SECURITY  2001

 

Sydney:    18-19 July 2001

_________________________________________

 

 

SECURITY  vs  PRIVACY:

 

Just  how  far  can  you  go?

 

 

 

Nicholas Cowdery QC

Director of Public Prosecutions, NSW

President, International Association of Prosecutors

 

__________________________________________

 

 

 

INTRODUCTION

 

I am under no illusion about the answer to the question posed that would be given by most of the audience at this conference. It would probably be: “As far as legally possible – and then further, if we can get away with it”!

 

I am not here to tell you what you can get away with beyond the legal bounds or even within them. You will have to work that out for yourselves. But I am going to attempt to identify some of the issues that arise and, if possible, where some of those legal bounds may be found. I shall do so by looking at the law derived from international sources, the Commonwealth of Australia and the State of New South Wales.

 

Those who wish to explore relevant provisions and the law operating in other States and Territories are invited to do so in your own time. (There is not much to be found outside New South Wales and South Australia, in any event.)

 

I shall also touch on some of the challenges that are confronting all of us.

 

 

PRIVACY

 

Generally speaking, I believe that we are not served as well as we should be in Australia in the protection of our privacy and there is little sign that the situation is improving – indeed, it is possibly getting worse. (In fact, I could have made this a very short paper.)

 

But first, what do we mean by “privacy”? One useful definition is:

 

“Privacy is the claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.” [1]

 

This definition focuses in its terms on information privacy, but it is capable of extending to personal privacy as well, by interpretation of those very terms. “Information” may include the product of observation.

 

Privacy is a relative and constantly changing concept. Its content is influenced by social, developmental and historical factors. It arises, for present purposes, in the areas of:

 

-         intrusions into personal life;

-         the collection of information by surveillance devices;

-         unwanted publicity;

-         unauthorised use of one’s identity; and

-         the disclosure and misuse of personal information, wherever it is stored.

 

Therefore, our privacy is vulnerable to attack on many fronts.

 

Only last month we saw some examples of invasions of privacy in most dramatic and significant ways. Newspapers reported the allegations of a number of women against the Chairman of the Aboriginal and Torres Strait Islanders Commission (ATSIC). The only available remedy for that attack would be to sue for defamation; but we are constantly reminded of the downside of that option (the Marsden case being but one recent example).

 

Also last month a Federal Senator, under the cloak of Parliamentary privilege, made allegations of criminal wrongdoing by another prominent Aborigine. There is no remedy available for invasions of privacy of that kind – and there will not be unless and until we have a Bill of Rights.

 

But you are interested in more practical issues – what invasions of privacy are tolerable in the pursuit and protection of the security of persons, places, property, events and, indeed, information itself? What is permissible in the prevention and detection of theft, fraud and cybercrime? How far can you go in collecting evidence? What regulation presently exists?

 

Twenty-five years ago the newly formed Privacy Committee of NSW (in its second Annual Report in 1976) indicated that it was not in favour of a statutory scheme of privacy protection, preferring to rely on general principles in voluntary codes. But by 1982 the Committee had formed a different view. (As the Privacy Commissioner said in his 1998-99 Annual Report, it had been “mugged by reality”.) The Committee  reported at that time:

 

“The potential for serious invasion of privacy is large and increasing rapidly. Legislation is now necessary, not merely as a remedial response to existing violations of privacy rights, but as a general preventative means of protecting privacy rights and laying down privacy protection standards.”

 

It was to be another 16 years before legislation was passed in this State; but even then it fell short of what was truly required.

 

We are a little better regulated, as a result of legislation of this kind, in the protection of private information; not so much in the protection of personal privacy. But developments in information technology – computers and so on – make the protection of private information increasingly problematic; and in general terms, the optical surveillance of private behaviour or activity and its product are not regulated at all in Australia.

 

The NSW Privacy Commissioner in his 1998-99 Annual Report wrote this:

 

“Back in 1975 issues such as the use of closed circuit television monitoring; biometric identification; electronic commerce on the Internet; correspondence by e-mail; the electronic linking of health records; the vast collection and centralisation of consumer information; caller line identification on the telephone; the operations of call centres; and the collection of DNA samples for forensic and law enforcement purposes were barely on the privacy agenda – they are now all competing for centre stage. Each day the cost of intrusive surveillance becomes less and the technology more available; the ease with which data can be aggregated and matched increases and the amount of highly sensitive personal information which can be obtained from a minute genetic specimen grows exponentially.

