30 ways you can improve your privacy protection online and in real life
...Those who surrender freedom and privacy for convenience and security will have neither.
Have you ever found it annoying that too often it is impossible to do something basic without compromising your privacy? With alarmingly increasing frequency, people have to give out their name, address, email, phone number, fill a form, create an account, subscribe, register, enrol, join, or become a member when it is completely unnecessary or irrelevant to the service in question. For many privacy-conscious customers such attempts to harvest their personal data are one of the main reasons for walking away, seeking the same goods or services elsewhere, or rethinking the need for the service altogether. The good new though, the more people vote with their feet, wallets and votes, the sooner businesses and government departments will get the message that their invasion of privacy has gone too far.
One may not realise, but we are making decisions about our privacy all the time. Whether we are shopping, using bank cards, applying for a job, using social media, participating in a survey, using government services, or being pestered by direct marketing — anything that wants or has our personal information, has a potential to misuse that information, deliberately or out of simple negligence. In today's world of digital technologies, information became a valuable asset: it is worth big money, it brings more money, and that is the main reason why we are pushed to give out our personal information more often than ever. The rapid development of information technologies also made identity theft and fraud easier than ever, yet, unfortunately the frequent, excessive and often unnecessary collection of personal information by government institutions and private enterprises left people vulnerable to scam and identity theft. That is why we can never be too vigilant and cautious with our personal data.
Identity theft, fraud, blackmail, scam, manipulation, and many other crimes are only possible because someone obtained personal, private or sensitive information about another person. Most victims do not disclose their personal information willingly, knowingly or directly. The data is usually stolen, misplaced, misguarded, misused, or wasn't properly disposed of by someone else who was trusted to hold that information. There is no such thing as an absolutely secure system. Nobody can guarantee that their network or database will never be broken into by hackers, or that all their employees are diligent and sufficiently trained in data security. The only sure way to guarantee privacy and security is to not collect personal information in the first place: one can't lose what they never had. Which means that:
- Government agencies, departments and contractors, and also private companies and corporations should not ask people to disclose their personal information unless it is absolutely necessary and there is no possible way to do whatever they are doing without every single piece of the information they are asking for.
- As the former is not likely to happen (actually, the contrary is happening and is getting worse), every individual should safeguard their own privacy as much as possible and not hesitate to ask why each bit of their personal information is required in each case.
The following list of privacy improvement ideas is most relevant to Australia, but many points are applicable worldwide. By checking and rethinking these aspects you can greatly increase your personal safety, and the safety of your family and friends. Remember, each person is not only responsible for their own safety, but also for the safety of everyone they keep in their contact list.
Disclaimer: the following list is a list of ideas and suggestions. You and you alone decide what is right for you and which of them you wish to consider.
Become aware of privacy issues and their causes
One of the most disturbing revelations in recent history is that the biggest potential threat to human rights, freedoms and privacy comes not from those who break the laws, but from those who make them. No matter how sophisticated scammers and hackers are, none of them has access to all personal information of every citizen. But governments do, just as they have the capacity to change the laws and remove privacy protections at any time. The consent you gave for the use of your personal data today may be used for a completely different purpose tomorrow.
The good news is that in a democratic society any governmental misdeed can (at least in theory) only go as far as voters allow it. Therefore it is an important obligation of every voting citizen to be aware of what the governments are doing, which privacy-affecting legislations get passed, under what pretext, for what purpose and with what likely outcome, and keep all that in mind when deciding who to vote for next time.
The “if you've got nothing to hide, you've got nothing to fear” is a very detrimental fallacy. Dignity and autonomy are basic human rights, and they cannot exist when a person cannot live their daily life free from surveillance, censorship and manipulation.
Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.
(Ironically, there is no explicit protection of freedom of speech in the Australian Constitution.)
Vote for the right people
The past two decades have proven that neither the Labor nor the Liberal party are interested in privacy protection. The legislation introduced and passed by them has been either watered down and inadequate, or designed to maintain the status quo, or paving the way for even more extensive invasion of our privacy and exploitation of our personal data.
If Australians wish to salvage what they still call “privacy” and “rights”, they should take election times seriously and vote for the smaller parties and independent candidates who take these issues seriously and genuinely have human rights, civil liberties and privacy protection in their policies.
Avoid facial recognition technology whenever possible
Despite the absence of clear regulations and guidelines on the use of facial recognition technology, Australian government and businesses are pushing ahead with its use. Retailers like Bunnings, Kmart and The Good Guys capture and store unique biometric information of the largely unsuspecting shoppers, while the government and police are building the national facial recognition database to which some states and territories have already dumped our driver's license data. In addition to the potential future abuse of our biometric data with no adequate oversight, accountability and privacy protections, this already abuses the driver licensing system itself. The purpose of a driver's license ID is to confirm that a certain person is licensed to operate an appropriate motor vehicle on public roads, not to give the government an opportunity for slurping up such highly sensitive data as our faces as use it for unrelated, vague or undisclosed purposes.
