, whether face-to-face, over the telephone or over the internet. Social engineering involves ‘human interaction (social skills) to obtain or compromise information about an organization or its computer systems’.[42] Phishing is discussed further in Chapter 12.

Security of the internet

9.27 There is concern about the security of personal information transmitted via the internet, particularly the security of information disclosed during the course of e-commerce. Such information may be intercepted during transmission or accessed in an unauthorised manner when stored electronically. Shortcomings in internet security have prompted research projects such as the ‘Clean Slate Program’ at Stanford University, which aims to design a new internet that is robust, predictable and ‘inherently secure’.[43] This section focuses on internet and computer security. It should also be noted, however, that other technologies—such as wireless networks—have security risks that present significant privacy implications.[44]

9.28 A number of reports suggest that data thieves are increasingly ‘hacking’ into computer systems.[45] There are a number of ways that ‘hackers’ can access personal information transmitted over the internet or stored on computer systems. For example, a hacker may infect a computer with spyware that can collect personal information displayed on a computer screen or stored on a computer system.[46] More sophisticated hacking techniques include the use of ‘rootkits’, which can be installed directly in an operating system kernel or system hardware and take over an entire computer system.[47] Rootkits have been described as ‘cloaking technologies’ since they can operate with other malware to hide ‘files, registry keys and other operating system objects from diagnostic, antivirus and security programs’.[48]

9.29 Rootkits can be used to establish ‘botnets’, which are automated crime networks controlled by ‘botherders’ who use malware to infect numerous computers. Botnet computers are referred to as ‘zombies’ because a user of an infected computer generally is unaware that the computer has become part of a botnet. Botnets can be used by botherders to carry out distributed denial of service attacks, including phishing and spam attacks and, ultimately, identity theft. The Federal Bureau of Investigation has arrested a number of botherders in the United States. Botherders operate in several nations, however, and effective policing of botnets depends on inter-jurisdictional cooperation.[49]

9.30 Individuals are often advised to use commercially-available programs such as anti-virus and anti-spyware programs to ensure computer and network security.[50] It has been noted, however, that market-based solutions may not provide adequate protection against hackers.[51] Moreover, an online safety study conducted in the United States in 2006 indicates that many individuals incorrectly assume that their anti-virus protection is adequate and up-to-date.[52]

9.31 In Chapter 10, the ALRC recommends that the OPC should develop and publish guidance about technologies that impact on privacy. This guidance should incorporate relevant local and international privacy and security standards.[53] Further, in Chapter 51 the ALRC recommends that the Privacy Act be amended to require agencies and organisations to notify the OPC and any affected individuals of data breaches in certain circumstances.[54] This measure is intended to reduce the likelihood of security breaches leading to identity theft.

The internet of things or ubiquitous computing

9.32 The United Nations agency for information and communications technologies, the International Telecommunication Union, has predicted that the next development in information transfer will be the ‘internet of things’. The internet of things, or ubiquitous computing, will allow the transfer of information between inanimate objects, humans, the internet, intranets and peer-to-peer networks—without the need for personal computers.[55] The internet of things will use wireless technologies such as RFID, which is discussed below, together with smart and sensor technologies and miniaturising technologies such as nanotechnology.[56]

9.33 The internet of things will be based on next generation networks (NGNs), which use ‘packet-based’ Internet Protocol (IP) technology. Many telecommunications devices currently use the Public Switched Telephone Network (PSTN), which is a ‘circuit-switched’ network. In NGN networks, linked devices are more mobile than in PSTN networks, and service delivery is not linked to the underlying transport technologies.[57]

9.34 The internet of things could impact on privacy by allowing more information to be collected from an individual without his or her knowledge or consent. In addition, the convergence of technologies in the internet of things means that individuals could be more easily tracked, monitored and profiled.[58] It also has been noted that remote access to sensor networks could impact on security of information, as data thieves could ‘collect information from further away and from multiple locations simultaneously’.[59] The European Commission is monitoring these developments and at the end of 2008 intends to issue to the European Parliament a communication on privacy, trust and governance issues related to the internet of things.[60]

[26] Australian Bureau of Statistics, 8146.0—Household Use of Information Technology, Australia, 2006–2007 (2007).

