In Google We Trust - Monday 9 September 2013

Every hour of every day, our digital interactions are being recorded and logged. We live in the age of 'big data', where seemingly mundane information about how we go about our lives has enormous value.

Next on Four Corners, with the help of expert data trackers, we follow the information trail of an ordinary Australian family. We follow their data over a typical day, watching as it is surreptitiously recorded by government agencies and private organisations.

Who gathers the information, what are they doing with it and what are your legal rights?

The internet has brought us conveniences once unimaginable. You can shop online, diagnose illnesses, and send 'selfies' whenever you want. But it isn't all one way traffic. Every time you use a search engine like Google, or access an 'app' on your smartphone, your activity is logged by companies around the world - many you've never even heard of.

That sometimes intensely personal data is either used or sold to make money.

At one level this could be to your advantage. Marketing and advertising is ever more accurately tailored to your wants and needs.

"The sort of products you're buying can tell a marketer an awful lot about what else you're likely to buy, you know, what model of car you're likely to buy, the political party you're likely to vote for, you know, what sort of job you're likely to have." John Ostler, Data Marketer

But where does it end, and what are the consequences? Is your information secure? Not always, Four Corners reveals.

If your user patterns are valuable and being sold on the open market, should you have a say in it? Should you be told who your data is going to, and exactly how it is being used? If your data is being matched with other data for more valuable results, should you be informed?

Four Corners' investigation reveals that not only are we being tracked online by marketers but Australia's own government agencies are secretly monitoring our digital travels.

On the road, devices in your car are being logged to register your movements.

When you pass by a police car you will be surprised to discover what modern technology is discovering about you.

This kind of information is already being used in court cases, but public officials can access your data without a warrant and without your knowledge:

"That is one of the areas of law reform that we have to, I think, take the greatest interest in. Which agencies can access this material? What can they do with it? And where on earth are the courts… where's the legal oversight that applies to a regular search warrant?" Scott Ludlam, Greens Senator

The digital detectives are in shopping centres too, where your movements can be tracked to provide a physical profile of where you go and what you do. Millions of Australians hold supermarket loyalty cards. The data you give away to get them is now being cross-referenced with data from banks to better predict your behaviour.

Companies like Google and Facebook know more about you than your family or your best friends. How did we get to this point and should we care?

No political party has ever explicitly sought your permission for this to happen.

It is a situation that alarms many experts:

"I don't think any social system, any government, can survive knowing everything about its citizens without ultimately that being corrupted." Danny O'Brien, Privacy Advocate

"In Google We Trust", reported by Geoff Thompson and presented by Kerry O'Brien, goes to air on Monday 9th September at 8.30pm on ABC1. It is replayed on Tuesday 10th September at 11.35pm. It can also be seen on ABC News 24 on Saturday at 8.00pm, ABC iview and at abc.net.au/4corners.

Transcript

"In Google We Trust" - Monday 9 September 2013

KERRY O'BRIEN, PRESENTER: Digital age, welcome to Four Corners.

It's hardly news in this era of information rich technology that privacy is gradually being eroded, or that our digital profiles are being converted to all kinds of uses, without us having much idea of exactly what's going on.

But tonight's story will still startle you, because we use one fairly typical Australian family to illustrate just how the mostly innocuous tools of the internet in common use are being used globally to compile our histories, our interests, our activities, for government or commercial purposes. The cash that's generated by corporations is mind-boggling. What governments get up to could be useful for the broad community, could be innocuous, or could be a breach of your privacy. Largely we take them on trust.

The question of course doesn't just relate to the here and now, it relates to where we're headed. Because the explosion of information being generated, stored and analysed is going to grow massively in the years ahead.

And it can do your head in to try to think the implications through.

Reporter Geoff Thompson presents this simple but fascinating story of a day in the life of one family in the digital age.

GEOFF THOMPSON, REPORTER: The human race now produces 28 billion gigabytes of data every day. And ninety per cent of the data currently in existence was created in just the last two years.

Australians are among the most connected people in the world.

(Pappas's family home)

In Sydney's Eastern Suburbs, this is the home of a family we'll call the Pappas's.

They are waking up and getting ready for an average day of work, school and life at home.

The five family members agreed to let us intercept and record their online data over 24 hours.

Helen and Jim are Mum and Dad.

Twenty-four year old Katerina is their eldest child, Alexi is 16 and Christina is 12.

CHRISTINA PAPPAS: Well first of all I probably check my Instagram.

GEOFF THOMPSON: Christina's favourite things to check online are YouTube, Tumblr and Instagram.

CHRISTINA PAPPAS: I like it because like, you can check out what people are getting up to and what they're doing, and you can usually see what celebrities are getting up to.

GEOFF THOMPSON: The Terms and Conditions of these sites say you have to be at least 13 to use them.

But like most users of free internet services and mobile apps, no-one in the Pappas family ever really reads the fine print.

HELEN PAPPAS: No I don't actually read the fine print.

ALEXI PAPPAS: I've never read the terms and conditions in my life, and I think they've deliberately made them like 10 or 15 pages long so that people don't actually read it. But yeah, no, I don't read terms and conditions at all.

