A Lesson in Data Courtesy
Privacy Commissioner Stephen
Lau asks why we forget our manners on the Net
INTERNET users often seem to regard cyberspace as a
privileged and unregulated zone. When online, they
seem to believe that they are no longer bound by the
same moral standards and social protocol they abide
by offline. No doubt sooner or later sociologists will
be talking about 'cyber rage' (after 'road rage' and
'air rage') to explain bad online behaviour by otherwise
innocuous individuals.
One example of online mischief that has come to light
in Hong Kong recently is the extent of non-compliance
with privacy principles. A survey completed in October
1998 by the Office of the Privacy Commissioner (PCPD)
found that 70 per cent of the Hong Kong-based websites,
from both the public and private sector, that collect
personal data were technically in breach of the Personal
Data (Privacy) Ordinance (the privacy ordinance).
The privacy ordinance requires that data collectors
must state the purpose for which data are collected.
Offline this has led to about 80 per cent of companies
including 'personal information collection' (PIC) statements
on all forms that solicit personal data. These statements
are supposed to inform individuals not only of the purposes
for which the data collected are to be used, but also
to warn of any potential disclosure of the data to third
parties and explain the individuals' right of access to,
and correction of, their personal data.
Online, 70 per cent of the 531 local websites surveyed
had no such statement. The survey also found that only
21 out of the 339 sites which had forms for collecting
personal data displayed a privacy policy statement (PPS)
on their sites. Displaying a PPS on a website is not,
strictly speaking, a statutory requirement, but the
PCPD recommends that organisations make such statements
available online, possibly as a linked page accessible
from their home page and other pages from which personal
data are collected.
Covert Monitoring
The omission of such purpose and policy statements may
seem relatively innocuous, but has to be seen in the
context of the ease with which personal information
(such as an individual's name, company, e-mail address
and buying preferences) can be discovered on the Internet.
Most visitors to websites are unaware of the fact that
their pathways can be covertly tracked. Many websites,
for example, use 'cookies', small files sent from a web
server to a user's computer so that the same computer
can be identified on future visits to the same website.
Their ostensible purpose is innocent in
that they enable you to revisit the site without having
to register each time, but often site visitors are unaware
that cookies have been downloaded, and that they can
track their pathway through the site.
Similarly, Internet Service Providers (ISPs) are able
to record so-called 'clicktrail' data. Initially used
for troubleshooting and system maintenance, the 'clicktrail'
preserves all the links that a user has followed in
negotiating websites. The fear with all these forms
of covert monitoring is that the information could be
used for purposes other than those for which it was
collected: it is not hard to imagine the use direct
marketing would have for such information.
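The two paragraphs above describe the mechanism in words: a server hands the browser a cookie, the browser returns it on every later request, and the server can therefore join those requests into a single visitor's pathway. The following added example (not code from the article or from the PCPD) models that exchange in Python so the record it produces is visible. The cookie name `visitor_id`, the `TrackingSite` class and the `simulate_visit` browser model are all constructed for illustration; `cookies_set_by` shows the one thing a visitor or auditor can actually observe, namely which cookies a response asks the browser to store.

```python
import secrets
from collections import defaultdict
from http.cookies import SimpleCookie

# Assumed cookie name; a real site may choose any name it likes.
COOKIE_NAME = "visitor_id"


class TrackingSite:
    """Constructed model of a web server that tags each browser with a
    cookie and records, under that tag, every path the browser requests."""

    def __init__(self):
        # visitor id -> ordered list of paths requested (the 'pathway')
        self.trails = defaultdict(list)

    def handle(self, path, request_headers):
        """Serve one request. Returns (response_headers, visitor_id).

        On a first visit a fresh identifier is issued via Set-Cookie; on
        later visits the identifier the browser sends back is reused."""
        jar = SimpleCookie(request_headers.get("Cookie", ""))
        response_headers = {}
        if COOKIE_NAME in jar:
            visitor_id = jar[COOKIE_NAME].value
        else:
            visitor_id = secrets.token_hex(8)
            cookie = SimpleCookie()
            cookie[COOKIE_NAME] = visitor_id
            cookie[COOKIE_NAME]["path"] = "/"
            # header="" leaves just the attribute string for the header value
            response_headers["Set-Cookie"] = cookie.output(header="").strip()
        self.trails[visitor_id].append(path)
        return response_headers, visitor_id


def cookies_set_by(response_headers):
    """What the visitor's side can inspect: names of cookies a response
    asks the browser to store (empty if the response sets none)."""
    raw = response_headers.get("Set-Cookie")
    if not raw:
        return []
    return sorted(SimpleCookie(raw).keys())


def simulate_visit(site, paths):
    """Model a browser that stores the cookie it is given and echoes it back
    on every subsequent request. Returns the identifier the site assigned."""
    browser_cookie = None
    visitor_id = None
    for path in paths:
        request = {}
        if browser_cookie:
            request["Cookie"] = browser_cookie
        response, visitor_id = site.handle(path, request)
        if "Set-Cookie" in response:
            jar = SimpleCookie(response["Set-Cookie"])
            browser_cookie = f"{COOKIE_NAME}={jar[COOKIE_NAME].value}"
    return visitor_id


if __name__ == "__main__":
    site = TrackingSite()
    vid = simulate_visit(site, ["/", "/jobs", "/jobs/apply"])
    print("visitor", vid, "pathway:", site.trails[vid])
```

The visitor registers nowhere, yet after three requests the server holds an ordered list of the pages that one computer viewed. That list is the 'pathway' the article refers to, and the purpose statement the ordinance requires is what tells the visitor whether such a record is kept and what it will be used for.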
Privacy Commissioner Stephen Lau stresses that his
purpose in commissioning the PCPD survey was to get an
idea of the extent of the problem. 'No-one has done
this before. The survey was done to provide statistical
information relating to how Hong Kong-based websites
involved in the collection and use of personal data
comply with the law. The results show that compliance
is not good.'
The survey also looked at websites' standards of security in the collection and disclosure of personal information. Of the 248 sites which were found to provide facilities for online transmission of personal data collection forms, only 26 sites (10.5 per cent) provided encryption for the transmission of such data. The survey also found that some websites allowed easy and uncontrolled access by anyone who surfs the Internet to individuals' personal data displayed at the websites, for example detailed resumes of job seekers held by some employment agencies.
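Two of the findings above (forms that transmit personal data without encryption, and pages with no privacy statement link) are things a site operator can check for on their own pages before a regulator does. The added example below is not the PCPD's survey tool and is not from the article; it is a small Python audit that parses a page, resolves each form's submit target against the page URL and flags any target that is not `https`, and notes whether the page links to a privacy statement. The sample page, its `example-agency.invalid` hostname and the rule that a link counts as a privacy statement when 'privacy' appears in its text or href are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAudit(HTMLParser):
    """Collect each form's absolute submit URL and whether the page links
    to a privacy statement (constructed example, not the PCPD's tool)."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []              # absolute action URLs, in page order
        self.privacy_link = False
        self._in_anchor = False
        self._anchor_text = ""

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A form with no action submits back to the page it is on.
            self.forms.append(urljoin(self.page_url, attrs.get("action") or ""))
        elif tag == "a":
            self._in_anchor = True
            self._anchor_text = ""
            if "privacy" in (attrs.get("href") or "").lower():
                self.privacy_link = True

    def handle_data(self, data):
        if self._in_anchor:
            self._anchor_text += data

    def handle_endtag(self, tag):
        if tag == "a":
            if "privacy" in self._anchor_text.lower():
                self.privacy_link = True
            self._in_anchor = False


def audit_page(page_url, html):
    """Return the form count, the forms whose submit target is not https,
    and whether a privacy statement is linked from the page."""
    parser = FormAudit(page_url)
    parser.feed(html)
    parser.close()
    unencrypted = [u for u in parser.forms if urlsplit(u).scheme != "https"]
    return {
        "forms": len(parser.forms),
        "unencrypted_forms": unencrypted,
        "privacy_statement_linked": parser.privacy_link,
    }


# Constructed sample: an employment agency page with a resume form posting
# over plain http, a login form posting over https, and no privacy link.
SAMPLE_URL = "http://www.example-agency.invalid/apply.html"
SAMPLE_HTML = """
<html><body>
<h1>Submit your resume</h1>
<form action="/cgi-bin/apply" method="post">
  <input name="name"><input name="email"><textarea name="resume"></textarea>
</form>
<form action="https://secure.example-agency.invalid/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<a href="/about.html">About us</a>
</body></html>
"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_URL, SAMPLE_HTML))
```

Run against the sample, the audit reports two forms, one of them (`/cgi-bin/apply`, the one carrying the resume) submitting over unencrypted http, and no privacy statement link; pointing that form at an https endpoint and adding a link to the PPS clears both findings. The check is deliberately simple: it tells you where personal data leave the browser in the clear, which is the question the survey's 10.5 per cent figure answers for Hong Kong sites as a whole.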
'On some sites anyone can go in and look at personal data, which is not very good from a security point of view,' Lau says. 'We have been working now for two years promoting the new privacy law, so the message generally is out there. Somehow in cyberspace it seems to be different. Maybe the people involved are more technology-oriented and haven't paid that much attention to privacy issues, but I don't think it's a conscious decision to break the law.' He adds that the PCPD will contact all the surveyed websites which are in breach of the privacy ordinance to familiarise them with the application of data use principles to the Internet.
'My principle is that whatever is illegal offline should be illegal online,' says Lau. His message is that data users collecting personal information online have to abide by the same data protection principles as data users have offline. These principles are in fact designed to be technology neutral, so as to be applicable to all forms of data collection and use. 'If the law were too specific, it could not keep pace with technological developments. If you look at our law on data protection, it is technology neutral: it was written in such a way that the data protection principles are very generic,' Lau says.
