22 Ways You May Be Losing Your Privacy
... Those who surrender freedom and privacy for convenience and security will have neither.
Have you ever found it annoying that too often it is impossible to do something without compromising your privacy? With alarmingly increasing frequency, the people have to give out their name, address, email, phone number, fill a form, create an account, subscribe, register, enrol, join or become a member when it is completely unnecessary or irrelevant to the service in question. For many privacy-conscious customers such attempts to harvest their personal data are one of the main reasons for walking away, seeking the same goods or services elsewhere, or rethinking the need for the purchase altogether. The more people vote with their feet and wallets, the sooner businesses will get the messages that they have no right to invade customer privacy just because they supply some goods or services.
One may not realise, but we are making decisions about our privacy nearly every day. Whether we are doing online shopping, using bank cards, filling forms, applying for a job, using social media, participating in a survey or being pestered by direct marketing — anything that wants or has our personal information, has the potential to invade the territory of our privacy. In today's world of digital technologies, information became a valuable asset: it is worth big money, it brings more money, and it is the reason why we are asked to give out our personal information more often than ever. The rapid development of information technologies also made identity theft and fraud easier than ever, yet, unfortunately, frequent excessive and often unnecessary collection of personal information by government institutions and private enterprises left people vulnerable to scam and identity theft. That is why we can never be too vigilant and cautious.
Identity theft, fraud, blackmail, scam, and many other crimes are only possible because someone obtained personal, private or sensitive information about another person. Most victims do not disclose their personal information willingly or directly. The data is usually stolen, misplaced, misguarded, misused or wasn't properly disposed of by someone else who was trusted to hold that information. There is no such thing as an absolutely secure system. Nobody can guarantee that their network or database will never be broken into by hackers, or that all their employees are diligent and sufficiently knowledgeable in data security. The only sure way to provide privacy and security is to not collect personal information in the first place: they can't lose what they never had. Which means that:
1. Governments agencies, departments and contractors, and also private companies and corporations should not ask people to disclose their personal information unless it is absolutely necessary, and there is no possible way to do whatever they are doing without every single piece of the information they ask for.
2. As the former is not likely to happen (actually, the contrary is happening and is getting worse), every individual should safeguard their own privacy as much as possible and not hesitate to ask why each bit of their personal information is required in each case.
By checking and rethinking your use of the following privacy holes, you can greatly increase your personal safety, and the safety of your family and friends. Remember, each person is not only responsible for their own safety, but also for the safety of everyone in their contact list.
Giving out more information than necessary
If someone wants to collect your personal information, ask questions and make them justify their need for the data: Why do they need it? What will they do with it? How will they store and protect it? And who, if anyone, will they share it with? This applies to any business, organisation, health care provider or government agency. If each person starts fighting for every bit of personal data, data collectors will have to review their appetites. Most often their demands for data are a mere effort to harvest information and keep it until some future time when companies discover a use for it. Unfortunately, a routine fishing expedition by marketers — collecting information for loyalty schemes and marketing databases — exposes consumers to greater risks when data is sold or stolen. Even big companies with huge IT budgets lose control over the data they collect. Privacy and security experts say the increased demand for personal data creates an arms race: as identity fraud worsens, companies want to gather more evidence to establish a customer's identity, which in turn exposes more information to the risk of abuse or theft.
Letting your ID documents to be scanned or copied
When staying at a hotel or other lodging facility
Unlike some other countries, there is no legal requirement in Australia for hotels, motels and other accommodation providers to ask for identity documents, let alone copy them and retain those copies. Any Australian hotel demanding a photo ID does it at its own initiative.
As this practice creates a high risk of personal data misuse and identity theft, it has guidelines issued by the Office of the Australian Information Commissioner. In particular, they advise that a business can scan a customer's ID or collect information from that ID by any other means only if:
- it is necessary for one of its functions or activities;
- the customer is clearly informed what information will be collected, how it will be collected and why, what it will be used for, who it will be disclosed to or shared with, how long it will be kept for, how it will be held, including any IT security measures used to protect the electronically stored information, how long the information is kept for, and how it will be destroyed or de-identified;
- the customer consents, and this consent is free and informed.
