25 ways you may be losing your privacy. How to protect it online and in real life

...Those who surrender freedom and privacy for convenience and security will have neither.

Have you ever found it annoying that too often it is impossible to do something basic without compromising your privacy? With alarmingly increasing frequency, people have to give out their name, address, email, phone number, fill in a form, create an account, subscribe, register, enrol, join, or become a member when it is completely unnecessary or irrelevant to the service in question. For many privacy-conscious customers such attempts to harvest their personal data are one of the main reasons for walking away, seeking the same goods or services elsewhere, or rethinking the need for the service altogether. The good news, though, is that the more people vote with their feet, wallets and votes, the sooner businesses and government departments will get the message that their invasion of privacy has gone too far.

One may not realise it, but we are making decisions about our privacy all the time. Whether we are shopping, using bank cards, applying for a job, using social media, participating in a survey, using government services, or being pestered by direct marketing — anything that wants or has our personal information has the potential to misuse that information, deliberately or out of simple negligence. In today's world of digital technologies, information has become a valuable asset: it is worth big money, it brings more money, and that is the main reason why we are pushed to give out our personal information more often than ever. The rapid development of information technologies has also made identity theft and fraud easier than ever, yet, unfortunately, the frequent, excessive and often unnecessary collection of personal information by government institutions and private enterprises has left people vulnerable to scams and identity theft. That is why we can never be too vigilant and cautious with our personal data.

Identity theft, fraud, blackmail, scam, manipulation, and many other crimes are only possible because someone obtained personal, private or sensitive information about another person. Most victims do not disclose their personal information willingly, knowingly or directly. The data is usually stolen, misplaced, misguarded, misused, or wasn't properly disposed of by someone else who was trusted to hold that information. There is no such thing as an absolutely secure system. Nobody can guarantee that their network or database will never be broken into by hackers, or that all their employees are diligent and sufficiently trained in data security. The only sure way to guarantee privacy and security is to not collect personal information in the first place: one can't lose what they never had. Which means that:

  1. Government agencies, departments and contractors, and also private companies and corporations should not ask people to disclose their personal information unless it is absolutely necessary and there is no possible way to do whatever they are doing without every single piece of the information they are asking for.
  2. As the former is not likely to happen (actually, the contrary is happening and is getting worse), every individual should safeguard their own privacy as much as possible and not hesitate to ask why each bit of their personal information is required in each case.

The following list of privacy “holes” is most relevant to Australia, but many of its points are applicable worldwide. By checking and rethinking these holes, you can greatly increase your personal safety, and the safety of your family and friends. Remember, each person is not only responsible for their own safety, but also for the safety of everyone they keep in their contact list.


The COVID-19 pandemic became a convenient pretext for many governments, health authorities and various seemingly irrelevant players for ramping up surveillance and privacy invasion to unprecedented levels. Some aspects of it may have been justified, while others are unacceptable and use this pandemic merely as an excuse and cover-up. Be careful and read before you agree to so-called privacy policies of virus tracing, proximity tracking and attendance tracking apps, when giving your personal details for COVID testing, and when receiving the vaccine.

Many medical establishments and pharmacies insist on online vaccination bookings through commercial third-party booking systems, such as HotDoc, findapharmacy.com.au or HealthEngine, which may use your name, contact details and medical data for other purposes, such as targeted advertisement, marketing, and for sharing it further with their business partners. It also appears that pharmacies can add contact details from vaccination bookings to their marketing mailing lists. To protect your privacy and prevent spam and scams, you may like to avoid online bookings and instead use walk-in appointments, and refuse to give your email address or phone number.

Another threat to privacy to be aware of, before you sign up for anything, is that one of the core concerns with the implementation of novel surveillance regimes in times of exception is that, in many cases, governments are reluctant to dismantle systems of surveillance enacted during the crisis, seeking to justify their continued access to surveillance data after the immediate public health threats have subsided, as the Australian Privacy Foundation's COVID-19 Surveillance statement points out. You may never be able to opt out or delete your data from wherever it ends up “due to COVID-19”, COVID-29, or whatever else it evolves into.

Being lax or unaware of privacy issues and their causes

One of the most disturbing revelations in recent history is that the biggest potential threat to human rights, freedoms and privacy comes not from those who break the laws, but from those who make them. No matter how sophisticated scammers and hackers are, none of them has access to all personal information of every citizen. But governments do, just as they have the capacity to change the laws and remove privacy protections at any time. The consent you gave for the use of your personal data today may be used for a completely different purpose tomorrow.

The good news is that in a democratic society any governmental misdeed can (at least in theory) only go as far as voters allow it. Therefore it is an important obligation of every voting citizen to be aware of what the governments are doing, which privacy-affecting legislations get passed, under what pretext, for what purpose and with what likely outcome, and keep all that in mind when deciding who to vote for next time.

The “if you've got nothing to hide, you've got nothing to fear” argument is a very detrimental fallacy. Dignity and autonomy are basic human rights, and they cannot exist when a person cannot live their daily life free from surveillance, censorship and manipulation.

For tuning into Australian issues surrounding online and digital privacy, rights and freedoms, you can watch Electronic Frontiers Australia talks and share them with your family members, friends, colleagues and through social media. These discussions may not be highly entertaining, but a responsible citizen in a democratic society cannot afford to be ignorant and want nothing but bread and circuses. Otherwise there may not be any democratic society in the future, nor bread or circuses.

Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.

Edward Snowden
(Ironically, there is no explicit protection of freedom of speech in the Australian Constitution.)