Never give out more information than necessary
If someone wants to collect your personal information, ask questions and make them justify their need for the data: Why do they need it? What will they do with it? How will they store and protect it? Who will they share it with?... This applies to any business, organisation, health care provider or government agency. If each person starts fighting for every bit of their personal data, data collectors will have to reconsider their appetites. Most often their demands for data are a mere effort to harvest as much information as they can and keep it until some future time when they discover a use for it. Unfortunately, a routine fishing expedition by marketers — collecting information for loyalty schemes and marketing databases — exposes consumers to greater risks when that data is sold or stolen. Even big companies with huge IT budgets lose control over the data they collected. Privacy and security experts say the increased demand for personal data creates an arms race: as identity fraud worsens, companies want to gather more evidence to establish a customer's identity, which in turn exposes more information to the risk of abuse or theft.
Use cash, at least sometimes
Increasing numbers of people are switching to cashless payments, paying for everything by card, or worse, by using an app on their smart phone. This may feel quick and convenient, but it also means that the bank, the payment processing companies, and potentially numerous third parties watch nearly every step of the person's life: from where and when they boarded and got off their commuter train to where and when they had a cup of coffee. In addition, the mere act of downloading the payment app onto the phone most likely means the person had to create an Apple App Store or Google Play account, which inevitably means giving your personal details to those corporations as well.
Unfortunately, the decreasing cash use gives governments an excellent excuse to start talking about abolishing cash altogether, which will not only take away the last option to have any financial privacy, but will also mean that the whole country can be easily paralysed by a hacker attack, or that nothing can be purchased during internet and/or electric power outage. Think of all those times when Australia has a cyclone, a storm, a flood, a bushfire... Power lines are down? Mobile tower burned? Broadband node flooded? Too bad: no food or fuel for you. Not so “quick and convenient” anymore, is it?
Or a much more mundane scenario: someone who decided to be ultra-modern and carry no wallet: no cash, no cards — everything is in their phone, which they accidentally drop in the toilet. Classics. Now what? They can't pay for anything, can't get anywhere, can't even call anyone to ask for help. Will that be the point where some futuristic fantasy proponent suggests we have implanted chips for human tracing and payments? ;)
Don't let your ID documents to be scanned or copied
When staying at hotels or other lodging facilities
Unlike some other countries, there is no legal requirement in Australia for hotels, motels and other accommodation providers to ask for identity documents, let alone copy them and retain those copies. Any Australian hotel demanding a photo ID does it at its own initiative.
As this practice creates a high risk of personal data misuse and identity theft, it has guidelines issued by the Office of the Australian Information Commissioner. In particular, it is advised that a business can scan a customer's ID or collect information from that ID by any other means only if:
- it is necessary for one of its functions or activities;
- the customer is clearly informed what information will be collected, how it will be collected and why, what it will be used for, who it will be disclosed to or shared with, how long it will be kept for, how it will be held, including any IT security measures used to protect the electronically stored information, how long the information is kept for, and how it will be destroyed or de-identified;
- the customer consents, and this consent is free and informed.
OAIC also states:
Collecting unnecessary personal information is a breach of the Privacy Act. A business should not scan or copy a customer's ID, if sighting it would be sufficient for the purpose the business requires it for.
Therefore, if someone wants to copy your ID, yet cannot explain what exactly it is needed for, how securely it will be stored and who will have access to it, they are acting unlawfully. So, do you really want to give your ID to someone who is breaking the law?
Research also indicates that the more relentless a hotel is in demanding a photo ID, the more likely it is to have customer data misused or stolen. And the larger the hotel or hotel chain, the larger the privacy breaches. For example, Marriott hotels insisted (and still insist!) on collecting excessive volumes of guest personal information, scanning their IDs, and retaining the data long after the guests left. In 2018 their network was hacked and thus compromised the personal information of 500 million people who stayed at their hotels since 2014. The stolen data included card numbers and expiration dates, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, and more. If Marriott can't afford a secure system, then a smaller hotel can't either. The only way to guarantee customer data safety would be to refrain from collecting it in the first place.
Also, beware of websites and online services that ask you to send them a copy of your ID, for any reason. If they don't trust you, why should you trust your ID to them? Sending a copy of your identity documents is unsafe, as the copy of your ID will not only be kept and used by that site for an unknown length of time and uncontrolled purposes, but can also be harvested along the way by email providers and other systems or apps.
When visiting clubs or other entertainment venues
Many clubs scan patron's ID upon entry, taking “you either do as we tell you or get lost” stance, giving zero explanations and disregarding legal requirements for this procedure. Not surprisingly, there have been numerous incidents when customer personal data collected by night clubs was misused or sold to dubious third parties without customer consent.
When paying with a credit card
“May I see your ID?” — you may never give a second thought to such request for identification when you pay with a credit card at a store or a hotel. While all credit card networks allow a merchant to ask for identification, Mastercard and Visa explicitly prohibit retailers from requiring an ID to accept a properly signed card. Merchants can ask for an ID, but you can refuse to show it and they still must accept the card. Some business owners are not aware of this or disregard card issuer restrictions on requiring an ID, and set their own policies that violate the rules, ostensibly to make sure the card indeed belongs to the person. It is also unclear how some merchants get away with pushing further and insisting on copying the ID instead of just having a look at it. Knowing your PIN is enough for getting cash out of any ATM, so it should also be sufficient for a card payment.
