Publicity:

Every hour of every day, our digital interactions are being recorded and logged. We live in the age of 'big data', where seemingly mundane information about how we go about our lives has enormous value.

With the help of expert data trackers, we follow the information trail of an ordinary Australian family. We follow their data over a typical day, watching as it is surreptitiously recorded by government agencies and private organisations.

Who gathers the information, what are they doing with it and what are your legal rights?

The internet has brought us conveniences once unimaginable. You can shop online, diagnose illnesses, and send 'selfies' whenever you want. But it isn't all one way traffic. Every time you use a search engine like Google, or access an 'app' on your smart phone, your activity is logged by companies around the world - many you've never even heard of.

That sometimes intensely personal data is either used or sold to make money.

At one level this could be to our advantage. Marketing and advertising is ever more accurately tailored to our wants and needs.

"The sort of products you're buying can tell a marketer an awful lot about what else you're likely to buy, you know, what model of car you're likely to buy, the political party you're likely to vote for, you know, what sort of job you're likely to have." Jon Ostler, Data Marketer

But where does it end, and what are the consequences? Is our information secure? Not always, Four Corners reveals.

If our user patterns are valuable and being sold on the open market, should we have a say in it? Should we be told who our data is going to, and exactly how it is being used? If our data is being matched with other data for more valuable results, should we be informed?

Four Corners' investigation reveals that not only are we being tracked online by marketers but in Australia, government agencies are secretly monitoring digital travels.

On the road, devices in cars are being logged to register movements.

When vehicles pass by a police car many will be surprised to discover what modern technology is discovering about them.

This kind of information is already being used in court cases, but public officials can access a driver's data without a warrant and without their knowledge:

"That is one of the areas of law reform that we have to, I think, take the greatest interest in. Which agencies can access this material? What can they do with it? And where on earth are the courts... where's the legal oversight that applies to a regular search warrant?" Scott Ludlam, Greens Senator

The digital detectives are in shopping centres too, where movements can be tracked to provide a physical profile of where people go and what they do. Millions hold supermarket loyalty cards. The data given away to get them is now being cross-referenced with data from banks to better predict behaviour.

Companies like Google and Facebook know more about us than our families or our best friends. How did we get to this point and should we care?

No political party has ever explicitly sought our permission for this to happen.

It is a situation that alarms many experts:

"I don't think any social system, any government, can survive knowing everything about its citizens without ultimately th

at being corrupted."

Danny O'Brien, Privacy Advocate

Earth from space

Music

00:14

GEOFF THOMPSON, REPORTER: The human race now produces 28 billion gigabytes of data every day. And ninety per cent of the data currently in existence was created in just the last two years. Australians are among the most connected people in the world.

00:20

Pappas family home. Pappas children on mobile devices

Music

00:37

GEOFF THOMPSON  In Sydney's Eastern Suburbs, this is the home of a family we'll call the Pappases.

00:54

They are waking up and getting ready for an average day of work, school and life at home.

01:00

Pappas family at breakfast

The five family members agreed to let us intercept and record their online data over 24 hours.

01:07

Helen and Jim are Mum and Dad. Twenty-four year old Katerina is their eldest child, Alexi is 16 and Christina is 12.

01:17

Home exterior

CHRISTINA PAPPAS: Well first of all I probably check my Instagram.

01:28

Christina on mobile phone

GEOFF THOMPSON: Christina's favourite things to check online are YouTube, Tumblr and Instagram.

CHRISTINA PAPPAS: I like it because like, you can check out what people are getting up to

01:32

Christina

and what they're doing, and you can usually see what celebrities are up to.

01:43

Christina on mobile

Music

01:49

GFX:  Terms of Use... Basic Terms... You must be 13 years or older...

GEOFF THOMPSON: The Terms and Conditions of these sites say you have be at least 13 to use them.

01:52

But like most users of free internet services and mobile apps, no-one in the Pappas family ever really reads the fine print.

01:57

Helen

HELEN PAPPAS: No I don't actually read the fine print.

02:06

Alexi

ALEXI PAPPAS: I've never read the terms and conditions in my life, and I think they've deliberately, made them like 10 or 15 pages long so that people don't actually read it. But yeah, no, I don't read terms and conditions at all.

02:11

MacGibbon. Super:
ALASTAIR MacGIBBON
Centre for Internet Safety
Former Australian Federal Police Officer

ALASTAIR MACGIBBON, CENTRE FOR INTERNET SAFETY, FORMER AUSTRALIAN FEDERAL POLICE OFFICER: Even if there are 156 pages of terms and conditions very conveniently though that checkbox is on page one, and I suspect that the majority of Australians have never read a privacy policy and if they had, they probably couldn't understand it.

02:23

Ext. Pappas home/Christina on mobile

Music

02:40

GEOFF THOMPSON: The morning we track the family's activity, Christina is the busiest online. But the connections she's making are not one way.

ALASTAIR MACGIBBON: If we think that we're in our

02:44

MacGibbon

lounge room or bedroom engaging in the internet, that it's just us - there're an awful lot of people looking over your shoulder.