OAIC also states:
Collecting unnecessary personal information is a breach of the Privacy Act. A business should not scan or copy a customer's ID, if sighting it would be sufficient for the purpose the business requires it for.
Therefore, if someone wants to copy your ID, yet cannot explain what exactly it is needed for, how securely it will be stored and who will have access to it, they are acting unlawfully. Research also indicates that the more relentless a hotel is in demanding a photo ID, the more likely it is to have customer data misused or stolen. And the larger the hotel or hotel chain, the larger the privacy breaches. For example, Marriott hotels insisted (and still insist!) on collecting excessive volumes of guest personal information, scanning their IDs, and retaining the data long after the guests left. In 2018 their network was hacked and thus compromised the personal information of 500 million people staying at their hotels since 2014. The stolen data included card numbers and expiration dates, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, and more. If Mariott can't afford a secure system, then a smaller hotel can't either. The only way to guarantee customer data safety would be to refrain from collecting it in the first place.
The bottom line? Check accommodation's policy before booking, and give your preference to those hotels who are either contend with merely sighting your ID, or care about their customer data safety enough to rely on other measures for their own security, such as credit card details, advance payments, bonds or cash deposits.
When visiting a club or other entertainment venues
Many clubs scan patron's ID upon entry, taking “you either do as we tell you or get lost” stance, giving zero explanations and disregarding legal requirements for this procedure. Not surprisingly, there have been numerous incidents when customer personal data collected by night clubs was misused or sold to dubious third parties without customer consent.
When paying with a credit card
“May I see your ID?” — you may never give a second thought to such request for identification when you pay with a credit card at a store or a hotel. While all credit card networks allow a merchant to ask for identification, Mastercard and Visa explicitly prohibit retailers from requiring an ID to accept a properly signed card. Merchants can ask for an ID, but you can refuse to show it and they still must accept the card. Some business owners are not aware of this or disregard card issuer restrictions on requiring an ID, and set their own policies that violate the rules, ostensibly to make sure the card indeed belongs to the person. It is also unclear how some merchants get away with pushing further and insisting on copying the ID instead of just having a look at it.
Forgetting to opt out
Whether it is ticking all marketing “opt out” boxes on a peper form or opting out of online health record system, each step will contribute to security of your personal data.
Australian “My Health Record” system is still developing, and nobody knows whether the patient control over the stored data is going to be eventually restricted or removed. There is also no guarantee that the sensitive and/or identifiable health information won't be disclosed to third parties, stolen by hackers, shared for a research, or used for any purpose other than direct benefit for the health of the person — all without the explicit consent of the patients. In fact, in 2015 Australian Bureau of Statistics announced that it will keep people's names and addresses collected during the 2016 Census and link Census data to health records.
Participating in surveys, competitions, entering prize draws, or registering product purchases
Essentially, these are baits in the fishing expedition for your personal data. Many companies use various win-whatever appeals as a way of obtaining customer personal information for their marketing research. No business does anything really for free: if they are offering a prize, it only means that the information they are expecting to collect from the participants will bring them more money than the cost of the prize they promise.
Too often the purchased products come with a paper form or a link to an online page that you supposedly should fill on order to “register your warranty”. This is another smoke-screen for obtaining your personal details. Under the Australian Consumer Law, automatic consumer guarantees apply to products and services you buy regardless of anything else the supplier says, asks or promises. If the purchased products can be covered by a warranty, it is covered without any need to “register” anything. To guarantee the quality of the product, the supplier doesn't need to know your name, email address, phone number, where you live, how much you earn, how many children you have, and a tonne of other personal information, as this example of a ridiculously intrusive warranty registration form from Barbeques Galore demonstrates.
Loyalty programs and rewards cards
They are not about rewarding the customers, they are about spying on the customers. They are schemes offering very little value while collecting huge amounts of customer personal information for data mining.
If it is a business, its main purpose — to make more money. Period. A business will never do or offer anything unless it brings back more than it costs. Suppliers are always in search for strategies to sell us more than we need, or to cut corners. Targeted marketing is the most effective tool for that. And, as a result, we are not getting the best goods, only the best marketed goods.
