Protecting Your Privacy

By Chris Cooper

Under the floodlights

Experts say our privacy is on the verge of becoming extinct

Private investigator Chris Cooper wants unfettered access to your personal details but doesn't think you should have access to his. It's a paradox that bedevils much of the privacy debate - how much information should be available in a free society without trampling the rights of the individual?

"Society restricts information from those who investigate crimes while making other personal information more accessible to those who don't really need it," says Mr Cooper, who has written a book that helps people find such information.

"Information is a double-edged weapon. It can bring down crooks or terrify celebrities." he says. The former Australian Special Forces commando says Australians' privacy concerns, even in this digital age, are mostly baseless. "Your average Joe is imagining their privacy is being breached all the time but it's really not the case in Australia."

But for the smart and determined, it is not difficult to compile a dossier on someone else using these basic sources:

  • ASIC: If you run a business or are a director of a company, there's a good chance your home details and past business history is stored in ASIC's databases, available online.
  • Whois: If you bought a domain name or own a website, your name, address and likely a phone number (often a mobile) can be accessed through sites such as http://www.melbit.com.au or any domain name reseller or lookup software.
  • Blogs, public internet postings: If you participate in online discussions or run a web log, these postings may be available for years afterwards and may give an impression of your politics and other beliefs.
  • Wikipedia: Anyone can use the online collaborative encyclopedia to create an entry for you.
  • Satellite mapping: Geographic information systems that sell maps online allow anyone to cheaply get a "spy in the sky" survey of where you live. If fine detail is not crucial then use Google Street View and Google Maps
  • Educational records, newsletters, conferences: If you publish an academic paper or speak at a conference or participate in sports or arts, win an award or do anything noteworthy, chances are that somewhere this will be recorded and made available online.
  • Google cache: A side-effect of Google's search system is its ability to cache or store a copy of information published on the net, often long after the original is gone. Google also indexes pictures, Usenet newsgroup postings, and news articles.
  • WhitePages: Includes mapping information.
  • Private repositories: Companies such as LexisNexis, Acxiom credit reference providers (Baycorp Advantage) and direct mailers may have other information about you, usually sold to other businesses. Trust brokers or credential suppliers, for instance companies that supply public key encryption, hold information on individuals and businesses, to ensure confidence in online transactions.

Although each "silo" of information may contain only a few skerricks of information, together an investigator can build a profile of their subject. Other records such as electoral rolls and births, deaths and marriages may be kept in hard-copy format at public offices. Governments and privacy advocates are trying to determine how these paper-based lists and databases will be rolled into the 21st century.

For now, our privacy is protected as much by social and corporate inertia as by conscious policy and legislation.

Coherent laws across jurisdictions and government reluctance to put public data online have gone some way to protecting Australians' personal details, but other countries haven't fared as well. In the US, a country with a constitutional amendment against illegal search and seizure by government, organisations routinely invade each other's privacy, querying online databases such as mobile phone records and social security numbers - the US equivalent of an Australian tax file number.

"The States are a lot freer with the information that's available (and) a lot of their databases hinge off the social security number," Mr Cooper says.

Australians could easily suffer the same fate if we're not careful, he warns. Technological progress and legislative change will change privacy in Australia, and not necessarily for the better. The Australian Law Reform Commission will recommend changes to regulations protecting our privacy by the end of March, 2008. The terms of reference outlined by Attorney-General Philip Ruddock in January asked the commission to consider "the need of individuals for privacy protection in an evolving technological environment".

The commission will examine the locus between privacy protection and technological advancement - especially information, communication, storage and surveillance - since legislation was enacted in the 1980s.

"We potentially give away private, personal information every time we shop over the internet or with a credit card, apply for a job, go the doctor or other health professional, or even enter a competition," said Professor David Weisbrot, the Australian Law Reform Commission president, at the time the review was announced. "There are now real issues as to how securely information is stored, how it is used, and who has access to it," he said.

The review is especially timely as the Federal Government considers giving smart cards to welfare recipients.

Australians seldom think about the pointy end of privacy issues. For instance, can the driver you cut off in traffic track you down through your registration number? Not likely. Can a disgruntled shareholder locate the address of a company director through public records? Absolutely: it is published by the Australian Investments and Securities Commission on the web. Can a woman fleeing a violent relationship stay hidden in a digital age? Only if she is prepared to keep a very low profile online, and not converse in chat forums, maintain a blog, register a domain name, or do anything that might bring attention to herself.

Mr Cooper says most of our information isn't available on the web. But that's not to say we are fully protected. Despite privacy restrictions, there are volumes of public data on all Australian citizens.

Mr Cooper's book, Behind the Private Eye: Surveillance Tales and Techniques, is a government-accredited training manual for investigators - all they need to know about mining publicly accessible databases and records to build profiles on virtually anyone.

"It's all about piecing together clues. You'll get 100 databases with boring information in them," he says. "It's an information chain."

