In 2022, ÌÇÐÄVlog reported that Kmart, along with Bunnings and The Good Guys were capturing the biometric data, or unique facial features known as a ‘face print’, of customers entering their stores. 

Our investigation prompted the Office of the Australian Information Commissioner (OAIC) to launch a probe into whether privacy laws had been breached with the Facial Recognition Technology (FRT).

In 2024, Privacy Commissioner Carly Kind found that Bunnings had breached the law and today an announcement was made that Kmart had done so too. 

Kmart sought to justify its use of FRT in stores between June 2020 and July 2022 as a measure to prevent refund fraud. However, the Commissioner said Kmart did not seek customer consent to collect biometric information and its collection was not proportional, as there were other means available to address refund fraud. 

“I do not consider that the respondent (Kmart) could have reasonably believed that the benefits of the FRT system in addressing refund fraud proportionately outweighed the impact on individuals’ privacy,” Kind says. 

No penalty 

OAIC did not seek a financial penalty against Kmart in this case, similar to the case with Bunnings last year. 

In a statement a Kmart spokesperson says they are “disappointed” with the ruling and are reviewing options to appeal the determination. 

“Like most other retailers, Kmart is experiencing escalating incidents of theft in stores which are often accompanied by anti-social behaviour or acts of violence against team members and customers,” the spokesperson says. 

Commissioner Kind says that despite the two rulings against Bunnings and now Kmart, FRT was not ‘banned’ in Australia. 

“The human rights to safety and privacy are not mutually exclusive; rather, both must be preserved, upheld and promoted. Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies. However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act,” she stated.

The post Kmart’s facial recognition technology broke the law, commissioner rules appeared first on ÌÇÐÄVlog.

Like many aspects of modern life, driving a vehicle isn’t what it used to be. 

And while few Australians would want to go back to balancing a book of maps on their lap at the traffic lights, the digital age increasingly comes with a catch. These days, the extent to which cars collect and use data gathered on their drivers would come as a surprise to many. 

In February, ÌÇÐÄVlog wrote about a Queensland man’s battle with Toyota after a dealership refused to give him a full refund for a vehicle he never picked up. He had serious concerns about data privacy and the tracking features he wasn’t told about at the point of purchase. 

After we published that story we received an avalanche of correspondence from ÌÇÐÄVlog readers wanting to know about the policies of various car brands when it comes to collecting, using and sharing driver data and biometric information. 

We wrote to the makers of the ten most popular car brands in Australia and asked detailed questions about the data they collect, what they do with it and whether they allow consumers to opt-in or -out of their connected features. 

Collecting your data 

Seven of the most popular brands collect some level of driving data through a connected services feature and send that data back to the company. 

The three brands that don’t currently have connected services features enabled on vehicles sold into the Australian market are Mitsubishi, Subaru and Isuzu Ute. 

Australia’s biggest car brand, Toyota, says it collects vehicle location data and what it calls ‘”Drive Pulse” data, which scores a driver’s acceleration, braking and cornering behaviour during each trip. This data is then shared with Toyota, “related companies”, and third-party service providers engaged by Toyota. 

Ford also collects and shares driver data with third parties, such as related companies and contractors, though it says it doesn’t “sell data to brokers” . 

MG says it collects and shares data with a range of “service providers”, but says it doesn’t share with third parties “other than to provide functionality”. We considered that clause vague and MG refused to respond to our repeated requests for clarification.   

Mazda says it collects “voice consumption” data and shares it with service providers and undisclosed third parties, but did not respond to our requests for clarification as to what this meant. It also shares data with third parties for advertising purposes

Voice and biometric data

Even more concerning than the tracking and sharing of your driving data are the number of brands that collect your voice recognition data and share that information with third parties. 

Voice recognition, like facial recognition, is considered biometric information as it’s uniquely identifiable to individual people. 

This means it is considered to be “sensitive data” under privacy law, and it’s meant to have an enhanced level of consumer protection and consent before it can be gathered and shared. 

Kia says it collects data from your use of voice recognition technology and that the company “shares data on an aggregate and on identifying basis (sic) with Cerence, our third-party provider of automotive voice and AI innovation products”. 

Cerence, a US-based company, says it is a “global industry leader” in AI-powered interactions across transportation.

Hyundai, which has the same parent company as Kia, also shares voice recognition data with Cerence.

Tesla gathers voice command data as well as “short video clips and images” captured from the camera onboard the vehicle. The company also shares some data with third parties and Tesla’s privacy policy assures drivers that the data is subject to “privacy preserving techniques” that are “not linked to your identity or account”, but doesn’t explain what those are. 

“De-identified” data

Dr Vanessa Teague from the Australian National University’s College of Engineering, Computing and Cybernetics says these companies’ assurances that biometric information can somehow be shared in a de-identified manner is “complete baloney”. 

“The idea that you can de-identify an image, or a voice is de-identified, it’s nonsense,” she says. 

“What these car companies are doing is totally unacceptable. It should be illegal. These practices are good evidence that we need the Privacy Act updated or the Privacy Act enforced, because none of this should be acceptable in our country,” Teague adds. 

Consumers concerned 

Given the number of companies engaging in intrusive data collecting and sharing, it’s little wonder that drivers are becoming concerned. 

A nationally representative ÌÇÐÄVlog survey conducted in June 2024 of more than 1000 consumers found almost three in four respondents disagree or strongly disagree with video or audio recordings from inside the car being collected by the car company. 

While support for car companies collecting safety data (such as seatbelt use) was stronger at 39%, only 30% said they supported the collection of driving data such as braking behaviour and speed. Just over one in five respondents said they neither agreed nor disagreed with the collection of driving data. 

Giving the option to opt-out isn’t enough

All car companies with connected features who responded to us said they offer customers an opt-out function. But drivers are often opted-in automatically when buying the car or downloading the car’s app, and would then need to read long and indecipherable privacy policies to know what they have agreed to. 

While customers may be able to “deactivate” their connected features, those wanting to remove the connected features devices altogether may find they can’t. In some cases, removing the connected features disables other functions of the vehicle, such as maps and weather. In Toyota’s case, customers may void part of their warranty by totally removing the data communications module. 

Teague says there is a lot of “deliberate deceit” when it comes to car companies and connected features and she questions how many consumers would agree to the terms and conditions of their vehicles if they understood them. 

“Opt-out is not the answer; you should have to opt-in to some of these features if you want them. Many of these other features should simply be illegal,” she says. 

Protecting the data 

Ibrahim Khalil, professor of cloud systems and security at RMIT University, says it is concerning that raw data from Australian drivers is being transferred to car companies overseas and to the AI machine-learning companies they’re partnered with. 

“You can use AI systems within the car to build the learning model off the driving data, and then transfer the model,” he says. “You don’t need to transfer the raw data. If you transfer the raw data, then of course, you expose everything.”

“Europeans wouldn’t accept this, [but] here in Australia we don’t make a fuss, we don’t talk about it, we don’t complain about anything when it comes to privacy,” Khalil adds. 