02:54

Christina says farewells family as she leaves the house

Music

03:02

GEOFF THOMPSON: As Christina leaves for school; her data is already travelling to America, the Netherlands and Britain. Two dozen sites she never even clicked on know she likes Selena Gomez and have witnessed her peruse photos of her friends and plan a trip to the movies.

03:05

Christina

CHRISTINA: I don't really mind because I'm not doing anything like that secret, on my accounts, so it not a big deal to me.

03:23

Ostler. Super:
JON OSTLER
General Manager,  Beyond D
Digital marketer

JON OSTLER, GENERAL MANAGER, BEYOND D, DIGITAL MARKETER: So when you visit a website, you'll be given a cookie in your browser. And that can be from that website or it could be from an app network which has placed that code on that website. They can then, using that cookie, track what you look at on the website, and then when you visit other websites that have the same technology, they can serve you ads based on the behaviour that you've shown across a number of websites which they're tracking.

03:31

Christina walking to school

Music

03:57

GEOFF THOMPSON: Tracking websites are following Christina unseen from the internet's shadows, learning her online habits so that advertisers can target her more accurately.

03:59

Jim

[to Jim]: What would you do if people you didn't know were following her around like that in the real world?

JIM PAPPAS: What would I do? I'd go crazy probably; I'd be very upset, yeah.

04:09

MacGibbon

ALASTAIR MACGIBBON: The issue of tracking a child, according to the law, they're a child; according to most human beings they're a child, and do these companies discriminate between the internet activity of a child and that of an adult? And the answer is no, and that does have massive social implications for us.

04:24

Montage internet use

Music

04:41

GEOFF THOMPSON: Popular free internet services like those offered by Google and Facebook are among the most intensive trackers of our online lives. They can know more about you than your best friend.

04:48

Google/Facebook logo overlay. GFX Overlay:
95% Targeted Advertising

The two companies are less than 15 years old, but generate about $61 billion a year. $56 billion of that is made by Google alone and 95 per cent of that income derives from targeted advertising based on your online behaviour.

05:00

MacGibbon

ALASTAIR MACGIBBON: Unfortunately, when you're talking about free online, it usually means you've become the product.

05:19

Password screen on computer

TROY HUNT, INTERNET SECURITY RESEARCHER: We're ticking the box and going 'Yep, get me into this free service so I can get on and do my things'.

05:26

Hunt. Super:
TROY HUNT
Internet Security Researcher

They're giving away the same things that we are which is, you know, something like Facebook is a free service, they're giving away themselves, as a bit of an advertising target to begin with. They're going to get targeted with information that fits their demographic. You know, that's the nature of a free service.

05:31 

Pappas house - Alexi on mobile

GEOFF THOMPSON: Alexi has more apps on his phone than anyone else in the family.

TROY HUNT: I think that we sometimes forget that at the end of the day, apps are talking over the internet

05:48

Hunt

just like your browser is, you know maybe it's the fact that it's such a little device in your pocket and it's a more comfortable sort of environment, I dunno, but at the end of the day, they're doing the same thing that the browser on your PC is doing. The difference is you're doing it all day long, you're doing it while you're sitting on the toilet you know, it can happen any time.

05:59

Troy Hunt in the Pappas home talking to Alexi

TROY HUNT: So basically as soon as you open a web page on your phone, all of those requests can be intercepted by anyone who's sitting in the middle of the traffic.

GEOFF THOMPSON: We arranged for internet security researcher Troy Hunt to drop around to the Pappases' home to check out Alexi's apps.

06:16

TROY HUNT [talking to Alexi]: And we'll look at the data that was sent, so there's your email address and there's your nice strong random password that has lots of good characters and length, and unfortunately this NRL app has just sent it over the internet without any protection.

06:31

GEOFF THOMPSON: Troy finds serious security flaws in three of the apps on Alexi's phone. Apps for America's National Basketball Association and Australia's National Rugby League, failed to secure user information over the internet.

06:46

TROY HUNT [talking to Alexi]: So let's take a look at Roosters, this is another good example. If we jump into say the store, and as we browse the store we can see all the traffic going through here, and say you want to grab a cap and we'll take one of those, we'll add that to the basket. Okay, so we've got that in our shopping basket. Let's now go and proceed to the checkout. And then what we'll do, we've got a bunch of dummy data in here, let's go through and put in a dummy credit card number as well.

07:02

GEOFF THOMPSON: The worst flaw was found in the app of NRL team the Sydney Roosters.

07:3

TROY HUNT [talking to Alexi]: And what we see is that the protocol is http, so what that means is that it's not an encrypted protocol, it means all that credit card data would be available to anyone who was able to observe the connection.

07:37

That's particularly alarming, it's, it's something that there are industry standards around,

07:48

Hunt

so that, that's probably not real good for the Roosters. But the other thing is that when you do this in a mobile app, you don't get to see the address bar, you don't get to see HTTPS or a padlock or anything like that. So he could've used that app with the best of intentions thinking that they'd done their security right and had no idea that his credit card information was flowing around the internet unprotected.

