The ABC says it is “committed to protecting your privacy”. So why are they giving our data to Facebook and Google?
The ABC Privacy Policy was updated in late 2021, to “reflect some changes to the way in which your information will be handled as we look to help Australians find more content likely to be of interest to them”.
The changes include “disclosing hashed email addresses to Google and Facebook to show you promotions for ABC Content likely to be of interest to you on those platforms, unless you choose to opt out”.
In other words, if you have an ABC Account (e.g. if you login to watch iview or use the ABC Listen app), you will be individually profiled and potentially targeted by Facebook or Google, based on information about you given to those companies by the ABC – unless you have first figured out this practice is going on and then activated your privacy settings to opt out.
Is this legal? Can the ABC really match up data about its viewers and listeners with Google and Facebook, without your consent?
That depends on your interpretation of the Privacy Act as it stands today. The confusion over what is allowed is a good illustration of why the Privacy Act is in need of reform – but I will come back to that later.
Won’t hashing protect me?
The AdTech and data broking industry like to say that they are protecting your privacy, or sharing only ‘de-identified’ data, by using ‘hashed’ email addresses when they exchange data about you. Hashing is a one-way scrambling process: your email address becomes a string of gibberish which cannot be reverse-engineered, so your ‘real’ email address cannot be guessed at. But if you use the same email address to log in to two or more sites (and most of us do), and if those two or more companies use the same hashing algorithm to scramble your email address, the string of gibberish becomes a unique identifier about you, which can be then be used to match and link up all the other data held about you, by those companies.
So that claim about protecting your privacy is a furphy.
The fact that no ‘names’ or even ‘real’ email addresses are exposed in the middle of the data-sharing process makes no difference to the end privacy impact, which is that you will be shown specifically targeted ads or other forms of personalised content, because of the richness of the information about you that has been shared between companies, behind your back.
In this case, the ABC has clearly admitted that what it is doing is giving information about its viewers and listeners to Facebook and Google.
Why would the ABC do this?
It does so to enable both profiling and individualised targeting of content and ads to its current or prospective viewers. So, for example, as the ABC itself explains, if the ABC already knows that you have watched The Newsreader, it won’t waste money paying Facebook or Google to show you ads on those platforms exhorting you to watch The Newsreader. (Sidenote: enjoy the irony of the public media paying to advertise on social media a TV show about a TV show set on commercial media, in a time before social media existed.)
This also means that the ABC can pay to advertise other shows to you, if it thinks – because of your viewing history – that you might like them. And it can target ads for ABC shows to ‘lookalike’ audiences: people who Facebook and Google have profiled as similar to ABC viewers, but who are not known to be ABC viewers… including all the privacy-protecting people who try to avoid this kind of profiling by laboriously using different email addresses across sites, or who refuse to create accounts to log in at all.
More disturbingly, it also means that Facebook and Google could now know even more information about you than before, and add to your profile. (Because let’s face it: they’re not mugs. They’re going to monetise that data as much as they can.) Which means that – and this is the part that surely the ABC doesn’t fully realise or it wouldn’t be letting its valuable first party customer data out of its own hands – the ABC’s rivals can also now even better target ads for rival TV shows to you. (Liked The Newsreader? Forget the ABC, try Apple TV’s Morning Wars!)
(Updated 7/1: Note that it has been pointed out to me that the use of Facebook’s Custom Audiences targeted marketing technique would usually involve terms to preclude Facebook from re-using the data shared with it by advertisers, so perhaps ABC customers are not at risk of this final scenario happening. However my understanding is that to date the ABC has not released the terms of its engagement with Facebook despite FOI requests from privacy advocates going back some months, so we can’t yet tell what those terms are. And the Privacy Policy doesn’t mention FB’s Custom Audiences; that’s just what a reader has told me the ABC is using. Also, the ABC Privacy Policy, after talking about the information it discloses to third parties for the purposes of marketing via other platforms, states “Some third parties may be able to match information about your use of our digital services with personal information they already have about you”. Because that statement appears before mention of the sharing of hashed email addresses, it is not clear whether that statement is only about data collected via third party cookies and similar online identifiers whether customers are logged in or not (see more about that below), or if it also includes data shared via techniques like using hashed email addresses to build Custom Audiences.)
So, can they really do this?
The sharing of a ‘hashed email address’ is an example of the disclosure of information which, taken alone, might be argued by industry players to be ‘de-identified’, such as to escape regulation under the Privacy Act. That’s because information which cannot ‘reasonably identify’ an individual is excluded from the reach of our privacy laws. And a hashed email address, alone, should not be capable of identifying anyone.
But the privacy regulator in Australia, the OAIC, has said that the test as to whether or not something meets the definition of ‘personal information’ (which means it will be regulated by the Privacy Act), is not about considering information in a vacuum: “Some information may not be personal information when considered on its own. However, when combined with other information held by (or accessible to) an entity, it may become ‘personal information’.”
So, given that a hashed email address can be – and indeed is intended to be – linked back to other information held about identifiable individuals by Facebook and Google, I would argue that the hashed email address, along with all the other ABC-collated information shared about the ‘de-identified’ individual it relates to, is ‘personal information’ regulated by the Privacy Act.
But despite the OAIC’s guidance, the letter of the law about what is ‘personal information’, and what is not, is not quite so clear, which leaves room for argument from the digital platforms and others in the AdTech ecosystem. (Facebook for one argues that this information is not regulated because no-one is ‘identifiable’.)
This alone is a compelling reason why the Privacy Act is currently being reviewed, and why the Australian Government has already proposed strengthening and clarifying the definition of ‘personal information’.
