The limits of freedom

Two events this week raise big questions about our privacy. The first was the mistake by Ticketek of sending an advertising email to its customers along with several thousand private email addresses. The second was the release of a mammoth 2,700-page report on privacy by the Australian Law Reform Commission.

Ticketek's error shows how hard privacy is to protect and to police. A simple human error meant that thousands of people had their email address put into the public domain. This provided a rich harvest for spammers and other abusers of the Internet. More ominously, organised crime groups might bundle the email details with contextual information such as bogus requests from Ticketek to lure people into revealing even more about themselves.

Internet crime syndicates have become increasingly sophisticated. They have moved on from spamming millions of addresses with Nigerian and other scams in the hope that a few people take the bait. They now tailor rogue emails with information relevant to the target, even so that an email appears to come from inside a person's organisation.

With a University of New South Wales email address, I routinely receive emails that appear to come from our own IT service desk. These ask for private information such as my employee number or request that I click on a link that will infect my computer and even allow the attacker to gain control (thereby rendering my computer a ''zombie'', to use the technical term).

Ticketek says that its mistake covers less than 0.01 per cent of its database, but I would certainly be concerned if I was one of those affected. This loss of privacy could have serious consequences unless the person is aware of what has happened and is vigilant about follow-up emails or other invitations.

Despite this, there is no likely prospect of a remedy against Ticketek. Australia's 1998 Privacy Act is a lengthy, complex piece of law that is unfortunately distinguished by the fact that many regard it as a ''toothless tiger''.

The law does not even require a company to notify its customers if their most private details have inadvertently been made public.

The report by the Australian Law Reform Commission has 295 recommendations on how to fix the Privacy Act. One is that any organisation which collects our data and then breaches our privacy must notify us of the fact. It makes sense that notification not be required where the breach is trivial, but be mandatory where serious harm may result.

In the case of Ticketek, some people will be aware of the mistake due to media reporting or because they have seen their email address revealed along with thousands of others. Others will be oblivious and thereby susceptible to follow-up contact by harmful operators.

The Privacy Act is riddled with exemptions, including for businesses with a turnover of less than $3 million. The Commission recommends that privacy law extend to all companies. Indeed it should. A person's privacy should be protected irrespective of the size of the business. Both small and large businesses should have a responsibility to protect the personal details of their customers.

In a move sure to annoy its political masters, the commission recommends that political parties no longer be exempted from the law. Parties compile large databases containing a wealth of information about voters, including their contact details, local concerns and political preferences. While this certainly helps with campaigning, there is too large a scope for information to be misused. Just because politics is involved should not mean that privacy concerns can be ignored. The exemption should be rejected for what it is: politicians looking after their own interests.

Many of the recommendations represent commonsense change and reveal the poor state of the current law on privacy. A good example is the proposal to prohibit telephone companies charging a fee for people have an unlisted number. People should be able to take their phone number out of circulation, and beyond the reach of telemarketers, without having to pay for the privilege. Access to such a service should not be limited to those people who can afford the fee.