By signing up for a rewards or loyalty card, we share our name, address, gender, age, interests, income range, and other information about our family and household. Then, every time we shop and use that card, we tell the retailer what, when and how much we buy. All that data is collected, analysed, added to our profile, used to predict our next move, shared with other businesses, and sometimes even sold to third parties for even more profit. Next time when you are wondering how an ad, packaging design or a “special discount” managed to convince you to buy some rubbish you never needed, don't be surprised: marketers know about you and your behaviour way more than you do. They know how to target you when you are most vulnerable and susceptible.
Memberships, clubs, doctors, dentists
Customer database is one of the most valuable assets any business or institution has. They are used to generate extra profits and sometimes are shared with other companies for money or other benefits. The most unfair aspect in this arrangement is that this information is not only extracted from the customers for free, but the customers are given no choice, and are often charged admin / joining / new customer / new patient fees for that. Shops, clubs, gyms, entertainment venues, ticket sellers, doctors, dentists, optometrists — all demand excessive volumes of personal information without ever explaining why it is necessary. As most of us know, it is impossible to visit a dentist or get a new pair of glasses from an optometrist without being later bombarded with reminders, marketing messages and special offers.
For example, optometrists obtain customer details under the pretext of being “healthcare providers” under the Health Practitioner Regulation National Law (which, by the way, says nothing about personal data collection and usage), and then use that data for marketing and spam. The customers are never given the choice of not being included into the mailing lists, or for their data not to be shared with numerous third parties. The only option is to opt out once the spam starts coming. Unfortunately, opting out at that stage doesn't erase personal data from the marketing databases or stops its further disclosure and misuse, it only stops the unwanted communications for some time.
Medical establishments have become frequent targets of hacker attacks and honeypots for identity fraudsters: doctors and other medical professionals collect and keep huge volumes of highly personal and private data, yet have no skills or expertise to keep it secure. How many people dare to question why a medical centre is asking for certain personal information and what they are going to do with it? People simply comply and supply. Medical centres often engage other companies too look after their technology needs (which means those companies have access to your health information without being bound by healthcare privacy laws), or use third-party software for managing bookings, medical records and communications. That software is often made overseas and uses cloud facilities located in other courtiers, meaning nobody knows what happens to your data and who has access to it.
Be careful and vigilant every time you are filling a form, and keep in mind that the company is most likely going to use all this data for marketing purposes, and in case of a medical or semi-medical establishments, pass information about you to the government medical surveillance systems, which can share it with other government branches or link it to census and other data. If some information is “mandatory”, ask why. If there is no satisfactory answer, ask yourself whether you still want the “service” on these terms? Is it worth the loss of control over your personal information, privacy and safety?
Posting personal information online, using social media and cloud storage
Once something has been uploaded to the Internet, it cannot be 100% deleted. It may be marked as “deleted”, or hidden from view, but it will keep being stored somewhere. Don't put important private information or large amounts of personal information on social networking sites. Uploading your data into cloud storage services like iCloud means you almost certainly lose your control over its privacy and confidentiality.
Credit cards, loans, mortgages
Once you borrowed any funds, your personal information goes into the credit history and is shared with all sorts of third-party companies and credit reporting agencies, which may use and misuse the data as they please. By borrowing money you not only enter the financial slavery and enable the lending institutions to make money off the interest you play, you are also forced to supply a load of your personal information which will be used by other companies to make money off selling or sharing access to it — all without your control or explicit consent. Given the fact that Credit Reporting Agencies like Veda/Equifax can easily navigate their ways around the law, can they be trusted to do a decent job of safeguarding your privacy? It is also worth noting that many credit reporting agencies, such as Equifax and Experian, which receive your personal information from your banks, utility services, phone provides, etc without giving you any choice in the matter, are foreign-owned companies that not only may accumulate, store and share your data overseas, but are also subject to massive hacker attacks, security breaches and data theft.
Keeping personal information in your mobile device
Many use their smart phones to store their own, their friends' and their family members' names, phone numbers, home addresses, email addresses, birthdays and online profile links in the contact list. It may be handy, but don't forget that mobile phones are not only easy to lose the or steal, but also that phone's OS or apps can gather and transmit all that personal information to an interested company or agency. Given that they can also collect information about websites you visited, photos you uploaded, your geolocation coordinates, buddy lists, sms texts, email contents and phone calls history, they may know about your private life more than you realise. Also, think twice before synchronising your mobile phone data with any sort of “cloud”. Are you sure that all the people in your contact list are happy for their personal details to be handed over to the company that runs the “cloud”?