Reforming the Privacy Act 

ÌÇÐÄVlog senior campaigns and policy adviser Rafi Alam says privacy laws are woefully out of date and not fit for purpose in a market where cars are fitted with biometric scanners and driving data is mass-collected.

“At the moment, businesses are able to write their own rules through their privacy policies. As long as a customer ‘consents’ in a way the seller decides is sufficient, the business can mostly do what it pleases with our data,” he says.

Alam says the government’s most recent amendments to the Privacy Act, introduced to parliament in September, don’t go far enough to protect drivers from over-reach by car companies. 

“Change needs to come from the top. At a minimum, the federal government must implement a fair-and-reasonable-use test to legally require businesses to only collect and use our data in line with customer’s expectations,” he says. 

“We are urging the government to ensure this obligation is included in the second phase of amendments to the Act,” Alam adds. 

UPDATE 16/10/24: 

Following publication of this article, MG and Tesla, who both initially declined to comment, provided the following statements to ÌÇÐÄVlog. A spokesperson for MG says, “No data is shared with insurance companies or advertising agencies. The only reason that customer data is shared with third parties is where it is being used to deliver services or functionality to the owner or user of the vehicle.”

Tesla clarified that its vehicles don’t collect audio voice recordings, only the processed transcription of the voice command, known as voice command data.” At Tesla, we’re committed to protecting our customers anytime they get behind the wheel of a Tesla vehicle. That commitment extends to customer data privacy. Our privacy protections aim to go beyond industry standards, ensuring personal data is never sold, tracked or shared without permission or knowledge,” says Thom Drew, country director of Tesla Australia and New Zealand.

The post Drive one of these car brands? This is how much of your data they’re tracking appeared first on ÌÇÐÄVlog.

How many words are behind the little ‘I accept’ box on that website’s privacy policy? And how many minutes would it take to tweak your privacy settings on every app and website you use?

A new report from the Consumer Policy Research Centre (CPRC) has assessed the time it takes to control your privacy. They found that, on average, Australians would have to spend 30 minutes each day adjusting privacy settings on websites and apps instead of accepting the default settings. 

In addition, it would take an average of 14 hours to read through all the privacy policies encountered in one day.

Australia vs Europe

To contrast the privacy environment in different jurisdictions, the report looked at the experience of eight Australians and one European to measure the privacy policies and settings encountered in a 24-hour period. Participants timed how long it took them to find and change the privacy settings on each website or app they used.

The Australian participants recorded that it took an average of two minutes for each unique website or app, with some platforms taking up to ten minutes. While the European participant spent an average of only three seconds managing their privacy settings.

“EU protections and privacy are far stronger than here in Australia,” says Chandni Gupta, deputy CEO and digital policy director of the CPRC.

Navigating privacy settings

The Australian participants said that in 45% of their interactions it was difficult to manage their privacy settings. The hardest platforms to manage were health, wellbeing and lifestyle apps, with users finding these either difficult or very difficult 80% of the time.

“It’s really hard to find where particular privacy managing screens are,” says Gupta. 

This can be because of so-called ‘deceptive design’ features and trick questions that made participants unsure about what data they’re sharing.

Deceptive designs are features such as pre-ticked boxes, smaller font sizes or trick questions intended to steer users into clicking and agreeing to things they might otherwise not. 

Participants found that 37% of websites and apps had no option to adjust their privacy settings at all.

The study also measured the length of each privacy policy encountered in the 24-hour period. The average word count was 13,323, which would take about 56 minutes to read.

The longest privacy policy found in the study was Microsoft’s, which runs to over 90,000 words – the length of an average novel.

Do we have options?

Often a company’s privacy policy or terms and conditions require you to accept in order to access their product or service. “Our privacy protections are built on notification and consent and very much on a take it or leave it approach,” says Gupta

Consequently, Australians don’t feel they have control over their personal data. A previous report from the CPRC found that only 7% of people feel companies give them real choices to protect their privacy online.

What needs to change?

There’s a mismatch between community expectations and what privacy policies are providing, says Gupta.

“The mental load is currently on you as an individual to navigate your privacy and to stay safe, as opposed to that accountability being on businesses who are profiting from that data.”

The CPRC is calling for a number of privacy reforms to account for “consumer burden”. These include adopting a “fair and reasonable approach to data collection”. This would require companies to be accountable for what they’re collecting, sharing, and selling.

They are also calling for “genuine privacy by default” so consumers no longer have to opt-out of harmful practices, and to empower the regulator to ban or restrict them.

The federal government is currently deliberating on reforms to the Privacy Act, with a bill expected to be introduced into parliament later this year. ÌÇÐÄVlog senior campaigns and policy advisor Rafi Alam says privacy reform in Australia is long overdue. 

“It’s unacceptable that people in this country have to jump through hoops to get the slightest control over their own personal information, and even then are still vulnerable to data breaches, price discrimination, and manipulative marketing. Consumers shouldn’t be forced to consent to their own privacy harms,” says Alam. 

“Fortunately, the government has committed to big changes to our privacy laws that can reset the power balance between businesses and consumers, and modernise Australia’s data economy to reach the standards being set overseas.”

The post Who has 14 hours to read privacy policies? appeared first on ÌÇÐÄVlog.

On this page:

• The data you robot vacuum could be collecting on you
• Is any data shared with third parties?
• How to protect your data when using a robot vacuum

Scooting around our homes, sucking up dust and debris, robot vacs can make an attractive addition to our household cleaning arsenal.

ÌÇÐÄVlog has been regularly testing robot vacuums for 12 years and in that time they’ve become smarter and packed with more features.

“Robot vacuum mapping, obstacle avoidance and general app features have gotten much more advanced [and] give the user much more control,” explains ÌÇÐÄVlog robot vacuum tester Adrian Lini.

“These features can be pretty useful and give the user much more customisability, but they also require the user to give away more information about themselves and their home in order to work to their full potential.”

So what details could your robot vacuum be collecting on you?

We’ve looked at some of the latest (and smartest) robot vacuums on the market, from brands such as iRobot, Ecovacs and Dreame, to find out.

The data you robot vacuum could be collecting on you

Maps of your home

All but one of the 12 robot vacuums we looked at in our latest review create maps of the spaces where they’re used, with some promising to “learn your home” and prioritise the dirtiest rooms.

Lini says live mapping is one of the most useful features robot vacuums offer users.

“It allows the robot to know the most efficient way to clean the space and also lets the user schedule which rooms should be cleaned and when, without having to physically put the robot there,” he explains.

“It will also show the user how the space has been cleaned and if any parts have been missed.”

Some of the smartest robo vacs create sophisticated 3D diagrams of household spaces, which you can view via a connected app on your smartphone.

Robot vacuum companies say allowing their products to map your home lets them identify the areas they’ve already cleaned and perform more efficiently.

Where does the data go?

If the thought of someone having access to a detailed floor plan of your home bothers you, it’s worth knowing how this information is stored.

Some brands such as Arlec and Roborock tell us that maps of customer homes are kept on the robot itself and not uploaded elsewhere.