 

In these circumstances the need to secure better protection for our right of personal autonomy and space, our right to be left alone to go about our lawful business and our right not to be challenged at every stage and level to ‘prove’ who we are to some department, agency or organisation, has never been more compelling.”

 

 

 

INTERNATIONAL PROVISIONS

 

The Universal Declaration of Human Rights (UDHR) of 1948 (to which Australia is a party) provides in Article 12:

 

“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

 

This provision is echoed in Article 17 of the International Covenant on Civil and Political Rights (ICCPR) of 1966, to which Australia became a party in 1980. Australia made a qualified commitment to this Article in the following terms:

 

“Australia accepts the principles stated in Article 17 without prejudice to the right to enact and administer laws which, insofar as they authorise action which impinges on a person’s privacy, family, home or correspondence, are necessary in a democratic society in the interests of national security, public safety, the economic well-being of the country, the protection of public health or morals, or the protection of the rights and freedoms of others.”

 

Australia is also obliged to comply with the Guidelines of the Organisation for Economic Cooperation and Development (OECD) concerning the protection of privacy and trans-border flow of personal data.

 

Provisions in instruments of this kind are prescriptions for the countries that are parties to the instruments, but in Australia they are not the law. For that we depend on laws passed by the Parliaments of the Commonwealth and of the States and Territories and their interpretation and application by the courts.

 

 

A RIGHT TO PRIVACY?

 

The High Court of Australia has stated:

 

“However desirable some limitation upon invasions of privacy might be, no authority was cited which shows any general right of privacy exists” [2]

 

That statement in 1937 remains authoritative to the present day, notwithstanding Australia’s adoption of the UDHR and ICCPR. Our position contrasts with that in other countries, such as the USA where there is an implied constitutional right to privacy in some circumstances and where people may sue for invasion of privacy. We will not enjoy such protection without a Bill of Rights.

 

Consequently, privacy may only be enforced in Australia by reliance upon specific legislation passed for those purposes or upon actions at law for remedies for the torts of:

trespass (unauthorised entry upon or interference with private property or oneself);

negligence (which requires the breach of a duty of care not to make false statements, for example);

nuisance (which requires the proof of damage);

breach of confidence (which requires a confidential relationship between the parties to the breach – which will encompass information obtained under statutory power); or

defamation (to which I have already referred).

 

Sometimes breach of contract or of professional duties may be able to be established.

 

 

COMMONWEALTH PROVISIONS

 

The Privacy Act 1988 is the primary piece of Commonwealth legislation affecting information privacy for individual persons at the national level. It prescribes Information Privacy Principles for Commonwealth agencies, provisions for credit providers and credit reporting agencies and Tax File Number Guidelines for all those who handle tax file numbers.

 

Guidelines have also been issued by the Privacy Commissioner on surveillance – the Covert Optical Surveillance in Commonwealth Administration Guidelines. They are intended to provide a framework for Commonwealth agencies within which to develop their own detailed guidelines for conducting covert surveillance. The first part covers optical surveillance and the second part the surveillance generally of claimants for Commonwealth compensation. They are advisory only, but they provide standards against which Commonwealth agencies can be judged if complaints are made.

 

Injunctions may be obtained to restrain breaches of the privacy legislation and investigations and audits of Commonwealth agencies may be carried out by the Privacy Commissioner. Complaints may be resolved by negotiation and may include declarations (including determinations that complainants be paid compensation and reimbursed their expenses).

 

There are also some provisions affecting privacy in legislation on data-matching between Commonwealth agencies, the operations of the National Health and Medical Research Council, Medicare and the Pharmaceutical Benefits Scheme and in the Crimes Act 1914 (for example, concerning spent convictions, interference with mail, unlawful use of telecommunications services and unlawful access to Commonwealth computer data).

 

The Telecommunications (Interception) Act 1979 regulates the interception of communications passing over a telecommunication system. This may be done lawfully only pursuant to a judicial warrant.

 

 

NEW SOUTH WALES PROVISIONS

 

The principal piece of legislation in NSW is the Privacy and Personal Information Protection Act 1998. It deals mainly with privacy standards for most NSW public sector agencies when dealing with personal information about individuals – its collection, storage, use and disclosure – and it provides legal remedies for breaches of those standards.

 

“Personal information” is any information that relates to an identifiable person, including information from paper files, electronic records, audio or video tapes, photographs, fingerprints, genetic material and so on. It does not include information contained in a public register, in a publicly available publication, about an individual’s suitability for public sector employment, about a person who has been dead for over 30 years or in some cases information gathered in the proper operations of public law enforcement or investigative agencies.