Close and delete all unnecessary accounts
There is no guarantee that once you have closed your account and requested that the company deletes your data, the company will actually do so. Too often companies prefer to hold onto customer data long beyond necessary, just in case they come up with a way to monetise it somehow in the future. However, cancelling, closing and deleting all the accounts, memberships and subscriptions that you no longer use or need gives you a chance that at some point your information will be removed from that system and thus will stop being an entry point for hackers and scanners into your life.
Whether it is ticking all marketing “opt out” boxes on a paper form or opting out of online health record system, each step will contribute to security of your personal data.
Australian “My Health Record” system is still developing, and nobody knows whether the patient control over the stored data is going to be eventually restricted or removed. There is also no guarantee that the sensitive and/or identifiable health information won't be disclosed to third parties, stolen by hackers, shared for a research, or used for any purpose other than direct benefit for the health of the person — all without the explicit consent of the patients. In fact, in 2015 the Australian Bureau of Statistics announced that it will keep people's names and addresses collected during the 2016 census and link census data to health records.
Don't give your personal information to social media, cloud storage, AI devices, or Google
Once something has been uploaded to the Internet, it cannot be 100% deleted. It may be marked as “deleted”, or hidden from view, but it will keep being stored somewhere. Don't put important private information or large amounts of personal data on social networking sites. Uploading your data into cloud storage services like iCloud means you almost certainly lose your control over its privacy and confidentiality. Don't upload photos of people, yourself included, to Facebook and other social media sites: facial recognition technology is evolving extremely quickly and can be used for tracking you across online platforms and in real life.
Be mindful when creating an account on some websites, like Facebook. They often set a trap by initially allowing you to sign up with minimal personal details, let you use the account for some time, and later start demanding that you give them more information, like phone number or a government-issued ID. They won't let you access your profile until you give them that data. Before you sign up, search for online complaints like “Facebook suddenly requests my phone number” and see what you are getting into.
Using Google for all your Internet searches and Gmail for all your communication is another sure way to have no privacy at all. In addition to watching, analysing and recording everything you do online, Google is notorious for suddenly locking people out of their accounts (allegedly for “security purposes”) and not letting to log in even with a correct password until the person gives Google more personal data, such as mobile phone number or home address. Consider using other search engines, like DuckDuckGo, for at least some of your browsing, to avoid letting Google spy on you 24/7. And don't use Gmail for some or all of your correspondence, to prevent Google from knowing everything about your work, family, friends and other personal interactions. Many other email service providers snoop on their users too, but, unlike Google, they are unable to supplement that information with a detailed dossier on all your other online activities. You may like to consider a privacy-driven email service, such as Protonmail or Tutanota.
Think really well before getting a so-called smart home device, or any artificial intelligence technology, that is connected to the Internet, like Google Home, Amazon Alexa or Echo. They harvest enormous amounts of information about you and your daily life, end up knowing more about you than you could imagine, and send all that data to their vendors. Nobody can tell how and when this data will be used in the future.
Don't keep personal information on your mobile device
Many use their smart phones to store their own, their friends' and their family members' personal info, such as names, phone numbers, home addresses, email addresses, birthdays and online profile links in the contact list, sometimes supplemented by logins to your various accounts and copies of important documents. It may be handy, but don't forget that mobile phones are easily lost or stolen. In addition, the phone's OS or apps can gather and transmit all that personal information to an interested company or agency. Given that they can also collect information about the websites you visit, photos you take, your geolocation coordinates, contact lists, sms texts, email contents and phone calls history, and have an in-built “intelligent virtual assistants”, like Siri, that listen to everything you say, they may know about your private life more than you realise. Also, think twice before synchronising your mobile phone data with any sort of “cloud”. Even if you adopted “I've got nothing to hide” attitude about your personal life, are you sure that all the people in your contact list are happy for their personal details to be handed over to the company that owns the “cloud”?
If you must sync your contacts with a cloud storage, consider using short names or nicknames for your contacts, and avoid adding extra information about them, such as their photos or birthdays.
Use SIM PIN
Set a SIM PIN on your phone in addition to a passcode. A passcode is essential, as it protects the information stored on your phone. However, it cannot stop the phone thief from taking your SIM card out, putting it into another device and then receiving your bank authorisation codes, login links and multifactor authentication codes. A SIM PIN takes care of that. Every time your phone it restarted or when your SIM card is put into a different device, the SIM will be locked until the correct PIN is entered. After three failed attempts, the SIM will be locked permanently and can be unlocked only with a PUK, which is known only to you and your telco provider.
In the past, we lived with anticipation and curiosity about the technology evolution, we were wondering what a new, interesting and useful discovery will be implemented next. And those new implementations were indeed interesting and useful. Today, the world has changed. For the majority of people, the technology evolves too rapidly to follow it with deep understanding. Nearly every day we discover that now we have to do things differently. Sometimes we have a choice, sometimes we don't. Too often we are told that now we have to upgrade, sign up, install an app, create an account or login in order to be able do the same things we were dong before (for example, the infamous my.gov.au portal). The changes are always touted as “improvements”, as something faster, more efficient and convenient.
Everything advertised as “one click away” is in fact a profile full of personal data away. People suddenly need to create so many profiles and logins, fill so many online forms, and accept so many “Terms and Conditions” that it is virtually impossible to carefully research, remember and keep track of each one. Usually, the users just tick the ‘accept’ box and submit a load of private information to the service, which will store, analyse, merge, verify, disclose, sell and use the personal information to its advantage in any way it sees profitable. Every bit of personal information we give away means we are tracked, targeted, profiled, and subjected to surveillance for “safety and security reasons”, at the same time increasing the danger of theft of our identity. The database with our data may be misguarded, misused, hacked or leaked, our identity may be forged or stolen, and once the information is passed into someone else's hands, there is no way back (hello Optus, hello Medibank!).