[27] See, eg, Australian Communications and Media Authority, Submission PR 268, 26 March 2007; B Howarth, ‘Another Life’, Australian IT (online), 3 April 2007, <www.australianit.news.com.au>.

[28] Y Fen Lim, Cyberspace Law: Commentaries and Materials (2nd ed, 2007), 127.

[29] See, eg, A Brown, ‘Google is Watching …’, The Age (Melbourne), 2 September 2006, Insight 3.

[30] Y Fen Lim, Cyberspace Law: Commentaries and Materials (2nd ed, 2007), 127–128.

[31] G Greenleaf, ‘Privacy Principles—Irrelevant to Cyberspace?’ (1996) 3 Privacy Law & Policy Reporter 114, 115.

[32] In Ch 6, the ALRC recommends an amendment to the definition of ‘personal information’. See Rec 6–1.

[33] Wallis Consulting Group, Community Attitudes Towards Privacy 2007 [prepared for the Office of the Privacy Commissioner] (2007), [12.1].

[34] Ibid, [12.1].

[35] W Caelli, Correspondence, 2 April 2007.

[36] Y Fen Lim, Cyberspace Law: Commentaries and Materials (2nd ed, 2007), 133.

[37] Office of the Privacy Commissioner, Protecting your Privacy on the Internet <www.privacy.gov.au/internet> at 24 April 2008.

[38] Y Fen Lim, Cyberspace Law: Commentaries and Materials (2nd ed, 2007), 134.

[39] Ibid, 135.

[40] Australian Government Department of Communications, Information Technology and the Arts, Spyware Discussion Paper (2005), [2.2.2].

[41] Australian Government Department of Communications, Information Technology and the Arts, Outcome of the Review of the Legislative Framework on Spyware (2005), [2.3].

[42] United States Computer Emergency Readiness Team (US-CERT), National Cyber Alert System—Avoiding Social Engineering and Phishing Attacks (2004) <www.us-cert.gov/cas/tips/ST04-014.html> at 24 April 2008.

[43] N McKeown and B Girod, Clean-Slate Design for the Internet—A Research Program at Stanford University: Whitepaper Version 2.0 (2006) Stanford University, 2–3.

[44] See, eg, R Naraine, Wi-Fi Hacking, with a Handheld PDA (2007) ZDNet <blogs.zdnet.com> at 6 February 2007; D Goodin, ‘Flash: Public Wi-Fi Even More Insecure than Previously Thought’, The Register (online), 2 August 2007, <www.theregister.co.uk>.

[45] See, eg, ‘The Year Hacking Became a Business’, Australian IT (online), 30 January 2007, <www.australianit.news.com.au>; J Evers, ‘Homeland Security Sees Cyberthreats on the Rise’, CNET News.com (online), 8 February 2007, <news.com.com>.

[46] W Caelli, Correspondence, 2 April 2007.

[47] D Fisher, ‘Rootkit Dangers at an ‘All-time High’’, SearchSecurity.com (online), 6 February 2007, <searchsecurity.techtarget.com>.

[48] Australian Institute of Criminology, High Tech Crime Brief No 12, 2006—High Tech Crime Tools, 1 December 2006.

[49] See, eg, ‘FBI Tackles “Zombie” PC Networks’, Sydney Morning Herald (online), 17 June 2007, <www.smh.com.au>.

[50] See, eg, Australian Government, Securing Your Computer (2007) Australian Government Department of Communications, Information Technology and the Arts <www.staysmartonline.gov.au/securing_your_computer> at 24 April 2008.

[51] P Croll and W Caelli, Consultation PC 88, Brisbane, 13 February 2007.

[52] National Cyber Security Alliance and Bank of America, Online Fraud Report (2006), 1.

[53] Rec 10–3.

[54] See Rec 51–1. Identity theft is discussed in Ch 12.

[55] International Telecommunication Union, The Internet of Things (2005), 3.

[56] For an overview of nanotechnology, see S Wood, R Jones and A Geldart, Nanotechnology: From the Science to the Social—A Report for the Economic and Social Research Council (2007) Economic and Social Research Council.

[57] International Telecommunication Union, The Internet of Things (2005), 4.

[58] Ibid, 82–3.

[59] Ibid, 83.

[60] Commission of the European Communities, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions—Radio Frequency Identification (RFID) in Europe: Steps Towards a Policy Framework (2007), 11.