07:53

Troy Hunt with Alexi

TROY HUNT [talking to Alexi]: So what we now get is that we can see that there's the first name, there's the last name, the phone number, we've got an email address, we've got all the delivery data, which is probably going to be your home address, and that's the sort of stuff attackers want in order to go and do an identity theft.

08:12

And then when we go down a little bit, what we find is that here's the credit card number, so we've got that, we've got the credit card expiry and we have got the credit card verification number, as well as obviously the name on the credit card. And what we see is that...

ALEXI PAPPAS: Yeah, it just kind of shocked me a bit that the apps that I thought were official

08:27

Alexi

and mainstream and kind of trustworthy, they're not, they're not what they seem. So yeah, it's just kind of interesting that I- that something that I trust isn't actually, isn't actually trustworthy at all.

08:48

Troy Hunt with Alexi

TROY HUNT: So that's a real problem with this app and it's unfortunate when you're sitting at a PC and you're doing your banking or you're doing your shopping, you get a little padlock icon

09:05

and you can sort of look for that, and you get some sort of confidence in the security of the website. But you don't get that in an app. So all you know with an app is that these guys are saying, hey trust me with your credit card details - so that one basically has not even an attempt at securing your credentials.

09:12

Roosters app showing on mobile

GEOFF THOMPSON: Since being told of their apps' security flaw by Four Corners last week, the Sydney Roosters say the problem has been fixed.

09:31

Jim Pappas starts up his motorbike and rides it

Music

09:41

GEOFF THOMPSON:  A self-employed financial planner, Jim Pappas can afford to wait at home until the peak hour rush into the city is over.

09:51

Like most of us he has toll tags attached to his vehicles and accepts the convenience of automatic billing in exchange for transport authorities knowing when he uses tollways.

09:58

What he doesn't know is that when he passes some traffic lights New South Wales Roads and Maritime Services is downloading information from his mobile phone by scanning its Bluetooth signal.

JIM PAPPAS: I hadn't thought about it because I didn't know that that occurred.

10:11

Jun in office

It's a bit of a privacy issue there I suppose. Yeah, I wouldn't be too happy with it, yeah, depending on who gets the information and how it's used.

GEOFF THOMPSON: Do you feel like you should be asked permission first?

JIM PAPPAS: Absolutely.

10:27

Hunt

TROY HUNT: It's a question of what they're actually capturing and saving. I mean the concern that I would have is are they tracking identifiable information about individuals, because if they're tracking identifiable information and they're doing it at multiple points, then they're tracking everything from your personal movements, to the average speed that you could be carrying, that would be a bit of a concern to me, it's a question though of whether it's de-identified or not.

10:41

Road/Traffic montage

Music

11:05

GEOFF THOMPSON: The RMS is collecting the MAC addresses of mobile phones at 16 sets of traffic lights in inner Sydney.

11:07

GFX overlay: "...no other identifying information is captured."
"MAC addresses are anonymous data".

In a statement the RMS says that "no other identifying information is captured" and that "MAC addresses are anonymous data".

11:15

Traffic lights

MAC address stands for Media Access Control address. It's a unique identifier of devices such as mobile phones.

11:25

hunt

TROY HUNT: I think this might be one of those cases where you want to get a definition of personal information; is a unique device address personal information? You know, maybe it is not, but it does still track an individual's movements, so whether or not they admit to actually tracking it, the capability is there.

11:34

People on street using mobiles with GFX overlay

Music

11:53

GEOFF THOMPSON: Australia's privacy laws do not regard MAC addresses as personal information, because they do not easily identify a phone's owner. However public outrage over the collection of MAC addresses recently shut down a similar trial in London.

11-57

Garbage bins on London streets

There, it was garbage bins carrying advertising which were recording MAC addresses from the mobile phones of passing pedestrians. Data which might be harmless enough on its own.

DANNY O'BRIEN, ELECTRONIC FRONTIERS FOUNDATION PRIVACY ADVOCATE, SAN FRANCISCO: So bit by bit we're having our privacy chipped away, and each of those tiny bits

12:12

O'Brien. Super:
DANNY O'BRIEN
Electronic Frontiers Foundation
Privacy Advocate, San Francisco

doesn't seem to reveal that much about us. So to give an example from here in San Francisco -- the tracking of cars is mainly used here to track people going over the Golden Gate Bridge because they want to pay their fee as they go over, so they have a little device. Well, it didn't take long for divorce courts here in the United States to subpoena that information, because that's a useful bit of knowledge to know about a spouse that you're trying to collect data on. I don't think that when we first started tracking cars in that way anyone thought about how it was going to transform divorce proceedings. But that's what happens. You take a little bit of this data and someone's going to find a use for it.

12:31

Jim Pappas riding motorbike

Music

13:26

GEOFF THOMPSON: On his way to work Jim Pappas also passes several police patrol cars. Some carry the Automatic Numberplate Recognition Technology known as ANPR. Introduced in late 2009

13:29

ANPR cameras

ANPR cameras now sit on top of 280 police cars across New South Wales. They take six photos a second and almost never miss a passing plate.