Shred all documents before throwing them out. Don't just crumple the paper up or tear it in half! Cut the paper to small pieces across the lines or text, paying special attention to the areas where your personal details are printed.
Trusting that “deleted” means deleted
Once the information is entered to a database, it hardly ever gets deleted, even if you were told it has been. In modern databases, the information gets marked as no longer in use, but it may be kept in the database forever. The disk space is very cheap these days, and database management programs are very nifty and fast: anything can be kept indefinitely and restored at any point. Companies no longer run out of space on their archive shelves for paper documents, so no information is destroyed, no matter how old and outdated. The best way to make sure your data in not stored forever in some database is not to let it to get there in the first place.
Using one email address for everything
Set up a separate junk email account for subscribing to “newsletters” and “special offer” notices. If possible, don't enter your real name or mobile phone number when creating a junk account for those purposes.
Ignoring fine print and privacy policies
Travelling to or through certain countries
Countries collecting biometric data from visitors. What was once a procedure reserved for arrested, is now becoming a “normal” part of holiday travels. One by one, countries demand tourists and visitors to submit their fingerprints, iris scans or photographs for facial analysis under the same overused pretext: counter-terrorism and national security. It remains unclear how, by looking at fingerprints, the border security is going to tell who is a potential terrorist and who isn't; yet it is clear that this process harms civil liberties, invades privacy, and creates a serious risk of identity theft, because any leaks from biometric databases could be used by criminals or hostile individuals.
Countries demanding excessive personal information. For example, the US require all visitors to supply their parents names, all current and past citizenship, details of all travel and national identity documents ever issued by any country, present and past email addresses, phone numbers and social media accounts. Travellers are also obliged to supply passwords for any of their mobile devices or accounts to allow all the data to be searched and copied by security forces. The same is demanded from transit travellers who have no intention of leaving the airport! This violates not only the privacy of the travelling individual, but also the privacy of their family, friends and colleagues who ever shared any private messages, pictures or documents. Doctors, lawyers, scientists and business people may be forced to break the law and moral obligations by disclosing sensitive information about their patients, clients, research or business to border agents; and after Snowden and Manning revelations, every person has solid grounds to distrust the US government promises or intentions regarding the data. These demands also severely undermine the freedom of speech, which is absolutely essential for democracy, as people who have to travel to or through such country will be forced to censor everything they ever publish online, and because the US authorities do not give any explanations at why the entry to the country was denied, any criticism of anything relating to the country can potentially impede the person's movements at any point in life. Unfortunately, the US disregards the much-quoted words of their very own Benjamin Franklin: “Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety.”
If you do not wish to be treated like a criminal and be forced to supply your fingerprints or personal data for a panoptical regime to keep and use in any way they see fit, you may want to research the entry or transit requirements of the countries before making your travel plans and instead spend your money in the countries who don't think they are entitled to damage civil liberties and jeopardise personal safety of innocent individuals. Sadly, the choice is narrowing.
Australian border security now use the SmartGate technology, and airport staff is often quite pushy in their attempts to get the travellers from “eligible” countries to use SmartGate electronic kiosks rather than being processed by a fellow human. At the moment, unless forcibly herded by the airport employees to the SmartGates, people still have a choice to be processed by a real human officer. However it may no longer be an option in the future. Presumably, the plan is to make people get used to machines, get rid of the highly-trained and famously polite Australian border security officers; then say that no system is perfect, SmartGates make errors and a facial recognition is not enough, so more biometrics are needed, and start collecting fingerprints / iris scans / body parameters / DNA samples / anything else the authorities want. If people don't insist on being processed by human staff now, biometrics collection won't stop at facial recognition. There is nothing more intelligent and sophisticated than a trained person who can do more than any machine, such as analysing behaviour and other clues. Using machines has nothing to do with increasing the country's security, it is just another way of harvesting more data.
If you are tired of telemarketing, add your number to the Do Not Call Register. For Australia, visit www.donotcall.gov.au. For other countries, do a search and see if there is an official way to opt out.