Freedom, privacy and safety are worth spending some extra time researching the true benefits and drawbacks of a new trinket or service before rushing into using it. Very often, the old trusty cash, cheque or paper form is more secure than all the “new and improved” apps and online frills. It also very beneficial for one's health to pick up a pen every now and then to exercise the fine motor skills with the old-fashioned writing rather than tapping the screen or pushing the buttons.
Don't install unnecessary apps
In recent years, some businesses and even some government services began requiring their customers to install an app. Vast majority of such apps fall within the range from pointless nuisance to technological discrimination. They do not offer any new functionality beyond what until recently was available through a website, but they require the person to have a compatible device, to get an account with Apple or Google, and to use the service on a tiny phone screen instead of a much larger laptop or a desktop computer monitor. This severely disadvantages the elderly, the visually impaired, and the privacy-conscious users.
It is easier and cheaper to create one web-page that would work in any browser on any device that to develop multiple apps for different platforms and then jump through hoops and hurdles in Apple App Store and Google Play Store. So why do business and government departments take their webpages down and peddle their apps instead? Most likely, because (a) they think that their useless app is cool and modern; (b) an app can show ads that most browsers successfully filter out; (c) an app can harvest much more personal data about the user and do much more tracking than any browser.
If whatever you are dealing with still has a web-browser alternative, use it! Otherwise we will soon be forced to keep getting the latest smartphones and installing hundreds of apps that will track everyone 24/7.
Ditch the companies that force you to use their apps
Some banks, insurance companies, telecommunication providers and other companies now require their customers to download their apps (e.g. my Optus app, myBOQ app, ANZ Plus app, etc) in order to be able to log in and manage their accounts. These companies must be too insensitive, too lazy or too greedy to hire decent IT specialists and create secure interfaces for proper desktop browsers for their online systems. They don't care that their customers may not have the latest phones, or be able too see all the important information on a tiny phone screen, or wish to compromise their privacy by giving their personal information to Apple or Google because an App Store or Google Play account is mandatory just for the chance to download such apps.
If you don't want to be forced into creating unwanted accounts with overseas corporations for the sake of being able to use an unwanted app, the solution is easy: leave the company that puts this pressure on you, that gives you no other choice besides their app. There are still banks, mobile operators and insurers that care about the privacy, security and comfort of their customers enough to offer desktop interfaces or even in-person/in-branch service options. The more customers they see switching to them for that reason, the greater is the chance that in a few years we won't all become slaves to mobile phones, apps, Apple and Google.
Beware of low quality apps and software
Unfortunately, programmers and IT specialists are not chosen from geniuses and brain elite anymore. Companies are cutting corners and are happy to outsource programming jobs, which means they are getting lower quality for lower cost. They know that everyone is pretty much forced to use online services these days and will have to put up with bugs and errors because too often there is no alternative.
Rapidly growing IT industry also means time pressure — to be quick, to be the first. New websites, apps, online shops, e-government services and internet banking systems are rolled out as quickly as possible, often skipping the thorough testing stage in the software development process. Illogically, companies don't mind spending extra time and money on unnecessary, fancy-looking design features, and would rather cut costs of proper security and testing. After all, a pretty interface is what gets the majority of new customers in. Once they signed up — the target is achieved, it will be too late when the customers discover the poor quality and unacceptable level of security of the system, their data is already in the system.
Promises of secure server connection or encrypted data transfer do not guarantee that your data will be securely stored and correctly used once it has passed through that connection. Solemn mentions of long cipher key, strongest industry standard encryption technology or military grade security have nothing to do with long-term safety. The system is as secure is its weakest component; and the vast majority of breaches happen because there are holes and errors in badly tested software often made by cheap, outsourced software developers, and because of poor security training or negligence of human staff using that software.
Beware that “deleted” doesn't always mean deleted
Once the information is entered into a database, it hardly ever gets deleted, even if you were told it has been. In modern databases, the information gets marked as no longer in use, but it may be kept in the database for a long time. The disk space is very cheap these days, and database management programs are very nifty and fast: anything can be kept indefinitely and restored at any point. Companies no longer run out of space on their archive shelves for paper documents, so no information needs to be destroyed, no matter how old and outdated. The best way to make sure your data in not stored forever in some database is not to let it to get there in the first place.
Don't use one email address for everything
Set up separate email accounts for different purposes. At the very least, have a “junk” account for anything you don't trust entirely, for example for subscribing to “newsletters” and “special offer” notices. If possible, don't enter your real name, date of birth or mobile phone number when creating an account for that.
Avoid surveys, competitions, prize draws, registering product purchases
Essentially, all these are baits in the fishing expedition for your personal data. Many companies use various win-whatever appeals as a way of obtaining customer personal information for their marketing research. No business does anything really for free: if they are offering a prize, it only means that the information they are expecting to collect from the participants will bring them more money than the worth of the prize they are promising.