ALASTAIR MACGIBBON, CENTRE FOR INTERNET SAFETY, FORMER AUSTRALIAN FEDERAL POLICE OFFICER: Even if there are 156 pages of terms and conditions very conveniently though that checkbox is on page one, and I suspect that the majority of Australians have never read a privacy policy and if they had, they probably couldn't understand it.

GEOFF THOMPSON: The morning we track the family's activity, Christina is the busiest online. But the connections she's making are not one way.

ALASTAIR MACGIBBON: If we think that we're in our lounge room or bedroom engaging in the internet, that it's just us - there're an awful lot of people looking over your shoulder.

(Christina says bye to family as she leaves the house)

GEOFF THOMPSON: As Christina leaves for school, her data is already travelling to America, the Netherlands and Britain. Two dozen sites she never even clicked on know she likes Selena Gomez and have witnessed her peruse photos of her friends and plan a trip to the movies.

CHRISTINA PAPPAS: I don't really mind because I'm not doing anything like that secret, on my accounts, so it's not a big deal to me.

JON OSTLER, GENERAL MANAGER, BEYOND D, DIGITAL MARKETER: So when you visit a website, you'll be given a cookie in your browser. And that can be from that website or it could be from an app network which has placed that code on that website. They can then, using that cookie, track what you look at on the website, and then when you visit other websites that have the same technology, they can serve you ads based on the behaviour that you've shown across a number of websites which they're tracking.

(Christina walking to school)

GEOFF THOMPSON: Tracking websites are following Christina unseen from the internet's shadows, learning her online habits so that advertisers can target her more accurately.

[Talking to Jim]: What would you do if people you didn't know were following her around like that in the real world?

JIM PAPPAS: What would I do? I'd go crazy probably; I'd be very upset, yeah.

ALASTAIR MACGIBBON: The issue of tracking a child, according to the law, they're a child; according to most human beings they're a child, and do these companies discriminate between the internet activity of a child and that of an adult? And the answer is no, and that does have massive social implications for us.

GEOFF THOMPSON: Popular free internet services like those offered by Google and Facebook are among the most intensive trackers of our online lives.

They know more about you than your best friend.

The two companies are less than 15 years old, but generate about $61 billion a year.

$56 billion of that is made by Google alone and 95 per cent of that income derives from targeted advertising based on your online behaviour.

ALASTAIR MACGIBBON: Unfortunately when you're talking about free online, it usually means you've become the product.

TROY HUNT, INTERNET SECURITY RESEARCHER: We're ticking the box and going 'Yep, get me into this free service so I can get on and, and do my things'. They're giving away the same things that we are which is, you know, something like Facebook is a free service, they're giving away themselves, as a bit of an advertising target to begin with. They're going to get targeted with information that, that fits their demographic. You know, that's the nature of a free service.

(Pappas's house)

GEOFF THOMPSON: Alexi has more apps on his phone than anyone else in the family.

TROY HUNT: I think that we sometimes forget that at the end of the day, apps are talking over the internet just like your browser is, you know maybe it's the fact that it's such a little device in your pocket and it's a more comfortable sort of environment, I dunno, but at the end of the day, they're doing the same thing that the browser on your PC is doing. The difference is you're doing it all day long, you're doing it while you're sitting on the toilet you know, it can happen any time.

(Troy Hunt in the Pappas's home talking to Alexi)

TROY HUNT: So basically as soon as you open a web page on your phone, all of those requests can be intercepted by anyone who's sitting in the middle of the traffic.

GEOFF THOMPSON: We arranged for internet security researcher Troy Hunt to drop around to the Pappas's home to check out Alexi's apps.

TROY HUNT [talking to Alexi]: And we'll look at the data that was sent, so there's your email address and there's your nice strong random password that has lots of good characters and length, and unfortunately this NRL app has just sent it over the internet without any protection.

GEOFF THOMPSON: Troy finds serious security flaws in three of the apps on Alexi's phone. Apps for America's National Basketball Association and Australia's National Rugby League, failed to secure user information over the internet.

TROY HUNT [talking to Alexi]: So let's take a look at Roosters, this is another good example. If we jump into say the store, and as we browse the store we can see all the traffic going through here, and say you want to grab a cap and we'll take one of those, we'll add that to the basket, ok, so we've got that in our shopping basket. Let's now go and proceed to the checkout.

And then what we'll do, we've got a bunch of dummy data in here, let's go through and put in a dummy credit card number as well.

GEOFF THOMPSON: The worst flaw was found in the app of NRL team the Sydney Roosters.

TROY HUNT [talking to Alexi]: And what we see is that the protocol is http, so what that means is that it's not an encrypted protocol, it means all that credit card data would be available to anyone who was able to observe the connection.

And we'll use an expired....

That's particularly alarming, it's, it's something that there are industry standards around, so that, that's probably not real good for the Roosters. But the other thing is that when you do this in a mobile app, you don't get to see the address bar, you don't get to see HTTPS or a padlock or anything like that. So he could've used that app with the best of intentions thinking that they'd done their security right and had no idea that his credit card information was flowing around the internet unprotected.

TROY HUNT [talking to Alexi]: So what we now get is that we can see that there's the first name, there's the last name, the phone number, we've got an email address, we've got all the delivery data, which is probably going to be your home address, and that's the sort of stuff attackers want in order to go and do an identity theft. And then when we go down a little bit, what we find is that here's the credit card number, so we've got that, we've got the credit card expiry and we have got the credit card verification number, as well as obviously the name on the credit card. And what we see is that...