SERGEANT MATT REES, NSW POLICE HIGHWAY PATROLMAN: When we were trialling it we dropped a numberplate in front of the car and as the plate fell through the air it read it.

13:41

Camera in police car/Rees in police car

I suppose as I said...

GEOFF THOMPSON: NSW Police Highway Patrolman Sergeant Matt Rees agreed to demonstrate to us the technology's astonishing capabilities.

14:04

SERGEANT MATT REES: I can tell that it's hit on an unregistered car without even looking at the screen because I can hear the tone and it's different to stolen cars and cars with warnings.

14:13

The car's fitted with three cameras - there's two forward facing cameras on the roof and one on the side of the car, facing sideways.

14:22

The cameras read the numberplates as they pass the police car. Because it works on infrared, at night I can't even see the numberplates of cars coming towards me because of the headlights, it will still read them.

14:33

GEOFF THOMPSON: While we're with Matt alarm bells ring for a car alongside us, which was previously used in a funeral procession for a Hells Angel motorcycle gang member.

14:44

[Directing a question to Matt]

So that's told you quite a lot of information.

14:56

SERGEANT MATT REES: Yeah that one tells me that I need to be careful if I stop that car.

GEOFF THOMPSON: For police on patrol it's a remarkable tool,

15:00

automatically identifying suspect vehicles.

SERGEANT MATT REES: Well the beauty of this

15:10

system is that it frees me up to look for other things, So I can - instead of having to look for unregistered cars or stolen cars, I'll let the cameras do that and I can look for offences like seat belts and mobile phones, traffic light offences.

15:14

Camera in police car

GEOFF THOMPSON: But the cameras don't only shoot offenders - every single numberplate they see is photographed and logged.

15:31

Matt Rees in police car

SERGEANT MATT REES: I suppose it can read thousands of plates.

15:41

GFX over ANPR Camera:
208,799,115

GEOFF THOMPSON: In fact, ANPR cameras have taken and stored hundreds of millions of photos of cars since 2009 - more than 208 million, 799,000 of them.

15:43

The New South Wales Police were happy to explain how they've obtained this vast amount of information. But they don't want to talk at all about how it is being used.

16:01

GFX over ANPR Camera:
"The information collected by the ANPR units - car photo, registration plate number ... and where and when the photo was taken - is stored in a separate data base for about 5 years."

In a written statement, the police will say only that:
POLICE STATEMENT: "The information collected by the ANPR units - car photo, registration plate number ... and where and when the photo was taken - is stored in a separate data base for about 5 years."

16:12

Aerials. Traffic

GEOFF THOMPSON: There are 5.7 million vehicles currently registered in New South Wales.

16:27

That means there is an average of 37 photos for every car in the State.

16:33

That's a four year old searchable database of where you've been and when.

16:39

Hunt. Super:
TROY HUNT
Internet Security Researcher

TROY HUNT: Without any confirmation to the contrary, and I can understand why they'd want to be cagey about something like this, that's really the only conclusion you can draw, right? Because we know that the data's being collected, we know we have the technology to match a numberplate in one location to a numberplate in another location, I mean this is, this is very basic stuff. So you have to draw the conclusion that that yes they, you know, this is all getting put together at some point.

16:46

City traffic

GEOFF THOMPSON: The New South Wales police statement says there are strict protocols for accessing and retrieving information, and none of it is personal. But the police can of course routinely match numberplates with their owners.

17:08

Coombs. Super:
ELIZABETH COOMBS
NSW Privacy Commissioner

ELIZABETH COOMBS, NSW PRIVACY COMMISSIONER: I think it's unlikely that the majority in the community are aware of the potential of that collection, and I think many would actually be quite taken by surprise that that is occurring.

17:24

Jim Pappas

GEOFF THOMPSON: [talking to Jim Pappas] : Do you think that the police should ask you before they automatically record when you're somewhere in your car or motorbike?

JIM PAPPAS: Definitely. We pay their wages so I'm sure they should do us the courtesy regarding privacy and, yeah I'm I definitely think they should.

17:39

Jim in office

GEOFF THOMPSON: As a successful businessman, Jim Pappas believes he's got nothing to hide. But it's not just the New South Wales Police or Roads and Maritime Services, which can record his data without his permission.

17:59

Dozens of other regulatory authorities can do so too, if he is suspected of committing an offence or somehow pinching from the public purse.

ALASTAIR MACGIBBON: The threshold is surprisingly low I think to people outside of the

18:14

MacGibbon. Super:
ALASTAIR MacGIBBON
Centre for Internet Safety
Former Australian Federal Police Officer

law enforcement and regulatory agencies. Most people would expect that it would be a warrant signed by a judge or a magistrate, and the short answer is it's not.

18:27

People on city streets using mobile devices

Music

18:39

GEOFF THOMPSON: Under the Telecommunications Interception and Access Act, bureaucrats in government agencies can search your metadata without a warrant and without your knowledge.

SEN. SCOTT LUDLAM, GREENS SENATOR: Yeah and it happened without anybody noticing.