When all the links in the chain are made, an investigator has a solid profile of any target, with caveats. "With a lot of this stuff you need to trot out to dusty offices and bust out the microfiche," Mr Cooper says. The idea that the access method changes the sensitivity of information presents challenges to lawmakers and privacy advocates. Victorian privacy commissioner Paul Chadwick is acutely aware of the paradox - by its nature public information is public, but the privacy of the citizen must be respected.

"The difficulties that arise here are particular," he says. "Parliament recognised that you have some sort of standard, but you can't apply a privacy standard to a public register by definition."

Practical barriers such as keeping records in leather-bound volumes in dusty offices have acted as a de facto privacy safeguard, Mr Chadwick says, but computers and the internet have changed that forever. Even something as boring as a phone book becomes dangerous when turned into a database.

A computer hacker who asked to remain anonymous says the "Grey Pages", a reverse phone directory, came in very handy for him when he was ripped off in an online auction deal. "With his (the seller's) phone number I got his address. He did not choose to make that public," the hacker says.

The Grey Pages allows users to find an address and phone number. Such directories as this were common until they were taken off the market a few years ago but they still rattle around in underground circles, often held on secret websites accessible only to the "elite".

"Technological developments make it easier to manipulate the material, for example, by reverse sorting it to identify a person's address from their telephone number," says federal privacy commissioner Karen Curtis.

Ms Curtis says that something as simple as the format of data - paper versus digital - affects Australians' privacy. Digital information can be sliced and diced many more ways and with greater ease than paper to create entirely new information.

"Once personal information is in the public domain, individuals have very little control over who might collect it," she says. "The format in which information is made publicly available will affect the kinds of future collection possible."

It's a concern her office takes seriously. Even in this digital age, Ms Curtis encourages government departments to consider whether paper or electronic formats meet the purposes of the register best. Electronic records can be used in many new and more invasive ways than paper, she told the Australian Court Administrators Group last year, and this has serious implications for privacy.

The most obvious difference is that electronic records are available to a much wider audience, she said. Before electronic databases, court records were more difficult to access and could only be located by a determined or well-informed researcher. The records were public but they were not widely disseminated, a phenomenon that can be described as "practical obscurity".

Convicted hacker turned security consultant Kevin Mitnick knows his way around the internet. Having worked for investigators such as Pinkerton as a sub-contractor and Teltec in the early 1990s, he's familiar with using public data sources to investigate virtually anyone in the US.

He agrees with Mr Cooper: the US privacy experience is not one we should emulate here.

"What people need to be aware of is that all personal details... are really out there for anybody who really wants it to get a hold of them," Mr Mitnick says.

He believes it is very difficult to live "under the radar" - there are ways both legal and illicit to find almost anyone.

"If you're living in the US and you have a cell-phone number under your real name, a landline, a credit-card account, a car, a boat, any special licence, real estate or use any sort of utilities, you can be found. All this information is for sale," he says.

Mr Cooper says Australia was also headed down this path, at least as far as investigators were concerned.

A massive "mates network", he says, had investigators paying off contacts at government departments, including state roads and traffic authorities and other bodies.

Volumes of private information were bought and sold. The Independent Commission Against Corruption cracked down on the practice with remarkable effect in 1992, Mr Cooper says. But the remnants of that information network are underground as organisations audit attempts to access sensitive data.

"Everything that's done on those databases is recorded now in a way that previously wasn't the case," Mr Cooper says. "If you look at information you're also leaving behind the fact that you've looked at that information."

Many of the sources most commonly used by investigators - with no more access to private information than Joe Citizen - are public records stored on paper or microfiche. That could mean information obtained from the electoral roll, the land titles office, municipal offices or even the office of births, deaths and marriages and ASIC.

But internet users often leave behind digital footprints. Those footsteps are traced through tools such as the Whois database of domain names and Google. Laws won't protect those who publish their own details on the internet, but in the case of information collected by the Government and private sector, a tweaking of the Privacy Act may help.

Until then, Mr Cooper says, your privacy is relatively well-protected. "But I would sleep better knowing that the legislation was protecting access to that information," he says.

NEXT LESSONS

Eight steps to privacy from PI Chris Cooper:

  • Don't be evil and you will not need to be found by guys like me. Don't get up to mischief, don't defraud, don't steal, don't lie, and don't lodge court action over feigned injuries. Be nice. But, failing that . . .
  • Discard your rubbish properly. A phone bill is only a garbage search away.
  • Protect your mailbox or address mail to your PO box.
  • Don't provide middle names unless necessary.
  • Change your surname to something generic such as "Smith" or "Gray". A lot of effort goes into determining which records apply to which person. Ten billion Google searches for John Smith may hold all the information you need - except you just have to go through and work out which relate to your John Smith!
  • Watch your electronic footprints. Everything you do and everything you enter on forms is recorded somewhere. Privacy laws mean information given for one purpose should not be used for another.
  • It's no good hiding when you are linked to others who are not hidden so either become a hermit or hide with all of your dodgy associates together.
  • Obfuscate your identity. Don't give out personal details unless it's necessary.

Published with permission - Chris Cooper

 

We support

We support

Donate to Amnesty International