ALEXI PAPPAS: It just kind of shocked me a bit that the apps that I thought were official and mainstream and kind of trustworthy, they're not, they're not what they seem. So yeah, it's just kind of interesting that I- that something that I trust isn't actually, isn't actually trustworthy at all.

TROY HUNT: So that's a real problem with this app and it's unfortunate when you're sitting at a PC and you're doing your banking or you're doing your shopping, you get a little padlock icon and you can sort of look for that, and you get some sort of confidence in the security of the website. But you don't get that in an app, so all you know with an app is that these guys are saying, hey trust me with your credit card details - so that one basically has not even an attempt at securing your credentials.

GEOFF THOMPSON: Since being told of their app's security flaw by Four Corners last week, the Sydney Roosters say the problem has been fixed.

(Jim Pappas starts up his motorbike and rides it)

A self-employed financial planner, Jim Pappas can afford to wait at home until the peak hour rush into the city is over.

Like most of us he has toll tags attached to his vehicles and accepts the convenience of automatic billing in exchange for transport authorities knowing when he uses tollways.

What he doesn't know is that when he passes some traffic lights NSW Roads and Maritime Services is downloading information from his mobile phone by scanning its Bluetooth signal.

JIM PAPPAS: I hadn't thought about it because I didn't know that that occurred. It's a bit of a privacy issue there I suppose. Yeah, I wouldn't be too happy with it, yeah, depending on who gets the information and how it's used.

GEOFF THOMPSON: Do you feel like you should be asked permission first?

JIM PAPPAS: Absolutely.

TROY HUNT: It's a question of what they're actually capturing and saving, I mean the concern that I would have is are they tracking identifiable information about individuals, because if they're tracking identifiable information and they're doing it at multiple points, then they're tracking everything from your personal movements, to the average speed that you could be carrying, that would be a bit of a concern to me, it's a question though of whether it's de-identified or not.

GEOFF THOMPSON: The RMS is collecting the MAC addresses of mobile phones at 16 sets of traffic lights in inner Sydney.

In a statement the RMS says that "no other identifying information" is captured and that "MAC addresses are anonymous data".

MAC address stands for Media Access Control address. It's a unique identifier of devices such as mobile phones.

TROY HUNT: I think this might be one of those cases where you, you wanna get a definition of personal information, is a unique device address personal information? You know, maybe it is not, but it does still track an individual's movements, ah so whether or not they admit to actually tracking it, the capability is there.

GEOFF THOMPSON: Australia's privacy laws do not regard MAC addresses as personal information, because they don't easily identify a phone's owner.

However public outrage over the collection of MAC addresses recently shut down a similar trial in London.

There, it was garbage bins carrying advertising which were recording MAC addresses from the mobile phones of passing pedestrians.

Data which might be harmless enough on its own.

DANNY O'BRIEN, ELECTRONIC FRONTIER FOUNDATION PRIVACY ADVOCATE, SAN FRANCISCO: So bit by bit we're having our privacy chipped away, and each of those tiny bits doesn't seem to reveal that much about us. So to give an example from here in San Francisco, the tracking of, of cars is mainly used here to track people going over the Golden Gate Bridge because they want to pay their, their, their fee as they go over so they have a little device.

Well it didn't take long for divorce courts here in the United States to subpoena that information because that's a useful bit of knowledge to know about a spouse that you're trying to collect data on. I don't think that when we first started tracking cars in that way anyone thought about how it was gonna transform divorce proceedings. But that's what happens. You take a little bit of this data and someone's gonna find a use for it.

(Jim Pappas riding his motorbike)

GEOFF THOMPSON: On his way to work Jim Pappas also passes several police patrol cars. Some carry the Automatic Numberplate Recognition Technology known as ANPR.

Introduced in late 2009 ANPR cameras now sit on top of 280 police cars across NSW. They take six photos a second and almost never miss a passing plate.

SERGEANT MATT REES, NSW POLICE HIGHWAY PATROLMAN: When we were trialling it we dropped a numberplate in front of the car and as the plate fell through the air it read it. I suppose as I said...

GEOFF THOMPSON: NSW Police Highway Patrolman Sergeant Matt Rees agreed to demonstrate to us the technology's astonishing capabilities.

(Sergeant Matt Rees in his patrol car)

SERGEANT MATT REES: I can tell that it's hit on an unregistered car without even looking at the screen because I can hear the tone and it's different to stolen cars and cars with warnings. The car's fitted with three cameras - there's two forward facing cameras on the roof and one on the side of the car, facing sideways. The cameras read the numberplates as they pass the police car. Because it works on infrared, at night I can't even see the numberplates of cars coming towards me because of the headlights, it will still read them.

GEOFF THOMPSON: While we're with Matt alarm bells ring for a car alongside us, which was previously used in a funeral procession for a Hells Angel motorcycle gang member.

[Directing a question to Matt] So that's told you quite a lot of information.

SERGEANT MATT REES: Yeah that one tells me that I need to be careful if I stop that car.

GEOFF THOMPSON: For police on patrol it's a remarkable tool, automatically identifying suspect vehicles.

