XMB Forum Software

Privacy Act in Australia

rightyo - 3-20-2007 at 09:26 AM

Given the removal of the ability for Admins to view member u2u's via the xmb scripts, thought this would be of interest to Australians in regard to their Privacy Act:

Source: http://privacy.gov.au

"Personal information

Personal information is information or an opinion that identifies an individual or allows their identity to be readily worked out from the information. It includes information such as a person's name, address, financial information, marital status or billing details. Some personal information is sensitive information. This includes information about ethnicity, religion and health."


The Australian Privacy Act is there to protect individuals' personal information. Viewing a member's u2u's for the sake of it is morally incorrect; however, it does little in the way of identifying an individual and unless you are publishing their u2u's and their real names, I see nothing in the Privacy web pages that indicates a breach.

Anyone care to look at the web site and correct/clarify this?


As for common law and Ansett, Ansett have long gone so not sure how they could be held to anything. I'd be interested in seeing some successful examples of where an organisation has been found guilty of any breach of law where they have previously published their guidelines for usage.


In saying this, I'm not condemning the removal of the feature, however the reality is that Admins will read u2u's, hopefully only in cases where misuse has been reported (and at the end of the day there is still only one active dev here so who's going to argue the point).

rightyo - 3-20-2007 at 09:42 AM

from http://www.privacy.gov.au/internet/email/index.html

"The Office of the Privacy Commissioner receives many enquiries regarding the privacy of workplace e-mail and web-browsing activities. It is apparent from these calls that there is a general expectation, by staff, that law exists which protects their privacy in the workplace. There is no general constitutional or common law right to privacy in Australia."

vanderaj - 3-20-2007 at 12:41 PM

The Privacy Act is primarily about organizations collecting your information and how they must deal with your information. In part, they have to generate a Privacy Policy, which you must agree to and it must be explicit about the sorts of ways you use the data.

We don't have a privacy policy T&C on this software.

However, the bottom link is incorrect. Here is the NSW law I was telling you about.

[link=http://www.parliament.nsw.gov.au/prod/parlment/NSWBills.nsf/0/941266a03eb10718ca256ff600242edb/$FILE/b04-027-20-p02.pdf]NSW Workplace Surveillance Act[/link]

It criminalizes employers snooping on employees e-mails. Other states are in the process of adopting the same legislation.

Outside of that, why is me opening your mail any different or less moral than me opening your U2U's? Sure on my forum, I can do it with SQL queries, but that shows that I have zero ethics. Would it change your opinion if I told you that it happens here, and regularly?

Andrew

rightyo - 3-20-2007 at 01:13 PM

I'm not disputing the moral ethics of it at all, ever as I agree (but.... I also believe I have to protect my members and need proof when specific claims are made) and part of my forum sign up rules state the instances of when a u2u could be read.

No, my opinion would not be changed if I knew my u2u's were read here or on any other forum as I know the capability is there whenever a database exists and ppl being ppl, they either have a valid reason or they are just snooping.

I'll read that pdf in the morning thanks Andrew.

rightyo - 3-20-2007 at 01:17 PM

p.s. can someone pls tell ultimabb to not show members email addresses when you view their profiles???!!!!

Martijn_cbc - 3-20-2007 at 02:05 PM

rightyo, what do you mean? With UltimaBB the email address is "hidden" on the actual profile page...

FunForum - 3-20-2007 at 03:29 PM

I guess there is an option to hide/unhide the email address?


As for the u2uadmin.php - I've never been a fan of it. I for one wouldn't want others to read my private messages, even if they are complete nonsense sometimes.
Yet I do see your point. If someone comes along and says they are being threatened for example per U2U and give you permission to check his/her inbox ... Then again, would you need permission of the one who sent it as well?

Quite an interesting thing :P


Here it's even so ... (heard in a college) that if your company grants you a Homefolder, like quite some companies do, they have no right to check that Homefolder. You could keep a porn collection on it, they can't check it.
Unless you signed some sort of paper/agreement if I mean to recall?
The guy said, and this is almost quoted; the employee could keep hardcore child pornography on his Homefolder, the company couldn't do anything, but they would get sued for having it on their servers.

*don't know how accurate this is, but seeing he owns his own successful company and is busy with these kinds of things daily...*

vanderaj - 3-20-2007 at 03:55 PM

Generally, the rules are commonsense.

If someone has a warrant, LEA can search. Without a warrant, they can't unless the owner grants them permission.

If an employer tells their peeps that they have no privacy, and that they can read e-mails and u2u's as a matter of normal business, well that is legal in the US, and illegal in NSW. Not ethical however.

