What should Australian companies be doing right now to protect our privacy


David Glance, University of Western Australia

Australians are increasingly concerned about how companies handle their personal data, especially online.

Faced with the increasing likelihood that this data will be compromised, either through cyber attacks or mishandling, companies are now being forced into a more comprehensive approach to collecting and protecting customers’ personal data. The question remains – what is the best approach to achieving this goal?

The Organisation for Economic Co-operation and Development (OECD) has proposed that, instead of talking about cybersecurity, companies, organisations and nations should be viewing the problem from a digital security risk management perspective.

Cybersecurity often overlooks risks to data that have nothing to do with a “cyber” element, even if people could agree on a definition of that term. Edward Snowden, for example, used a colleague’s credentials to access the system and copied files to a USB drive.

Digital security risk management involves getting everyone in an organisation to see digital risk as part of the overall risks that the organisation faces. The extent of risk any organisation is willing to take in any particular activity depends on the activity’s value. The aim is to manage the risk to a level that is acceptable to all parties.

What do you do about the weak link: humans?

It is worth remembering that in the case of the Equifax breach in which the personal details of up to 143 million customers in the US were leaked, it was largely human errors that were to blame.

Put simply, the person who was responsible for applying the patch (a piece of software designed to update a computer program or its supporting data, to fix or improve it) simply didn’t do their job. The software that was supposed to check whether the patch had been applied also failed to pick this up.

Until humans can be taken out of the equation entirely, it is almost impossible to remain entirely secure, or to avoid the inadvertent disclosure of personal and private information. Insider threat (as this type of risk is known) is difficult to combat and companies have tried various approaches to managing this risk including predictions based on psychological profiling of staff.

Automation and artificial intelligence may be a way of achieving this in the future. This works by minimising the amount of sensitive information staff have direct access to and surfacing only the analysis or interpretation of that data.

A litany of recent breaches

If you needed convincing about the vulnerability of personal data on the Internet, you only need look at Gemalto’s data breach website or DataBreaches.net.

The breaches of private and personal information don’t recognise national boundaries with hacks of companies like Yahoo having affected 3 billion users, including millions of Australians.

Of course, Australian companies and organisations have also been involved with spectacular data breaches. Last year saw the Australian Red Cross expose 555,000 customer records online.

Of more concern was that the Australian Department of Health had published online what they believed were de-identified records of Medicare and pharmaceutical claims of more than 3 million patients. Researchers at the University of Melbourne discovered that the “encrypted” doctor provider numbers could be decrypted.

Are we looking at it in the wrong way?

Whilst there are practical steps companies can take to protect digital systems and data, there are more fundamental questions companies should be asking from a risk perspective. In order to navigate these questions, companies need to understand the data they collect and perhaps surprisingly, this is something most companies struggle to do.

The 13 Australian Privacy Principles from the Office of the Australian Information Commissioner outline the basics of how organisations and agencies should handle personal information. The practical application of these principles involves an approach called Privacy By Design for all applications and services companies offer.

Enter confidential computing

For CSIRO’s Data61, the answer to breaches of this sort is “confidential computing”. Data61 is tasked with data innovation and commercialisation of its research ideas. Confidential computing is the remit of Data61’s latest spin-off, N1 Analytics.

The main aspect of confidential computing involves keeping data encrypted at all times and using special techniques to be able to query data that is still encrypted and only decrypting the answer.

This can even allow others outside an organisation to query internal data directly or link to it with their own data without revealing the actual underlying data to either party.

Aside from the case of allowing the use of sensitive data in research, this approach would allow a company with financial information, say, to share this data with an insurance company without handing over sensitive information but theoretically letting the insurance company carry out extensive data analytics.

What companies should do now to protect your data

As a starting point, Australian companies should only collect the minimum of personal information that the business actually needs. This means, for example, not collecting extra information simply for marketing purposes at some later date.

Companies then need to explain in simple, clear terms why information is being collected and what it is being used for, and get users to consent to giving that information.

Companies then need to secure the data that is collected. Security involves dedicated staff understanding the data that is kept by a company and taking responsibility for its physical security and for controlling who has access, when they have access and in what form they can access the data.

Lastly, they need to understand and enact a risk management approach to all digital data. This means that this is part of the overall culture of the company for every employee.

David Glance, Director of UWA Centre for Software Practice, University of Western Australia

This article was originally published on The Conversation. Read the original article.


The new data retention law seriously invades our privacy – and it’s time we took action



The government’s new law enabling the collection of metadata raises serious privacy concerns.
shutterstock

Uri Gal, University of Sydney

Over the past few months, Australians’ civil rights have come under attack.

In April, the government’s data retention law came into effect. The law requires telecommunications companies to store customer metadata for at least two years. Metadata from our phone calls, text messages, emails, and internet activity is now tracked by the government and accessible by intelligence and law enforcement agencies.