SERGEANT MATT REES: Well the beauty of this system is that it frees me up to look for other things, So I can - instead of having to look for unregistered cars or stolen cars, I'll let the cameras do that and I can look for offences like seat belts and mobile phones, traffic light offences.

GEOFF THOMPSON: But the cameras don't only shoot offenders - every single numberplate they see is photographed and logged.

SERGEANT MATT REES: I suppose it can read thousands of plates.

GEOFF THOMPSON: In fact, ANPR cameras have taken and stored hundreds of millions of photos of cars since 2009 - more than 208 million, 799,000 of them. The NSW Police were happy to explain how they've obtained this vast amount of information. But they don't want to talk at all about how it is being used.

In a written statement, the police will say only that:

POLICE STATEMENT: "The information collected by the ANPR units - car photo, registration plate number ... and where and when the photo was taken - is stored in a separate data base for about five years."

GEOFF THOMPSON: There are 5.7 million vehicles currently registered in NSW.

That means there is an average of 37 photos for every car in the State.

That's a four year old searchable database of where you've been and when.

TROY HUNT: Without any confirmation to the contrary, and I can understand why they'd want to be cagey about something like this, that's really the only conclusion you can draw right? Because we know that the data's being collected, we know we have the technology to match a numberplate in one location to a numberplate in another location, I mean this is, this is very basic stuff. So you have to draw the conclusion that that yes they, you know, this is all getting put together at some point.

(Sound of traffic)

GEOFF THOMPSON: The NSW police statement says there are strict protocols for accessing and retrieving information, and none of it is personal.

But the police can of course routinely match numberplates with their owners.

ELIZABETH COOMBS, NSW PRIVACY COMMISSIONER: I think it's unlikely that the majority in the community are aware of the potential of that collection, and I think many would actually be quite taken by surprise that that is occurring.

GEOFF THOMPSON [talking to Jim Pappas]: Do you think that the police should ask you before they automatically record when you're somewhere in your car or motorbike?

JIM PAPPAS: Definitely. We pay their wages so I'm sure they should do us the courtesy regarding privacy and, yeah I'm I definitely think they should.

GEOFF THOMPSON: As a successful businessman, Jim Pappas believes he's got nothing to hide. But it's not just the NSW Police or Roads and Maritime Services, which can record his data without his permission.

Dozens of other regulatory authorities can do so too, if he is suspected of committing an offence or somehow pinching from the public purse.

ALASTAIR MACGIBBON: The threshold is surprisingly low I think to people outside of the, the law enforcement and regulatory agencies. Most people would expect that it would be a warrant signed by a judge or a magistrate, and the short answer is it's not.

GEOFF THOMPSON: Under the Telecommunications Interception and Access Act, bureaucrats in government agencies can search your metadata without a warrant and without your knowledge.

SEN. SCOTT LUDLAM, GREENS SENATOR: Yeah and it happened without anybody noticing. You've got to remember these, this stuff we call metadata barely existed two decades ago. The time of the Australia card debate, nobody really had heard of metadata and a whole vast categories of it simply didn't exist.

GEOFF THOMPSON: Metadata tells them who, when, and where you've phoned or emailed someone.

TIMOTHY PILGRIM, AUSTRALIAN PRIVACY COMMISSIONER: Metadata can tell quite a lot about a person's activity in terms of the times they're transmitting and who they're transmitting data to or having communications with, certainly it can provide quite a lot of information.

GEOFF THOMPSON: More than 3000,000 metadata requests are made each year by a growing list of agencies, for reasons they are not required to disclose.

They include Centrelink, Australia Post, local councils and the RSPCA.

SEN. SCOTT LUDLAM: That is one of the areas of law reform that we have to, I think take the greatest interest in. Which agencies can access this material? What can they do with it? And where on earth are the courts? Where are the, where's the legal oversight that applies to a regular search warrant? Those are the democratic norms that have prevailed in Australia for a hundred years, that we need to update and bring into the digital age.

(Pappas house, Helen drives to Coles)

GEOFF THOMPSON: Back at the Pappas home, Helen is heading out to do the family's weekly shop.

She goes to the local Coles because it's close, easy to park and always uncrowded.

The Coles loyalty card system known as "Fly Buys" has been running since 1994.

ROB SCOTT, FINANCE DIRECTOR, COLES: Well Fly Buys is really an extension of what retailers have been doing for, for many years. If you go back 100 years ago when Coles opened its first store, the shopkeeper understood their customers by name, knew what their preferences were, what they wanted to buy and when they wanted to buy it, and that helped them tailor their offer - and really Fly Buys is an opportunity for Coles to do that at scale.

GEOFF THOMPSON: And how does it work?

ROB SCOTT: Well within Fly Buys we, we collect information that the customer provides us, an opt-in programme, and then we can send both targeted offers to the customer. It also helps inform us around what customers like in order for us to put the right products into store, and importantly it delivers significant value. So an average family, if they fully explore the opportunities of Fly Buys, could realise an additional $500 of value per year.

COLES CHECK OUT MACHINE: If you have a fly buys card, please scan it now.

GEOFF THOMPSON: But the data customers surrender in exchange for rewards has a dollar value too.

ALASTAIR MACGIBBON: Loyalty cards and reward systems are about collecting information about you. Again, it's a perfectly legitimate thing to do, so long as you go into it with your eyes wide open.