Unfortunately, the entire expectation of privacy thing has gone out the window with electronic communication. I see U2U's as a form of e-mail (in fact, they can trigger e-mail). It's no different to reading your sibling's diaries - nothing really to stop an unethical admin, but their sense of morals.

If you need to read someone's u2u with their permission, reset their password and take over the account or ask them to forward it. Don't do it surreptitiously.

Andrew

Passthru - 3-20-2007 at 04:52 PM

Then put an On/Off button in the Admin Settings to disable U2Us please, that is all I ask. By that I mean no links showing anyplace on the forums... if they don't see it they won't try to use it.

vanderaj - 3-20-2007 at 07:14 PM

UltimaBB (which will most likely be the next version, modulo a lot of discussions) has the following u2u controls:

U2U's on/off
# of posts before U2U's are allowed (prevents spam)
Individual U2U post permissions (i.e. can read, but not post)

I think as we're closing out 1.9.7 right now, I do not want to make any more schema changes at this very late stage, so it's too late for this release.

Andrew

rightyo - 3-20-2007 at 11:33 PM

My interpretation of the NSW law link you provided is that it is for workplaces, where an employer/employee arrangement exists:

"5 Meaning of “at work”
(1) For the purposes of this Act, an employee is at work for an employer when the employee is:
(a) at a workplace of the employer (or a related corporation of the employer) whether or not the employee is actually performing work at the time, or
(b) at any other place while performing work for the employer (or a related corporation of the employer)."


However, even if it could/does apply to web site operators, there is a provision for 'surveillance' which indicates employers can, providing they give prior notice:


"10 Notice of surveillance required
(1) Surveillance of an employee must not commence without prior notice in writing to the employee.
Note. Subsection (6) provides for an exception to the notice requirement.
(2) The notice must be given at least 14 days before the surveillance commences. An employee may agree to a lesser period of notice.
(3) If surveillance of employees at work for an employer has already commenced when an employee is first employed, or is due to commence less than 14 days after an employee is first employed, the notice to that employee must be given before the employee starts work.
(4) The notice must indicate:
(a) the kind of surveillance to be carried out (camera, computer or tracking), and
(b) how the surveillance will be carried out, and
(c) when the surveillance will start, and
(d) whether the surveillance will be continuous or intermittent, and
(e) whether the surveillance will be for a specified limited period or ongoing.
(5) Notice by email constitutes notice in writing for the purposes of this section.
(6) Notice to an employee is not required under this section in the case of camera surveillance at a workplace of the employer that is not a usual workplace of the employee."

and section 12 also allows a provision if there is a clear policy:

"12 Additional requirements for computer surveillance
Computer surveillance of an employee must not be carried out unless:
(a) the surveillance is carried out in accordance with a policy of the employer on computer surveillance of employees at work, and
(b) the employee has been notified in advance of that policy in such a way that it is reasonable to assume that the employee is aware of and understands the policy."


The way I read it is that providing you make it clear you can and will in specific circumstances, it is allowable.

vanderaj - 3-20-2007 at 11:40 PM

I am saying that we want to be ethical, not just because it is allowed under weak or inconsistent law.

In the 1840's it was legal to own slaves in many parts of the USA.
In the early 20th century, only New Zealand allowed women to vote.
In the 1940's it was legal to discriminate against folks who weren't white in many parts of the world.
In the 1960's it was legal to discriminate against gays and lesbians.
In the early 21st century, it is still legal to snoop on your fellow humans only in electronic form in some countries.

It is not *right* to snoop on your fellow humans. Not if it's on paper (where almost everyone has legal rights to privacy). Not if it's electronic format (whether it's called U2U or e-mail). To me they are the same. I don't use paper, but I expect my rights to be the same in both media. The fact that they aren't means the law simply hasn't caught up to common sense as yet.

This is not a feature I would want in a forum and I would hope that everyone has the ethics and moral courage to make that stand.

Andrew

Martijn_cbc - 3-20-2007 at 11:40 PM

Quote:
The way I read it is that providing you make it clear you can and will in specific circumstances, it is allowable.


I think that's exactly the main issue for taking the feature out of the software, rightyo; it is legal only in a very conditional context. To avoid complexities by default and to not encourage illegal snooping, I think it's better such a tool is left out of the standard forum-software.

A hack to make the tool available again will resurface soon enough, I'm sure. In which case the fact whether you are snooping or not is no longer XMB's responsibility/concern :)

rightyo - 3-20-2007 at 11:57 PM

I guess we have to agree to disagree!

The NSW law is there to protect employers AND employees. I see no difference where a clear policy is published for a web owner to ensure the protection of their site and members. Yes there will be people who have nothing better to do and snoop, but if that's their bent, they will find the way anyway.

