close
MENU
How to guide
How to guide
Home
The NBR List
NBR View
NBR Marketplace

Categories

Australia Business Comings and Goings Economics Investment Law NZ Aviation News Politics Professional Services Property Retail Tech & Innovation

Analysis

All Economy Matters Edwards on Politics Hunter’s Corner Last Word Margin Call On the Money Shoeshine Underarm NBR Focus

Featured

NBR View Audio Articles Entrepreneurs Your Business Beehive Banter Morning Brew Toil & Trouble NZ Aviation News Back Issues Market Outlook Dollars & Sense Private Bin Opinion (Archive) NBR Radar (Archive) NBR Rich List (Archive)
3 mins to read
2

Can a New Zealand ISP sell your web browsing history? The surprising answer

PLUS: Eric Crampton argues internet providers should be able to sell to hawk your web browsing history to advertisers.

Fri, 31 Mar 2017

In the US, Congress has voted to free ISPs from privacy limits that were due to kick in this year, allowing them to sell their customers’ web browsing histories.

President Donald Trump says he will sign the bill as part of his push to cut regulations.

NZ Initiative research head Eric Crampton says, “Why not?”

In a high-temperature exchange with NBR Radio’s Grant Walker, he argues market forces will take care of things. If there’s demand for a service that guarantees privacy, ISPs will supply it. Even a monopoly broadband provider would offer privacy-protecting plans if demand warranted, he maintains.

Conversely, if some people want to subscribe to a plan that is, say, $10 cheaper a month because their data will be hawked to advertisers, then they should have that option, Dr Crampton argues.

One thing Dr Crampton and Mr Walker agree on is that the government shouldn’t get its mitts on your data – but it’s something you can imagine happening indirectly if, say, a credit rating agency buys browsing histories from an internet service provider, then onsells to the IRD or another Crown agency.

Mr Walker also argues that privacy shouldn’t just be for people who can afford it. Bear in mind, too, that we’re in a market where most people are locked into 12 or 24-month plans with stiff break fees, so it’s not cheap or easy to hop between providers (listen to Crampton v Walker on SoundCloud here).

Privacy Commissioner John Edwards: “In New Zealand, there is no prohibition on selling customer information."

No prohibition in New Zealand
It's been established that privacy is being chucked out the window in the US. But what’s the situation here?

“In New Zealand, there is no prohibition on selling customer information but I would be concerned about such a practice if it were widespread, given the potential to associate an individual with an access log,” Privacy Commissioner John Edwards says.

He has seen no evidence this is an issue with ISPs here but if they did decide to sell someone's web browsing history, then under the Privacy Act they would have to tell the person first. They also have to tell the person if they’re collecting his or her data in the first place.

The important thing is that ISPs are upfront about things, so customers can exercise choice, he says.

Selling data would also provoke a portion of customers into using VPNs (virtual private networks) and other software and services that can mask your identity and/or hide your web tracks. The downside: They often slow performance or reduce website's functionality.

Like Mr Edwards, NBR is not aware of any instances of internet providers selling browser histories. Perhaps the most creepy assertive example of customer data going on sale comes from Spark's "big data" unit Qrious, which has drawn controversy for selling (anonymised) data about Spark mobile customers' physical movements to customers including Auckland Council's Ateed.

The situation today
The pending Privacy Act overhaul will have a number of positives, including a new requirement that makes it mandatory for organisations to report data breaches. But Mr Edwards does not expect it will directly address ISPs.

So here's the specifics of the situation today, which will likely remain:

“Under the Privacy Act, ISPs have the same obligations as all agencies to tell their customers what personal information they collect and what they do with it. This is set out in the act's information privacy principles,” Mr Edwards says.

 “Principle one says personal information shall not be collected by any agency unless:

  • the information is collected for a lawful purpose connected with a function or activity of the agency;
  • the collection of the information is necessary for that purpose.

"Principle eleven says an agency that holds personal information shall not disclose the information to a person or body or agency unless the agency believes the disclosure is:

  • one of the purposes in connection with which the information was obtained;
  • directly related to the purposes in connection with which the information was obtained;
  • the source of the information is a publicly available publication;
  • the disclosure is authorised by the individual concerned.

 “ISPs have to comply with these requirements, just as all agencies are required to do," the privacy commissioner says.

"The important thing is that by informing customers, customers will be able to choose which provider they trust and adopt.”

© All content copyright NBR. Do not reproduce in any form without permission, even if you have a paid subscription.
Tags
Technology Business Privacy John Edward Eric Cramton
Related News
15

US Congress votes to put people's web browser histories up for sale
Related News
15

US Congress votes to put people's web browser histories up for sale
Can a New Zealand ISP sell your web browsing history? The surprising answer
66000
false
Subscribe Login