Internet service providers (ISPs) have challenged guidelines released last week by the Office of the Privacy Commissioner for Personal Data (PCO) on how Internet users can protect their privacy, and say security problems on the Net are exaggerated. The PCO issued two sets of guidelines. One for individual Internet users is meant to raise awareness of privacy risks and to teach precautions. The other guides organisations on what to do when they collect, display and transmit personal data. The guide for organisations also says ISPs cannot use or sell clicktrail information to telemarketers. Normally used for troubleshooting and system maintenance, clicktrail data is a record of a user's Web activities, including sites visited. The data can reflect behaviour and hobbies and could be valuable to marketing firms or advertisers. Charles Mok, general manager of HKNet and secretary of Hong Kong Internet Service Providers Association (HKISPA), questioned why the PCO placed a 'top priority' on setting guidelines for Internet usage. 'I don't think the privacy risk on the Internet is higher than that in banks and other industries,' he said. It was 'much more common' to have personal information such as credit-card or identity-card numbers stolen in restaurants or shops. Local ISPs said they agreed on the need to respect and protect the privacy of Internet users, and this was stated in the HKISPA's code of practice. They said an extra guideline for Internet usage was unnecessary and said the guidelines might spoil the 'healthy' image of the Internet and ISPs in Hong Kong which they had worked hard to build. But Privacy Commissioner Stephen Lau said the guidelines were issued because the PCO saw the number of Internet users growing rapidly while regulations were inadequate, resulting in a high privacy risk. Star Internet vice-president Billy Tam said that compared with the number of mobile phone users in Hong Kong, the 400,000 Internet users were insignificant. The PCO already has issued guidelines in two other areas, one relating to human resources and the other to cold-calling by telemarketers. The guidelines gave only practical guidance to companies on how to comply with the Personal Data Ordinance, Mr Lau said. They had no legal power. He would not estimate how many Hong Kong organisations did not meet the guidelines for Internet usage or broke the ordinance. However, the PCO said it would contact industry players to promote the Internet guidelines and to conduct a survey to find out how many organisations were not complying with the law. The PCO also will investigate complaints from users and pass them on to the Government if they have merit. So far, the PCO has received two Internet-related complaints, both from individuals whose e-mail accounts and passwords were stolen by third parties and used to send embarrassing messages. The PCO said both cases were under investigation. If they were shown to involve law infringements, they would be referred to the Department of Justice which would decide whether to charge offenders.