18:41

Ludlam. Super:
SEN. SCOTT LUDLAM
Greens Senator

You've got to remember these, this stuff we call metadata barely existed two decades ago. The time of the Australia Card debate, nobody really had heard of metadata and a whole vast categories of it simply didn't exist.

18:55

People on city streets using mobile devices

GEOFF THOMPSON: Metadata tells them who, when, and where you've phoned or emailed someone.

TIMOTHY PILGRIM, AUSTRALIAN PRIVACY COMMISSIONER: Metadata can tell quite a lot about a person's activity in terms of

19:07

Pilgrim. Super:
TIMOTHY PILGRIM
Australian Privacy Commissioner

the times they're transmitting and who they're transmitting data to or having communications with, certainly it can provide quite a lot of information.

19:21

People on city streets using mobile devices

Music

19:30

GEOFF THOMPSON: More than 3000,000 metadata requests are made each year by a growing list of agencies, for reasons they are not required to disclose.

19:33

Computer screen

They include Centrelink, Australia Post, local councils and the RSPCA.

19:43

Ludlam

SEN. SCOTT LUDLAM: That is one of the areas of law reform that we have to, I think, take the greatest interest in. Which agencies can access this material? What can they do with it? And where on earth are the courts? Where are the, where's the legal oversight that applies for a regular search warrant? Those are the democratic norms that have prevailed in Australia for a hundred years, that we need to update and bring into the digital age.

19:50

Pappas house, Helen drives to supermarket

Music

20:12

GEOFF THOMPSON: Back at the Pappas home, Helen is heading out to do the family's weekly shop.

20:16

She goes to the local Coles because it's close, easy to park and always uncrowded.

20:23

The Coles loyalty card system known as "Fly Buys" has been running since 1994.

ROB SCOTT, FINANCE DIRECTOR, COLES: Well Fly Buys is really an extension of what retailers have been doing for many years.

20:31

Scott. Super:
ROB SCOTT
Finance Director, Coles

If you go back 100 years ago when Coles opened its first store, the shopkeeper understood their customers by name, knew what their preferences where, what they wanted to buy and when they wanted to buy it, and that helped them tailor their offer - and really Fly Buys is an opportunity for Coles to do that at scale.

GEOFF THOMPSON: And how does it work?

20:42

Supermarket checkout

ROB SCOTT: Well within Fly Buys, we collect information that the customer provides, it's an opt-in program, and then we can send

21:00

Scott

both targeted offers to the customer. It also helps inform us around what customers like in order for us to put the right products into store, and importantly it delivers significant value. So an average family, if they fully explore the opportunities of Fly Buys, could realise an additional $500 of value per year.

21:08

Supermarket checkout

COLES CHECK OUT MACHINE: If you have a fly buys card, please scan it now.

21:26

GEOFF THOMPSON: But the data customers surrender in exchange for rewards has a dollar value, too.

ALASTAIR MACGIBBON: Loyalty cards and reward systems

21:30

MacGibbon

are about collecting information about you. Again, it's a perfectly legitimate thing to do, so long as you go into it with your eyes wide open.

21:39

Ostler. Super:
JON OSTLER
General Manager,  Beyond D
Digital marketer

JON OSTLER: The sort of products you're buying can tell a marketer an awful lot about what you're, what else you're likely to buy, you know, what model of car you're likely to buy, what, you know, political party you're likely to vote for, you know, what sort of job you're likely to have. And you'd be surprised about the, you know, the choices you make in the supermarket or wherever it might be, and what that tells marketers about who you are and what you're likely to do next.

21:47

Helen at supermarket

GEOFF THOMPSON: Helen Pappas used to be a Fly Buys member, but opted out of the program.

HELEN PAPPAS: I used to but I decided that I had too many cards in my wallet

22:11

and I wasn't really utilising it properly.

22:24

Coles/Woolworth's supermarket

GEOFF THOMPSON: But almost 7 million Australians do use Coles Fly Buys cards and Woolworth's' "Everyday Rewards" loyalty program boasts 6.3 million members.

22:28

Quantium commercial

QUANTIUM COMMERCIAL: Businesses compete in an ever-changing and fiercely competitive...

GEOFF THOMPSON: Earlier this year Woolworth's made a bold leap into the big data space, by buying a fifty per cent stake in the data analytics company Quantium.

22:42

QUANTIUM COMMERCIAL: Today, how we live leaves a trail of data, clues about out lifestyle, preferences and shopping habits.

GEOFF THOMPSON: The deal gives Woolworth's access to what it calls "the full wallet" - that is an understanding of not just the buying habits of its own customers, but the customer habits of Quantium's many other clients, including the National Australia Bank.

22:56

QUANTIUM COMMERCIAL: Talk to Quantium.

ALASTAIR MACGIBBON: I'm not too sure how many National Australia Bank customers

23:19

MacGibbon

have consented to another company having access to that type of information, and that example is one of the, I suspect, many social questions we should be asking.

23:23

Supermarket

GEOFF THOMPSON: Once again, both Woolworth's and Quantium are only too happy to have your data, but are reluctant to discuss what they do with it.