Others say mapping information is sent to a secure server, especially if users request to view it in the device’s relevant app.

Household objects

Several of the models we looked at in our latest test also claim to be able to use cameras and AI to identify and recognise the objects in your home.

Lini says this function helps ensure a vacuum will cover all the space it needs to clean.

“Sometimes a robot will miss a whole area because it believes it was blocked off when really it was a small item that could have been pushed out of the way or driven over,” he notes.

Some manufacturers even say their devices are specially trained to be able to identify your pets and be more careful around them and any mess they leave.

ÌÇÐÄVlog tip: We test robot vacuums on how good they are at removing pet hair. Check our reviews to see how different models compare.

Most of the obstacles a robot vacuum will likely be identifying are everyday items such as furniture, although some brands claim their models are able to recognise over 100 different objects. 

As handy as it claims to be, this feature hasn’t come without controversy. In 2020, intimate images taken by robot vacuums of people in their homes (even using the toilet) were posted online, .

The publication reports that the pictures were shared by workers who had been tasked by the vacuum manufacturer with identifying household objects the vacuum saw, in order to train its recognition system.

The manufacturer, iRobot, told MIT Technology Review the images were captured by models that were in development and not available to consumers and the people whose homes they were in knew the vacuums were sending video data to the company.

Where does the data go?

So could your robot vacuum be sharing images of your home with strangers? It depends on what it sees.

When we questioned brands whose products claim to be able to recognise household items, some said these pictures are automatically deleted after the vacuum itself has identified what it is.

Others said images are stored on a cloud server if a user requests to view them on the vacuum’s connected app.

Different processes can emerge, however, if your robot encounters something it doesn’t recognise.

For example, in a policy outlining the privacy practices of its robot vacuums, Ecovacs explains that if a vac comes across something it can’t identify, it will take a photo and ask the user if they consent to the image being shared with the company for further investigation.

If permission is granted and the company’s AI is also unable to recognise the object, the image will then be shared with and viewed by employees of Ecovacs’ China-based affiliates.

Ecovacs didn’t respond to our request for comment, but it’s worth noting that its privacy policy also clarifies that its devices work to “eliminate the possibility” of identifying a person in images by blurring areas where it detects the shape of a human body.

Live video and app information

Some newer robot vacuum models allow users to remotely access the appliance’s camera via an app so they can monitor their home from the device’s point of view as it carries out its cleaning duties.

Dreame, one brand with models that do this, told us the camera doesn’t capture and store any photos or videos when this function is being used unless users decide to save footage themselves while viewing it on their phone. In this case, photos and videos will be stored on a cloud server.

Finally, it’s also worth noting that the aforementioned apps are becoming integral to owning and operating a robot vacuum.

While these new access avenues are a boon for usability and efficiency, they also gather their fair share of data.

For example, the apps attached to many of the robot vacuums we’ve looked at record not just the personal and contact details you’ll need to give over to set up an account, but also location information and your activity on the app.

Is any data shared with third parties?

As mentioned previously, problems with a robot vacuums’ image recognition function may lead to images of your home being shared with individuals and organisations outside of you and the vacuum’s manufacturer.

In day-to-day functioning as well, some robot vacuums will share information with third parties.

Dreame, for example, says it may share user data with separate entities for storage or to carry out services for customers, such as delivering its products.

Others say they only share data to improve “device functioning and customer support” and not for advertising or marketing. Others told us they don’t share any consumer information at all, while some companies didn’t respond to our queries.

How to protect your data when using a robot vacuum

Option 1: Choose a model that isn’t ‘smart’

First up, if you’re concerned about privacy, consider getting a robot vacuum that doesn’t connect to the internet, and has no app or smart features such as mapping and AI object recognition.

But be aware of their downsides: “Robots with no mapping may clean randomly and miss large areas,” Lini explains.

“They also don’t tell the user where they’ve cleaned, meaning you’ll have to guess, and some also have no way of knowing when they’ve covered the whole area, so will clean for much longer than necessary.”

Option 2: Buy a smart model, but take precautions

Lini says anyone wanting to use and get the most out of a smarter model will have to provide information about themselves and their home in return.

“The more complex and specific the job, the more privacy you need to be willing to lose,” he says.

“At the end of the day, these are products that clean your home for you – they’re going to know quite a lot about you if you want to use all the features.”

But if you are concerned about the privacy issues associated with buying a robot vacuum, there are some strategies you can adopt to limit your risk:

• Look for a model that allows you to set “no go” areas or virtual walls in your home – these can be configured to keep it out of sensitive areas.
• Pay close attention to any information about privacy that comes with the product, or look up the manufacturer’s privacy policy online.
• When setting up the robot vacuum and app, be aware of any requests for consent to share information or to opt-in to similar processes.
• Know that saving or viewing mapping information, photos or videos recorded by your vacuum on its app could also mean that data is being uploaded to an external server.

“The type of information generated by robot vacuums is highly valuable,” says ÌÇÐÄVlog consumer data advocate Rafi Alam. 

“People should be wary of agreeing to anything that lets businesses have free reign over their personal data.”

If you’re prompted to share images taken by your vacuum to aid in object recognition, Alam advises considering what’s featured in the image and the privacy practices of the vacuum company.

“It’s important to be aware of the risks when sharing images with the manufacturer, especially when these images may be shared with third parties,” he explains.

“Robot vacuums might be operating discreetly in very intimate places in our home, and once that data is collected and shared it may be vulnerable to privacy breaches.”

The post What your robot vacuum knows about you appeared first on ÌÇÐÄVlog.

Spotify Wrapped tells users their top artists, genres, how they compare to other listeners globally, and in 2023 it even assigned listeners a personality profile based on their listening habits.

With over 600 million users, the world’s most popular music streaming app collects data from, and monetises its customers in number of ways. But apart from our listening habits, what else does Spotify know about us? And besides creating slick graphics so users can publicly share their music taste and habits, what does it do with that data?

What data is collected by Spotify?

Marc Cheong is a senior lecturer in information systems and Xanthe Lowe-Brown is a PhD candidate in human-computer interaction, both at the University of Melbourne. They say Spotify’s privacy policy and terms of service took them about one-and-a-half hours to read and understand. 

Spotify’s privacy policy has a non-exhaustive list of the data it collects. Some of this is basic information collected during the creation of your account like your email address and billing information. 

But it also lists a wide range of ‘usage data’ that it collects. This includes streaming history, search queries, and your entire music library. Importantly the information it collects is not limited to what it mentions in its privacy policy, giving Spotify a broad scope for what data it can gather and keep in its systems.

Lowe-Brown says that the streaming platform is collecting more data than people know. This includes your phone’s sensor data, which is information about “the way you move or hold your device”, voice data (when you use voice controls), information about other devices on your Wi-Fi connection that can connect to Spotify, and data about what music you listen to, which she says can be used to infer your personality traits and emotional state. Cheong says these data points set it apart from other data collection companies like social media platforms.