If you are unexpectedly contacted by someone claiming to be an insurance company, a bank, a government agency, a debt collector, no matter what the reason, never give them any of your personal details. You can't be sure who the caller really is. If they are really your insurance company, bank or real government agency, they already have all the necessary information. If they want to “confirm”, “verify” or “make sure everything is correct because they are updating their system”, they are either too dodgy to do the update properly without such verifications, or are a fake trying to steal your identity. The easiest way to check is to call back to an official contact number and ask whether such verification has really been required. Never call back using the phone number the stranger gave you without making sure that number really belongs to the company they claim to work for.
If you notice that a company or institution suddenly needs more personal information than they needed before for the same service saying that they “will be unable to provide you with the service” without that information, demand an explanation. This is common, and is a direct result of unnecessary data harvesting combined with inability to keep the harvested data secure. First they need you full name and address, which quickly leaks out because every Tom, Dick and Harry asked for it and added it to their flimsy databases, contact lists and apps. So they want your date of birth, to be able to be “identified securely”; which of course also leaks out from social media, email provider snooping, or the database of any entity that has it. Now they want your photo ID details, which will of course eventually be leaked too, because nothing can be kept secure forever, especially if everyone demands to have a copy and stores that information in their databases even when it is no longer needed. With all personal details leaked, email accounts hacked and phone communication snooped upon, what is next? What will people have to provide for secure identification? Fingerprints? DNA samples? You get the gist.
Low quality of online systems and software
Unfortunately, programmers and IT specialists are not chosen from geniuses and brain elite anymore. Companies are cutting corners and are happy to outsource programming jobs, which means they are getting lower quality for lower cost. They know that everyone is pretty much forced to use online services these days and will have to put up with bugs and errors because there often is no alternative.
Rapidly growing IT industry also means time pressure — to be quick, to be the first; new websites, online shops, e-government services and internet banking systems are rolled out as quickly as possible, often ditching the thorough testing stage in the software development process. Illogically, companies don't mind spending some extra time and money on unnecessary, fancy-looking design features and would rather cut costs for proper security and testing. After all, a pretty interface is what gets the majority of new customers in. Once they signed up — the target is achieved, it will be too late when the customers discover the poor quality of the system.
Promises of secure server connection or encrypted data transfer do not guarantee that your data will be securely stored and correctly used once it was passed through that connection. Solemn mentions of long cipher key, strongest industry standard encryption technology or military grade security have nothing to do with real safety: the system is as secure is its weakest component. The vast majority of breaches happen because there are holes and errors in badly tested software often made by cheap, outsourced software developers, because of poor security training or negligence of human staff using that software.
Money management and budgeting tools offered by banks
Personal online budgeting services and software like NAB's Money Tracker, St George & Westpac's Budget Planner Calculator or ANZ bank's MoneyManager are actively advertised as invaluable services to help the customers take control of their money and develop a better understanding of where they are spending and how much they are saving. Sounds great, but keep in mind that first of all, banks always help themselves.
The online personal finance analysers have sophisticated transaction analysis engines for organising and categorising user data. Along with promising their customers to “take all of the headache and guess work out of budgeting, tracking money and saving for goals”, the banks are able to “run rich customer analytics, for example by customer segment for more targeted marketing” and to get “valuable insights to our customers, for example, to see a comparison of spending patterns to others like them”. Customers who use money management tools are providing the bank with a live picture of their financial situation at any point in time. When you use the budget planner or the “what if” scenario analysis option, you are giving your bank the important insights on your future plans. If you would rather keep your plans for your future to yourself, you may want to avoid using these tools.
By monitoring your financial transactions, banks continuously watch where you are going, staying, working, holidaying and shopping, what you are choosing and buying, who your insurers, doctors, friends and family are; your everyday life is monitored, analysed, and that information being used by the banks and their third parties. At the moment, the only sure way to avoid being watched, analysed, categorised and targeted is to pay in cash.
ABR and ASIC
If you are thinking of becoming a small business owner or sole trader, check how Australian Business Register and Australian Securities and Investments Commission work. First, Australian Business Register (ABR) charges people for the registration of a business or a company. Then it charges annual fees, which are basically payments for database record maintenance, which must include secure and safe storage of private and personal information. Nevertheless, ABR is making money off people's personal details twice: once, by charging them for taking the information, and then — by selling that information to other companies and interested parties, stripping people of their privacy.