23:34

GFX overlay: De-identified data may be used in aggregate form to understand broad customer profiles and preferences to help other clients in delivering better services to customers.

In a written response to questions, Woolworth's emphasised that the companies share only data that does not identify you.

23:44

But even without your name, your data is hugely valuable.

23:52

Bergman. Super:
RICHARD BERGMAN
PwC Cyber Services
Online Security Expert

RICHARD BERGMAN, PWC CYBER SERVICES, ONLINE SECURITY EXPERT: A lot of companies have realised is one, there's enormous value in them mining their own data, but there's a lot more value that can be obtained by combining data sets. So when you look at a retailer and you look at them analysing their loyalty program, that's all they see, but what they don't see is what that customer does for the remainder of the week, where they may shop elsewhere and what other patterns and habits they have. So if you can combine data sets and get a true representation of what your customer does when they're not your customer, it allows you to once again focus your attention on, you know, what that customer is looking for.

23:57

Pappas house, Helen unloading shopping from car

24:33

GEOFF THOMPSON: Helen Pappas has just returned home with her shopping. She doesn't spend much time on the family computer. But Helen does take advantage of the few quiet moments left in the day, before her kids get home from school.

24:38

Helen on computer

HELEN PAPPAS: I basically check my emails and check anything that's of concern to me immediately.

24:53

Yahoo screen on computer

GEOFF THOMPSON: Helen uses a Yahoo account. That means her data - like the data of Gmail or Facebook users - likely passes through computer servers in the United States. Making even her emails subject to the scrutiny of US intelligence agencies.

25:02

O'Brien. Super:
DANNY O'BRIEN
Electronic Frontiers Foundation
Privacy Advocate, San Francisco

DANNY O'BRIEN: I think the biggest worry about the international level of the internet right now, is that that data that you put into a website that's running out of another country, usually the United States, is that it's really out of your control and it's out of the legal constraints of the Australian legal system too.

25:21

Computer montage

Music

25:41

GEOFF THOMPSON: In June this year - it took a computer systems administrator working for America's National Security Agency out of Hawaii, to shatter any lingering faith we had in the internet as a place where privacy is possible.

25:45

Snowden. Super:
EDWARD SNOWDEN
NSA Whistleblower

EDWARD SNOWDEN, NSA WHISTLEBLOWER: The NSA specifically targets the communications of everyone, it ingests them by default. It collects them in its system and it filters them, and it analyses them, and it measures them, and it stores them for periods of time. Simply because that's the easiest, most efficient and most valuable way to achieve these ends.

26:00

Hong Kong night/Company information websites

Music

26:19

GEOFF THOMPSON: Escaping to Hong Kong, Edward Snowden revealed the vast reach of America's surveillance of our online lives, by accessing the data of trusted companies through programs such as PRISM.

26:23

Snowden

EDWARD SNOWDEN: So while they may be intending to target someone associated with a foreign government, or someone that they suspect of terrorism, they're collecting your communications to do so.

26:35

Mobile devices montage

GEOFF THOMPSON: The world suddenly knew that decisions to trade our civil liberties for extra security were being made for us and not by us.

26:46

President Obama

BARACK OBAMA, PRESIDENT OF THE UNITED STATES: We have to strike the right balance between protecting our security and preserving our freedoms.

26:58

Moscow

GEOFF THOMPSON: Reaching Moscow, Snowden stayed beyond the reach of the US Government.

27:03

Mobile devices montage

The same can't be said for the data of Australians using the internet services of American companies.

27:09

O'Brien

DANNY O'BRIEN: US citizens have, at least in theory, some constitutional rights that protect their data from access by the US government. Those rights don't extend to non-US persons, which means that Australian's data, when it's kept in the United States, has no real legal protection from the government.

27:17

MacGibbon. Super:
ALASTAIR MacGIBBON
Centre for Internet Safety
Former Australian Federal Police Officer

ALASTAIR MACGIBBON: The implications for Australians when it comes to prisms specifically is that your metadata the, the equivalent of the front and back of the envelopes of the letters that you either send or receive, will be stripped and, you know, amalgamated in these servers of a US government agency. For the vast bulk of us that has no implication whatsoever. If you're doing something that either is of interest or is construed to be of interest to those intelligence agencies, then it might have quite significant implications for you.

27:38

O'Brien

DANNY O'BRIEN: It gets worse because, not only is there no good legal protections from the US government, because the US government shares its intelligence and research with the rest of the world, including potentially the Australian Government. So you have this incredible trade off where the Australian legal system has good protections to prevent data just ending up in the hands of the Australian law enforcement, without, you know, a good warrant or a judicial process. But that doesn't stop the US from handing data on Australian citizens straight over to those same parties without any of those legal safeguards.

28:15

Helen

HELEN PAPPAS: I'm not feeling comfortable with the idea at all. Of course, anybody reading my emails would be very bored, but, again the fact that they can do this to anybody is cause for concern.