JOHN OSTLER: The sort of products you're buying can tell a marketer an awful lot about what you're, what else you're likely to buy, you know, what model of car you're likely to buy, what, you know, political party you're likely to vote for, you know, what sort of job you're likely to have. And you'd be surprised about the, you know, the choices you make in the in the supermarket or wherever it might be, and what that tells marketers about who you are and what you're likely to do next.

GEOFF THOMPSON: Helen Pappas used to be a Fly Buys member, but opted out of the program.

HELEN PAPPAS: I used to but I decided that I had too many cards in my wallet and I wasn't really utilising it properly.

GEOFF THOMPSON: But almost seven million Australians do use Coles FlyBuys Cards and Woolworths' "Everyday Rewards" loyalty card program boasts 6.3 million members.

QUANTIUM COMMERCIAL: Businesses compete in an ever-changing and fiercely competitive....

GEOFF THOMPSON: Earlier this year Woolworths made a bold leap into the big data space, by buying a fifty per cent stake in the data analytics company Quantium.

QUANTIUM COMMERCIAL: Today how we live leaves a trail of data, clues about our lifestyle, preferences and shopping habits.

GEOFF THOMPSON: The deal gives Woolworths access to what it calls "the full wallet" - that is an understanding of not just the buying habits of its own customers, but the customer habits of Quantium's many other clients, including the National Australia Bank.

QUANTIUM COMMERCIAL: Talk to Quantium.

ALASTAIR MACGIBBON: I'm not too sure how many National Australia Bank customers have consented to another company having access to that type of information, and, and that example is one of the, I suspect, many social questions we should be asking.

GEOFF THOMPSON: Once again, both Woolworths and Quantium are only too happy to have your data, but are reluctant to discuss what they do with it.

In a written response to questions, Woolworths emphasised that the companies share only data that does not identify you.

But even without your name, your data is hugely valuable.

RICHARD BERGMAN, PWC CYBER SERVICES, ONLINE SECURITY EXPERT: A lot of companies have realised is one, there's enormous value in them mining their own data, but there's a lot more value that can be obtained by combining data sets.

So when you look at a retailer and you look at them analysing their loyalty programme, that's all they see, but what they don't see is what that customer does for the remainder of the week, where they may shop elsewhere and what other patterns and habits they have.

So if you can combine data sets and get a true representation of what your customer does when they're not your customer, it allows you to once again focus your attention on, you know, what that customer is looking for.

(Pappas house, Helen unloading shopping from car)

GEOFF THOMPSON: Helen Pappas has just returned home with her shopping. She doesn't spend much time on the family computer. But Helen does take advantage of the few quiet moments left in the day, before her kids get home from school.

HELEN PAPPAS: I basically check my emails and check anything that's of concern to me immediately.

GEOFF THOMPSON: Helen uses a Yahoo account. That means her data - like the data of Gmail or Facebook users - likely passes through computer servers in the United States. Making even her emails subject to the scrutiny of US intelligence agencies.

DANNY O'BRIEN: I think the biggest worry about the international level of the internet right now, is that that data that you put into a website that's running out of another country, usually the United States, is that it's really out of your control and it's out of the legal constraints of the Australian legal system too.

GEOFF THOMPSON: In June this year - it took a computer systems administrator working for America's National Security Agency out of Hawaii, to shatter any lingering faith we had in the internet as a place where privacy is possible.

EDWARD SNOWDEN, NSA WHISTLEBLOWER: The NSA specifically targets the communications of everyone, it ingests them by default. It collects them in its system and it filters them, and it analyses them, and it measures them, and it stores them for periods of time. Simply because that's the easiest, most efficient and most valuable way to achieve these ends.

GEOFF THOMPSON: Escaping to Hong Kong, Edward Snowden revealed the vast reach of America's surveillance of our online lives, by accessing the data of trusted companies through programs such as PRISM.

EDWARD SNOWDEN: So while they may be intending to target someone associated with a foreign government, or someone that they suspect of terrorism, they're collecting your communications to do so.

GEOFF THOMPSON: The world suddenly knew that decisions to trade our civil liberties for extra security were being made for us and not by us.

BARACK OBAMA, PRESIDENT OF THE UNITED STATES: We have to strike the right balance between protecting our security and preserving our freedoms.

GEOFF THOMPSON: Reaching Moscow, Snowden stayed beyond the reach of the US Government.

The same can't be said for the data of Australians using the internet services of American companies.

DANNY O'BRIEN: US citizens have, at least in theory, some constitutional rights that protect their data from access by the US government. Those rights don't extend to non-US persons, which means that Australians' data, when it's kept in the United States, has no real legal protection from the government.

ALASTAIR MACGIBBON: The implications for Australians when it comes to PRISM specifically is that your metadata the, the equivalent of the front and back of the envelopes of the letters that you either send or receive, will be stripped and you know, amalgamated in, in these servers of a US government agency. For the vast bulk of us that has no implication whatsoever. If you're doing something that either is of interest or is construed to be of interest to those intelligence agencies, then it might have quite significant implications for you.