Giving out more information than necessary

If someone wants to collect your personal information, ask questions and make them justify their need for the data: Why do they need it? What will they do with it? How will they store and protect it? Who will they share it with?... This applies to any business, organisation, health care provider or government agency. If each person starts fighting for every bit of their personal data, data collectors will have to reconsider their appetites. Most often their demands for data are a mere effort to harvest as much information as they can and keep it until some future time when they discover a use for it. Unfortunately, a routine fishing expedition by marketers — collecting information for loyalty schemes and marketing databases — exposes consumers to greater risks when that data is sold or stolen. Even big companies with huge IT budgets lose control over the data they collected. Privacy and security experts say the increased demand for personal data creates an arms race: as identity fraud worsens, companies want to gather more evidence to establish a customer's identity, which in turn exposes more information to the risk of abuse or theft.

Using cashless payments for everything

Increasing numbers of people are switching to cashless payments, paying for everything by card, or worse, by using an app on their smart phone. This may feel quick and convenient, but it also means that the bank, the payment processing companies, and potentially numerous third parties watch nearly every step of the person's life: from where and when they boarded and got off their commuter train to where and when they had a cup of coffee. In addition, the mere act of downloading the payment app onto the phone most likely means the person had to create an Apple App Store or Google Play account, which inevitably means giving your personal details to those corporations as well.

Unfortunately, the decreasing cash use gives governments an excellent excuse to start talking about abolishing cash altogether, which will not only take away the last option to have any financial privacy, but will also mean that the whole country can be easily paralysed by a hacker attack, or that nothing can be purchased during an internet and/or electric power outage. Think of all those times when Australia has a cyclone, a storm, a flood, a bushfire... Power lines are down? Mobile tower burned? Broadband node flooded? Too bad: no food or fuel for you. Not so “quick and convenient” anymore, is it?

Or a much more mundane scenario: someone who decided to be ultra-modern and carry no wallet: no cash, no cards — everything is in their phone, which they accidentally drop in the toilet. Classics. Now what? They can't pay for anything, can't get anywhere, can't even call anyone to ask for help. Will that be the point where some futuristic fantasy proponent suggests we have implanted chips for human tracing and payments? ;)

Letting your ID documents be scanned or copied

When staying at hotels or other lodging facilities

Unlike some other countries, there is no legal requirement in Australia for hotels, motels and other accommodation providers to ask for identity documents, let alone copy them and retain those copies. Any Australian hotel demanding a photo ID does it at its own initiative.

As this practice creates a high risk of personal data misuse and identity theft, the Office of the Australian Information Commissioner (OAIC) has issued guidelines on it. In particular, it is advised that a business can scan a customer's ID or collect information from that ID by any other means only if:

OAIC also states:

Collecting unnecessary personal information is a breach of the Privacy Act. A business should not scan or copy a customer's ID, if sighting it would be sufficient for the purpose the business requires it for.


Therefore, if someone wants to copy your ID, yet cannot explain what exactly it is needed for, how securely it will be stored and who will have access to it, they are acting unlawfully. So, do you really want to give your ID to someone who is breaking the law?

Research also indicates that the more relentless a hotel is in demanding a photo ID, the more likely it is to have customer data misused or stolen. And the larger the hotel or hotel chain, the larger the privacy breaches. For example, Marriott hotels insisted (and still insist!) on collecting excessive volumes of guest personal information, scanning their IDs, and retaining the data long after the guests left. In 2018 their network was hacked, compromising the personal information of 500 million people who had stayed at their hotels since 2014. The stolen data included card numbers and expiration dates, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, and more. If Marriott can't afford a secure system, then a smaller hotel can't either. The only way to guarantee customer data safety would be to refrain from collecting it in the first place.

Check the privacy policy of the prospective accommodation before booking, and give your preference to those hotels that are either content with merely sighting your ID, or care about their customer data safety enough to rely on other measures for their own security, such as credit card details, advance payments, bonds or cash deposits.

Also, beware of websites and online services that ask you to send them a copy of your ID, for any reason. If they don't trust you, why should you trust your ID to them? Sending a copy of your identity documents is unsafe, as the copy of your ID will not only be kept and used by that site for an unknown length of time and uncontrolled purposes, but can also be harvested along the way by email providers and other systems or apps.

When visiting clubs or other entertainment venues

Many clubs scan patrons' IDs upon entry, taking a “you either do as we tell you or get lost” stance, giving zero explanations and disregarding legal requirements for this procedure. Not surprisingly, there have been numerous incidents when customer personal data collected by night clubs was misused or sold to dubious third parties without customer consent.

When paying with a credit card

“May I see your ID?” — you may never give a second thought to such a request for identification when you pay with a credit card at a store or a hotel. While all credit card networks allow a merchant to ask for identification, Mastercard and Visa explicitly prohibit retailers from requiring an ID to accept a properly signed card. Merchants can ask for an ID, but you can refuse to show it and they still must accept the card. Some business owners are not aware of this or disregard card issuer restrictions on requiring an ID, and set their own policies that violate the rules, ostensibly to make sure the card indeed belongs to the person. It is also unclear how some merchants get away with pushing further and insisting on copying the ID instead of just having a look at it. Knowing your PIN is enough for getting cash out of any ATM, so it should also be sufficient for a card payment.

Not opting out

Whether it is ticking all marketing “opt out” boxes on a paper form or opting out of an online health record system, each step will contribute to the security of your personal data.

The Australian “My Health Record” system is still developing, and nobody knows whether the patient control over the stored data is going to be eventually restricted or removed. There is also no guarantee that the sensitive and/or identifiable health information won't be disclosed to third parties, stolen by hackers, shared for research, or used for any purpose other than direct benefit for the health of the person — all without the explicit consent of the patients. In fact, in 2015 the Australian Bureau of Statistics announced that it would keep people's names and addresses collected during the 2016 census and link census data to health records.