Too often the purchased products come with a paper form or a link to an online page that you supposedly should fill on order to “register your warranty”. This is another smoke-screen for obtaining your personal details. Under the Australian Consumer Law, automatic consumer guarantees apply to products and services you buy regardless of anything else the supplier says. If the purchased product can be covered by a warranty, it is covered without any need to “register” anything. To guarantee the quality of the product, the supplier doesn't need to know your name, email address, phone number, where you live, how much you earn, how many children you have, and a tonne of other personal information, as this example of a ridiculously intrusive warranty registration form from Barbeques Galore demonstrates.
Be skeptical about loyalty programs and rewards cards
These are not about rewarding the customers, they are about spying on the customers. These schemes usually offer very little value while collecting huge amounts of customer personal information for data mining. The main objective of any business is to create a profit. So a business will never do or offer anything unless it yields more than it costs. Suppliers are always in search for strategies to sell us more than we need, or to cut corners in production and delivery. Targeted marketing is the most effective tool for that. And, as a result, we are not getting the best goods, only the best marketed goods.
By signing up for a rewards or loyalty card, you share your name, address, gender, age, interests, income range, and other information about your family and household. Then, every time you shop and use that card, you essentially tell the retailer what, when and how much you buy. All that data is collected, analysed, added to your profile, used to predict your next move, shared with other businesses, and sometimes even sold to third parties for even bigger profits. Next time when you are wondering how an ad, packaging design or a “special discount” managed to convince you to buy some rubbish you never needed, don't be surprised: marketers know about you and your behaviour way more than you do. They know how to target you when you are most vulnerable and susceptible.
Be careful with the medical system: it doesn't always act for the benefit of the patient
Within medical system, “privacy” usually means that the patients never get to see the full information about them that is collected and shared, while many other people and institutions have unlimited access to it.
Australian federal, state and territory authorities are continuously trying to ramp up the collection, matching and sharing of medical data on every person in Australia. From My Health Record, from which people luckily can opt out, through state systems like the HealtheNet in NSW, ieMR in Queensland or Clinical Information Portal in Victoria, which grab and share a massive array of private and sensitive data without people's consent or ability to opt out completely, to the booking and patient management systems used by hospitals and small medical practices.
In each instance, patients can lose control over what data is collected about them, whom it is shared with, where it is stored, what it is used for now, and what it can be used for in the future. This severely undermines people's trust in the medical system, destroys the confidentiality between doctors and patients, and discourages people from seeking medical help.
Results of many medical tests, together with the patient's personal details, are reported to various government-run health surveillance programs and entered into screening registers and recall-and-reminder systems. The management of some of those systems and registers involves commercial third parties. For example, the National Cancer Screening Register is operated by Telstra. This personal information disclosure can happen without the clear knowledge and explicit consent of the patient. Or the patient is informed about this but given no choice and no option to stop their personal data from being distributed throughout the system. Other times, there is an opportunity to opt out of this data sharing and medical surveillance, but the patients are not told about it in advance, before the privacy of their data has been taken out of their control.
If you strongly prefer to make your own health decisions and wish to minimise the propagation of your personal data through the medical system and beyond, before consenting to any tests tell your doctor that you don't want your information to be shared with anyone. If your personal data has already been dumped into any of those systems or registers, there are ways to opt out of some of them. For example, you can opt out of the National Cervical Screening Program and the National Bowel Cancer Screening Program by filling the NCSR webform or PDF form or by calling 1800 627 701. Pay attention to the options. Your request to cease contact and correspondence will stop the nagging messages, but the new information about you will keep being recorded in the register. Whereas your request to opt out will prevent further information about you from being be recorded in the NCSR.
your information may be used by the NCSR or given to other parties, such as professional disciplinary authority, child protection officers, enforcement bodies, court or tribunal proceedings, coronial inquiry, research, investigation, health promotion and planning purposes, and
where the use or disclosure is required or permitted by that state's or territory's law — whatever this clause may encompass at any given time. Therefore, if maximum privacy is your priority, you may conclude that it is best to avoid being added to these databases in the first place.
Perhaps one day the government will realise that significantly more people would participate in such tests and programs if there were an anonymous option — the only option that can truly guarantee privacy. As of now, unfortunately, collecting personal data and spending taxpayer money on promotion campaigns seems to be the preferred modus operandi of the Australian government and healthcare system.
The COVID-19 pandemic became a convenient pretext for many governments, health authorities and various seemingly irrelevant players for ramping up surveillance and privacy invasion to unprecedented levels. Some aspects of it may have been justified, while others are unacceptable and using this pandemic merely as an excuse and cover-up. Be careful and read before you agree to so-called privacy policies of virus tracing, proximity tracking and attendance tracking apps, when giving your personal details for COVID testing, and when receiving the vaccine.
Many medical establishments and pharmacies insists on online vaccination bookings through commercial third-party booking systems, such as HotDoc, findapharmacy.com.au or HealthEngine, which may use your name, contact details and medical data for other purposes, such as targeted advertisement, marketing, and for sharing it further with their business partners. It also appears that pharmacies can add contact details from vaccination bookings to their marketing mailing lists. To protect your privacy and prevent spam and scam, you may like to avoid online bookings and instead use walk-in appointments, and refuse to give your email address or phone number.