DANNY O'BRIEN: It gets worse because, not only is there no good legal protections from the US government, 'cause the US government shares its intelligence and research with the rest of the world, including potentially the Australian government. So you have this incredible trade off where the Australian legal system has good protections to prevent data just ending up in the hands of the Australian law enforcement, without you know a good warrant or a judicial process. But that doesn't stop the US from handing data on Australian citizens straight over to those same parties without any of those legal safeguards.

HELEN PAPPAS: I'm not feeling comfortable with the idea at all. Of course, anybody reading my emails would be very bored, but, again the fact that they can do this to anybody is cause for concern.

SEN. SCOTT LUDLAM: What's difficult to comprehend in Australia, where both of the old parties are running dead and pretending this simply isn't happening, is that this has caused a massive furore in the United States, across both sides of the political divide and in Europe and in Latin America and in East Asia, and in fact it only appears to be in Australia, where the major political parties are just hoping that this will all go away. In the US this is being heavily contested, politically, legally, constitutionally, and in terms of the social rights of intelligence agencies to do what they've been doing.

(Katerina walking through train station)

GEOFF THOMPSON: Katerina Pappas is leaving the city where she works for a consumer advocacy group. On the way home, she's agreed to meet a friend for coffee in Bondi Junction.

They meet at the Westfield Shopping Centre where her movements are captured on CCTV.

But Westfield's privacy policy allows it to capture a lot more than that. It says:

WESTFIELD PRIVACY POLICY: "...where devices are able to connect to, or are identifiable by, in-centre infrastructure, we may collect data including usage, location and type of device"

GEOFF THOMPSON: Right now, Westfield has the capacity to track your devices in three of its Australian shopping centres, but says it is not doing it yet.

WESTFIELD PROMOTION: "Westfield Labs is a new division of the Westfield group ...

GEOFF THOMPSON: Meanwhile, at a new research centre in San Francisco - called Westfield Labs - the company is working to perfect this technology.

WESTFIELD PROMOTION: ...our focus is to discover, to develop and build applications and services within the middle of the convergence between the digital and physical shopper."

RETAILNEXT PROMOTION: What if all systems worked as one, providing real-time data...

GEOFF THOMPSON: While Westfield plans its future, another company - RetailNext - is already there in the United States. They call it in-store tracking.

TIM CALLAN, MARKETING CHIEF, RETAILNEXT, SAN FRANCISCO: We think that one way or another Australians are gonna do this because it's just such a basic piece of making your stores effective.

RETAILNEXT PROMOTION: With Retailnext, the comprehensive solution for gathering in-store performance data, analysing findings, and visualising key insights, you'll know exactly how your customer behaves.

TIM CALLAN: What in-store analytics does is it takes the same kind of capabilities that e-commerce sites have had for more than a decade and it brings those to physical brick and mortar stores. So the stores can understand how many shoppers are coming in, where they're going inside of the stores, where they're stopping, what products or displays or parts of the store they're engaging with, and ultimately how all of that translates to sales at the register.

[Tim showing RetailNext technology] In this case we a view from a camera that's not in the ceiling...

GEOFF THOMPSON: RetailNext's technology relies on the security camera networks already in shopping centres around the world.

TIM CALLAN: If they move from the field of vision from one camera to the next, there's software that will actually stitch those pads, we call 'em, from one camera to another and if you have full camera coverage of the store in principle, you can watch the whole store and understand what people do in the entire store.

GEOFF THOMPSON: Katerina is not comfortable with the idea of being tracked in a shopping centre.

KATERINA PAPPAS: To me it feels like the sole purpose would be to maximise money, maximise where you buy things and how much you buy, what kind of stores you go into, and I, yeah I completely, just that, doesn't sit well. Like I don't want to be, yeah I don't I don't like that.

Yeah I would want to opt in or out and have the option.

GEOFF THOMPSON: Helen is on her way to Westfield to pick Katerina up. Westfield's parking station has been a testing ground for a new technology, which helps shoppers find their cars.

Every car parked is photographed and uploaded to a searchable mobile phone App.

In 2011 Troy Hunt discovered that the App was less than secure.

TROY HUNT: That information was made available via an iPhone App so that you could search for your vehicle, and in theory you would only see grainy photos of four possible matches. Unfortunately the way they had implemented it was that they returned much more information than that and it was possible to find all the other vehicles that were in the shopping centre.

GEOFF THOMPSON: When told about the security flaw, Westfield fixed the problem.

But without Troy Hunt alerting the company, anyone with an internet connection could keep a running tab on which cars were in the shopping centre and when.

TROY HUNT: And they would get a list of every vehicle that was currently in the car park and then they could repeat it every sixty seconds, every five minutes, whenever they wanted to, so you would get a profile of who's coming and going and how long they're staying.

(Pappas's house)

GEOFF THOMPSON: As evening comes to the Pappas house, Helen and the kids are catching up on the family history.

KATERINA PAPPAS: Oh that's a really nice photo.

GEOFF THOMPSON: They still enjoy old photo albums and Mum and Dad keep a collection of old records and books.

HELEN PAPPAS: We go back to my generation, how I came to Australia, the boat I was on, I still have black and white photographs from that time.

GEOFF THOMPSON: But, like most modern families, their memories and music increasingly exist only in digital form.

KATERINA PAPPAS: There's a sense of detachment when you look at an image on, on a screen, the screen is a very desensitised way of viewing, viewing things, viewing the world I think.