28:58

Ludlam. Super:
SEN. SCOTT LUDLAM
Greens Senator

SEN. SCOTT LUDLAM: What's difficult to comprehend in Australia, where both of the old parties are running dead and pretending this simply isn't happening, is that this has caused a massive furore in the United States, across both sides of the political divide and in Europe and in Latin America and in East Asia, and in fact it only appears to be in Australia, where the major political parties are just hoping that this will all go away. In the US this is being heavily contested, politically, legally, constitutionally, and in terms of the social right of intelligence agencies to do what they've been doing.

29:16

Katerina walking through train station

Music

29:50

GEOFF THOMPSON: Katerina Pappas is leaving the city where she works for a consumer advocacy group.

29:54

On the way home, she's agreed to meet a friend for coffee in Bondi Junction.

30:00

Katerina meets friend

They meet at the Westfield Shopping Centre where her movements are captured on CCTV.

30:06

But Westfield's privacy policy allows it to capture a lot more than that. It says:

30:15

GFX overlay: "...where devices are able to connect to, or are identifiable by, in-centre infrastructure, we may collect data including usage, location and type of device."

WESTFIELD PRIVACY POLICY: "...where devices are able to connect to, or are identifiable by, in-centre infrastructure, we may collect data including usage, location and type of device."

30:21

Westfield

GEOFF THOMPSON: Right now, Westfield has the capacity to track your devices in three of its Australian shopping centres, but says it is not doing it yet.

30:33

Westfield promotion

WESTFIELD PROMOTION: "Westfield Labs is a new division of the Westfield group ...

30:43

GEOFF THOMPSON: Meanwhile, at a new research centre in San Francisco - called Westfield Labs - the company is working to perfect this technology.

30:49

WESTFIELD PROMOTION: ...our focus is to discover, to develop and build applications and services within the middle of the convergence between the digital and physical shopper."

30:57

RetailNext promotion

RETAILNEXT PROMOTION: What if all systems worked as one, providing real-time data...

GEOFF THOMPSON: While Westfield plans its future, another company - RetailNext - is already there in the United States. They call it in-store tracking.

30:01

Callan. Super:
TIM CALLAN
Marketing Chief, RetailNext
San Francisco

TIM CALLAN, MARKETING CHIEF, RETAILNEXT, SAN FRANCISCO: We think that one way or another Australians are going do this because it's just such a basic piece of making your stores effective.

31:26

RetailNext promotion

RETAILNEXT PROMOTION: With RetailNext, the comprehensive solution for gathering in-store performance data, analysing findings, and visualising key insights, you'll know exactly how your customer behaves.

TIM CALLAN: What in-store analytics does

31:33

Callan

is it takes the same kind of capabilities that e-commerce sites have had for more than a decade and it brings those to physical brick and mortar stores. So the stores can understand how many shoppers are coming in, where they're going inside of the stores, where they're stopping, what products or displays or parts of the store they're engaging with, and ultimately how all of that translates to sales at the register.

31:48

Callan showing RetailNext technology

In this case we a view from a camera that's not in the ceiling...

GEOFF THOMPSON: RetailNext's technology relies on the security camera networks already in shopping centres around the world.

TIM CALLAN: If they move from the field of vision from one camera to the next,

32:33

there's software that will actually stitch those pads, we call 'em,

32:27

Callan

from one camera to another and if you have full camera coverage of the store, in principle, you can watch the whole store and understand what people do in the entire store.

32:31

Katerina in Westfield

GEOFF THOMPSON: Katerina is not comfortable with the idea of being tracked in a shopping centre.

KATERINA PAPPAS: To me it feels like

32:42

Katerina

the sole purpose would be to maximise money, maximise where you buy things and how much you buy, what kind of stores you go into, and I, yeah I completely, just that, doesn't sit well. Like I don't want to be, yeah I don't I don't like that.

32:51

Katerina in Westfield

Yeah I would want to opt in or out and have the option.

33:13

Westfield parking station

Music

33:17

GEOFF THOMPSON: Helen is on her way to Westfield to pick Katerina up. Westfield's parking station has been a testing ground for a new technology, which helps shoppers find their cars. Every car parked is photographed and uploaded to a searchable mobile phone app. In 2011 Troy Hunt discovered that the app was less than secure.

33:20

TROY HUNT: That information was made available via an iPhone app so that you could search for your vehicle,

33:42

Hunt. Super:
TROY HUNT
Internet Security Researcher

and in theory you would only see grainy photos of four possible matches. Unfortunately, the way they had implemented it was that they returned much more information than that and it was possible to find all the other vehicles that were in the shopping centre.

33:48

Westfield parking station

GEOFF THOMPSON: When told about the security flaw, Westfield fixed the problem. But without Troy Hunt alerting the company, anyone with an internet connection could keep a running tab on which cars were in the shopping centre and when.

34:02

Hunt

TROY HUNT: And they would get a list of every vehicle that was currently in the car park and then they could repeat it every sixty seconds, every five minutes, whenever they wanted to, so you would get a profile of who's coming and going and how long they're staying.