Another threat to privacy to be aware of, before you sign up for anything, is that
one of the core concerns with the implementation of novel surveillance regimes in times of exception is that, in many cases, governments are reluctant to dismantle systems of surveillance enacted during the crisis, seeking to justify their continued access to surveillance data after the immediate public health threats have subsided, as the Australian Privacy Foundation's COVID-19 Surveillance statement points out. You may never be able to opt our or delete your data from wherever it ends up “due to COVID-19”, COVID-29, or whatever else it evolves into.
Stay vigilant when using memberships, clubs, doctors, dentists, pathology laboratories
A customer database is one of the most valuable assets of any business or institution. It is used for profit-increasing strategies and is sometimes shared with other companies for money or other benefits. The most unfair aspect in this arrangement is that this information is not only extracted from the customers for free, but the customers are given no choice, and are often charged admin / joining / new customer / new patient fees for that. Shops, clubs, gyms, entertainment venue ticket sellers, doctors, dentists, optometrists — all demand large volumes of personal information without ever explaining why it is necessary. As most of us know, it is impossible to visit a dentist or get a new pair of glasses from an optometrist without being later bombarded with reminders, marketing messages and special offers.
For example, optometrists obtain customer details under the pretext of being “healthcare providers” under the Health Practitioner Regulation National Law (which, by the way, says nothing about personal data collection and usage), and then use that data for marketing and spam. The customers are never given the choice of not being included into the mailing lists, or for their data not to be shared with numerous third parties, including mailing list services, which often are foreign third parties. The only option is to opt out once the spam starts coming. Unfortunately, opting out at that stage doesn't erase personal data from the marketing databases or stops its further disclosure and misuse, it only stops the unwanted communications, sometimes only for a limited time.
Medical establishments have become frequent targets of hacker attacks and honeypots for identity fraudsters: doctors and other medical professionals collect and keep huge volumes of highly personal and private data, yet have no skills or expertise to keep it secure. How many people dare to question why a medical centre is asking for certain personal information and what they are going to do with it? People simply comply and supply. Medical centres often engage other companies too look after their technology needs (which means those companies have access to your health information without being bound by healthcare privacy laws), or use third-party software for managing bookings, medical records and communications. That software is often made overseas and uses cloud facilities located in other courtiers, which means nobody knows what happens to your data and who has access to it.
Clinical pathology laboratories are data accumulation and sharing machines within Australian medical system: they obtain the patient personal details, add clinical test data to it, and then keep and share this information with medical practitioners, can disclose it the government or enter it into disease screening registers without asking for the explicit patient consent or offering any way of opting out of this. From the patient perspective, pathology labs operate one way: they take data from the patient without ever giving anything back, except for the bills if the certain tests aren't covered by Medicare. For any useful information the patients are forced to go back to the medical practitioners.
Be careful and vigilant every time you are filling a form, and keep in mind that the company is most likely going to use all this data for marketing purposes, and in case of a medical or semi-medical establishments, pass information about you to the government systems, which can share it with other government branches or link it to census and other data. If some information is demanded as “mandatory”, ask why. If there is no satisfactory answer, ask yourself whether you still want the “service” on these terms? Is it really worth the loss of control over your personal information, privacy and safety?
Be careful with financial borrowings: credit cards, loans, mortgages
Once you have made a loan application or borrowed any funds, your personal and financial information goes into the credit history and is shared with all sorts of third-party companies and credit reporting agencies, which may use this data in any way their policies allow. Credit providers, such as banks, may also share your personal information with credit reporting bodies for a pre-screening assessment. That is when the bank wants to decide whether you are a suitable person to bombard with spam about credit cards, loans and mortgages, even if you have never asked for any of those.
By borrowing money you not only enter the financial slavery and enable the lending institutions to make money off the interest you play, you are also forced to supply a load of your personal information which will be used by other companies to make money off selling or sharing access to it without your control or explicit consent. Given the fact that credit reporting agencies like Veda (now rebranded to Equifax) can easily navigate their ways around the law, can they be trusted to do a decent job of safeguarding your privacy?
It is also worth noting that many credit reporting agencies, such as illion, Equifax and Experian, which receive your personal information from your banks, utility services and phone provides without giving you any choice in the matter, are foreign-owned companies. Not only they may accumulate, store and share your data overseas, but they are also subject to massive hacker attacks, security breaches and data theft. The whole business and huge profits of those agencies are based on acquiring and using your personal data.
After the disastrous hacking of Optus and Medibank in 2022, many Australian were given advice to setup fraud alerts with credit reporting bodies. However that inevitably means giving those credit reporting bodies more of your personal and contact information. The problem wit this that nobody will ever guarantee that your data won't be stolen by hackers from those credit reporting bodies themselves. It is a vicious circle, and the main losing party on it are the ordinary people.
The fewer organisations have your personal data, the safer it is.
Rethink your usage of money management and budgeting tools offered by banks
Personal online budgeting services and software like NAB's Spending (formerly Money Tracker), St George/Westpac's Budget Planner Calculator, or ANZ's MoneyManager are actively advertised as invaluable services to help the customers take control of their money and develop a better understanding of where they are spending and how much they are saving. Sounds great, but keep in mind that first of all, banks always help themselves.