We may give your personal information to other government agencies, including regulatory and law enforcement bodies and assistance agencies, but only where authorised or required by law to do so. They don't mention that it will also be sold to whoever is willing to pay for it.
One may argue that business registration is not a private affair in Australia, yet all this unlimited information trading may be very disturbing for the owners of small business who have no choice other than providing their home address for business registration, which may jeopardise the people's safety if made publicly available. The whole arrangement is discouraging small business while benefiting large corporations, which is discriminating and has negative impact on Australian economy.
Australian Bureau of Statistics
Be aware of privacy issues with ABS census and compulsory household surveys.
Plunging into using a new gadget, website or online service
In the past, we lived with anticipation and curiosity about the technology evolution, we were wondering what a new, interesting and useful discovery will be implemented next. And those new implementations were indeed interesting and useful. Today, the world has changed. For the majority of people, the technology evolves too rapidly to follow it with deep understanding. Nearly every day we discover that now we have to do things differently; sometimes we have a choice, sometimes we don't. Too often we are told that now we have to update, move, sign up, create an account or login in order to be able do the same things we were dong before (for example, the infamous my.gov.au portal). The changes are always touted as “improvements”, as something faster, more efficient and convenient. Everything advertised as “one click away” is in fact a profile full of personal information away. People suddenly need to create so many profiles and logins, fill so many online forms, and accept so many “Terms and Conditions” that it is virtually impossible to carefully research, remember and keep track of each one. Usually, the users just tick the ‘accept’ box and submit a load of private information to the service, which will store, analyse, merge, verify, disclose, sell and use the personal information to its advantage in any way it sees profitable. Every bit of personal information we give away means we are tracked, targeted, profiled and subjected to surveillance for “safety and security reasons”, at the same time increasing the danger of identity theft. The database with our data may be misguarded, misused, hacked or leaked, our identity may be forged and stolen, and once the information is passed into someone else's hands, there is no way back.
Freedom, privacy and safety are worth spending some extra time researching the true benefits and drawbacks of a new trinket or service before rushing into using it. Very often, the old trusty cash, cheque or paper form is more secure than all the “new and improved” apps and online frills. It also very beneficial for one's health to pick up a pen every now and then to exercise the fine motor skills with the old-fashioned writing rather than tapping the screen or pushing the buttons.
The most effective way of controlling and protecting information about oneself is not to share it in the first place.
“We value your privacy”
ID protection at crisis point, Sydney Morning Herald
The Australian Privacy Foundation dedicated to protecting the privacy rights of Australians, it aims to focus public attention on emerging issues which pose a threat to the freedom and privacy and defend the right of individuals to control their personal information and to be free of excessive intrusions
Australian Information Commissioner, government website dedicated to privacy issues with a special focus on information technology and the Internet
The real danger is the gradual erosion of individual liberties through automation, integration, and interconnection of many small, separate record-keeping systems, each of which alone may seem innocuous, even benevolent, and wholly justifiable.
U. S. Privacy Study Commission
The way things are supposed to work is that we're supposed to know virtually everything about what the government do: that's why they're called public servants. They're supposed to know virtually nothing about what we do: that's why we're called private individuals.
No one likes to see a government folder with his name on it.
Experience should teach us to be most on our guard to protect liberty when the government's purposes are beneficent. Men born to freedom are naturally alert to repel invasion of their liberty by evil-minded rulers. The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding.
Louis D. Brandeis, Lawyer and Associate Justice of the Supreme Court of the United States
The right to be let alone is indeed the beginning of all freedom.
William O. Douglas, Associate Justice of the Supreme Court of the United States
Big Brother in the form of an increasingly powerful government and in an increasingly powerful private sector will pile the records high with reasons why privacy should give way to national security, to law and order ... and the like.
William O. Douglas
A desire for privacy does not imply shameful secrets; without anonymity in discourse, free speech is impossible, and hence also democracy. The right to speak the truth to power does not shield the speaker from the consequences of doing so; only comparable power or anonymity can do that.
Nick Harkaway, novelist and commentator
I don't like to share my personal life... it wouldn't be personal if I shared it.
The most sacred thing is to be able to shut your own door.
Privacy is not something that I'm merely entitled to, it's an absolute prerequisite.