GEOFF THOMPSON: But what happens to our digital possessions when we die?

RICHARD BERGMAN: I think actually everyone thinks they do own their digital assets and I think that's what they think they're signing up to with the terms and conditions, and in fact most terms and conditions will attribute ownership to you whilst you're using those assets but it does vary. So for example, with Apple and, and iTunes, your ownership is a license agreement, so technically your iTunes music, you have a license to own and operate.

But when you pass away that license agreement ends because it's with you as an individual. So it's not like leaving a record collection to your family members anymore. It's actually around 'Well what do we do with these songs that may not sit on a physical device?'

ALASTAIR MACGIBBON: The data is assumed to be owned by the companies you've given it to and it certainly will outlive us, and there are some quite sad examples of where families are marketed to based on data of, of deceased now deceased relatives. You know, suggestions that you connect to a person that may not be alive anymore, and there's a new industry online being built up about what to do with your data post-death.

JON OSTLER: That is a really interesting, another really interesting new phenomenon that no-one's really taken into account, as far as who owns that data and what could be done with it and if it's going to get deleted, or if it's going to get kept. Um and yeah, I guess as a, as a society we really are in the early stages of the ultimate information technology revolution, and I don't think anyone's got all the answers to how it's all going to end.

GEOFF THOMPSON: It is already virtually impossible to distinguish between our actual and our digital personalities.

Throughout the evening, members of the Pappas household take turns on the family desktop.

The data breadcrumbs they sprinkle around the world paint an increasingly detailed picture of their interests, plans and even secrets.

KATERINA PAPPAS: It's in a sense shocking, but also at the same time it's something that you'd expect, which I think is how a lot of things work these days.

GEOFF THOMPSON: But Katerina was surprised to learn that our logging of her data trail reveals that she's been looking at boutique hotels in New York - where she plans to holiday - and that she's interested in a personal loan.

KATERINA PAPPAS: I think it is private information and I think, you know, with, especially the financial part of it, if I was looking for a home loan. I think if people sell that information about me, then that that could be, yeah, really worrying.

ALEXI PAPPAS: Just before I'm going to bed you know, maybe I should be encouraging myself to read a little bit more or do something more productive. But instead I'm usually just zoned out on my phone, looking at the apps, you know, the websites and all that.

GEOFF THOMPSON: Alexi's late-night activity on Facebook tells us - and online trackers - something about him he mostly keeps to himself.

He has an interest in graffiti.

ALEXI PAPPAS: I'd be uncomfortable if anything that I looked up on the internet that I shouldn't have, and my parents found out about it, not from word of mouth or from what I left the tab open or something, but if they just found it out from advertising then I think that'd be a little bit scary. There's no, there's no escape really.

GEOFF THOMPSON: By the time the Pappas's go to sleep, our investigation reveals that their data has been logged by hundreds of tracking sites they barely knew were watching them.

(Music)

Information about us has never been so easily available, not only to our friends and employers - but also to the corporations and governments we have chosen to trust.

SEN. SCOTT LUDLAM: We have to rely on trust, and I've been working in politics for a decade and you have to ask yourself, do you trust these tools in the hands of government anywhere or everywhere? And I don't.

DANNY O'BRIEN: I don't think any social system, any government, can survive knowing everything about its citizens without ultimately that being corrupted. I mean I wouldn't be able to take that power. I don't think anyone would want or to take that power, um. But once you've got it, you're gonna find a use for it.

KERRY O'BRIEN: And you thought you felt powerless before this story, how about now?

That's the program for tonight, until next week, goodnight.

END

Background Information

RESPONSES AND CORRESPONDENCE

Four Corners received feedback and responses to issues surrounding privacy and security from the following authorities, companies and sporting bodies that feature in the report "In Google We Trust". Read their responses:

- New South Wales Police Response [pdf 163kB]

- NSW Roads and Maritime Services Response [pdf 156kB]

- Westfield Response [pdf 151Kb]

- Woolworths Q&A Response [pdf 315Kb]

- US National Basketball Association Response [pdf 152Kb]

- National Rugby League Response [pdf 150kB]

NEWS COVERAGE - PRIVACY, GOVERNMENT AND AUTHORITIES

NSW Police photographing numberplates and storing data for five years | ABC News | 9 Sep 2013 - NSW Police cars are photographing the numberplates of every vehicle they pass on the state's roads and storing the data in a vast searchable database with more than 200 million entries.

Greens propose to force IT companies to disclose govt agreements | ZD Net | 28 Aug 2013 - The Australian Greens party has proposed requiring IT providers to release to customers the exact details of their agreements with foreign governments over the provision of customer data.

AUDIO: Internet privacy for Germans and Internet licences for kids | Radio National | 7 Jul 2013 - Imagine you lived in a country that had survived a fascist government, world war and secret police: how would that change your attitude to surveillance? But when Deutschland demands data protection and privacy, it gets it.

Government refuses to be drawn on whether MPs' emails are spied on | ABC News | 20 Jun 2013 - The Federal Government has refused to confirm if the official or unofficial email addresses and the metadata content of federal parliamentarians is spied on by the US electronic spy program known as PRISM.