Posting personal information online, using social media, cloud storage, AI devices, or Google

Once something has been uploaded to the Internet, it cannot be 100% deleted. It may be marked as “deleted”, or hidden from view, but it will keep being stored somewhere. Don't put important private information or large amounts of personal data on social networking sites. Uploading your data into cloud storage services like iCloud means you almost certainly lose your control over its privacy and confidentiality. Don't upload photos of people, yourself included, to Facebook and other social media sites: facial recognition technology is evolving extremely quickly and can be used for tracking you across online platforms and in real life.

Be mindful when creating an account on some websites, like Facebook. They often set a trap by initially allowing you to sign up with minimal personal details, let you use the account for some time, and later start demanding that you give them more information, like phone number or a government-issued ID. They won't let you access your profile until you give them that data. Before you sign up, search for online complaints like “Facebook suddenly requests my phone number” and see what you are getting into.

Using Google for all your Internet searches and Gmail for all your communication is another sure way to have no privacy at all. In addition to watching, analysing and recording everything you do online, Google is notorious for suddenly locking people out of their accounts (allegedly for “security purposes”) and not letting them log in even with a correct password until the person gives Google more personal data, such as mobile phone number or home address. Consider using other search engines, like DuckDuckGo, for at least some of your browsing, to avoid letting Google spy on you 24/7. And don't use Gmail for some or all of your correspondence, to prevent Google from knowing everything about your work, family, friends and other personal interactions. Many other email service providers snoop on their users too, but, unlike Google, they are unable to supplement that information with a detailed dossier on all your other online activities. You may like to consider a privacy-driven email service, such as Protonmail or Tutanota.

Think really well before getting a so-called smart home device, or any artificial intelligence technology, that is connected to the Internet, like Google Home, Amazon Alexa or Echo. They harvest enormous amounts of information about you and your daily life, end up knowing more about you than you could imagine, and send all that data to their vendors. Nobody can tell how and when this data will be used in the future.

Keeping personal information on your mobile device

Many use their smart phones to store their own, their friends' and their family members' personal info, such as names, phone numbers, home addresses, email addresses, birthdays and online profile links in the contact list, sometimes supplemented by logins to their various accounts and copies of important documents. It may be handy, but don't forget that mobile phones are easily lost or stolen. In addition, the phone's OS or apps can gather and transmit all that personal information to an interested company or agency. Given that they can also collect information about the websites you visit, photos you take, your geolocation coordinates, contact lists, SMS texts, email contents and phone call history, and have in-built “intelligent virtual assistants”, like Siri, that listen to everything you say, they may know about your private life more than you realise. Also, think twice before synchronising your mobile phone data with any sort of “cloud”. Even if you adopted an “I've got nothing to hide” attitude about your personal life, are you sure that all the people in your contact list are happy for their personal details to be handed over to the company that owns the “cloud”?

If you must sync your contacts with cloud storage, consider using short names or nicknames for your contacts, and avoid adding extra information about them, such as their photos or birthdays.

Trusting that “deleted” means deleted

Once the information is entered into a database, it hardly ever gets deleted, even if you were told it has been. In modern databases, the information gets marked as no longer in use, but it may be kept in the database for a long time. Disk space is very cheap these days, and database management programs are very nifty and fast: anything can be kept indefinitely and restored at any point. Companies no longer run out of space on their archive shelves for paper documents, so no information needs to be destroyed, no matter how old and outdated. The best way to make sure your data is not stored forever in some database is not to let it get there in the first place.

Using one email address for everything

Set up separate email accounts for different purposes. At the very least, have a “junk” account for anything you don't trust entirely, for example for subscribing to “newsletters” and “special offer” notices. If possible, don't enter your real name, date of birth or mobile phone number when creating an account for that.

Participating in surveys, competitions, entering prize draws, or registering product purchases

Essentially, all these are baits in the fishing expedition for your personal data. Many companies use various win-whatever appeals as a way of obtaining customer personal information for their marketing research. No business does anything really for free: if they are offering a prize, it only means that the information they are expecting to collect from the participants will bring them more money than the worth of the prize they are promising.

Too often the purchased products come with a paper form or a link to an online page that you supposedly should fill in in order to “register your warranty”. This is another smoke-screen for obtaining your personal details. Under the Australian Consumer Law, automatic consumer guarantees apply to products and services you buy regardless of anything else the supplier says. If the purchased product can be covered by a warranty, it is covered without any need to “register” anything. To guarantee the quality of the product, the supplier doesn't need to know your name, email address, phone number, where you live, how much you earn, how many children you have, and a tonne of other personal information, as this example of a ridiculously intrusive warranty registration form from Barbeques Galore demonstrates.

Loyalty programs and rewards cards

These are not about rewarding the customers, they are about spying on the customers. These schemes usually offer very little value while collecting huge amounts of customer personal information for data mining. The main objective of any business is to create a profit. So a business will never do or offer anything unless it yields more than it costs. Suppliers are always in search of strategies to sell us more than we need, or to cut corners in production and delivery. Targeted marketing is the most effective tool for that. And, as a result, we are not getting the best goods, only the best marketed goods.

By signing up for a rewards or loyalty card, you share your name, address, gender, age, interests, income range, and other information about your family and household. Then, every time you shop and use that card, you essentially tell the retailer what, when and how much you buy. All that data is collected, analysed, added to your profile, used to predict your next move, shared with other businesses, and sometimes even sold to third parties for even bigger profits. Next time when you are wondering how an ad, packaging design or a “special discount” managed to convince you to buy some rubbish you never needed, don't be surprised: marketers know about you and your behaviour way more than you do. They know how to target you when you are most vulnerable and susceptible.