Martijn_cbc - 3-21-2007 at 12:11 AM

True. Even with the tool removed, people'll find ways to snoop the U2U's anyway. However, by having the tool XMB'd be encouraging the use of it...

If we cannot agree on the ethical aspect, perhaps a more practical reasoning is: the majority of users/administrators do not use the tool.
If democracy is the way to go, the majority of votes would therefore go to removal of the tool.

rightyo - 3-21-2007 at 01:00 AM

:)

My point is that the NSW law allows snooping, it does not disallow it. Their ethical viewpoint is that the Employer has the right to snoop providing prior warning is given. As an Employer paying for the facilities (email, web browser etc.) they have an ethical right to ensure those facilities are not abused which could harm their company. Forum owners (similar role to an Employer who provides the facilities) have an ethical right to ensure members do nothing to harm their web site (physically or by reputation).

Employment is great but it's not a right. Membership of forums is nice but it's not a right. Misbehave and you get booted from either.


I have no issue with the removal of the tool, I use sql to investigate reported issues anyway.

vanderaj - 3-21-2007 at 02:25 AM

It's like arguing with water. Whatever.

Andrew

rightyo - 3-21-2007 at 03:15 AM

Quote:
Originally posted by vanderaj
It's like arguing with water. Whatever.

Andrew


Sorry you feel that way. Just trying to clarify for Aussie users, after all people may have interpreted your comment that it is against the law (it isn't):

Quote:
I am thoroughly against the inclusion of this file as it directly breaches EU Privacy laws, Australian common law (there is a court case against Ansett which says that employees have a reasonable level of privacy unless otherwise notified), directly 100% against NSW law preventing unauthorized snooping (whilst allowing wide ranging powers for law enforcement snooping).

John Briggs - 6-8-2007 at 04:55 AM

Unless there is a disclosure agreement regarding viewing U2Us said parties could pursue legal means against owners, mods, admins in access to said data in accordance to the laws in Australia. I removed it completely from UltimaBB the day I started development on it. I know of no other forum systems that make it a default feature either. It's a feature that must be modified to the forum application.

rightyo - 6-8-2007 at 07:29 AM

Quote:
Originally posted by JohnPB2005
Unless there is a disclosure agreement regarding viewing U2Us said parties could pursue legal means against owners, mods, admins in access to said data in accordance to the laws in Australia. I removed it completely from UltimaBB the day I started development on it. I know of no other forum systems that make it a default feature either. It's a feature that must be modified to the forum application.


again, incorrect - the laws in Australia mentioned above do not cover snooping data, they cover identification of individuals and disclosing data that can id individuals. while snooping data could be used to id individuals and thereby disclose said data would be a breach of the Privacy Act, simply snooping data does not appear to be covered by any law or any case brought to law.

however, morally you should disclose if you intend to snoop data such as u2u's whether through the old u2uadmin system or via direct u2u table access.

John Briggs - 6-8-2007 at 07:42 AM

As stated, if someone wanted to pursue it legally they could per the laws in place. It's proving the ability to snoop for unethical means. This could fall into any category such as inside trade secrets etc. It's simply that no precedent has been set forth yet. The law allows the argument and means to pursue. Remember that ethics and law are objective and arguable. They are open to course and action per proof of case.

rightyo - 6-8-2007 at 07:48 AM

I'd like to see a law that covers it. There isn't one.

John Briggs - 6-8-2007 at 08:00 AM

Quote:
Originally posted by rightyo
I'd like to see a law that covers it. There isn't one.


again, you fail to see my point. The law has the scope to utilize it to pursue such matters. It's a point of proving it. The full scope of the law has entitlements that can be appointed to such a case. It's a matter of making the precedent.

A real example is the telecommunications laws regarding phones and how those laws were used in an applicable format to arbitrate and pursue inter crime and privacy matters.

Nic-Isaac - 6-8-2007 at 02:49 PM

Personally I like the feature of being able to read the members U2Us. At times, it is appropriate to do so. Rather you have a member that is causing trouble on the forums or there are things going on behind your back within your forum staff.

All of this legal talk is for the AUS. I live in the USA. Here, it IS legal for an employer to look at employees files, e-mail, IMs, everything. Therefore, there is no LEGAL issue here in the states that is against this kind of thing.

When someone is being harassed on my forums... I look at the person that is doing the harassment because who is to say they are not doing it to other members that have not reported them?

In the states it is legal. Therefore, I do not see a problem with having this feature.

However, I understand that XMB can be held responsible in some countries for allowing this feature to be in place. Therefore as programmers... you can not put it in the software.