Spotify’s privacy policy mentions that voice data is collected “if voice features are available in your market”. According to its voice control policy – or lack thereof – this feature is currently not available in the Australian market.

Collecting more intimate information

In 2021 Spotify received a controversial patent to collect data on users’ emotional state, gender, age, accent, and environment based on an audio input. At the time Spotify told Pitchfork, “Spotify has never implemented the technology described in the patent in any of our products and we have no plans to do so”.

The patent is still active, but it is unclear if Spotify is currently using it. ÌÇÐÄVlog contacted Spotify to ask and the company declined to comment.

How does Spotify use AI?

Not mentioned by Spotify in either its privacy policy or terms of service is its use of AI technology. But the company uses AI in a number of ways. Personalised playlists, Spotify Wrapped, and recommendations are all powered by AI. Spotify says it processes “half a trillion events” like searches, listens or likes, all of which power its machine learning algorithm.

“The fact that Spotify is not transparent or upfront about that type of data collection and how it’s used is probably quite problematic from the consumer’s point of view, says ÌÇÐÄVlog consumer data advocate, Kate Bower.

How is Spotify getting your data?

Experts say that Spotify is not just getting data from its platform. Spotify can also collect data from companies it absorbs, like music data company The Echo Nest which it acquired in 2014. 

Fabio Morreale, a senior lecturer in music at the University of Auckland, says The Echo Nest had a music recommendation dataset that it scraped from blogs, websites, and social media like Reddit. That means that Spotify now has data originally collected by The Echo Nest on people who are not Spotify users.

Spotify also receives “inferences from certain advertising or marketing partners”. It says this allows it to deliver more relevant ads and marketing. 

Third party applications, services, or devices that are connected to your Spotify account can also send information to Spotify. This includes social media, smart watches, cars, and mobile phones. Spotify’s privacy information on Apple’s App Store mentions that it may collect your health and fitness information.

What does Spotify use your data for?

Spotify lists 16 different ways it processes and uses your personal data. These range from “personalised recommendation algorithms” to “marketing, promotion and advertising purposes” and “to conduct research and surveys”.

Spotify’s partner organisations may also combine the personal data that it shares, which can be used to build a more complete user profile. Spotify markets this to customers as driving a powerful recommendation algorithm that creates “the best overall user experience”.

“As you engage with Spotify, actions such as searching, listening, skipping, or saving to your library influence our interpretation of your taste. We call this your ‘taste profile’,” the streaming platform says.

Spotify also says that recommendations are based on your location, language, age, and who you follow.

Spotify Wrapped helps market Spotify’s data collection as a desirable feature of the service. “Wrapped or it didn’t happen” was the slogan for 2023’s Wrapped campaign. This encourages people to allow Spotify to collect their listening data, and even increase their use of the service, says Lowe-Brown.

Other reasons that Spotify collects data include “to fulfil contractual obligations with third parties”, whereby they may provide users’ “pseudonymised” listening data. Your data is also used to conduct research, which Spotify justifies as being motivated by a legitimate interest in understanding “more about how users think about and use the Spotify service”.

But perhaps Spotify’s biggest interest in your data is for advertising.

Spotify ad targeting is shockingly specific

Spotify’s ad studio boasts “advanced targeting options” that can reach specific audiences based on a huge array of demographics and categories. 

General demographics

To start, advertisers using Spotify can target you based on your age, gender, language, the platform you access Spotify from, and your location. Location targeting can be as broad as your country, or as narrow as your postcode. Currently only advertisers within Australia can target Australia and its regions.

Interests

You can also be targeted based on your interests. For example, if you listen to podcasts about books or literature, you will probably be a part of the “books” interest category. It’s not just what you listen to that decides your interest category though. If you listen to Spotify on a gaming console, you’ll probably end up in the “gaming” interest category.

Emotions and activities

Spotify also identifies playlists associated with specific activities and emotional states like cooking, working out, or “chill” so that advertisers can reach audiences based on “real-time context targeting”.

The value of targeting

Bower says Spotify’s ability to segment its audience into groups can be very attractive to advertisers and marketers. “Even though it seems pretty benign it’s actually an incredibly valuable asset in terms of the data that they can then sell.”

Spotify says it has over 615 million users, 239 million of whom pay for the service. The remaining 376 million are on an ad-supported tier. But just because you pay for Spotify, it doesn’t mean the platform can’t advertise to you. 

Lowe-Brown says that because Spotify shares data that it has collected with its partners, that data might allow you to be targeted on other platforms that Spotify has shared your data with. 

You can also still get ads as a paid subscriber when you listen to podcasts. In 2020 Spotify launched “Streaming Ad Insertion” which brings targeted advertising into podcasts for all listeners.

Does Spotify control what you listen to?

Morreale says it is extremely likely that users are getting their music suggestions from Spotify rather than other sources. 

He adds that by being exposed to music recommendations from just one provider, people’s listening preferences and habits end up being shaped by how streaming services perceive users, “rather than our digital identity being closer to us”.

The risk is that users’ taste is homogenised by categorising people into predefined listener categories, and Morreale says that Spotify might have a financial interest in doing this because it allows them to help advertisers target users more effectively.

Can you take control of your data on Spotify?

Spotify has settings that allow you to opt out of targeted advertising, and to stop Spotify from processing your Facebook data. You can do this easily using the privacy settings on their website. 

You can also access a private mode which hides what you are listening to from your followers. Although it’s important to note that this does not hide anything from Spotify –  the platform records what you listen to whether you’re in private mode or not.

You can also download your Spotify data, including account data, extended streaming history, and technical log information. We did this and received over 150 separate files that detail every aspect of our interactions with Spotify

Requesting for your Spotify data to be deleted

Spotify’s privacy policy says, “to request erasure of your personal data from Spotify, follow the steps on our support page”. This has a link that redirects to a page titled “Closing your account and deleting your data”. Deleting your account appears to be the only way to truly take control of your data on Spotify.

However, when it comes to wiping your streaming history or listening habits, the privacy policy states that Spotify has the option to de-identify your data rather than delete it. Cheong says previous research has shown that de-identified data can still be used by companies to “build a shadow profile of you” which can be matched with other data.

Spotify also does not have to delete your data if its interest overrides your own. It says this could be the case in instances where it needs to protect itself from fraud or if there is a legal obligation to retain your data. Spotify also says it may keep your data if “it’s still necessary to process the data for the purpose we collected it for”. Bower says this means users likely don’t have any right to deletion, and Spotify can choose to keep whatever data they want.

Protecting your data

Bower says it’s worth remembering that Spotify is not just a music streaming service, but also a data and AI product. Its data practices are part of its service. “If you are uncomfortable with that, your only option is not to use Spotify or not to use any kind of streaming service.”

ÌÇÐÄVlog is working towards better privacy laws that put some responsibility back on businesses to do the right thing. Some of the proposed reforms include changing the definition of personal information to include any information that can uniquely identify you, and introducing a fair and reasonable use test for any business that collects personal data on you.

The post How much of your personal data does Spotify collect? appeared first on ÌÇÐÄVlog.