34:18

Pappas house

Music

34:30

Pappas family look at photos

GEOFF THOMPSON: As evening comes to the Pappas house, Helen and the kids are catching on the family history.

34:35

KATERINA PAPPAS: Oh that's a really nice photo.

GEOFF THOMPSON: They still enjoy old photo albums and Mum and Dad keep a collection of old records and books.

HELEN PAPPAS: We go back to my generation, how I came to Australia,

34:42

Helen

the boat I was on, I still have black and white photographs from that time.

34:57

Pappas family look at photos

GEOFF THOMPSON: But, like most modern families, their memories and music increasingly exist only in digital form.

35:02

Katerina

KATERINA PAPPAS: There's a sense of detachment when you look at an image on a screen, the screen is a very desensitised way of viewing things, viewing the world I think.

35:14

Pappas family look at photos

GEOFF THOMPSON: But what happens to our digital possessions when we die?

35:23

Bergman. Super:
RICHARD BERGMAN
PwC Cyber Services
Online Security Expert

RICHARD BERGMAN: I think actually everyone thinks they do own their digital assets and I think that's what they think they're signing up to with the terms and conditions, and in fact most terms and conditions will attribute ownership to you whilst you're using those assets but it does vary. So for example, with Apple and, and iTunes, your ownership is a license agreement, so technically your iTunes music, you have a license to own and operate. But when you pass away that license agreement ends because it's with you as an individual. So it's not like leaving a record collection to your family members any more. It's actually around 'Well what do we do with these songs that may not sit on a physical device?'

35:29

MacGibbon. Super:
ALASTAIR MacGIBBON
Centre for Internet Safety
Former Australian Federal Police Officer

ALASTAIR MACGIBBON: The data is assumed to be owned by the companies you've given it to and it certainly will outlive us, and there are some quite sad examples of where families are marketed to based on data of now deceased relatives. You know, suggestions that you connect to a person that may not be alive any more, and there's a new industry online being built up about what to do with your data post-death.

36:05

Ostler. Super:
JON OSTLER
General Manager,  Beyond D
Digital marketer

JON OSTLER: That is a really interesting, another really interesting new phenomenon that no-one's really taken into account, as far as who owns that data and what could be done with it and if it's going to get deleted, or if it's going to get kept. And yeah, I guess as a society we really are in the early stages of the ultimate information technology revolution, and I don't think anyone's got all the answers to how it's all going to end.

36:35

Pappas family at computer

GEOFF THOMPSON: It is already virtually impossible to distinguish between our actual and our digital personalities. Throughout the evening, members of the Pappas household take turns on the family desktop. The data breadcrumbs they sprinkle around the world paint an increasingly detailed picture of their interests, plans and even secrets.

KATERINA PAPPAS: It's in a sense shocking, but also at the same time it's something that you'd expect, which I think is how a lot of things work these days.

37:06

Katerina at computer

GEOFF THOMPSON: But Katerina was surprised to learn that our logging of her data trail reveals that she's been looking at boutique hotels in New York - where she plans to holiday - and that she's interested in a personal loan.

KATERINA PAPPAS: I think it is private information and I think,

37:38

Katerina

you know, with, especially the financial part of it, if I was looking for a home loan. I think if people sell that information about me, then that that could be, yeah, really worrying.

37:57

Alexi on mobile device

ALEXI PAPPAS: Just before I'm going to bed you know, maybe I should be encouraging myself to read a little bit more or do something more productive. But instead I'm usually just zoned out on my phone,

38:12

Alexi

looking at the apps, you know, the websites and all that.

38:25

Alexi on Facebook

Music

38:31

GEOFF THOMPSON: Alexi's late-night activity on Facebook tells us - and online trackers - something about him he mostly keeps to himself. He has an interest in graffiti.

38:37

Graffiti web screens

ALEXI PAPPAS: I'd be uncomfortable if anything that I looked up on the internet

38:50

Alexi

that I shouldn't have, and my parents found out about it, not from word of mouth or from what I left the tab open or something, but if they just found it out from advertising, then I think that'd be a little bit scary. There's no, there's no escape really.

38:53

Ext. Pappas house. Night

Music

39:10

GEOFF THOMPSON: By the time the Pappases go to sleep, our investigation reveals that their data has been logged by hundreds of tracking sites they barely knew were watching them.

39:13

People on mobile devices/Space shot

Music

39:24

GEOFF THOMPSON:  Information about us has never been so easily available, not only to our friends and employers - but also to the corporations and governments we have chosen to trust.

SEN. SCOTT LUDLAM: We have to rely

39:47

Ludlam

on trust, and I've been working in politics for a decade and you have to ask yourself, do you trust these tools in the hands of governments anywhere or everywhere? And I don't.

40:03

People on mobile devices

Music

40:15

DANNY O'BRIEN: I don't think any social system,

40:17

O'Brien

any government, can survive knowing everything about its citizens without ultimately that being corrupted. I mean I wouldn't be able to take that power. I don't think anyone would want or to take that power. But once you've got it, you're going to find a use for it.

40:20

Space shot of earth

Music

40:37

40:40