Invasions of Privacy | Aus Law Reform Commission | 12 June 2013 - On 12 June 2013, the Attorney-General Mark Dreyfus QC asked the Australian Law Reform Commission to conduct an inquiry into the protection of privacy in the digital era. The inquiry will address both prevention and remedies for serious invasions of privacy. The ALRC will provide its final report to the Attorney-General by June 2014.

Australian government to assess PRISM impact | CNet | 12 Jun 2013 - While cybersecurity is a "matter of real and present concern" for Australia, Foreign Minister Bob Carr has said that he doesn't think Australians should be concerned about PRISM, the secret National Security Agency (NSA) program to collect user data from some of the largest tech companies in the world.

Metadata Requests: Telecommunications (Interception and Access) Act 1979 | 30 Jun 2012 - Last year there were more than 300,000 instances when Government agencies were able to access metadata. Government agencies which request metadata searches are required, by law, to publish the number of searches they undertake each year. A full list of the government agencies can be found on the Telecommunications (Interception and Access) Act annual report. Go to pages 64-69. [PDF 895Kb]

TECH NEWS, CORPORATIONS AND OTHER STORIES

The Anonymous Internet Is Under Attack | Gizmodo Australia | 6 Sep 2013 - Last week left cybersecurity nerds scratching their heads after traffic to Tor, the free software suite that enables anonymity online, quintupled in less than a week. It was obviously too good to be true, and now we know why. A Russian botnet is threatening to bring the whole network down.

Woolworths: No ads, just data | Ad News | 5 Sep 2013 - One of the country's biggest advertisers, Woolworths, said it doesn't need big splashy ad campaigns to launch its insurance offering. Because its database tells it the people it needs to target directly.

AUDIO: Webdesign Tricking You, Facial Recognition Payment | Radio National | 1 Sep 2013 - Buyer beware, you're being watched: Wearers of Google Glass might not have ads popping up in their vision; instead a "pay-per-gaze" system could track how long smart glass wearers look at advertisements in the real world, then charge advertising companies accordingly.

Big customer data: the most valuable global currency | ABC Tech & Games | 16 Jul 2013 - Now, more than ever, so much information is available, it has even been given a common name: "Big Data". Now it's time to examine the standards by which we operate as a global community and develop ways to better use data for business and public benefit.

NSA Prism program taps in to user data of Apple, Google and others | The Guardian | 7 Jun 2013 - Top-secret Prism program claims direct access to servers of firms including Google, Apple and Facebook. Companies deny any knowledge of program in operation since 2007.

Quantium leap for Woolworths | AFR | 2 May 2013 - Woolworths has opened up a new front in the war over customer data by making a strategic acquisition that will allow it to better analyse the shopping habits of Australians beyond its customer base.

Find my car, find your car, find everybody's car; the Westfield's iPhone app privacy smorgasbord | TroyHunt.com | 14 Sep 2011 - When news came through recently about the Bondi Westfield shopping centre's new "Find my car" feature, the security and privacy implications almost jumped off the page...

FACEBOOK AND PRIVACY

Opinion: The surveillance society is here | Al Jazeera | 6 Sep 2013 - We must be aware of the surveillance tools introduced into our lives - especially those that we already consent to.

Facebook says it received 546 data requests from Australian authorities in first six months of this year | ABC News | 28 Aug 2013 - Facebook has revealed it received 546 requests from Australian authorities for information about its users in the first six months of this year.

Facebook pays five users $22 million to settle privacy lawsuit | The Age | 27 Aug 2013 - Facebook will have to pay $US20 million ($A22 million) to settle a lawsuit over targeted advertising despite objections that the deal did not go far enough to protect children's privacy.

Reach for your privacy settings: Facebook graph search goes public | The Independent UK | 8 Jul 2013 - Facebook is making its 'Graph Search' public today in an attempt to mine the wealth of data produced by users, utilising everything from places you've visited to your likes and photos.

Facebook to pay $9.9 million to settle suit | SMH | 18 Jun 2012 - Facebook Inc has agreed to pay $US10 million ($9.9 million) to charity to settle a lawsuit that accused the site of violating users' rights to control the use of their own names, photographs and likenesses, according to court documents made public over the weekend.

Facebook hit with $15 billion class action user tracking lawsuit | ZD Net | 18 May 2012 - Facebook is once again being sued for tracking its users even after they logout of the service. The latest class action lawsuit demands $15 billion from Facebook for violating federal wiretap laws.

LINKS

The Defence Signals Directorate (DSD) is an intelligence agency in the Australian Government Department of Defence. www.dsd.gov.au/

Do Not Track has tips on how to stop your browser sending tracking information to third parties. donottrack.us/

DuckDuckGo is an Internet search engine that allows you to search the web anonymously. duckduckgo.com

Electronic Frontier Foundation (EFF) is a non-profit organisation promoting free speech, privacy, innovation, and consumer rights today. Danny O'Brien (https://www.eff.org/about/staff/danny-obrien-0) is the group's International Director. www.eff.org/

The Information and Privacy Commission NSW - www.ipc.nsw.gov.au/privacy/

Troyhunt.com Blog - Observations, musings and conjecture about the world of software and technology. www.troyhunt.com/

WATCH RELATED FOUR CORNERS

HACKED! | 27 May 2013 - Andrew Fowler reveals that hackers, working from locations overseas, have targeted key Federal Government departments and major corporations in Australia.