The amount of personal data collected by media devices and services is extensive, and smart TVs are no exception. 

Many Australians are likely unaware that they have agreed to data collection during their TV’s set-up. Data is used by manufacturers to personalise your experience, but also to sell advertising and build data profiles for third-party marketers.

Here we help you decide what data you need to hand over to your TV and what you can say no to.

Using your TV in ‘dumb’ mode

It is entirely possible to use a smart TV for offline use only – for watching traditional broadcast TV, or as a display for gaming consoles or media players. 

This is the safest option for the very privacy-conscious. TVs that are not connected to the internet cannot share your data – although some brands (including recent Kogan and TCL models) will still require you to agree to terms and conditions, privacy notices or vague disclaimers in order to use basic TV functions. 

Of course, most people use a smart TV precisely for its smart functionality and want to connect it to the internet. In our research at RMIT University, we found that 94% of Australian smart TV users access online services, which means we are also feeding our data into platform ecosystems.

So let’s take a look at how your data is collected.

Data collected during set-up

During set-up, most TVs will ask you to create or log in to an account with the manufacturer or platform operator (such as a Samsung, LG, Google or Hisense VIDAA account). This allows the TV to link you to your other services and devices  from that same brand or platform, such as smart speakers or internet refrigerators.

Information collected at this stage may include your email address, home address, date of birth, credit card number, and the streaming services you subscribe to.

Signing up for a manufacturer account is often presented as affording you extra benefits or enhanced features, when in fact it makes little difference to the user experience, as far as we can tell. This is an example of a manipulative dark pattern in interface design.

You don’t generally need an account to watch free-to-air TV, so feel free to skip this step if all you want to do is watch ABC or Nine. However, you will need a manufacturer account to download any apps that aren’t pre-installed on your TV.

Keep in mind that if you have a Google TV, you won’t even be able to access the home screen without a Google account.

Data collected during use

Significant amounts of user data are also passively collected while you are using your smart TV.

The data collected at this stage includes the apps you download, which services you use (and when), and how you navigate around the TV’s interface.

This data is shared with a wide range of third-party services, including data brokers and ad-tech platforms and/or integrated into existing customer data profiles arising from shopping and web searches.

And if you have consented to Automated Content Recognition (ACR), the TV will also be able to see what you watch within each app, and send this information back to the manufacturer and/or platform operator.

Finally, activating your voice assistant enables the device to listen to your conversations and household sounds while it is trying to capture your instructions. This is necessary to use voice features but has been cause for concern in the past.

How can I protect my data but still use my smart TV?

Many Australians are providing their smart TVs with more personal information than they need to.

There are a few things you can do about this.

First, look carefully at whether the information you’re being asked for during setup is required to use the device or just being requested. Can you skip through to the next window instead of agreeing? Which boxes are pre-ticked – and which can be unticked – before you “Accept all”? Many data requests can be declined without impacting your TV’s functionality.

Second, only consent to the terms and conditions for features you are likely to use. For example, if you don’t use the TV’s voice assistant then you may not need to turn this feature on.

Third, get to know your privacy settings. Our research indicates that more than half of Australian smart TV users don’t check their privacy settings, which is understandable because these may be buried deep in the menus. We suggest pressing the settings button to find out what you can opt-out of or disable. For example, ACR can typically be disabled so that you are not sharing your viewing with the manufacturer and its advertising partners.

With these few quick tweaks, you can significantly protect your privacy and reduce the amount of data your TV collects.

The post How much personal data is your smart TV collecting – and what can you do about it? appeared first on ÌÇÐÄVlog.

Nowadays it’s common knowledge that businesses are tracking everything we do, from shopping behaviour, to search histories and even how we drive our cars.

But you might not be aware of how often this data is bought and sold.

It’s commonly referred to as “data broking” and it’s big business. One industry insider tells ÌÇÐÄVlog that some companies are skirting the law to monetise your data well beyond what you consent to.

Australians for sale

In December, a report released by titled  detailed the ways that profiles of Australian consumers are broken down into micro-categories based on socio-economic status and spending habits and then sold to advertisers.

Experts say these practices are likely just the tip of the iceberg. In the murky world of data broking, much of what goes on remains hidden.

Dr Katherine Kemp, deputy director of the Allens Hub for Technology, Law & Innovation at University of New South Wales says, “The average consumer would have next to no knowledge about what data of theirs is collected by data brokers, combined to make inferences about them and disclosed to other companies. They’re completely in the dark.”

A government survey released in August last year showed widespread community concerns about data broking with nine in ten adults saying the trading of personal information was not fair and reasonable and calling for a right to object to certain data practices.

No option to opt out

Kemp says many retailers and other ‘first party data collectors’ we shop with claim to have consumer consent for data to be sent to ‘third parties’ such as data brokers, but the so-called consent comes through long and complex privacy policies that consumers generally don’t read and wouldn’t understand even if they did. 

Yet we’re compelled to indicate that we agree with them as a condition for continuing on the website, app or making a purchase.

Kemp questions whether consumers would consent if they were given a chance to opt out.

Chandni Gupta from the agrees that the wording of many retailers’ and companies’ terms and conditions are deliberately vague. 

“Businesses might use obscure terms like ‘our trusted partners’, but it doesn’t provide much clarity or genuine choice for consumers to use a service without having to share that data with third parties,” she says. 

Tricks of the trade: How companies sell your data

Kemp says many data brokers make money by collecting multiple data points on individual consumers and combining them to make an “enriched” profile of a shopper’s habits, which can then be sold back to retailers or to advertisers. And while they might “anonymise” your data by removing your name, they will keep other identifying information that is useful to advertisers and other parties who buy data. 

“Sometimes the companies with data businesses will actually be claiming that they are not dealing in personal information at all, because they are using pseudonyms for the data. They may argue that the privacy act doesn’t apply to them in this instance,” she says. 

Anna Johnston, a privacy consultant and founder of , says the distinction between first party data collectors (mostly retailers and businesses) and third party data sellers or brokers is vague. Many of the companies can be one and the same or shell companies of the other. 

“The industry has come up with those phrases themselves to try and make what they’re doing sound legitimate. It is as if there’s some magical world in which as long as you can call your data ‘first party data’ then suddenly none of the privacy rules apply,” she says.

‘Give me my data’: Brokers not taking their obligations seriously

In an attempt to probe the depths of third party data brokers and the information they have on us, six ÌÇÐÄVlog staff wrote to some of the biggest data broking firms in Australia.

We asked them to provide any personal data they had on us.

We requested our data from Quantium, LiveRamp, Experian, Oracle, Equifax and TEG/Ovation (better known as the owner of the ticket selling company Ticketek). 

Under the law, these companies are meant to respond within 30 days, but some of our requests went unanswered within the timeframe. In some cases Quantium responded months later saying they were not a data broking company and don’t collect, store or process personal information, but were involved in data analytics.

The relevant privacy laws apply regardless of whether the company considers itself a data broker or not.  