Memberships, clubs, doctors, dentists

A customer database is one of the most valuable assets of any business or institution. It is used for profit-increasing strategies and is sometimes shared with other companies for money or other benefits. The most unfair aspect in this arrangement is that this information is not only extracted from the customers for free, but the customers are given no choice, and are often charged admin / joining / new customer / new patient fees for that. Shops, clubs, gyms, entertainment venue ticket sellers, doctors, dentists, optometrists — all demand large volumes of personal information without ever explaining why it is necessary. As most of us know, it is impossible to visit a dentist or get a new pair of glasses from an optometrist without being later bombarded with reminders, marketing messages and special offers.

For example, optometrists obtain customer details under the pretext of being “healthcare providers” under the Health Practitioner Regulation National Law (which, by the way, says nothing about personal data collection and usage), and then use that data for marketing and spam. The customers are never given the choice of not being included in the mailing lists, or for their data not to be shared with numerous third parties, including mailing list services, which often are foreign third parties. The only option is to opt out once the spam starts coming. Unfortunately, opting out at that stage doesn't erase personal data from the marketing databases or stop its further disclosure and misuse; it only stops the unwanted communications, sometimes only for a limited time.

Medical establishments have become frequent targets of hacker attacks and honeypots for identity fraudsters: doctors and other medical professionals collect and keep huge volumes of highly personal and private data, yet have no skills or expertise to keep it secure. How many people dare to question why a medical centre is asking for certain personal information and what they are going to do with it? People simply comply and supply. Medical centres often engage other companies to look after their technology needs (which means those companies have access to your health information without being bound by healthcare privacy laws), or use third-party software for managing bookings, medical records and communications. That software is often made overseas and uses cloud facilities located in other countries, which means nobody knows what happens to your data and who has access to it.

Be careful and vigilant every time you are filling in a form, and keep in mind that the company is most likely going to use all this data for marketing purposes and, in the case of medical or semi-medical establishments, pass information about you to government systems, which can share it with other government branches or link it to census and other data. If some information is demanded as “mandatory”, ask why. If there is no satisfactory answer, ask yourself whether you still want the “service” on these terms. Is it really worth the loss of control over your personal information, privacy and safety?

Credit cards, loans, mortgages

Once you have borrowed any funds, your personal information goes into the credit history and is shared with all sorts of third-party companies and credit reporting agencies, which may use and misuse the data as they please. By borrowing money you not only enter financial slavery and enable the lending institutions to make money off the interest you pay, you are also forced to supply a load of your personal information which will be used by other companies to make money off selling or sharing access to it — all without your control or explicit consent. Given the fact that credit reporting agencies like Veda/Equifax can easily navigate their ways around the law, can they be trusted to do a decent job of safeguarding your privacy? It is also worth noting that many credit reporting agencies, such as Equifax and Experian, which receive your personal information from your banks, utility services and phone providers without giving you any choice in the matter, are foreign-owned companies that not only may accumulate, store and share your data overseas, but are also subject to massive hacker attacks, security breaches and data theft.

Money management and budgeting tools offered by banks

Personal online budgeting services and software like NAB's Spending (formerly Money Tracker), St George/Westpac's Budget Planner Calculator, or ANZ's MoneyManager are actively advertised as invaluable services to help the customers take control of their money and develop a better understanding of where they are spending and how much they are saving. Sounds great, but keep in mind that first of all, banks always help themselves.

The online personal finance planners have sophisticated transaction analysis engines for organising and categorising user data. Along with promising their customers to take all of the headache and guess work out of budgeting, tracking money and saving for goals, the banks are able to run rich customer analytics, for example by customer segment for more targeted marketing and to get valuable insights to our customers, for example, to see a comparison of spending patterns to others like them. Customers who use money management tools are providing the bank with a live picture of their financial situation at any point in time. When you use the budget planner or the “what if” scenario analysis option, you are giving your bank the important insights on your future plans. If you would rather keep your plans for your future to yourself, you may want to avoid using these tools. If your bank made it impossible to disable these tools, at least avoid adding more data to them.

By monitoring your financial transactions, banks continuously watch what you are doing, where you are staying, working, holidaying and shopping, what you are choosing and buying, who your insurers, doctors, friends and family are... Your everyday life is monitored and analysed, and that information is being used by the banks and their partners. The only sure way to avoid being watched, analysed, categorised and targeted is to pay in cash whenever possible.

Not shredding

Shred all paper documents before throwing them out. Don't just crumple the paper up or tear it in half! Cut the paper to small pieces across the lines or text, paying special attention to the areas where your personal details are printed. If you have a garden compost bin, it is the best place for the paper shreds. Compost worms can be trusted with your privacy better than any human. :)

Ignoring fine print and privacy policies

They are usually deliberately long and boring, but worth a look. Make a note of who your private information may be disclosed to. The fact that the company you are dealing with promises to protect your information doesn't necessarily mean that the third parties it shares your information with are going to do the same. Don't deal with a company if their privacy policy is vague, or you are not satisfied with its conditions. This also includes government agencies — they are notorious for passing personal information further. For example, Australia Post supplies customer details to the Australian Electoral Commission and the Department of Transport, Australian Medicare passes data to the Immigration Department, the Immigration Department gives it to the Australian Bureau of Statistics, state governments let information brokers sell driver licence, vehicle/property ownership and court information, and so on; and yet each department swears in their privacy policy that your privacy is very important to them.