The online personal finance planners have sophisticated transaction analysis engines for organising and categorising user data. Along with promising their customers to
take all of the headache and guess work out of budgeting, tracking money and saving for goals, the banks are able to
run rich customer analytics, for example by customer segment for more targeted marketing and to get
valuable insights to our customers, for example, to see a comparison of spending patterns to others like them. Customers who use money management tools are providing the bank with a live picture of their financial situation at any point in time. When you use the budget planner or the “what if” scenario analysis option, you are giving your bank the important insights on your future plans. If you would rather keep your plans for your future to yourself, you may want to avoid using these tools. If your bank made it impossible to disable these tools, at least avoid adding more data to them.
By monitoring your financial transactions, banks continuously watch what you are doing, where you are staying, working, holidaying and shopping, what you are choosing and buying, who your insurers, doctors, friends and family are... Your everyday life is monitored, analysed, and that information being used by the banks and their partners. The only sure way to avoid being watched, analysed, categorised and targeted is to pay in cash whenever possible.
Shred all paper documents before throwing them out. Don't just crumple the paper up or tear it in half! Cut the paper to small pieces across the lines or text, paying special attention to the areas where your personal details are printed. If you have a garden compost bin, it is the best place for the paper shreds. Compost worms can be trusted with your privacy better than any human. :)
Don't skip the fine print
Rethink your travels to or through certain countries
Watch out for travel authorisation requirements, such as ESTA, ETIAS or ETA. These are systems that an increasing number of countries are implementing for the purpose of collecting a wide scope of personal and sensitive data about travellers while purporting that they “don't require a visa”.
Countries collecting biometric data from visitors
What was once a procedure reserved for criminals, is now becoming a “normal” part of holiday travels. One by one, countries begin demanding tourists and visitors to submit their fingerprints, iris scans or photographs for facial analysis under the same overused pretexts: counter-terrorism and national security. It remains unclear how, by looking at fingerprints, the border security is going to tell who is a potential terrorist and who isn't; yet it is clear that this process harms civil liberties, invades privacy, and creates a serious risk of identity theft, because any leaks from biometric databases could be used by criminals or hostile individuals.
Countries demanding excessive personal information
For example, the US require all visitors to supply their parents names, all current and past citizenships, details of all past travels, national identity documents ever issued by any country, all present and past email addresses, phone numbers and social media accounts. Travellers are also obliged to supply passwords for any of their mobile devices or accounts to allow all the data to be searched and copied by security forces. The same is demanded from transit travellers who have no intention of leaving the airport! This violates not only the privacy of the travelling individual, but also the privacy of their family, friends and colleagues who ever shared any private messages, pictures or documents with that person. Doctors, lawyers, scientists and business people may be forced to break the law and moral obligations by disclosing sensitive information about their patients, clients, research or business to border agents; and after Snowden and Manning revelations, every person has solid grounds to distrust the US government promises or intentions regarding the data. These demands also severely undermine the freedom of speech, which is absolutely essential for a democracy, as people who have to travel to or through such country will be forced to censor everything they ever publish online, and because the US authorities do not give any explanations as to why the entry to the country was denied, any criticism of anything relating to the country can potentially impede the person's movements at any point in life. Unfortunately, the US disregard the much-quoted words of their very own Benjamin Franklin:
Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety.
If you do not wish to be treated like a criminal and be forced to supply your fingerprints or personal data for a foreign regime to keep and use in any way they see fit, you may want to research the entry or transit requirements of the countries before making your travel plans and instead spend your tourist money in the countries who don't think they are entitled to damage civil liberties and jeopardise personal safety of innocent individuals. Sadly, the choice is steadily narrowing.
Australian border security now use the SmartGate technology, and airport staff is often quite pushy in their attempts to get the travellers from “eligible” countries to use SmartGate electronic kiosks rather than being processed by a fellow human. At the moment, unless forcibly herded by the airport employees to the SmartGates, people still have a choice to be processed by a real human officer. However it may no longer be an option in the future. Presumably, the plan is to first make people get used to machines, get rid of the highly-trained and famously polite Australian border security officers. Then say that no system is perfect, SmartGates make errors and a facial recognition is not enough, so more biometrics are needed, and under that pretext start collecting fingerprints, iris scans, body parameters, DNA samples, or anything else the authorities may want. If people don't insist on being processed by human staff now, biometrics collection won't stop at facial recognition. There is nothing more intelligent and sophisticated than a trained person who can do more than any machine, such as analysing behaviour and other clues. Using machines has nothing to do with increasing the country's security, it is just a way of harvesting more data.
Australian Border Force
Australian Border Force (ABF) has very broad and intrusive powers to search personal digital devices, such as mobile phones and laptops, and copy electronic information without a warrant. An ABF officer can force you to hand over your phone and its passcode, take the device away for any length of time, look at and copy any information that you have on your device, share this information with other agenesis — all this without having to have a warrant, explaining you anything, giving you any reasons for what they are looking for and why, or informing you what information was examined and copied.
Within Australian borders, police can search your mobile phone too, but if they want to unlock your device, they must first get a warrant. Whereas ABF can do whatever they like without any warrant or explanation. Because of this lack of transparency and accountability, it is unknown how often travellers are subjected to this gross violation of privacy, whom exactly ABF targets and based on what. People might be targeted because they are journalists, or privacy advocates, or whistle-blowers, or were simply born in a “wrong” country. We just don't know!