(For more on the Privacy Act review, and to inspire your own submission in support of the proposed reforms, or to argue like me that they need to go further to be truly effective, see our submission to the Privacy Act review. It includes plenty of other examples to explain why reform is needed to protect our privacy. But get in quick, submissions are due 10 January.)
But wait, it gets worse!
Let’s say that, like yours truly, you have thus far resisted all encouragements to create an ABC Account, and are therefore still enjoying iview without having to share any email address with the ABC. Are you immune from the data sharing? Turns out, no.
Check out this from the updated ABC Privacy Policy: “If you are not a registered ABC Account holder, or you are accessing an ABC digital platform while not logged into your ABC Account, we may disclose the identifier for your device or browser to Google and Facebook, via Tealium, for the same purpose. … If you don’t want to see promotional information on those platforms that is informed by your use of ABC digital services, you can opt out via the account settings on those platforms. ”
So, the ABC (with whom I have never had an account) is sharing my data with Facebook (with whom I have never had an account) and the way to opt out of that is via Facebook, but I can’t because I don’t have a Facebook account from which to access any ‘account settings’.
Way to go Aunty! Nice Kafkaesque nightmare you’ve got us in, all so you can show your loyal viewers ads for stuff they probably already know about.
Is this even legal?
Now, if the ABC is indeed found to be sharing ‘personal information’, can it do so legally? Without customer consent, I cannot see how.
(Have they got consent? They are relying on telling customers via their Privacy Policy, and letting people ‘opt out’ if they don’t like it. But in case after case, the OAIC has said that in order to be valid, consent requires an ‘opt in’, not ‘opt out’, and adding something to a Privacy Policy is not nearly enough. But spelling out the essential elements needed to gain a valid consent under the Privacy Act is also the subject of a law reform proposal: to make it absolutely clear in the letter of the law itself that to rely on ‘consent’, the customer needs to have exercised a clear and affirmative choice. So that’s reason #2 to make a submission to the Privacy Act review, ‘toot sweet’ as the ABC’s own Kath and Kim would say.)
The disclosure to any third party is regulated by Australian Privacy Principle (APP) 6, unless it is for ‘direct marketing’ in which case the rule is APP 7, which starts to make things murky as to whether or not consent is needed for that disclosure. But what is clear is that if the information is being disclosed to an organisation outside Australia, it also has to meet APP 8.
And as I previously noted to the ABC when it first proposed last year to make logging into iview mandatory, under APP 8.2, disclosure of personal information to an overseas organisation like Facebook, in jurisdictions such as the USA which does not have privacy protections equivalent to ours, requires the consent of the individual, after they have been expressly informed that their personal information will be sent to a jurisdiction without privacy protections. (And none of the exemptions to APP 8 are relevant here.) So that alone could pose a compliance problem for the ABC.
But regardless of whether or not the ABC is currently legally regulated in the way it shares data about the viewing and listening habits of its customers, surely it has a moral responsibility to protect its viewers and listeners from harm?
What’s so wrong with sharing our data?
When you think about it, a person’s ABC viewing or listening habits may be quite sensitive, and harm could be done when they are shared without consent. Many Australians go to the ABC as a trusted source of information on controversial issues. A student from an authoritarian country who likes to watch shows about democracy, or a teenager from a conservative family who takes an interest in gender fluidity or religious scepticism, may suffer significant harm if these preferences are exposed.
For example, if an Australian has watched Foreign Correspondent’s episode on the crackdown against Uighurs in Xinjiang, this could be used by Facebook or Google to inform an attribute such as “interested in human rights abuses in China”, which could then be used by the Chinese government to target propaganda directly to those viewers via paid advertising on those platforms. This has implications for societal political manipulation. The data is likely to be very easily identifiable by Google, Facebook, the Chinese Communist Party, or other sophisticated data gatherers with whom it might (directly or indirectly) be shared.
So what’s the solution?
If you are less than impressed with this state of affairs, start by making a submission to the review of the Privacy Act, ASAP. (Submissions close 10 January.) Tell the Government you are one of the 89% of Australians who believe that the information used to track us online should be protected under the Privacy Act.
Even if you have time for nothing else, email the review team to say that you support proposals 2.1-2.5 and 9.1-9.2, which are to clarify and strengthen the definition of personal information, and the elements of consent. Want more details? See our blog explainer here, and our detailed submission here.
And then let the ABC know; the bottom of their Privacy Policy tells you how, or write to the MD like I did. Letters from a few concerned viewers last year saw the ABC defer its plan to make it mandatory to log into iview, while it re-considered the privacy issues. Perhaps these recent changes to the Privacy Policy are the result of that review, because 10 points to Aunty for now making it much clearer for everyone to understand exactly what kind of intrusive data sharing is going on, whether people have logged in or not.
But transparency is not enough. This type of exploitative data extraction and surveillance capitalism has no place on our beloved Aunty.
Australians don’t want to be tracked online. Our public broadcaster should not be sharing data about its viewers and listeners with global tech behemoths without our active and informed consent. Aunty’s job is to tell us stories, not tell stories about us to Facebook and Google.
Privacy compliance is not rocket science. Meeting community expectations about our data is not hard. It’s about common sense, and good manners.
Perhaps I can best sum it up using my ABCs: Always Be Considerate.
(Post script for our non-Australian readers: ‘Aunty’ is a fond nickname for the Australian Broadcasting Corporation, our publicly funded national broadcasting service and – except on this issue – national treasure.)
Photo (c) Shutterstock