Travelling to or through certain countries

Countries collecting biometric data from visitors

What was once a procedure reserved for criminals is now becoming a “normal” part of holiday travels. One by one, countries begin demanding that tourists and visitors submit their fingerprints, iris scans or photographs for facial analysis under the same overused pretexts: counter-terrorism and national security. It remains unclear how, by looking at fingerprints, the border security is going to tell who is a potential terrorist and who isn't; yet it is clear that this process harms civil liberties, invades privacy, and creates a serious risk of identity theft, because any leaks from biometric databases could be used by criminals or hostile individuals.

Countries demanding excessive personal information

For example, the US require all visitors to supply their parents' names, all current and past citizenships, details of all past travels, national identity documents ever issued by any country, all present and past email addresses, phone numbers and social media accounts. Travellers are also obliged to supply passwords for any of their mobile devices or accounts to allow all the data to be searched and copied by security forces. The same is demanded from transit travellers who have no intention of leaving the airport! This violates not only the privacy of the travelling individual, but also the privacy of their family, friends and colleagues who ever shared any private messages, pictures or documents with that person. Doctors, lawyers, scientists and business people may be forced to break the law and moral obligations by disclosing sensitive information about their patients, clients, research or business to border agents; and after the Snowden and Manning revelations, every person has solid grounds to distrust the US government's promises or intentions regarding the data. These demands also severely undermine the freedom of speech, which is absolutely essential for a democracy, as people who have to travel to or through such a country will be forced to censor everything they ever publish online. And because the US authorities do not give any explanations as to why entry to the country was denied, any criticism of anything relating to the country can potentially impede the person's movements at any point in life. Unfortunately, the US disregard the much-quoted words of their very own Benjamin Franklin: “Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety.”

If you do not wish to be treated like a criminal and be forced to supply your fingerprints or personal data for a foreign regime to keep and use in any way they see fit, you may want to research the entry or transit requirements of the countries before making your travel plans and instead spend your tourist money in the countries who don't think they are entitled to damage civil liberties and jeopardise personal safety of innocent individuals. Sadly, the choice is steadily narrowing.

Australian border security now use the SmartGate technology, and airport staff are often quite pushy in their attempts to get travellers from “eligible” countries to use SmartGate electronic kiosks rather than being processed by a fellow human. At the moment, unless forcibly herded by the airport employees to the SmartGates, people still have the choice to be processed by a real human officer. However, it may no longer be an option in the future. Presumably, the plan is to first make people get used to machines and get rid of the highly-trained and famously polite Australian border security officers, then say that no system is perfect, SmartGates make errors and facial recognition is not enough, so more biometrics are needed, and under that pretext start collecting fingerprints, iris scans, body parameters, DNA samples, or anything else the authorities may want. If people don't insist on being processed by human staff now, biometrics collection won't stop at facial recognition. There is nothing more intelligent and sophisticated than a trained person who can do more than any machine, such as analysing behaviour and other clues. Using machines has nothing to do with increasing the country's security; it is just another way of harvesting more data.


If you are tired of telemarketing, add your number to the Do Not Call Register. For Australia, visit www.donotcall.gov.au. For other countries, do a search and see if there is an organised way to opt out.


If you are unexpectedly contacted by someone claiming to be an insurance company, a bank, a government agency, a debt collector, no matter what the reason, never give them any of your personal details. You can't be sure who the caller really is. If they are really your insurance company, bank or a government agency, they already have all the necessary information. If they want to “confirm”, “verify” or “make sure everything is correct because they are updating their system”, they are either too dodgy to do the update properly without such verifications, or are scammers trying to steal your identity. The easiest way to check is to call back via an official contact number and ask whether such verification has really been required. Never call back using the phone number the stranger gave you without making sure that number really belongs to the company they claim to work for.

Mission creep

If you notice that a company or institution suddenly needs more personal information than they needed before for the same service saying that they “will be unable to provide you with the service” without that information, demand an explanation. This is common, and is a direct result of unnecessary data harvesting combined with inability to keep the harvested data secure. First they need your full name and address, which quickly leaks out because every Tom, Dick and Harry asked for this data and added it to their flimsy databases, contact lists and apps. So they want your date of birth, to “enable you to be identified securely”; which of course also leaks from social media, email provider snooping, or a database of any entity that has it. Now they want your photo ID details, which will of course eventually be leaked too, because nothing can be kept secure forever, especially if everyone demands to have a copy of your ID and keeps storing that information in their databases even when it is no longer needed. With all personal details leaked, email accounts hacked and phone communication snooped upon, what is next? What will people have to provide for secure identification? Fingerprints? DNA samples? You get the gist.

Low quality of online systems and software

Unfortunately, programmers and IT specialists are not chosen from geniuses and brain elite anymore. Companies are cutting corners and are happy to outsource programming jobs, which means they are getting lower quality for lower cost. They know that everyone is pretty much forced to use online services these days and will have to put up with bugs and errors because too often there is no alternative.

The rapidly growing IT industry also means time pressure — to be quick, to be the first. New websites, online shops, e-government services and internet banking systems are rolled out as quickly as possible, often ditching the thorough testing stage in the software development process. Illogically, companies don't mind spending extra time and money on unnecessary, fancy-looking design features, and would rather cut the costs of proper security and testing. After all, a pretty interface is what gets the majority of new customers in. Once they have signed up, the target is achieved. By the time the customers discover the poor quality and unacceptable level of security of the system, it is too late: their data is already in the system.

Promises of a secure server connection or encrypted data transfer do not guarantee that your data will be securely stored and correctly used once it has passed through that connection. Solemn mentions of a long cipher key, the strongest industry standard encryption technology or military grade security have nothing to do with long-term safety. A system is only as secure as its weakest component; and the vast majority of breaches happen because there are holes and errors in badly tested software, often made by cheap, outsourced software developers, and because of poor security training or negligence of the human staff using that software.