Other companies responded saying they didn’t hold any data on us, despite some of the ÌÇÐÄVlog staff involved being regular online shoppers and members of loyalty programs like Everyday Rewards and FlyBuys. 

Rafi Alam from ÌÇÐÄVlog’s consumer data team, says it is “hard to believe” that these companies have so little information on ÌÇÐÄVlog staff. 

“It’s disappointing to see some data brokers not taking their obligations to consumers seriously enough,” he says. “Businesses should be investing as much effort into their privacy obligations as their data broking operations.” 

Kemp suggests the reason the ÌÇÐÄVlog experiment drew a blank with many data brokers is because they put pseudonyms on the data they collect almost immediately and then can claim to not know who you are when you put in a request. 

“They will take your name off the data, but give it a unique code that all the companies involved will use. That way they can say ‘I’ve never seen your name,’ but they have been exchanging the unique code for you and building a detailed profile around that,” she says. 

“Claiming that kind of practice falls outside the Privacy Act makes a mockery of the objectives of the Act.”

Industry insider speaks out 

Paul* was a long-time data analyst for one of Australia’s biggest data brokers. 

He says the industry in Australia takes a cavalier approach to regulation and that the system of audits and accreditation is a “complete joke”. 

“Australia has super lax laws when it comes to what you can do with data, what is stored, what it’s stored for, what you can do with it. It’s mostly regulated by the industry bodies themselves,” he says. 

All the academic experts we spoke to said that the Office of the Australian Information Commissioner (OAIC), the body responsible for overseeing privacy laws, was vastly under-resourced for the task of policing the industry. 

“Consumer data issues have grown rapidly since the Optus data breach, so we’d like to see long-term solutions in place” Alam says. 

Reforms are needed, but so is better enforcement 

The federal government is working on reforms to the Privacy Act, a move that is welcomed by the experts we spoke to. However, Johnston says that ensuring companies are held accountable to the laws that already exist is also important. 

“There’s been very little enforcement and I think the data broking industry has benefited. Privacy principles are being so often forgotten in practice, and the industry is really built on widespread non-compliance with the laws,” she says. 

OAIC says they welcome the Australian government’s announcement last year of an in-principle agreement to introduce “fair and reasonable” obligations for personal information handling. 

“This would require organisations to only collect, use or disclose information fairly and reasonably, and would place individuals at the centre of the privacy framework,” an OAIC spokesperson says. 

Alam agrees with Kemp that governments and regulators need to step up to growing challenges. 

“Despite playing with millions of people’s data, there’s very little public knowledge on who is a data broker and what they’re doing. A public registry of data brokers as seen in California would be a step in the right direction,” he says. 

“A prohibition on unfair trading in general would also strengthen any privacy guardrails on the data practices of data brokers and other businesses,” he adds. 

*Names have been changed.

The post Data brokers are selling your information. Can you stop them? appeared first on ÌÇÐÄVlog.

Mathew has been a Toyota man for a very long time. Over the years he has bought five of their cars. 

But the Queensland father says his latest experience with the company has left him questioning his loyalty. He struggled to get a deposit of $2000 returned, and has vowed to steer clear of Toyota from now on.  

“I’m just really disappointed,” he says. “You should have a choice not to be dictated to, I really believe that.” 

Mathew’s concerns centered on the invasive tracking and data sharing practices that came with his new Toyota, services he says he was never told about when buying the car. 

Toyota’s tracking technology

In July last year, Mathew paid a deposit and arranged finance for a $68,000 Toyota Hilux. He was told by the dealer there would be several months’ wait for the vehicle to arrive. When the car finally arrived at the dealership, he began getting emails from Toyota telling him to sign up for ‘Toyota Connected Services’.

“I’d never heard about it, and the dealer never told me about it at all,” he says.

Toyota describes Connected Services as “a suite of technology focused on safety and security, convenience and a better driving experience”.

Rollout started in late 2020, with vehicle movement tracking and driving data collection later added to Connected Services across the Toyota range. The more Mathew researched the privacy policies and read about how his data would be collected and shared, the less comfortable he became with having it in the car. 

He asked the dealer if Connected Services could be removed before he took ownership of the car. He was told Toyota could temporarily deactivate the features, but they could be reactivated remotely. 

“I was told if you remove it you will void your warranty and you’ll likely put your insurance at risk as well. And that was when I said, ‘you guys can keep your vehicle’,” says Mathew. 

Mathew canceled his finance and never picked up the vehicle, but the Toyota dealership refused to repay the $2000 deposit. He lodged complaints with the Queensland Office of Fair Trading and the Queensland Ombudsman.  

The Toyota dealership did not respond to our questions about refusing to return Mathew’s deposit. In an email the dealer told Matthew: “If you failed to do your own in depth research on a vehicle you’re purchasing then that’s on you.”

What kind of data is being collected and how is it used?

Cars are changing. Almost every new car released today has some form of tracking. The car companies say it increases driver safety, but in a surveillance world of data hacks, data broking and sharing, it’s yet another way for companies to gain valuable insights on you, whether you want it or not. 

Toyota Australia’s privacy policy says the Connected Services features will collect data such as fuel levels, odometer reading, vehicle location and driving data, as well as personal information like phone numbers and email addresses.

The policy says if you don’t opt out of Connected Services it will collect, hold, use and disclose vehicle data for research, product development and data analysis purposes. 

It goes on to say Toyota may share collected data with third parties with your consent, such as finance and insurance companies, promotions and market research organisations, debt collection agencies and information technology service providers.

Despite the excessive reach, in response to our queries in January Toyota Australia told ÌÇÐÄVlog that it took customer privacy seriously and was assessing Mathew’s complaint about not getting his deposit back. 

The dealership later rang Mathew and told him he would be getting his full $2000 refund.  

Dealerships supposed to tell customers about tracking

It seems the dealership was supposed to tell Mathew about Connected Services.

“The standard process is to inform customers of the Connected Services feature as part of the sales contract, which includes information about Connected Services and to ask them to sign confirmation they have been informed and agree to those services being activated,” the Toyota spokesperson says.

Despite what Mathew says the Toyota dealer told him, Toyota Australia says disconnection of the SIM card does not void the vehicle’s warranty, but having a non-Toyota repairer remove the system carries risks. 

They add that when modification by a non-Toyota repairer causes a problem with another part of the vehicle, the warranty won’t cover it, but the rest of the warranty won’t be affected. Things like the car’s Bluetooth and speaker systems may not work when the Connected Services system is removed. 

Most car brands have privacy problems 

According to a report released in September 2023, cars are one of the worst product categories when it comes to privacy protections.

The US-based Mozilla Foundation came to that conclusion, after an in-depth review of 25 major car brands.

Jen Caltrider from Mozilla says Toyota has a “vast business empire” and rather than sell collected car data to data brokers, they have created their own data broker which they charge other people to access. 

Toyota has a bad track record of keeping their customers’ data safe. A series of leaks in 2022 and 2023 accidentally revealed the data they held on more than two million customers.

But privacy concerns are not limited to Toyota. 