The absence of federal charter of human rights in Australia means that in reality Australians have very few rights. The only protection of your privacy when you travel to Australia, New Zealand or other countries that have similar border “security” procedures would be in not keeping anything on your devices that you don't want others to access. Private messages, intimate pictures, sensitive data, work documents, email history, saved passwords, online banking, Medicare, myGov... — none if these are a good idea to have on your devices when you are crossing the border of a country like Australia, where people don't legally have the fundamental human rights.
If your device was taken out of your sight, you should assume that it has been completely compromised and everything on it has been copied, and you should act accordingly as soon as possible: change all your passwords and inform all the people whose data is stored on your phone about the incident.
Notifying the people who may be affected would achieve multiple goals: it will prompt them to tighten the security of their personal data; it will give them a warning that they too could be targeted by the ABF when they travel; and it will raise the public awareness of the dreadful state of privacy legislation in Australia, which could make more people vote for the smaller parties and independent political candidates who have genuine and serious interests in protecting privacy and human rights of Australians.
If you are tired of telemarketing, add your number to the Do Not Call Register. For Australia, visit www.donotcall.gov.au. For other countries, do a search and see if there is an organised way to opt out.
Watch out for scammers
If you are unexpectedly contacted by someone claiming to be an insurance company, a bank, a government agency, a debt collector, no matter what the reason, never give them any of your personal details. You can't be sure who the caller really is. If they are really your insurance company, bank or a government agency, they already have all the necessary information. If they want to “confirm”, “verify” or “make sure everything is correct because they are updating their system”, they are either too dodgy to do the update properly without such verifications, or are scammers trying to steal your identity. The easiest way to check is to call back via an official contact number and ask whether such verification has really been required. Never call back using the phone number the stranger gave you without making sure that number really belongs to the company they claim to work for.
Learn to recognise mission creep
If you notice that a company or institution suddenly needs more personal information than they needed before for the same service saying that they “will be unable to provide you with the service” without that information, demand an explanation. This is common, and is a direct result of unnecessary data harvesting combined with inability to keep the harvested data secure. First they need your full name and address, which quickly leaks out because every Tom, Dick and Harry asked for this data and added it to their flimsy databases, contact lists and apps. So they want your date of birth, to “enable you to be identified securely”; which of course also leaks from social media, email provider snooping, or a database of any entity that has it. Now they want your photo ID details, which will of course eventually be leaked too, because nothing can be kept secure forever, especially if everyone demands to have a copy of your ID and keeps storing that information in their databases even when it is no longer needed. With all personal details leaked, email accounts hacked and phone communication snooped upon, what is next? What will people have to provide for secure identification? Fingerprints? DNA samples? You get the gist.
Be aware of the recent changes in the Australian Bureau of Statistics and the privacy issues with the ABS census and compulsory household surveys.
Check ABR and ASIC policies before starting a business
If you are thinking about becoming a small business owner or sole trader, check how Australian Business Register and Australian Securities and Investments Commission work. First, Australian Business Register (ABR) charges people for the registration of a business or a company. Then it charges annual fees, which are basically payments for database record maintenance, which should include secure and safe storage of private and personal information. Nevertheless, ABR is making money off people's personal details twice: once, by charging them for entering the information, and then by selling that information to other companies and interested parties, stripping people of their privacy.
We may give your personal information to other government agencies, including regulatory and law enforcement bodies and assistance agencies, but only where authorised or required by law to do so. They don't mention that it will also be sold to whoever is willing to pay for it.
One may argue that business registration is not a private affair in Australia, yet all this unlimited information trading may be very disturbing for the owners of small business who have no choice other than providing their home address for business registration, which may jeopardise the safety of their families if made publicly available. This whole arrangement is discouraging small business while benefiting large corporations, which is discriminating and has negative impact on Australian economy.
The most effective way of controlling and protecting information about oneself is not to share it in the first place.
“We value your privacy”. Really?
ID protection at crisis point, Sydney Morning Herald
The Australian Privacy Foundation dedicated to protecting the privacy rights of Australians, it aims to focus public attention on emerging issues which pose a threat to the freedom and privacy and defend the right of individuals to control their personal information and to be free of excessive intrusions
Australian Information Commissioner, a government website dedicated to privacy issues with a special focus on information technology and the Internet
No one likes to see a government folder with his name on it.
Experience should teach us to be most on our guard to protect liberty when the government's purposes are beneficent. Men born to freedom are naturally alert to repel invasion of their liberty by evil-minded rulers. The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding.
Louis D. Brandeis, Lawyer and Associate Justice of the Supreme Court of the United States
The right to be let alone is indeed the beginning of all freedom.
William O. Douglas, Associate Justice of the Supreme Court of the United States
Big Brother in the form of an increasingly powerful government and in an increasingly powerful private sector will pile the records high with reasons why privacy should give way to national security, to law and order ... and the like.
William O. Douglas
A desire for privacy does not imply shameful secrets; without anonymity in discourse, free speech is impossible, and hence also democracy. The right to speak the truth to power does not shield the speaker from the consequences of doing so; only comparable power or anonymity can do that.
Nick Harkaway, novelist and commentator
I don't like to share my personal life... it wouldn't be personal if I shared it.
Privacy is not something that I'm merely entitled to, it's an absolute prerequisite.