If you are thinking about becoming a small business owner or sole trader, check how Australian Business Register and Australian Securities and Investments Commission work. First, Australian Business Register (ABR) charges people for the registration of a business or a company. Then it charges annual fees, which are basically payments for database record maintenance, which should include secure and safe storage of private and personal information. Nevertheless, ABR is making money off people's personal details twice: once, by charging them for entering the information, and then — by selling that information to other companies and interested parties, stripping people of their privacy.

The free publicly available lookups in the Australian Business Register and the Australian Securities and Investments Commission (ASIC) disclose only limited information about a company or a business name holder. However, for a small fee, anyone can obtain a much more detailed set of data. ASIC sells access to the information to an array of private companies, so-called Information Brokers (SAI Global, Veda, InfoTrack, Tri-Search and others; many of them are international commercial entities). These companies, in turn, are making money on reselling your personal details further, and the data can eventually end up in the hands of spammers and scammers. ABR's privacy policy states: “We may give your personal information to other government agencies, including regulatory and law enforcement bodies and assistance agencies, but only where authorised or required by law to do so.” They don't mention that it will also be sold to whoever is willing to pay for it.

One may argue that business registration is not a private affair in Australia, yet all this unlimited information trading may be very disturbing for small business owners who have no choice other than providing their home address for business registration, which may jeopardise the safety of their families if made publicly available. This whole arrangement discourages small business while benefiting large corporations, which is discriminatory and has a negative impact on the Australian economy.

Australian Bureau of Statistics

Be aware of privacy issues with the ABS census and compulsory household surveys.

Plunging into using new gadgets, websites or online services

In the past, we lived with anticipation and curiosity about the evolution of technology; we wondered what new, interesting and useful discovery would be implemented next. And those new implementations were indeed interesting and useful. Today, the world has changed. For the majority of people, technology evolves too rapidly to follow it with deep understanding. Nearly every day we discover that now we have to do things differently; sometimes we have a choice, sometimes we don't. Too often we are told that now we have to update, move, sign up, create an account or log in in order to be able to do the same things we were doing before (for example, the infamous my.gov.au portal). The changes are always touted as “improvements”, as something faster, more efficient and convenient.

Everything advertised as “one click away” is in fact a profile full of personal data away. People suddenly need to create so many profiles and logins, fill so many online forms, and accept so many “Terms and Conditions” that it is virtually impossible to carefully research, remember and keep track of each one. Usually, the users just tick the ‘accept’ box and submit a load of private information to the service, which will store, analyse, merge, verify, disclose, sell and use the personal information to its advantage in any way it sees profitable. Every bit of personal information we give away means we are tracked, targeted, profiled, and subjected to surveillance for “safety and security reasons”, at the same time increasing the danger of theft of our identity. The database with our data may be misguarded, misused, hacked or leaked, our identity may be forged or stolen, and once the information is passed into someone else's hands, there is no way back.

Freedom, privacy and safety are worth spending some extra time researching the true benefits and drawbacks of a new trinket or service before rushing into using it. Very often, the old trusty cash, cheque or paper form is more secure than all the “new and improved” apps and online frills. It is also very beneficial for one's health to pick up a pen every now and then to exercise the fine motor skills with old-fashioned writing rather than tapping the screen or pushing buttons.

The most effective way of controlling and protecting information about oneself is not to share it in the first place.

“We value your privacy”. Really?

Even if you are dealing with a government agency, it is still wise to read all the fine print, privacy policy, and ask questions. There is no guarantee that one day all the private and sensitive information entrusted by people to what once was a government agency cannot be privatised and sold. Look at CITEC: an organisation given a power to manage shared services for the whole of government, including a major consolidation of Queensland government data centres; an organisation given access to more than 40 government and commercial information sources, including the data in investigative reports, property registers, motor vehicle registers, traffic incident reports, crime incident reports, is not just already making money off the private information people had to provide for free due to the government's requirements, but it is also considered that it could be sold off as part of a revenue drive to bring the economy back into the black.

Nearly every privacy policy document of each organisation starts with the solemn words “we value your privacy”. Unfortunately, too often this value is measured in dollars the organisation can make off the possession, use and sale of your personal information.

Further reading:

ID protection at crisis point, Sydney Morning Herald

The Australian Privacy Foundation is dedicated to protecting the privacy rights of Australians; it aims to focus public attention on emerging issues which pose a threat to freedom and privacy, and to defend the right of individuals to control their personal information and to be free of excessive intrusions

Australian Information Commissioner, a government website dedicated to privacy issues with a special focus on information technology and the Internet

No one likes to see a government folder with his name on it.

Stephen King

Experience should teach us to be most on our guard to protect liberty when the government's purposes are beneficent. Men born to freedom are naturally alert to repel invasion of their liberty by evil-minded rulers. The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding.

Louis D. Brandeis, Lawyer and Associate Justice of the Supreme Court of the United States

The right to be let alone is indeed the beginning of all freedom.

William O. Douglas, Associate Justice of the Supreme Court of the United States

Big Brother in the form of an increasingly powerful government and in an increasingly powerful private sector will pile the records high with reasons why privacy should give way to national security, to law and order ... and the like.

William O. Douglas

A desire for privacy does not imply shameful secrets; without anonymity in discourse, free speech is impossible, and hence also democracy. The right to speak the truth to power does not shield the speaker from the consequences of doing so; only comparable power or anonymity can do that.

Nick Harkaway, novelist and commentator

I don't like to share my personal life... it wouldn't be personal if I shared it.