The Mozilla report says all 25 car brands they reviewed in the American market collect more personal data than necessary, and 84% of them share or sell data to third parties. Only two companies, Renault and Dacia, gave the drivers the option of having their data deleted. 

“Consumers don’t have a real choice. It’s have a car and have no privacy, or don’t have a car. It’s not a real choice,” says Caltrider. “This is a big issue and it’s only going to keep growing.” 

Car companies abusing data

Last year, Reuters reported that between 2019 and 2022, a group of Tesla employees shared among themselves images and videos captured from customers’ car cameras and connected systems, including images of people naked. 

Ibrahim Khalil, professor of cloud systems and security at RMIT University, says the issue of privacy protection is only getting more challenging. 

“These manufacturers are saying we’re collecting data to make sure driving is safe and they are applying AI techniques to improve lots of different things like situational awareness, but of course that’s not the whole story,” says Khalil. “We are exchanging data that they can actually abuse.” 

Rafi Alam from the ÌÇÐÄVlog consumer data team says while some people may enjoy the benefits of car connectivity, consumers should be informed about the associated risks. 

“It seems like every product is getting a ‘smart’ connection, and cars have joined the trend,” he says.  

“The government has a role to put strong safeguards – and even prohibitions – on the use of this data once it’s collected, to ensure it’s in the best interests of the consumer.” 

Alam adds that Mathew shouldn’t have had to choose between losing $2000 or giving up his privacy rights. 

Mathew says the most important thing is having the option as a consumer. 

“I’m sure some people think all this stuff is a great thing. But I just think it’s something that really needs to be brought to people’s attention, because I’m sure I’m not the only person who thinks this isn’t a good idea,” he says. 

If you have a story about a connected car you would like to share, email ÌÇÐÄVlog investigative journalist Jarni Blakkarly at jblakkarly@choice.com.au.

The post New cars are tracking everything you do. Can you stop this? appeared first on ÌÇÐÄVlog.

On this page:

• The current arrangements
• What's being proposed?
• A Digital ID timeline
• The case against Digital ID
• Expert commentary

Most adult Australians already have one form of digital identification. That’s the myGovID they use to interact with the ATO, Centrelink and Medicare. They may even have other forms of digital identification, such as one of the digital driver’s licences that have proved popular with NSW motorists. 

Or just possibly an Australia Post “Digital iD”, which lets you confirm you are who you say you are when dealing with organisations ranging from Airtasker to the Australian Electoral Commission. But what Australians don’t presently have is a universally accepted form of digital identification.

The current arrangements

There are two significant issues with identification verification in Australia.

Firstly, there’s no “general purpose” form of digital identification. For instance, you can’t use your myGovID when you’re trying to verify your identity with a bank, utility company or internet service provider. 

The second problem, which arises from the first, is that private businesses often require Australians to hand over a treasure trove of sensitive personal data to verify their identity.

There are probably scans of your passport, driver’s licence, birth certificate and utility bills currently stored in many databases. And even multinational corporations with the resources and incentive to invest in cutting-edge cybersecurity won’t necessarily be able to stop cyber criminals from accessing those scans.

What’s being proposed?

Australia’s proposed “Digital ID” will function like a more powerful myGovID. In fact, many Australians will presumably use an (enhanced) myGovID as their Digital ID. Strictly speaking, the federal government is not so much minting a new form of digital identification out of thin air as trying to make the existing digital identification system more efficient. Chiefly by corralling existing digital identities into a single, user-friendly process.

There will likely be a range of Digital ID providers, including some businesses. Companies such as Mastercard are already involved in the “Trusted Digital Identity Framework” (TDIF), the federal government’s accreditation framework for digital ID services, and may become accredited participants in the Australian government’s Digital ID system.

You’ll still have to go through the usual, time-consuming process of verifying your identity when applying for a Digital ID. But once you have it, identity verification should become much less convoluted.

Instead of needing to locate then scan or photograph 100 points of identification, you’ll simply receive a one-time PIN via your Digital ID app, which you’ll supply to businesses, government agencies and other organisations that need to confirm your identity (much like how you type in a one-time PIN during a two-factor authentication log-in process).

Malicious actors could breach the cyber defences of one or more Digital ID providers, but it’s widely believed Digital ID will reduce risks for individuals and organisations. After all, the status quo allows cyber criminals to target the often unencrypted personal data of Australians that many organisations already possess.

The personal data you supply to get your Digital ID will be encrypted, making it difficult for any third parties – including the digital identity provider – to view or share it. That should reduce the incidence of online scams that cost Australians billions of dollars annually.

Also, given a range of public and private sector organisations will supply Digital IDs, there won’t be a central database cyber criminals can target.

The Minister for Finance, Katy Gallagher, who is overseeing the introduction of Digital ID, has said, “It’s like the online version of showing someone your passport or your driver’s licence to prove who you are, but it’s not giving them your licence to hold on to, or to scan and store on an unknown server or photocopy.

“Digital ID is not a card, it’s not a unique number, nor a new form of ID. It’s just an easy way of verifying who you are online against existing government-held identity documents without having to hand over any physical information.”

A Digital ID timeline

You can find out more at system which will be accessible across , but the current schedule is as follows.

2021–2023

Both Coalition and Labor federal governments consult extensively on Digital ID. ÌÇÐÄVlog made a submission to the Finance Department in late 2023 arguing Australians would “benefit from a trusted, accessible and robust national Digital ID system” and that such a system should result in consumers being “better protected from threats of scams, identity theft, and data misuse”. However, we also emphasised the need to ensure the proposed Digital ID system is well-designed, well-implemented and well-regulated.

²Ñ¾±»å–2024

All going to plan, the Digital ID will be introduced to federal parliament. As the Finance Department’s website explains, “The legislation when passed will move Digital ID to a nationally regulated system which will be accessible across both the public and private sectors and will include strong privacy provisions. It will establish the ACCC as the initial regulator.”

Late 2024

If the legislation passes through federal parliament, it’s hoped Digital ID can be rolled out quickly. The plan is to phase in Digital ID in the following manner:

• phase one will legislate for Digital ID, establish a regulator, and expand use of Digital ID across government and the private sector
• phase two will allow state and territory Digital IDs to be used to access Commonwealth services
• phase three sees myGovID used in the private sector – such as opening a new bank account, or verifying a telco contract or real estate lease
• phase four will allow accredited privately provided Digital IDs to be used when accessing some government services.

The case against Digital ID

“General purpose” forms of digital identification have been introduced in nations such as Singapore, seemingly with little or no political opposition. But Australians have a history of distrusting their federal governments.

In the pre-internet age, the Hawke Labor government abandoned plans to introduce a national identification card – the Australia Card – in the face of opposition from other political parties and a sizeable proportion of the electorate. Likewise, around 10% of Australians opted out of My Health Record, a digital health record platform, in 2019.

Digital ID was an initiative of the Morrison Coalition government but one embraced by the Albanese Labor government. Both businesses and consumer advocacy groups broadly support Digital ID.

