The devil is in the detail of government bill to enable access to communications data


Monique Mann, Queensland University of Technology

The Australian government has released a draft of its long awaited bill to provide law enforcement and security agencies with new powers to respond to the challenges posed by encryption.

According to the Department of Home Affairs, encryption already impacts 90% of the Australian Security Intelligence Organisation’s (ASIO) priority cases, and 90% of data intercepted by the Australian Federal Police. The measures respond to estimates that communications among terrorists and organised crime groups will be entirely encrypted by 2020.

The Department of Home Affairs and ASIO can already access encrypted data with specialist decryption techniques – or at points where data are not encrypted. But this takes time. The new bill aims to speed up this process, but these broad and ill-defined new powers have significant scope for abuse.






The Department of Home Affairs argues this new framework will not compel communications providers to build systemic weaknesses or vulnerabilities into their systems. In other words, it is not a backdoor.

But it will require providers to offer up details about technical characteristics of their systems that could help agencies exploit weaknesses that have not been patched. It also includes installing software, and designing and building new systems.

Compelling assistance and access

The draft Assistance and Access Bill introduces three main reforms.

First, it increases the obligations of both domestic and offshore organisations to assist law enforcement and security agencies to access information. Second, it introduces new computer access warrants that enable law enforcement to covertly obtain evidence directly from a device (this occurs at the endpoints when information is not encrypted). Finally, it increases existing powers that law enforcement have to access data through search and seizure warrants.

The bill is modelled on the UK’s Investigatory Powers Act, which introduced mandatory decryption obligations. Under the UK Act, the UK government can order telecommunication providers to remove any form of electronic protection that is applied by, or on behalf of, an operator. Whether or not this is technically possible is another question.

Similar to the UK laws, the Australian bill puts the onus on telecommunication providers to give security agencies access to communications. That might mean providing access to information at points where it is not encrypted, but it’s not immediately clear what other requirements can or will be imposed.






For example, the bill allows the Director-General of Security or the chief officer of an interception agency to compel a provider to do an unlimited range of acts or things. That could mean anything from removing security measures to deleting messages or collecting extra data. Providers will also be required to conceal any action taken covertly by law enforcement.

Further, the Attorney-General may issue a “technical capability notice” directed towards ensuring that the provider is capable of giving certain types of help to ASIO or an interception agency.

This means providers will be required to develop new ways for law enforcement to collect information. As in the UK, it’s not clear whether a provider will be able to offer true end-to-end encryption and still be able to comply with the notices. Providers that breach the law risk facing $10 million fines.

Cause for concern

The bill puts few limits or constraints on the assistance that telecommunication providers may be ordered to offer. There are also concerns about transparency. The bill would make it an offence to disclose information about government agency activities without authorisation. Anyone leaking information about data collection by the government – as Edward Snowden did in the US – could go to jail for five years.

There are limited oversight and accountability structures and processes in place. The Director-General of Security, the chief officer of an interception agency and the Attorney-General can issue notices without judicial oversight. This differs from how it works in the UK, where a specific judicial oversight regime was established, in addition to the introduction of an Investigatory Powers Commissioner.

Notices can be issued to enforce domestic laws and assist the enforcement of the criminal laws of foreign countries. They can also be issued in the broader interests of national security, or to protect the public revenue. These are vague and unclear limits on these exceptional powers.






The range of service providers is also extremely broad. It might include telecommunication companies, internet service providers, email providers, social media platforms and a range of other “over-the-top” services. It also covers those who develop, supply or update software, and manufacture, supply, install or maintain data processing devices.

The enforcement of criminal laws in other countries may mean international requests for data will be funnelled through Australia as the “weakest-link” of our Five Eyes allies. This is because Australia has no enforceable human rights protections at the federal level.

It’s not clear how the government would enforce these laws on transnational technology companies. For example, if Facebook was issued a fine under the laws, it could simply withdraw operations or refuse to pay. Also, $10 million is a drop in the ocean for companies such as Facebook whose total revenue last year exceeded US$40 billion.

Australia is a surveillance state

As I have argued elsewhere, the broad powers outlined in the bill are neither necessary nor proportionate. Police already have existing broad powers, which are further strengthened by this bill, such as their ability to covertly hack devices at the endpoints when information is not encrypted.

Australia has limited human rights and privacy protections. This has enabled a constant and steady expansion of the powers and capabilities of the surveillance state. If we want to protect the privacy of our communications we must demand it.

The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (Cth) is still in a draft stage and the Department of Home Affairs invites public comment up until 10th of September 2018. Submit any comments to assistancebill.consultation@homeaffairs.gov.au.

Monique Mann, Vice Chancellor’s Research Fellow in Regulation of Technology, Queensland University of Technology

This article was originally published on The Conversation. Read the original article.


New data access bill shows we need to get serious about privacy with independent oversight of the law




Greg Austin, UNSW

The federal government today announced its proposed legislation to give law enforcement agencies yet more avenues to reach into our private lives through access to our personal communications and data. This never-ending story of parliamentary bills defies logic, and is not offering the necessary oversight and protections.

The trend has been led by Prime Minister Malcolm Turnbull, with help from an ever-growing number of security ministers and senior officials. Could it be that the proliferation of government security roles is a self-perpetuating industry leading to ever more government powers for privacy encroachment?

That definitely appears to be the case.

Striking the right balance between data access and privacy is a tricky problem, but the government’s current approach is doing little to solve it. We need better oversight of law enforcement access to our data to ensure it complies with privacy principles and actually results in convictions. That might require setting up an independent judicial review mechanism to report outcomes on an annual basis.






Where is the accountability?

The succession of data access legislation in the Australian parliament is fast becoming a Mad Hatter’s tea party – a characterisation justified by the increasingly unproductive public conversations between the government on one hand, and legal specialists and rights advocates on the other.

If the government says it needs new laws to tackle “terrorism and paedophilia”, then the rule seems to be that the other side will be criticised for bringing up “privacy protection”. The federal opposition has surrendered any meaningful resistance to this parade of legislation.

Rights advocates have been backed into a corner by being forced to repeat their concerns over each new piece of legislation while neither they nor the government, nor our Privacy Commissioner, and all the other “commissioners”, are called to account on fundamental matters of principle.

Speaking of the commissioner class, Australia just got a new one last week: the Data Commissioner. Strangely, the impetus for this appointment came from the Productivity Commission.

The post has three purposes:

  1. to promote greater use of data,
  2. to drive economic benefits and innovation from greater use of data, and
  3. to build trust with the Australian community about the government’s use of data.

The problem with this logic is that purposes one and two can only be distinguished by the seemingly catch-all character of the first: that if data exists it must be used.

Leaving aside that minor point, the notion that the government needs to build trust with the Australian community on data policy speaks for itself.

National Privacy Principles fall short

There is near universal agreement that the government is managing this issue badly, from the census data management issue to the “My Health Record” debacle. The growing commissioner class has not been much help.

Australia does have personal data protection principles, you may be surprised to learn. They are called “Privacy Principles”. You may be even more surprised to learn that the rights offered in these principles exist only up to the point where any enforcement arm of government wants the data.






So it seems that Australians have to rely on the leadership of the Productivity Commission (for economic policy) to guarantee our rights in cyber space, at least when it comes to our personal data.

Better oversight is required

There is another approach to reconciling citizens’ interests in privacy protection with legitimate and important enforcement needs against terrorists and paedophiles: that is judicial review.

The government argues, unconvincingly according to police sources, that this process adequately protects citizens by requiring law enforcement to obtain court-ordered warrants to access information. The record in some other countries suggests otherwise, with judges almost always waving through any application from enforcement authorities, according to official US data.

There is a second level of judicial review open to the government. This is to set up an independent judicial review mechanism that is obliged to annually review all instances of government access to personal data under warrant, and to report on the virtues or shortcomings of that access against enforcement outcomes and privacy principles.

There are two essential features of this proposal. First, the reviewing officer is a judge and not a public servant (the “commissioner class”). Second, the scope of the function is review of the daily operation of the intrusive laws, not just the post-facto examination of notorious cases of data breaches.

It would take a lengthy academic volume to make the case for judicial review of this kind. But it can be defended simply on economic grounds: such a review process would shine light on the efficiency of police investigations.

According to data released by the UK government, the overwhelming share of arrests for terrorist offences in the UK (many based on court-approved warrants for access to private data) do not result in convictions. There were 37 convictions out of 441 arrests for terrorist-related offences in the 12 months up to March 2018.






The Turnbull government deserves credit for its recognition of the values of legal review. Its continuing commitment to posts such as the National Security Legislation Monitor – and the appointment of a high-profile barrister to such a post – is evidence of that.

But somewhere along the way, the administration of data privacy is falling foul of a growing bureaucratic mess.

The only way to bring order to the chaos is through robust accountability; and the only people with the authority or legitimacy in our political system to do that are probably judges who are independent of the government.

Greg Austin, Professor UNSW Canberra Cyber, UNSW

This article was originally published on The Conversation. Read the original article.

Let the light shine on super-fast wireless connections



Light can be used as a high-speed form of wireless communication.
Shutterstock/ra2studio

Thas Ampalavanapillai Nirmalathas, University of Melbourne; Christina Lim, University of Melbourne, and Elaine Wong, University of Melbourne

We live in a world of wireless communications, from the early days of radio to new digital television, Wi-Fi and the latest 4G (soon to be 5G) connected smart devices.

But there are limits to this wireless world. With the prediction of 12 billion mobile-connected devices by 2021 and a projected sevenfold increase in wireless traffic, the search is on for any new method of wireless connectivity.

One solution could be right before our very eyes, if only we could see it.






Current wireless connections

All wireless applications – such as mobile communications, Wi-Fi, broadcasting, and sensing – rely on some form of electromagnetic radiation.

The difference between these applications is simply the frequency of the signal (the carrier frequency) used in the electromagnetic radiation.

For example, current mobile phones sold as 3G and 4G operate in the lower microwave frequency bands (850MHz, 1.8GHz, 2-2.5GHz). A wireless local area network such as Wi-Fi operates in the 2.4GHz and 5GHz bands, whereas digital terrestrial television operates at 600-620MHz.

The spectrum of electromagnetic radiation covers a very broad range of frequencies and some of these are selected for specific applications.

These frequency regions are highly contested and valuable resources for wireless applications.

Running out of spectrum

Our current spectrum use in the lower microwave region will soon be heavily congested, even exhausted. It would be difficult to squeeze any more spare spectrum for any wireless application.

To carry information content on one of these frequencies, the frequency bands need sufficient bandwidth – the amount of information that can be transmitted – to meet future requirements. At the lower end of the spectrum, there is insufficient bandwidth to reach speeds exceeding gigabits per second.

At the higher end of the spectrum, ionising radiation such as x-rays and gamma rays cannot be used because of safety issues.

Despite the current 4G wireless standard promising more shared capacity (1Gb/s), the projected demand and traffic volume already push the existing infrastructure to its ultimate limit. The future promise of 5G communication only adds to the problem.

A major rethink of the current wireless technologies is needed to meet these challenging requirements.

Let there be light!

The wireless transmission of optical signals has emerged as a viable option. It offers advantages not possible with current wireless technologies.

Optical wireless promises greater speed, higher throughput, and potentially lower energy consumption. Leveraging on existing optical wired infrastructures (namely optical fibre cables and networks), optical wireless connectivity can provide a seamless high capacity to end-users.

An example would be using optical wireless connectivity inside buildings to complement fibre-to-the-home deployments.

Optical wireless networks would be immune to electromagnetic interference and so could be deployed in radio frequency (RF) sensitive environments. You’ve probably seen those warning signs asking you not to use your mobile phone in hospitals, aircraft and other areas where equipment is sensitive to interference.

Optical wireless communications can be divided into visible light and infrared systems.

And let there be sight

A common issue with both is that devices need to be in the line of sight, as any physical obstruction can result in the loss of transmission. You may have experienced this issue when attempting to change a channel on TV if someone or something gets in the way of your remote.

Visible light communication (VLC) relies on LEDs that are also used for lighting. For example, by flashing LED lights located in the ceiling of a room at a rate much higher than can be discerned by the human eye, information can be conveyed to detectors around the room.

The major limitation of VLC is the limited bandwidth of commercially available white LEDs (~100 of MHz), which limits transmission speeds.

Infrared communication systems have ample bandwidth, with the potential to transmit tens of Gb/s per user. Despite this major advantage over VLC, the need for line-of-sight has seen the technology under-developed. Until now.

To overcome this we have demonstrated an infrared-based optical wireless communication link that can support a user on the move. By using a pair of access points with some spatial separation, any blockage of beams can be easily overcome as users hop from beam to beam freely.

Optical wireless systems can be built to make sure there is a secure wireless transmission. Using efficient wireless protocols it’s possible to transmit data without any delay and to allow users to move within a building while enjoying high speed wireless coverage.

Optical wireless in action

We will in future be using a range of devices, such as virtual reality (VR) and augmented reality (AR) devices, that all require superfast wireless connections.

For example, these new user interfaces are poised to make a big difference to the way museums and galleries will operate in the future. Currently, most of these platforms are linked via wired connections. But wireless interfaces will make them easier to use in applications.

The uptake of optical wireless as a viable communications technology can also drive further possibilities of using low-cost optical wireless transceivers to substitute expensive optical fibre rollout in rural and regional broadband contexts.

The integrated transceivers for infrared optical wireless communications are still under development and more effort is needed to speed up such integration efforts. But research teams here and abroad are trying to make advances in the way such systems can be used in realistic scenarios.

Thas Ampalavanapillai Nirmalathas, Director – Networked Society Institute and Professor of Electrical and Electronic Engineering, University of Melbourne; Christina Lim, Professor, University of Melbourne, and Elaine Wong, Associate Dean, Diversity and Inclusion, University of Melbourne

This article was originally published on The Conversation. Read the original article.

What should be done with the NBN in the long run?


Mark A Gregory, RMIT University

The National Broadband Network (NBN) should be built and fully operational by 2022, having cost about A$50 billion. The question will then be whether the government should retain the NBN or sell it off.

The current government has laid the groundwork for NBN to be broken up and sold off. But this could end the NBN’s positive disruption of the telecommunications market, which includes lower prices, increased competition, improved access for consumers and more services being offered.






In a recent paper I outlined four options for the NBN:

  • government retains the NBN
  • sell NBN as a single entity
  • disaggregate NBN technologies and sell them separately
  • disaggregate NBN technologies, excluding satellite and fixed wireless, and sell off separately.

Breaking up the NBN could result in the creation of geographic monopolies, hurting rural and regional consumers especially.

Telstra’s recent decision to hive off its infrastructure into separate companies gives Australia the opportunity to do what New Zealand has done: create a new, publicly listed company that contains the NBN and parts of Telstra’s infrastructure.

But there is a valid argument for the government to retain NBN Co. as a government enterprise beyond the NBN rollout.






The NBN has brought about an unprecedented period of positive change in the telecommunications market. But there is more to be done, including a further reduction in the digital divide between urban and regional and remote areas, and upgrading from fibre to the node to fibre to the curb or fibre to the premises.

By retaining ownership of the NBN for the next decade, the government could provide a stable level playing field upon which the telecommunications market can thrive.

For the major carriers, the focus over the next decade will be to build competing 5G networks. The sale of the NBN during this time could return the industry to the chaos that existed before the NBN.

Who would buy the NBN?

The first major concern for anyone buying part of the NBN is the A$15 per customer per month paid to Telstra for a majority of the fixed connections to the NBN.

This is a payment for the use of Telstra’s existing infrastructure, such as the ducts that run along streets and the telephone exchanges where NBN systems are now located.

This payment is a major impediment to the NBN having a successful business model. There is some doubt whether Optus, Vodafone or TPG would bid for part of the NBN knowing that they would be required to make a monthly payment to Telstra for most of the customers they connect.






Telecommunications networks are a “natural monopoly”, similar to roads, rail, gas and electricity. This is because of the high startup costs of building the networks, especially for the segments closest to homes and businesses (also known as the last mile).

In high-value urban areas it is possible to build financially viable infrastructure that competes with incumbents. But this does not solve the problem of competition in lower-value outer urban, regional and remote areas.

No solution to this problem has been forthcoming. This is one of the reasons the NBN came into being in the first place.

How do you break up the NBN?

Outside of the high-value urban areas there is no guarantee of infrastructure-based competition, so regulation is required to ensure broadband in those areas keeps up with what is offered in the high-value urban areas.

The government has already introduced a levy to subsidise the cost of providing broadband in regional and remote areas. But more needs to be done to ensure regional and remote telecommunications is improved continuously.






Breaking up the NBN will also likely result in smaller geographic monopolies, with different technologies used in each network – fixed wireless, satellite and transit etc.

So rather than have one infrastructure monopoly (NBN Co.) wholesaling products and services, we could end up with the bigger telcos becoming monopoly providers by purchasing one or more of the technology footprints.

Consumers, especially those in regional and remote areas, will likely be hit with steep price rises with the end of uniform national wholesale pricing.

The New Zealand option

Telstra has announced that it is creating a standalone company called InfraCo, that will be:

… accountable for our copper and HFC networks; all our fibre network that is not dedicated to supporting mobiles; all ducts, pits and pipes; property including exchange buildings and data centres; and international and domestic subsea cables. These assets will be combined with Telstra Wholesale and the teams in Telstra Operations that provide services to NBN Co.

This provides Telstra with the opportunity to participate in the future sale of the NBN. Telstra could spin off InfraCo as a separate ASX-listed company, take on infrastructure investors for a future purchase of the NBN, or part of the NBN, and effectively follow what happened in New Zealand with Telecom New Zealand becoming Spark (retail/mobile) and Chorus (wholesale).

If Telstra splits into two ASX-listed companies so that InfraCo can purchase the NBN, the result would be a company with about A$10 billion in revenue and A$30 billion in infrastructure assets. This would be a viable company that is able to service the government debt repayments while making a reasonable return to shareholders.

It is likely this outcome would be more palatable to the rest of the telecommunications industry because the positive disruption to the market caused by the NBN would continue.






If the NBN is sold off, the focus must shift to the telecommunications legislation and regulations, setting a minimum broadband connection speed and capacity that infrastructure wholesalers are to provide without penalty, and focusing on how to further reduce the digital divide between urban and regional and remote areas.

The key for a future government decision on what to do with the NBN is that it should not be considered in isolation. There are a number of linked issues, including the universal service obligation, universal access, foreign ownership restrictions and wholesale competition.

Mark A Gregory, Associate professor, RMIT University

This article was originally published on The Conversation. Read the original article.

Here’s what a privacy policy that’s easy to understand could look like



We need a simple system for categorising data privacy settings, similar to the way Creative Commons specifies how work can be legally shared.
Shutterstock

Alexander Krumpholz, CSIRO and Raj Gaire, CSIRO

Data privacy awareness has recently gained momentum, thanks in part to the Cambridge Analytica data breach and the introduction of the European Union’s General Data Protection Regulation (GDPR).

One of the key elements of the GDPR is that it requires companies to simplify their privacy-related terms and conditions (T&Cs) so that they are understandable to the general public. As a result, companies have been rapidly updating their T&Cs, and notifying their existing users.






On one hand, these new T&Cs are now simplified legal documents. On the other hand, they are still too long. Unfortunately, most of us have still skipped reading those documents and simply clicked “accept”.

Wouldn’t it be nice if we could specify our general privacy preferences in our devices, have them check privacy policies when we sign up for apps, and warn us if the agreements overstep?

This dream is achievable.

Creative Commons as a template

For decades, software was sold or licensed with Licence Agreements that were several pages long, written by lawyers and hard to understand. Later, software came with standardised licences, such as the GNU General Public Licence, Berkeley Software Distribution, or The Apache License. Those licences define users’ rights in different use cases and protect the provider from liabilities.

However, they were still hard to understand.

With the foundation of Creative Commons (CC) in 2001, a simplified licence was developed that reduced complex legal copyright agreements to a small set of copyright classes.

These licences are represented by small icons and short acronyms, and can be used for images, music, text and software. This helps creative users to immediately recognise how – or whether – they can use the licensed content in their own work.






Imagine you have taken a photo and want to share it with others for non-commercial purposes only, such as to illustrate a story on a not-for-profit news website. You could license your photo as CC BY-NC when uploading it to Flickr. In Creative Commons terms, the abbreviation BY (for attribution) requires the user to cite the owner and NC (non-commercial) restricts the use to non-commercial applications.

Internet search engines will index these attributes with the files. So, if I search for photos explicitly licensed with those restrictions, via Google for example, I will find your photo. This is possible because even the computers can understand these licences.

We need to develop Privacy Commons

Similar to Creative Commons licences under which creative content is given to others, we need Privacy Commons by which companies can inform users how they will use their data.

The Privacy Commons need to be legally binding, simple for people to understand and simple for computers to understand. Here are our suggestions for what a Privacy Commons might look like.

We propose that the Privacy Commons classifications cover at least three dimensions of private data: collection, protection, and spread.

What data is being collected?

This dimension specifies what level of personal information is collected from the user, and is therefore at risk. For example, name, email, phone number, address, date of birth, biometrics (including photos), relationships, networks, personal preferences, and political opinions. These could be categorised at different levels of sensitivity.

How is your data protected?

This dimension specifies:

  • where your data is stored – within an app, in one server, or in servers at multiple locations
  • how it is stored and transported – whether it is plain text or encrypted
  • how long the data is kept for – days, months, years or permanently
  • how access to your data is controlled within the organisation – this indicates the protection of your data against potentially malicious actors like hackers.

How is your data spread?

In other words, who is your data shared with? This dimension tells you whether or not the data is shared with third parties. If the data is shared, will it be de-identified appropriately? Is it shared for research purposes, or sold for commercial purposes? Are there any further controls in place after the data is shared? Will it be deleted by the third party when the user deletes it at the primary organisation?






Privacy Commons will help companies think about user privacy before offering services. It will also help solve the problem of communication about privacy in the same way that Creative Commons is solving the problems of licensing for humans and computers. Similar ideas have been discussed in the past, such as by Mozilla. We need to revisit those thoughts in the contemporary context of the GDPR.

Such a system would allow you to specify Privacy Commons settings in the configuration of your children’s devices, so that only appropriate apps can be installed. Privacy Commons could also be applied to inform you about the use of your data gathered for other purposes like loyalty rewards cards, such as FlyBuys.
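One way a device could act on such a label, as an added example that is not part of the original article or of any existing standard. The label fields, the sensitivity tiers, the policy keys and both sample apps are hypothetical and constructed for illustration; the three dimensions (collection, protection, spread) follow the text above.

```python
import json

# Constructed sensitivity tiers for the data types the article lists (1 = low, 3 = high).
SENSITIVITY = {
    "name": 1, "email": 1, "phone number": 1,
    "address": 2, "date of birth": 2, "relationships": 2, "networks": 2,
    "personal preferences": 2, "biometrics": 3, "political opinions": 3,
}
UNKNOWN = 3  # a data type the device does not recognise is treated as most sensitive

# Hypothetical setting a parent might configure on a child's device.
CHILD_DEVICE_POLICY = {
    "max_sensitivity": 2,
    "require_encryption": True,
    "max_retention_days": 365,
    "allowed_sharing": {"none", "research"},
}


def evaluate(label_json, policy):
    """Return the reasons a label violates the policy; an empty list means installable."""
    try:
        label = json.loads(label_json)
        collected = label["collection"]
        protection = label["protection"]
        spread = label["spread"]
    except (ValueError, KeyError, TypeError):
        return ["label missing or malformed"]          # fail closed
    if not (isinstance(collected, list) and isinstance(protection, dict)
            and isinstance(spread, dict)):
        return ["label missing or malformed"]

    reasons = []
    # Dimension 1: what data is being collected?
    for item in collected:
        level = SENSITIVITY.get(str(item), UNKNOWN)
        if level > policy["max_sensitivity"]:
            reasons.append(f"collects {item} (sensitivity {level})")
    # Dimension 2: how is the data protected?
    if policy["require_encryption"]:
        if not protection.get("encrypted_at_rest"):
            reasons.append("stored as plain text")
        if not protection.get("encrypted_in_transit"):
            reasons.append("transported as plain text")
    retention = protection.get("retention_days")       # absent or null = kept permanently
    if not isinstance(retention, (int, float)) or retention > policy["max_retention_days"]:
        reasons.append("kept longer than allowed")
    # Dimension 3: how is the data spread?
    purpose = spread.get("shared_for", "commercial")   # absent = assume the worst case
    if purpose not in policy["allowed_sharing"]:
        reasons.append(f"shared for {purpose} purposes")
    if purpose != "none":
        if not spread.get("deidentified"):
            reasons.append("shared without de-identification")
        if not spread.get("deletion_propagates"):
            reasons.append("third parties keep data after the user deletes it")
    return reasons


# Constructed labels for two hypothetical apps.
HOMEWORK_APP = json.dumps({
    "collection": ["name", "email"],
    "protection": {"storage": "single_server", "encrypted_at_rest": True,
                   "encrypted_in_transit": True, "retention_days": 90},
    "spread": {"shared_for": "none"},
})
PHOTO_APP = json.dumps({
    "collection": ["name", "biometrics", "shoe size"],
    "protection": {"storage": "multi_server", "encrypted_at_rest": False,
                   "encrypted_in_transit": True, "retention_days": None},
    "spread": {"shared_for": "commercial", "deidentified": False,
               "deletion_propagates": False},
})

if __name__ == "__main__":
    for name, label in (("homework app", HOMEWORK_APP), ("photo app", PHOTO_APP)):
        print(name, evaluate(label, CHILD_DEVICE_POLICY) or "installable")
```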

Of course, Privacy Commons will not solve everything.

For example, it will still be a challenge to address concerns about third party personal data brokers like Acxiom or Oracle collecting, linking and selling our data without most of us even knowing.

But at least it will be a step in the right direction.

Alexander Krumpholz, Senior Experimental Scientist, CSIRO and Raj Gaire, Senior Experimental Scientist, CSIRO

This article was originally published on The Conversation. Read the original article.

Trolls, fanboys and lurkers: understanding online commenting culture shows us how to improve it



The way user interfaces are designed can impact the kind of community that gathers.
Shutterstock

Renee Barnes, University of the Sunshine Coast

Do you call that a haircut? I hope you didn’t pay for it.

Oh please this is rubbish, you’re a disgrace to yourself and your profession.

These are just two examples of comments that have followed articles I have written in my career. While they may seem benign compared with the sort of violent and vulgar comments that are synonymous with cyberbullying, they are examples of the uncivil and antisocial behaviour that plagues the internet.

If these comments were directed at me in any of my interactions in everyday life – when buying a coffee or at my monthly book club – they would be incredibly hurtful and certainly not inconsequential.

Drawing on my own research, as well as that of researchers in other fields, my new book “Uncovering Online Commenting Culture: Trolls, Fanboys and Lurkers” attempts to help us understand online behaviours, and outlines productive steps we can all take towards creating safer and kinder online interactions.






Steps we all can take

Online abuse is a social problem that just happens to be powered by technology. Solutions are needed that not only defuse the internet’s power to amplify abuse, but also encourage crucial shifts in social norms and values within online communities.

Recognise that it’s a community

The first step is to ensure we view our online interactions as an act of participation in a community. What takes place online will then begin to line up with our offline interactions.

If any of the cruel comments that often form part of online discussion were said to you in a restaurant, you would expect witnesses around you to support you. We must have the same expectations online.

Know our audience

We learn to socialise offline based on visual and verbal cues given by the people with whom we interact. When we move social interactions to an online space where those cues are removed or obscured, a fundamental component of how we moderate our own behaviour is also eliminated. Without these social cues, it’s difficult to determine whether content is appropriate.

Research has shown that most social media users imagine a very different audience to the actual audience reading their updates. We often imagine our audience as people we associate with regularly offline; however, a political statement that may be supported by close family and friends could be offensive to former colleagues in our broader online network.

Understand our own behaviour

Emotion plays a role in fuelling online behaviour – emotive comments can inspire further emotive comments in an ongoing feedback loop. Aggression can thus incite aggression in others, but it can also establish a behavioural norm within the community that aggression is acceptable.






Understanding our online behaviour can help us take an active role in shaping the norms and values of our online communities by demonstrating appropriate behaviour.

It can also inform education initiatives for our youngest online users. We must teach them to remain conscious of the disjuncture between our imagined audience and the actual audience, thereby ingraining productive social norms for generations to come. Disturbingly, almost 70% of those aged between 18 and 29 have experienced some form of online harassment, compared with one-third of those aged 30 and older.

What organisations and institutions can do

That is not to say that we should absolve the institutions that profit from our online interactions. Social networks such as Facebook and Twitter also have a role to play.

User interface design

Design of user interfaces impacts on the ease with which we interact, the types of individuals who comment, and how we will behave.

Drawing on psychological research, we can link particular personality traits with antisocial behaviour online. This is significant because simple changes to the interfaces we use to communicate can influence which personality types will be inclined to comment.

Using interface design to encourage participation from those who will leave positive comments, and creating barriers for those inclined to leave abusive ones, is one step that online platforms can take to minimise harmful behaviours.

For example, those who are highly agreeable prefer anonymity when communicating online. Therefore, eliminating anonymity on websites (an often touted response to hostile behaviour) could discourage those agreeable individuals who would leave more positive comments.

Moderation policies

Conscientious individuals are linked to more pro-social comments. They prefer high levels of moderation, and systems where quality comments are highlighted or ranked by other users.

Riot Games, publisher of the notorious multiplayer game League of Legends, has had great success in mitigating offensive behaviour by putting measures in place to promote the gaming community’s shared values. This included a tribunal of players who could determine punishment for people involved in uncivilised behaviour.

Analytics and reporting

Analytical tools, visible data on who visits a site, and a real-time guide to who is reading comments can help us configure a more accurate imagining of our audience. This could help eliminate the risk of unintentional offence.

Providing clear processes for reporting inappropriate behaviour, and acting quickly to punish it, will also encourage us to take an active role in cleaning up our online communities.






We can and must expect more of our online interactions. Our behaviour and how we respond to the behaviour of others within these communities will contribute to the shared norms and values of an online community.

However, there are institutional factors that can affect the behaviours displayed. It is only through a combination of both personal and institutional responses to antisocial behaviour that we will create more inclusive and harmonious online communities.

Renee Barnes, Senior Lecturer, Journalism, University of the Sunshine Coast

This article was originally published on The Conversation. Read the original article.

94% of Australians do not read all privacy policies that apply to them – and that’s rational behaviour



It would take the average person 244 hours per year (6 working weeks) to read all privacy policies that apply to them.
Shutterstock

Katharine Kemp, UNSW

Australians are agreeing to privacy policies they are not comfortable with and would like companies only to collect data that is essential for the delivery of their service. That’s according to new, nation-wide research on consumer attitudes to privacy policies released by the Consumer Policy Research Centre (CPRC) today.

These findings are particularly important since the government’s announcement last week that it plans to implement “open banking” (which gives consumers better access to and control over their banking data) as the first stage of the proposed “consumer data right” from July 2019.






Consumer advocates argue that existing privacy regulation in Australia needs to be strengthened before this new regime is implemented. In many cases, they say, consumers are not truly providing their “informed consent” to current uses of their personal information.

While some blame consumers for failing to read privacy policies, I argue that not reading is often rational behaviour under the current consent model. We need improved standards for consent under our Privacy Act as a first step in improving data protection.

Australians are not reading privacy policies

Under the Privacy Act, in many cases, the collection, use or disclosure of personal information is justified by the individual’s consent. This is consistent with the “notice and choice” model for privacy regulation: we receive notice of the proposed treatment of our information and we have a choice about whether to accept.

But according to the CPRC Report, most Australians (94%) do not read all privacy policies that apply to them. While some suggest this is because we don’t care about our privacy, there are four good reasons why people who do care about their privacy don’t read all privacy policies.

https://datawrapper.dwcdn.net/hJXfh/1/

We don’t have enough time

There are many privacy policies that apply to each of us and most are lengthy. But could we read them all if we cared enough?

According to international research, it would take the average person 244 hours per year (six working weeks) to read all privacy policies that apply to them, not including the time it would take to check websites for changes to these policies. This would be an impossible task for most working adults.

Under our current law, if you don’t have time to read the thousands of words in the policy, your consent can be implied by your continued use of the website which provides a link to that policy.

We can’t understand them

According to the CPRC, one of the reasons users typically do not read policies is that they are difficult to comprehend.

Very often these policies lead with feel-good assurances “We care about your privacy”, and leave more concerning matters to be discovered later in vague, open-ended terms, such as:

…we may collect your personal information for research, marketing, for efficiency purposes…

In fact, the CPRC Report states around one in five Australians:

…wrongly believed that if a company had a Privacy Policy, it meant they would not share information with other websites or companies.






We can’t negotiate for better terms

We generally have no ability to negotiate about how much of our data the company will collect, and how it will use and disclose it.

According to the CPRC Report, most Australians want companies only to collect data that is essential for the delivery of their service (91%) and want options to opt out of data collection (95%).

However, our law allows companies to group into one consent various types and uses of our data. Some are essential to providing the service, such as your name and address for delivery, and some are not, such as disclosing your details to “business partners” for marketing research.

These terms are often presented in standard form, on a take-it-or-leave-it basis. You either consent to everything or refrain from using the service.

https://datawrapper.dwcdn.net/L7fPF/2/

We can’t avoid the service altogether

According to the CPRC, over two thirds of Australians say they have agreed to privacy terms with which they are not comfortable, most often because it is the only way to access the product or service in question.

In a 2017 report, the Productivity Commission expressed the view that:

… even in sectors where there are dominant firms, such as social media, consumers can choose whether or not to use the class of product or service at all, without adversely affecting their quality of life.

However, in many cases, we cannot simply walk away if we don’t like the privacy terms.

Schools, for example, may decide what apps parents must use to communicate about their children. Many jobs require people to have Facebook or other social media accounts. Lack of transparency and competition in privacy terms also means there is often little to choose between rival providers.

We need higher standards for consent

There is frequently no real notice and no real choice in how our personal data is used by companies.

The EU General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, provides one model for improved consent. Under the GDPR, consent:

… should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement.






The Privacy Act should be amended along these lines to set higher standards for consent, including that consent should be:

  • explicit and require action on the part of the customer – consent should not be implied by the mere use of a website or service and there should be no pre-ticked boxes. Privacy should be the default;

  • unbundled – individuals should be able to choose to consent only to the collection and use of data essential to the delivery of the service, with separate choices of whether to consent to additional collections and uses;

  • revocable – the individual should have the option to withdraw their consent in respect of future uses of their personal data at any time.

While further improvements are needed, upgrading our standards for consent would be an important first step.

Katharine Kemp, Lecturer, Faculty of Law, UNSW, and Co-Leader, ‘Data as a Source of Market Power’ Research Stream of The Allens Hub for Technology, Law and Innovation, UNSW

This article was originally published on The Conversation. Read the original article.

Tough new EU privacy regulations could lead to better protections in Australia



The EU’s General Data Protection Regulation comes into force on May 25.
Shutterstock

Vincent Mitchell, University of Sydney

Major personal data breaches, such as those that occurred recently at the Commonwealth Bank, Cambridge Analytica and Yahoo, have taught us how vulnerable our privacy is.

Like the cigarette and alcohol markets, it took a long time to prove that poorly regulated data collection can do us harm. And as with passive smoking, we now know that data trading can harm those around us as well as ourselves.

Regulators in the European Union are cracking down on the problem with the introduction of the strict new General Data Protection Regulation (GDPR) from May 25. The hope is that the new rules will shift the balance of power in the market for data away from companies and back to the owners of that data.






The GDPR applies to companies who trade in the EU or process the data of people in the EU. This includes some of Australia’s biggest companies, such as the Commonwealth Bank and Bunnings Warehouse. Since companies that don’t operate in the EU or process the data of people in the EU aren’t required to comply, Australian consumers could soon be facing a two-tier system of privacy protections.

That isn’t all bad news. By choosing to deal with companies with better data protection policies, Australian consumers can create pressure for change in how personal data is handled across the board.

How the GDPR empowers consumers

The GDPR makes it clearer what companies should be doing to protect personal data and empowers consumers like never before.

When dealing with companies operating in the EU, you will now have the right to:

  1. access your own data and any derived or inferred data

  2. rectify errors and challenge decisions based on it, including to object to direct marketing

  3. be forgotten and erased in most situations

  4. move your data more easily, such as when changing insurance companies or banks

  5. object to certain types of data processing and challenge significant decisions based purely on profiling, such as for medical insurance or loans

  6. compensation.

This final right will lead to another profound improvement in regulation of the market for personal data.

Consumers as a regulating force

As a result of these new rights and powers, consumers themselves can help regulate company behaviour by monitoring how well they comply with GDPR.

In addition to complaining to authorities, such as the Information Commissioner, when consumers encounter breaches they can complain directly to the company, share stories online and alert fellow users.

This can be powerful – especially when whistleblowers actually work in the industry, as was the case with Cambridge Analytica’s Christopher Wylie.






Companies that don’t protect people’s personal data will face fines from the regulator of up to 4% of global turnover, or €20 million. In addition, they could be required to pay compensation directly to consumers who have asked investigating authorities to claim on their behalf.

This potentially means that all those millions of EU citizens who were caught up in the Facebook Cambridge Analytica scandal could, in the future, be able to sue Facebook.

From the viewpoint of empowering and motivating consumers to monitor what companies do with their data, this is a momentous change.

A shift in our expectations of data privacy

The way things currently stand, there is an imbalance in the personal data market. Companies take all the profit from our personal data, yet we pay the price as individuals, or as a society, for privacy breaches.

But as a result of GDPR, we are likely to see expectations of how companies should act begin to shift. This will create pressure for change.

You’ve probably already been sent notifications from companies asking you to re-consent to their privacy policies. This is because GDPR expects consent to be more explicit and active – default settings and pre-checked boxes are considered inadequate.

Consumers should also expect companies to make it just as easy to withdraw consent as it is to give it.






Unlike New Zealand, which has strong privacy laws, personal data protections in Australia – and the massive data markets of BRIC countries – are not considered “adequate”, and fall below EU standards.

Consumers should be wary of vested interest arguments, such as Facebook’s claim that it just wants to connect people. To use an analogy, that’s comparable to an alcohol manufacturer saying it just wants people to have a good time, without highlighting the potential risks of alcohol use.

If you want these greater rights and protections, now is the perfect time to lobby your Members of Parliament and demand the best available protection from all the companies you deal with.

Vincent Mitchell, Professor of Marketing, University of Sydney

This article was originally published on The Conversation. Read the original article.

The ethics of ‘securitising’ Australian cyberspace


Dr Shannon Brandt Ford, Curtin University

This article is the fifth in a five-part series exploring Australian national security in the digital age. Read parts one, two, three and four here.


As technology evolves and Australia becomes ever-more reliant on cyber systems throughout government and society, the threats that cyber attacks pose to the country’s national security are real – and significant.

Cyber weapons now exist that can be used to attack and exploit vulnerabilities in Australia’s national infrastructure. Many of the cyber threats that exist now, such as defacing a website, are not that serious.

But more nefarious attacks on software systems have the potential to damage critical infrastructure and threaten people’s lives.






The Australian Cyber Security Centre (ACSC) Threat Report addresses these concerns every year, highlighting the ubiquitous nature of cyber-crime in Australia, the potential for cyber-terrorism, and the vulnerability of data stored on government and commercial networks.

Governments now take these types of threats so seriously, they speak of the potential for military responses to cyber-attacks in the future. As one US military official told The Wall Street Journal:

If you shut down our power grid, maybe we will put a missile down one of your smokestacks.

A securitised internet

Such concerns have been a key part of Australia’s ambitions to revamp its national security to respond to future cyber-threats. Australia’s Cyber Security Strategy, for instance, states that:

all of us – governments, businesses and individuals – need to work together to build resilience to cybersecurity threats and to make the most of opportunities online.

An important ethical concern with such a focus, however, is the risk that Australia’s cyberspace becomes “securitised”.

When we securitise an issue, we frame the activity as being conducted in a state of emergency. A state of emergency is when a government temporarily changes the conditions of its political and social institutions in response to a particularly serious emergency. This might be a natural disaster, war or rioting, for example. Importantly, due process constraints on government officials, such as habeas corpus, are suspended.

An ethical problem with a securitised or militarised cyberspace, especially if it becomes a permanent measure, is that it can quickly erode fundamental human rights such as privacy and freedom of speech.

Ethical problems in a brave new world

For instance, what are the ethical implications of conducting military activities against terrorist propaganda online, by conducting psychological operations on social media platforms, say, or simply shutting them down?

Using social media in this way would be counter to the social and civil function of these channels of communication. Trying to deny audiences the ability to speak freely on social media could also undermine the internet’s effectiveness as a tool for social and economic good. This is especially problematic in Australia, where fundamental human rights such as privacy and freedom of speech are taken for granted as fundamental civic values.

There is also potential for a militarised cyberspace to increase the likelihood of conflict between states. As cyber-attacks are a relatively new threat, it’s unclear what actions might lead to escalation and constitute an act of war.

The perception that cyber-attacks are not as harmful as, say, a missile attack could lead to their increased use. This opens the door to potentially more serious forms of conflict.






Another important ethical consideration is the enhanced government surveillance of a securitised internet. The fall-out from the Edward Snowden disclosures, for instance, revealed the intrusiveness of US security agencies’ activities online. This in turn had the effect of undermining the public’s trust in the government.

Such a loss of trust in one segment of the government can have potentially dire impacts on other areas. For example, in response to public suspicions of the actions of security agencies, governments might overreact and cut worthwhile surveillance programmes. Or disgruntled government employees (like Snowden) might leak other types of confidential or sensitive information to the detriment of the public good.

A recent example of this occurred when highly sensitive correspondences between Home Affairs Secretary Mike Pezzullo and Defence Secretary Greg Moriarty were leaked to the media. The communications detailed plans to give the Australian Signals Directorate new domestic surveillance powers. Mark Dreyfus, the national security shadow minister, labelled the leak, “a deeply worrying signal of internal struggles.”

So it is important that Australian government agencies tasked with managing national security in cyberspace consistently act in a trustworthy manner. As such, there should be guarantees that decisions related to cyber-security oversight and governance are not driven by short-term political gains.

In particular, government decision-makers should seek to promote an informed and public debate about the standards required for “minimum transparency, accountability and oversight of government surveillance practices.”

Anything short of that could make the country’s cyber-infrastructure less secure – a frightening prospect in an increasingly hostile and volatile digital world.

Dr Shannon Brandt Ford, Lecturer, Curtin University

This article was originally published on The Conversation. Read the original article.

How information warfare in cyberspace threatens our freedom



Information warfare in cyberspace could replace reason and reality with rage and fantasy.
Shutterstock

Roger Bradbury, Australian National University; Anne-Marie Grisogono, Crawford School of Public Policy, Australian National University; Dmitry Brizhinev, Australian National University; John Finnigan, CSIRO, and Nicholas Lyall, Australian National University

This article is the fourth in a five-part series exploring Australian national security in the digital age. Read parts one, two and three here.


Just as we’ve become used to the idea of cyber warfare, along come the attacks, via social media, on our polity.

We’ve watched in growing amazement at the brazen efforts by the Russian state to influence the US elections, the UK’s Brexit referendum and other democratic targets. And we’ve tended to conflate them with the seemingly-endless cyber hacks and attacks on our businesses, governments, infrastructure, and a long-suffering citizenry.

But these social media attacks are a different beast altogether – more sinister, more consequential and far more difficult to counter. They are the modern realisation of the Marxist-Leninist idea that information is a weapon in the struggle against Western democracies, and that the war is ongoing. There is no peacetime or wartime, there are no non-combatants. Indeed, the citizenry are the main targets.

A new battlespace for an old war

These subversive attacks on us are not a prelude to war, they are the war itself; what Cold War strategist George Kennan called “political warfare”.

Perversely, as US cyber experts Herb Lin and Jaclyn Kerr note, modern communication attacks exploit the technical virtues of the internet such as “high connectivity” and “democratised access to publishing capabilities”. What the attackers do is, broadly speaking, not illegal.

The battlespace for this warfare is not the physical, but the cognitive environment – within our brains. It seeks to sow confusion and discord, to reduce our abilities to think and reason rationally.

Social media platforms are the perfect theatres in which to wage political warfare. Their vast reach, high tempo, anonymity, directness and cheap production costs mean that political messages can be distributed quickly, cheaply and anonymously. They can also be tailored to target audiences and amplified quickly to drown out adversary messages.

Simulating dissimulation

We built simulation models (for a forthcoming publication) to test these ideas. We were astonished at how effectively this new cyber warfare can wreak havoc in the models, co-opting filter bubbles and preventing the emergence of democratic discourse.

We used agent-based models to examine how opinions shift in response to the insertion of strong opinions (fake news or propaganda) into the discourse.

Our agents in these simple models were individuals who each had a set of opinions. We represented different opinions as axes in an opinion space. Individuals are located in the space by the values of their opinions. Individuals close to each other in the opinion space are close to each other in their opinions. Their differences in opinion are simply the distance between them.

When an individual links to a neighbour, they experience a degree of convergence – their opinions are drawn towards each other. An individual’s position is not fixed, but may shift under the influence of the opinions of others.

The dynamics in these models were driven by two conflicting processes:

  • Individuals are social – they have a need to communicate – and they will seek to communicate with others with whom they agree. That is, other individuals nearby in their opinion space.

  • Individuals have a limited number of communication links they can manage at any time (also known as their Dunbar number), and they continue to find links until they satisfy this number. Individuals, therefore, are sometimes forced to communicate with individuals with whom they disagree in order to satisfy their Dunbar number. But if they wish to create a new link and have already reached their Dunbar number, they will prune another link.

Figure 1: The emergence of filter bubbles

Figure 1: Filter bubbles emerging with two dimensions, opinions of issue X and opinions of issue Y.
roger.bradbury@anu.edu.au

To begin, 100 individuals, represented as dots, were randomly distributed across the space with no links. At each step, every individual attempts to link with a near neighbour up to its Dunbar number, perhaps breaking earlier links to do so. In doing so, it may change its position in opinion space.

Over time, individuals draw together into like-minded groups (filter bubbles). But the bubbles are dynamic. They form and dissolve as individuals continue to prune old links and seek newer, closer ones as a result of their shifting positions in the opinion space. Figure 1, above, shows the state of the bubbles in one experiment after 25 steps.

Figure 2: Capturing filter bubbles with fake news

roger.bradbury@anu.edu.au

At time step 26, we introduced two pieces of fake news into the model. These were represented as special sorts of individuals that had an opinion in only one dimension of the opinion space and no opinion at all in the other. Further, these “individuals” didn’t seek to connect to other individuals and they never shifted their opinion as a result of ordinary individuals linking to them. They are represented by the two green lines in Figure 2.

Over time (the figure shows time step 100), each piece of fake news breaks down the old filter bubbles and reels individuals towards their green line. They create new tighter filter bubbles that are very stable over time.
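The model described above can be sketched in a few dozen lines; this is an added example, not the authors' simulation code. The population of 100, the insertion at step 26 and the 100 steps follow the text, while the Dunbar number of 5, the convergence rate, the nearest-unlinked-neighbour rule, the positions of the two fake-news items and all function names are assumptions.

```python
import math
import random

N, STEPS, FAKE_AT = 100, 100, 26           # population and timings from the article
DUNBAR, MU = 5, 0.03                       # assumed link budget and convergence rate
FAKE_NEWS = [[0.25, None], [None, 0.75]]   # assumed positions; None = no opinion on that axis


def distance(a, b):
    """Difference of opinion, measured only on the axes where b holds an opinion."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b) if y is not None))


def step(pos, links, rng):
    """One time step: every individual tries to link to a near neighbour, then converges."""
    order = list(range(N))                 # fake news (index >= N) never takes a turn
    rng.shuffle(order)
    for i in order:
        mine = links[i]
        nearest = min((j for j in range(len(pos)) if j != i and j not in mine),
                      key=lambda j: distance(pos[i], pos[j]))
        if len(mine) < DUNBAR:
            mine.append(nearest)
        else:
            farthest = max(mine, key=lambda j: distance(pos[i], pos[j]))
            if distance(pos[i], pos[nearest]) < distance(pos[i], pos[farthest]):
                mine.remove(farthest)      # prune a link to stay within the Dunbar number
                mine.append(nearest)
        for axis in (0, 1):                # drift towards the mean opinion of current links
            heard = [pos[j][axis] for j in mine if pos[j][axis] is not None]
            if heard:
                pos[i][axis] += MU * (sum(heard) / len(heard) - pos[i][axis])


def mean_link_length(pos, links):
    """Average difference of opinion across all links; it falls as bubbles tighten."""
    lengths = [distance(pos[i], pos[j]) for i in range(N) for j in links[i]]
    return sum(lengths) / len(lengths)


def run(seed, with_fake_news=True):
    """Simulate STEPS steps; return final positions, links and per-step link length."""
    rng = random.Random(seed)
    pos = [[rng.random(), rng.random()] for _ in range(N)]
    links = [[] for _ in range(N)]
    history = []
    for t in range(1, STEPS + 1):
        if t == FAKE_AT and with_fake_news:
            pos.extend([list(p) for p in FAKE_NEWS])   # fixed agents, appended after people
        step(pos, links, rng)
        history.append(mean_link_length(pos, links))
    return pos, links, history


def mean_offset(pos):
    """Mean distance of the individuals from the nearer of the two fake-news lines."""
    x_line, y_line = FAKE_NEWS[0][0], FAKE_NEWS[1][1]
    return sum(min(abs(p[0] - x_line), abs(p[1] - y_line)) for p in pos[:N]) / N


def captured(links):
    """Number of individuals holding a link to a fake-news item."""
    return sum(any(j >= N for j in mine) for mine in links)


if __name__ == "__main__":
    for label, flag in (("with fake news", True), ("control", False)):
        pos, links, history = run(seed=1, with_fake_news=flag)
        print(f"{label}: link length at step 5 {history[4]:.3f}, at step 25 "
              f"{history[24]:.3f}; captured {captured(links)}; "
              f"mean offset from lines {mean_offset(pos):.3f}")
```

Running the same seed with `with_fake_news=False` gives a control in which every individual's history up to step 25 is identical, so any difference at step 100 is attributable to the two fixed items.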

Information warfare is a threat to our Enlightenment foundations

These are the conventional tools of demagogues throughout history, but this agitprop is now packaged in ways perfectly suited to the new environment. Projected against the West, this material seeks to increase political polarisation in our public sphere.

Rather than actually change an election outcome, it seeks to prevent the creation of any coherent worldview. It encourages the creation of filter bubbles in society where emotion is privileged over reason and targets are immunised against real information and rational consideration.

These models confirm Lin and Kerr’s hypothesis. “Traditional” cyber warfare is not an existential threat to Western civilisation. We can and have rebuilt our societies after kinetic attacks. But information warfare in cyberspace is such a threat.

The Enlightenment gave us reason and reality as the foundations of political discourse, but information warfare in cyberspace could replace reason and reality with rage and fantasy. We don’t know how to deal with this yet.

Roger Bradbury, Professor, National Security College, Australian National University; Anne-Marie Grisogono, Visiting fellow, Crawford School of Public Policy, Australian National University; Dmitry Brizhinev, Research Assistant, National Security College, Australian National University; John Finnigan, Leader, Complex Systems Science, CSIRO, and Nicholas Lyall, Research Assistant (National Security College), Australian National University

This article was originally published on The Conversation. Read the original article.