 

However, a “public sector agency responsible for keeping a public register must not disclose any personal information kept in the register unless the agency is satisfied that it is to be used for a purpose relating to the purpose of the register or the Act under which the register is kept.” [3]  The agency may therefore require any applicant for information to give particulars, even in the form of a statutory declaration, as to the intended use of the information before it is handed over.

 

How is the private sector otherwise affected by the Act? Most of its provisions concern only public sector agencies and public registers. It affects the private sector largely by empowering the Privacy Commissioner to investigate and conciliate complaints made (which the Commissioner may also generate) about violations of, or interference with, the privacy of an individual – by anyone. [4]

 

The Commissioner has some of the powers of a Royal Commissioner when carrying out an investigation (subject to certain qualifications), although there is an emphasis on informality of procedure. He/she cannot impose penalties, however – he/she must work towards a conciliated outcome.

 

The use of listening devices is regulated by the Listening Devices Act 1984. Generally speaking, it is an offence to record a private conversation, even when the person doing the recording is a party to the conversation[5]. There are some limited exceptions, notably:

 

-         where a judicial warrant has been obtained;

-         where it is necessary to use a device to obtain information or evidence in connection with “an imminent threat of serious violence to persons or of substantial damage to property” or a serious narcotics offence;

-         where all principal parties consent to the making of the recording;

-         where a principal party consents and the recording is “reasonably necessary for the protection of the lawful interests of that principal party”; and

-         where a principal party consents and the recording is not made for communication other than to the parties to the conversation.

 

The Workplace Video Surveillance Act 1998 makes it an offence for an employer to carry out, or cause to be carried out, covert video surveillance of an employee of the employer or of a related corporation of the employer, unless it is done “solely for the purpose of establishing whether or not the employee is involved in any unlawful activity in the workplace” and it is authorised by a covert surveillance authority (issued by a magistrate).

 

There are some exceptions in relation to law enforcement, corrective services and the Casino.

 

It is a defence to any such charge that the surveillance was done “solely for the purpose of ensuring the security of the workplace or persons in it and that video surveillance of any employee was extrinsic to that purpose” or “that there was a real and significant likelihood of the security of the workplace or persons in it being jeopardised if covert video surveillance was not carried out”. Notice of such intended surveillance must be provided.

 

There is no bar to overt video surveillance of the workplace.

 

The Criminal Records Act 1991 makes it an offence to disclose information about any spent conviction (very broadly speaking, any conviction followed by at least 10 years of conviction-free life).

 

 

COMPUTERS

 

The development of computerised information technology has changed the game for information privacy. No visa is required to enter cyberspace and no-one governs there. It does not recognise nation states. Nor is privacy respected there.

 

Cyberspace is a world of rapid and constant change. As soon as software is developed work begins on adapting or avoiding it. It is a bit like an arms race with an unlimited number of competitors with almost unlimited imagination. We cannot place complete confidence in firewalls, virus detectors, network intrusion detection systems [which, if used to track and monitor, may in fact be contrary to the Telecommunications (Interception) Act (Cw)] and the like. There is no lasting barrier to the determined and resourceful hacker (or even the dedicated “script kiddie”). Even morally upright, adult investigators can trace e-mails to their source, for example.

 

Consequently, electronically stored private information is always at risk. The instability of the development process means that comprehensive security measures cannot be implemented uniformly. There may always be gaps through which our privacy can be breached.

 

The FBI in the US has developed a program called “Carnivore” which enables it to isolate, intercept and collect communications of a particular kind (always, of course, pursuant to court orders). It is called an e-mail “sniffer” and operates at the Internet Service Provider. It enables the FBI to record the senders and receivers of messages, but only to look at the content of the message if lawful authority has been given for that to occur. It then transfers all this information to a more secure medium, such as magnetic tape.

 

But if the FBI can do it, surely so can others – without even paying lip service to legal controls. And what guarantees are there that, even when it is done lawfully, it is done accurately?

 

In the UK about a year ago a law was passed allowing police and intelligence agencies, by warrant, to inspect every use of a website and providing that if an e-mail user encrypts private e-mail, he/she can be ordered by police to provide the key to decoding the messages. If they refuse, they can be gaoled.

 

These measures are further incidences of the ever-present tension between public security and personal privacy. It raises issues about the extent to which “the authorities” should go to monitor private activity. And if “the authorities” can do it, others can. There are no effective laws or even practical barriers against it if it is done by someone sufficiently skilled.