George Clooney

Privacy is not something that I'm merely entitled to, it's an absolute prerequisite.

Marlon Brando



There is a big difference between a company that DID something to earn its customers' trust, and a company that HASN'T DONE anything [yet/known] to lose the trust of its customers. For example, Apple actively pushes its users to create an Apple ID and backup/sync all personal data to its cloud. It actually takes quite a bit of determination and vigilance to bar the numerous attempts of any iDevice to upload your data to Apple. There are no simple "don't touch any of my information" settings, and there is no option to create an Apple ID without giving them your name and contact details. Apple portray themselves as a defender of its customers' privacy, yet they haven't actually done anything to prove it. Simply popping up a screen saying "Apple believes privacy is a fundamental human right..." proves nothing. Believing is not enough, it's the actions that matter. Speaking of which, Apple quickly ditched its plans for end-to-end encryption when the FBI didn't like it. Had Apple said 'no', stood for its beliefs in the fundamental human rights, and, in an extreme case, moved their operations to a country that aligns with their beliefs, then we would have had grounds to trust Apple's promises. But since Apple only "believes" in human rights, but prefers to have an easy life and cooperate with secret and intelligence services, I will never use their iCloud, backup or syncing, and always try to reduce the amount of personal data I keep on any devices made by Apple. There is just no way of knowing who this data will be shared with. The only personal data I have on my iPhone is contact phone numbers and emails of my friends, family members and colleagues (I never add addresses, photos or birthdays there), but I loved your idea about avoiding using names for my contacts as well. Initials or nicknames are an excellent way to add a bit more privacy even if Apple grabs my contacts and uploads them to its cloud against my wishes.

Anonymous, 27 June 2019

Our family was one of the 500 million victims of the Marriott hack in November 2018. We received a canned apology from them and an ass-covering 'warning' that our private details might have been compromised because we stayed with them a few years prior. We were furious that they kept our data for so long! If they deleted our data after we checked out, it would not have been hacked. But the biggest shock was to discover that they still want visitors' ID upon check-in even after that breach. We said NO and found a place in another hotel. Having just read in the news that Marriott has been hacked again, we are so glad we went to another hotel then. Will never stay with them in the future.

Anonymous, 3 April 2020

We have an appalling situation with covid vaccination bookings in Australia. As if vaccine shortages weren't bad enough, now we are coerced by our own government into creating HotDoc accounts and signing up for third party crap just to be able to book the vaccination. Doctors decline to accept phone bookings and walk-ins, and demand that we book through HotDoc, which is a commercial organisation and should not be permitted to take advantage of this pandemic disaster to become a middleman between the taxpayer-funded government-run vaccination program and the taxpayers!

Anonymous, 7 August 2021

These Australian government and hotdoc online covid vaccination bookings are pure evil. You have to give them a phone number to be able to register. There is no way around it. And because a photo ID is mandatory for mobile phones in Australia, we have a situation that unless you give your ID data to a phone provider first, you can't get a vaccine. Telcos and commercial booking systems like hotdoc are in business, while ordinary Australians are in deep shit with zero privacy.

Chris, 11 August 2021

This is not a coronavirus pandemic. This is a data grab pandemic.
Want to get food? You must have a check-in app, and an email address, and a phone number.
Are you forced to have a phone number? You must give your photo ID to Telstra, Optus, Vodafone, or some other telco. And then wait and watch how all your communications become the property of ASIO spooks.
Are you forced to have an email address? You must give your personal data to Gmail, Hotmail, Yahoo, or some other overseas email provider, and let them read all your private correspondence.
Are you forced to have a check-in app? You must create an Apple or Google account to download it. And then watch how US secret services go through your personal data.
Are you forced to have a covid test? You must give your personal data, and of course you must have a phone number. And then wait and see how your personal data is used to lock you up.
Are you forced to have a covid vaccine? You must book online, enter your personal data, and you must have an email and a phone number. And then watch how your personal data and medical information is sold off by someone like HealthEngine.
Are you vaccinated and now forced to show a proof of vaccination or vaccine passport? You need a Medicare app.
Are you forced to use a Medicare app? You must have an Apple or Google account to download it. And then it must be tied to a mygov account.
Are you forced to have a mygov account? You must enter personal details and provide an email address.
Have you finally got your vaccine passport? Now you have to show your personal details and medical information to every Tom, Dick, and Harry who think they have the right to see it.
And the worst thing: none of this will end even when this pandemic is over. The government will find another excuse why the status quo must remain.

Anonymous, 12 August 2021

One explanation why people are not allowed to test for covid anonymously is that these test samples can be used by the authorities for DNA profiling. It is exactly the same procedure as when police collect DNA samples for criminal investigations. Only with covid it is much more convenient for them, no consent is needed. People are queuing up to provide the samples voluntarily. Nowhere in the paperwork does it guarantee or even mention that your covid test sample will never, under any circumstances, be used for anything else. Anyone who questions this is labelled a conspiracy theorist, sure enough, as if the government has never lied or covered anything up before! Having everyone's DNA data is a dream of governments, insurance companies and financial corporations. Why would they pass on such a perfect opportunity?