John Briggs - 6-8-2007 at 03:14 PM

Quote:
Originally posted by Nic-Isaac
Personally I like the feature of being able to read the members U2Us. At times, it is appropriate to do so. Rather you have a member that is causing trouble on the forums or there are things going on behind your back within your forum staff.

All of this legal talk is for the AUS. I live in the USA. Here, it IS legal for an employer to look at employees files, e-mail, IMs, everything. Therefore, there is no LEGAL issue here in the states that is against this kind of thing.

When someone is being harassed on my forums... I look at the person that is doing the harassment because who is to say they are not doing it to other members that have not reported them?

In the states it is legal. Therefore, I do not see a problem with having this feature.

However, I understand that XMB can be held responsible in some countries for allowing this feature to be in place. Therefore as programmers... you can not put it in the software.


XMB cannot be held responsible for allowing such a feature. It's a matter of the devs making the choice for you. If I told you why it was removed you would be shocked though. ;) It's not legal to invade someone's privacy. There are privacy acts in place in the USA. By employee as you stated, you would have to prove they are your employee. It is a matter of ethics as well. There are some states that do not allow such actions as well. Consult with legal counsel for more details on your state.

This is a good example in my humble opinion of invasion of privacy.

Quote:

or there are things going on behind your back within your forum staff

Nic-Isaac - 6-8-2007 at 05:28 PM

i feel if i am providing a free place for people to enjoy... and i pay all this money for hosting, domain, etc... then i have the right to look at the information that is being held in my respective place.

its just like if someone came into your home and was talking privately about something. if you feel something is going on that you need to know about... it's your right to do whatever means you want to know.

it's not like i do it for the fun of it. i do it to protect the popular website that i have built, run, and pay for. if it was a paid service... i would feel totally different.

it would be like if i owned a store... it's a public place... however... i get to record anything i want to in there as long as there are notices in place. it is LEGAL in the USA to do that. it should be the same concept with message boards and such. as long as i place a notice that we have the ability to read any data including U2Us... then it's legal. and that can be held up in court.

i don't know what kind of "legal" trouble XMB devs could get into if any. i'm not that knowledgeable about that.

mostlysunny04 - 3-30-2008 at 10:01 AM

Interesting discussion, thanks folks, I had wondered why this facility had been phased out. I agree with the morality of the decision but does anyone know what the legal stance is in the UK on this subject?

HammerHead - 3-30-2008 at 03:13 PM

I can understand Nic-Isaac's point very well.
Though with this kind of function in the XMB board it would depend on the intention of the Administrator whether it is being used for appropriate reasons.

I am sure that it would be illegal in the Netherlands to have this function in a board.
It would be infringement of the rules on privacy here.

Is the providing of an optional mod an option Mr. Briggs ?

I have no intention to use or install it, but it seems some people have.
Usage rights could include that XMB takes no responsibility whatsoever for the means to apply this mod?

Just thinking along with both lines here...

Regards,

-Melvin

Train - 3-30-2008 at 09:16 PM

It wouldn't be a mod no.
There are methods of monitoring these messages without any such mod, and I can't say that anyone would make a mod which would be considered illegal by any such party.

HammerHead - 4-9-2008 at 07:32 AM

Then why do people ask for this function if it is already somewhere in the package?

-Melvin

Train - 4-9-2008 at 08:13 AM

It's not "in the package" there are methods of monitoring the messages because XMB stores the messages as text in MySQL. There's no "encoding" of any kind on the messages.

vanderaj - 4-9-2008 at 09:13 PM

Quote:
Originally posted by mostlysunny04
Interesting discussion, thanks folks, I had wondered why this facility had been phased out. I agree with the morality of the decision but does anyone know what the legal stance is in the UK on this subject?


It's here, in the Data Protection Act:

http://www.opsi.gov.uk/Acts/Acts1998/ukpga_19980029_en_3#pt2...

Quote:

10 Right to prevent processing likely to cause damage or distress

(1)Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons—
(a)the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and
(b)that damage or distress is or would be unwarranted.


and if you don't do this as admin, this can be the result:

Quote:

13 Compensation for failure to comply with certain requirements

(1)An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
(2)An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—
(a)the individual also suffers damage by reason of the contravention, or
(b)the contravention relates to the processing of personal data for the special purposes.
(3)In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.


Honestly, this is even more stringent than the Australian anti-snooping law. Any forum manufacturer would be extraordinarily stupid to provide snooping functionality as it would expose them to tortious liability from the obvious potential for abuse. We can foresee (and have seen HERE at XMB in the past) illicit use of the old functionality. Therefore, including it means that XMB knew about the risks of abuse, and thus opens the forum backers (iEntry and any staff with deep pockets) to civil remedies.

It would be extremely dumb to keep this feature or make it available as a mod.

Andrew