 

There is an interesting corollary to any right to privacy – freedom of inquiry. There is software called Smartfilter that can screen out particular communications. I understand that in the US State of Utah (not known for its progressive and inquiring state of mind) users in the education system were denied access to the Declaration of Independence, the US Constitution, the Bible, the Koran, Shakespeare’s plays and the Adventures of Sherlock Holmes.[6]

 

Developments in cyberspace have spawned new types of private security operations as well, mixes of old-style private security companies, corporate intelligence consultants and private investigators with IT security. It would seem to be a growth area, providing services to business and government equally.

 

There is scope for information (for example, client lists, sales records, details of financial transactions) to be accessed and sold. Smart cards and electronic banking create trails in cyberspace that can be extremely helpful in tracing the movements and activities of an individual.

 

 

 

SOME CHALLENGES

 

Personal information is capable of telling us much more than the bare facts it records. In 1973 in a dissenting judgment in California Bankers Assn v Shultz et al[7] Douglas J said (at pp 84-85):

 

“It would be highly useful to governmental espionage to have like reports [to the banking records under consideration] from all our bookstores, all our hardware and retail stores, all our drugstores. These records too might be ‘useful’ in criminal investigations.

One’s reading habits furnish telltale clues to those who are bent on bending us to one point of view. What one buys at the hardware and retail stores may furnish clues to potential use of wires, soap powders, and the like used by criminals. A mandatory recording of all telephone conversations would be better than the recording of [cheques] under the Bank Secrecy Act, if Big Brother is to have his way. The records of [cheques] – now available to the investigators – are highly useful. In a sense a person is defined by the [cheques] he writes. By examining them the agents get to know his doctors, lawyers, creditors, political allies, social connections, religious affiliation, educational interests, the papers and magazines he reads, and so on ad infinitum.”

 

Hacking into the electronic records of a bank will give an investigator access to just such information. To do so is certainly immoral and probably unethical. Is it illegal? Yes – and the maximum penalty in NSW is 2 years imprisonment.[8]

 

A famous article which first appeared in Computers and Automation in 1969 and was then reprinted twice in Computers and People is attached to this paper.[9] It was intended to amuse: but it does show how much can be done with so little of the right sort of information – and why we should all be deeply concerned about our privacy.

 

            DAILY SURVEILLANCE SHEET, 1987, from a Nationwide Data Bank

 

SUBJECT:                   Dennie van Tassel, San Jose State College

                                    Male, Age 38

                                    Married, Programmer

 

PURCHASES: Wall Street Journal                               0.10

                                    Breakfast                                              1.65

                                    Gasoline                                               3.00

                                    Phone (328 1826)                                0.10

                                    Phone (308 7928)                                0.10

                                    Phone (421 1931)                                0.10

                                    Bank (cash withdrawal)                   (120.00)

                                    Lunch                                                   2.00

                                    Cocktail                                               1.00

                                    Lingerie                                              21.85

                                    Phone (369 2436)                                0.35

                                    Bourbon                                               8.27

                                    Newspaper                                          0.10

 

 

COMPUTER ANALYSIS

 

·                    Owns stock (90 per cent probability)

·                    Heavy starch breakfast. Probably overweight.

·                    Bought $3.00 gasoline. Owns VW. So far this week he has bought $12.00 worth of gas. Obviously doing something else besides just driving the 9 miles to work.

·                    Bought gasoline at 0757. Safe to assume he was late to work.

·                    Phone no. 328 1826 belongs to Shady Lane. Shady was arrested for bookmaking in 1972.

·                    Phone no. 308 7928: expensive men’s barber – specialises in bald men or hair styling.

·                    Phone no. 421 1931: reservations for Las Vegas (without wife). Third trip this year to Las Vegas (without wife). Will scan files to see if anyone else has gone to Las Vegas at the same time and compare to his phone call numbers.

·                    Withdrew $120 cash. Very unusual since all legal purchases can be made using the National Social Security Credit Card. Cash usually only used for illegal purchases.

·                    Drinks during his lunch.

·                    Bought very expensive lingerie. Not his wife’s size.

·                    Phone no. 369 2436: Miss Sweet Locks.

·                    Purchased expensive bottle of Bourbon. He has purchased 5 bottles of bourbon in the last 30 days. Either heavy drinker or much entertaining.

·                    Left work at 1600, since he purchased the Bourbon 1 mile from his job at 1610 (opposite direction from his house).

·                    Bought newspaper at 1830 near his house. Unaccountable 2 ½ hours.

·                    Made 3 purchases today from young blondes (v statistical 1 chance in 78). Therefore probably has weakness for young blondes.