Anonymous, 14 August 2021

A brilliant quote from one of the Electronic Frontiers Australia talks:
"Power is enacted for a particular reason, but then it is used in a different context. And we've seen this time and time again with the legislation that gets passed; a lot of it is the legislation since 2001. A global war on terror was declared, and the terror won; just as in the war on drugs, the drugs have pretty much won. What we've got was more terror, but we've also got more responses to that: it became an authoritarian ratchet, where every time the power is given it is never taken away. And the problem is never resolved because it is a war on an abstract noun. You can't win one of those, but it is very convenient for someone who wants to accumulate power."
You can watch the whole video here: EFA Talks: Stepping Stones to Dystopia

Bob, 18 August 2021

We can't be too careful with our privacy, especially in Australia. While everyone is busy surviving this pandemic and vaccine shortages courtesy of the Australian government, the same government pushed through a hideous surveillance bill that shocked the free democratic world. With the new Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021, Australian police and intelligence services can hack your computer or any other devices. They can access, collect, delete, modify and falsify your data, and take over your social media accounts, and all that without a judge's warrant.
Australia became a prison colony once again. Anyone can now potentially be framed for a serious crime by ACIC or AFP. There are no safeguards in the law that can stop them from simply changing your data to suit their agenda. There are no limits, no oversight.
As usual, it was done under the anti terrorism, drugs and child exploitation pretext, nothing new there! But really isn't it about keeping the rich powerful? An arm of government or a multi-billion corporation that is breaking laws, tired of human rights defenders, or inconvenienced by some investigating journalist could get the police to hunt people down using government-sponsored malware, break into and plant things on people's phones, and make all corporate and political problems go away.

Anonymous, 1 September 2021

Mass surveillance is not about the hackneyed terrorists or pedophiles, it is about having control over every single person in the country. Very convenient for the government and for those who line their pockets.

Rick M., 2 September 2021

Does anyone have any doubts that today's Auckland supermarket attack will be used by the New Zealand government for levelling our laws with Australia? The timing of events is unbelievable. A few days ago Australia amends their surveillance laws to a draconian extent, and suddenly New Zealand desperately needs to do the same. The most heartbreaking part is how ordinary people are always at a loss. We already lost almost all privacy to our government's anti-terrorism travesty, and yet we are still getting stabbed when we go shopping!

Anita, Auckland, New Zealand, 3 September 2021

It still seems impossible to get a covid vaccine without online booking, which requires that we provide a unique email address and mobile number that have not been used to register before. My husband and I share one email account that is a paid service hosted in Australia. This means only one of us can get the vaccine. Contacting the government health department was a waste of time. Their response was that we should create another email account on Gmail, Outlook or Yahoo. Which is them basically saying, go and give your personal data and private correspondence to an overseas corporation that will spy on you. This is totally unacceptable! Email address or phone number should not be mandatory for any taxpayer-funded vaccine or service.

Anonymous, 6 September 2021

As Moderna vaccine is coming to Australian pharmacies, stay away from booking through the Pharmacy Guild of Australia sites www.guild.org.au and www.findapharmacy.com.au. According to their policy, they can use your contact details for marketing and promotional spam. It's a pity that some turn the pandemic emergency and desperation into data abuse for profits, which damages people's trust in pharmacies and vaccination program.

Anonymous, 17 September 2021

"Informed consent is a fallacy if the person cannot alter the consent they are giving; or if the consent is locked in a point of time, which allows the consent given today to be used for a different reason later." Electronic Frontiers Australia

H.S., 7 October 2021

It is all about personal data and control, always has been. Thousands of people die every year in Australia because of the fear or reluctance to see a doctor due to privacy concerns. Does the government and the medical system do anything about it? Do they offer an option to get medical help anonymously? Are they decreasing their demands for personal data? Nope! Instead they want to grab more data and share it with every arm of government that wants it. MyHR, MyGov, Medicare, ABS... That's in addition to forcing many patients into booking medical appointments online, through commercial booking systems, which of course are only too eager to grab all the personal data as well.
But...a few hundred people die FROM covid during the whole pandemic (not talking about those who died WITH covid, which the government still counts as covid fatalities), and the powers see it as an opportunity to turn this country into a prison colony, lock everyone in, force to undergo vaccination (which by the way didn't bring back our normal way of life), grab everyone's latest and freshest personal and contact data through travel passes, vaccinations and covid tests, and get DNA sample through covid tests as well. If they were allowing anonymous on-the-spot testing, that would at least be believable that it was done ONLY for medical reasons. But no, they want full name, dob, home address, medicare number, id, email, phone number,... so that they have a full file on each person.

Ole, WA Australia, 6 November 2021

As the attendance tracking apps with QR codes are now mandated by every state and territory, they became a part of the most extensive mass surveillance operation on Australian soil. Yet the laws that protect personal data are weak, vague, inadequate, and in some states non-existent. For example, Queensland still hasn't introduced the laws that would ban unauthorised access to that data. But then, what else can we expect from the state that practises forced hospitalisations of everyone who tests positive?
To have any public trust and cooperation, the whole country must have uniform laws:
The collected personal information must be limited to the minimum necessary for achieving the stated legitimate purpose.
The data collected under the pandemic pretext must never be used for anything else or combined with any other data. No if-s, no but-s. No exceptions for police, ASIO and the rest of that wonderful bunch.
This data must be securely stored in Australia.
All pandemic-related apps and other software must be open source.
This data must be completely and irreversibly deleted once it is no longer needed for the purpose it was collected for, including all data from QR-code check in apps and vaccine status certificates.
All surveillance systems and tools must be dismantled when the state of emergency has been lifted.
The state of emergency must not continue beyond what's absolutely medically necessary.
There must be severe punishments for the governments and their employees for breaching these laws. There also must be severe penalties for employers, business operators and anyone else who abuses any data from covid tests, vaccine certificates or contact tracing apps.
Individuals must have the right to sue for breach of their privacy. Otherwise, the governments will continue to do as they please without any repercussions.
And these have to be legislation/laws, not regulations. Because regulations can be changed by any minister at any time, while legislation changes must go through the parliament, which is the foundation of democracy.

Anonymous, 17 November 2021

Source:  annystudio.com