There doesn’t appear to be much concern about either side of politics using the Digital ID for nefarious purposes in the short term, even among opponents of Digital ID. But sceptics argue that political conditions can change and future governments may not behave as ethically as their predecessors.

A United Australia Party YouTube ad that doesn’t explicitly mention Digital ID but does warn of the possibility of Australia introducing a social credit scheme currently has more than 2.6 million views. The United Australia Party presently holds one Senate seat. 

One Nation, which is also opposed to Digital ID, holds two. One Nation Senator Malcolm Roberts has warned, “The Digital Identity sets out to link all government data related to a person. Future iterations of the Digital Identity propose to pair this data against private sector information, such as purchasing records, to create a rich digital view of a citizen. 

“While Australia lacks the corresponding technological infrastructure to utilise a Digital Identity to its sinister potential (such as China’s spying street lights and billboards), this Bill – whether intentional or accidental – acts as the foundation for a China-style Social Credit System.”

Expert commentary

Victor Dominello was formerly NSW’s Minister for Customer Service and Digital Government. Dominello is a Liberal but has been assisting two federal Labor ministers – Finance Minister Katy Gallagher and Minister for Government Services Bill Shorten – as they seek to get the Digital ID Bill through federal parliament then rolled out, ideally during the second half of 2024.

Rafi Alam is a senior policy adviser on ÌÇÐÄVlog’s consumer data team and has previously worked for organisations such as GetUp!.

Both Alam and Dominello are pro-Digital ID. But Alam insists Digital ID must have the appropriate safeguards to mitigate the risks of “exclusion and discrimination, data monetisation, and catastrophic data breaches”. 

Dominello agrees safeguards must be put in place but believes it’s high time for Australia to embrace Digital ID. “Digital ID will be a digital identity architecture that gives individuals far more control of their personal information than they currently have,” he says. “And let’s not forget Australians are currently being scammed out of billions online every year.”

Alam expects some political opposition to emerge but believes the Digital ID Bill will likely pass and that Digital IDs will be rolled out shortly after that.

“There’s broad agreement across the political spectrum that Digital ID will be far superior to the current arrangements,” he notes. “But the devil is always in the detail. There are still sticking points that need to be resolved. For instance, ÌÇÐÄVlog believes that Australians should be able to get a Digital ID at no cost. 

“They can do that if they use a beefed-up version of their myGovID as their Digital ID. But how will things work with for-profit businesses providing Digital IDs? Will they be able to charge? These are the types of issues that will need to be settled soon.”

If Digital ID is introduced, it will inevitably generate other political debates. For instance, there are already calls for Digital ID to be used for age verification purposes on certain websites. Australia’s Minister for Communications, Michelle Rowland, has indicated she’s open to using Digital ID to prevent “young people from having unfettered access to pornography”.

What if you throw a Digital ID party and nobody comes?

There are no plans to compel Australians to use Digital IDs. One of the built-in safeguards of the system is that Australians should continue to be able to confirm their identity without recourse to a Digital ID. So, both Dominello and Alam worry that the real challenge Digital ID could face is widespread ignorance or indifference rather than fierce resistance. 

Dominello is characteristically bullish. After pointing out the popularity of other forms of digital identification – around three-quarters of NSW drivers now possess the digital driver’s licence he introduced in 2019 – Dominello says, “Look at how commuters have embraced smart cards. Does anyone miss having to buy bus or train tickets? Digital ID is opt-in. But given how much friction it eliminates, I assume most people will opt in.”

Alam worries some Australians may struggle to opt in. “Consumer advocates are concerned there’s so little public awareness around Digital ID and would welcome a public education campaign,” he says. 

“In the coming months, more media and public attention will be paid to Digital ID. But even then, certain demographics, such as the elderly or those living in remote communities, might face challenges getting a Digital ID.”

Alam also points out that adoption rates can and do vary between nations. “Digital IDs have been around for years in Europe. The Belgians have taken to digital ID, the French not so much. The societies aren’t that different, but even small differences in how digital ID is rolled out seem to result in significant differences in adoption.”

Dominello accepts some demographics are likely to be late adopters of Digital ID but is comfortable with a “build it and they will come” approach. 

“My experience in state politics was that if you deliver a good product that protects people’s privacy and security, it will be embraced,” he says. “It won’t have universal appeal and there will likely be some teething issues. But I’m confident most Australians will choose the option that makes connecting the internet and power easier when moving to a new home.”

The post Digital ID: What it is and what it means for you appeared first on ÌÇÐÄVlog.

In an open letter to the government, the signatories – which include privacy experts and assistance services working with people affected by data breaches – urge the government to update the “outdated” laws. 

“We know all too well the harm that inadequate privacy protections cause. Gambling companies hound at-risk people with targeted advertising, data brokers sell our information without consent and automated systems discriminate against marginalised people,” says ÌÇÐÄVlog senior campaigns and policy adviser, Rafi Alam.

“We’ve also seen millions of consumers harmed by data breaches when businesses store too much personal information,” he adds. 

What needs to change?

In March the Attorney-General’s Department released its review into the Privacy Act and the federal government has since announced its support for the majority of the recommendations. 

“To ensure the Privacy Act is fit-for-purpose in a rapidly changing digital environment, we are calling on the federal government to urgently implement a number of recommendations to protect the safety, security and integrity of our personal information,” Alam says.

The joint letter calls for urgent action to modernise the definition of “personal information”, ensuring businesses only collect and keep data that customers want them to by establishing a fair and reasonable use test. 

It also calls for the Privacy Act to apply to all businesses, regardless of size, and for more resources and power for regulators and clear guardrails on high-risk technologies like facial recognition. 

Experts agree that our privacy laws are out of date

Anna Johnston, principal at specialist privacy consulting and training firm Salinger Privacy, supports the proposed reforms.

“Our privacy laws are well out-of-date. So much data is collected and used about us every day, much of it in ways beyond our understanding or control,” she says 

“Without a stronger Privacy Act, Australians will remain at risk of more data breaches, and our data will continue to be collected and sold by data brokers who track, profile and target us online without our consent. It is critical that the government enacts these reforms as soon as possible,” she adds. 

Carol Bennett from the Alliance for Gambling Reform says lax privacy laws have allowed the gambling industry to commercialise people’s information, especially children and those who struggle with gambling addiction. 

“We need to place responsibility where it should be – on the industries that benefit from the collection of personal data – to mitigate and reduce risks of harm related to their operations.”

Bennett cites the gambling industry as an area of high-risk for unreliable data privacy and information management. “It’s like putting Dracula in charge of the bloodbank,” she says.

In September, Attorney-General Mark Dreyfus said the government agreed “in-principle” to the majority of the review’s proposals and that the next steps would be to conduct impact analysis and work with communities, businesses, media organisations and government agencies to inform the development of legislation in this term of Parliament. 

“The Government will also consider appropriate transition periods as part of the development of any legislation,” he said. 

Download the Privacy reform open letter (PDF).

The post Why the federal government must act urgently on privacy reform appeared first on ÌÇÐÄVlog.