Ironically, the law came into effect only a few weeks before Australia marked Privacy Awareness Week. Alarmingly, it is part of a broad trend of eroding civil rights in Western democracies, most noticeably evident in the passage of the Investigatory Powers Act in the UK, and the decision to repeal the Internet Privacy Law in the US.

Why does it matter?

Australia’s data retention law is one of the most comprehensive and intrusive data collection schemes in the western world. There are several reasons why Australians should challenge this law.

First, it undermines the democratic principles on which Australia was founded. It gravely harms individuals’ right to privacy, anonymity, and protection from having their personal information collected.

The Australian Privacy Principles define limited conditions under which the collection of personal information is permissible. It says personal information must be collected by “fair” means.

Despite a recent ruling by the Federal Court, which determined that our metadata does not constitute “personal information”, we should consider whether sweeping collection of all of Australian citizenry’s metadata is consistent with our right to privacy.

Second, metadata – data about data – can be highly revealing and provide a comprehensive depiction of our daily activities, communications and movements.

As detailed here, metadata is broad in scope and can tell more about us than the actual content of our communications. Therefore, claims that the data retention law does not seriously compromise our privacy should be considered as naïve, ill-informed, or dishonest.

Third, the law is justified by the need to protect Australians from terrorist acts. However, despite the government’s warnings, the risk of getting hurt in a terrorist attack in Australia has been historically, and is today, extremely low.

To date, the government has not presented any concrete empirical evidence to indicate that this risk has substantially changed. Democracies such as France, Germany and Israel – which face more severe terrorist threats than Australia – have not legalised mass data collection and instead rely on more targeted means to combat terrorism that do not jeopardise their democratic foundations.

Fourth, the data retention law is unlikely to achieve its stated objective and thwart serious terrorist activities. There are a range of widely-accessible technologies that can be used to circumvent the government’s surveillance regime. Some of them have previously been outlined by the now-prime minister, Malcolm Turnbull.

Therefore, in addition to damaging our civil rights, the law’s second lasting legacy is likely to be its contribution to increasing the budgetary debt by approximately A$740 million over the next ten years.

How can the law be challenged?

There are several things we can do to challenge the law. For example, there are technologies that we can start using today to increase our online privacy.

A full review of all available options is beyond the scope of this article, but here are three effective ones.

  1. Virtual private networks (VPNs) can hide browsing information from internet service providers. Aptly, April 13, the day the data retention law came into effect, has been declared the Australian “get a VPN day”.

  2. Tor – The Onion Router is free software that can help protect the anonymity of its users and conceal their internet activity from surveillance and analysis.

  3. Encrypted messaging applications – unprotected applications can be easily tracked. Consequently, applications such as Signal and Telegram that offer data encryption solutions have been growing in popularity.

Australian citizens have the privilege of electing their representatives. An effective way to oppose continuing state surveillance is to vote for candidates whose views truly reflect the democratic principles that underpin modern Australian society.

The Australian public needs to have an honest, critical and open debate about the law and its social and ethical ramifications. The absence of such a debate is dangerous. The institutional accumulation of power is a slippery slope – once gained, power is not easily given up by institutions.

And the political climate in Australia is ripe for further deterioration of civil rights, as evident in the government’s continued efforts to increase its regulation of the internet. Therefore, it is important to sound a clear and public voice that opposes such steps.

Finally, we need to call out our elected representatives when they make logically muddled claims. In a speech to parliament on Tuesday this week, Turnbull said:

The rights and protections of the vast overwhelming majority of Australians must outweigh the rights of those who will do them harm.

The data retention law is a distortion of the logic embedded in this statement because it indiscriminately targets all Australians. We must not allow the pernicious intent of a handful of terrorists to be used as an excuse to harm the rights of all Australians and change the fabric of our society.

Uri Gal, Associate Professor in Business Information Systems, University of Sydney

This article was originally published on The Conversation. Read the original article.

How the law allows governments to publish your private information



Controversy has recently surrounded Centrelink and its handling of ‘overpayments’ and personal information.
AAP/Dave Hunt

Bruce Baer Arnold, University of Canberra

Recent controversy over the government’s use of information provided to Human Services and Veterans’ Affairs demonstrates there are major holes in Australia’s privacy regime that we need to fix.

Australians are accustomed to providing personal information to federal and state governments. We do it repeatedly throughout our lives. We do so to claim entitlements. We also do so as the basis of public administration – the contemporary “information state”.

In making that state possible we trust we will not be treated as a file number or an incident. We will not be doxed.

A key aspect of that trust, consistent with international rights law since the 1940s, is that our privacy will be protected. We assume officials – and private sector entities they use as their agents – will not be negligent in safeguarding personal information.

We also assume they will not share personal information with other agencies unless there is a substantive need for that sharing – for example, for national security or to prevent harm to an individual. And we expect they will not disclose personal information to the media or directly to the community at large as a way of silencing criticism or resolving disputes.

Australia has a sophisticated body of administrative law and ombudsmen. So, there is no need for public shaming of people who disagree with ministers, officials or databases.

The complicated and inconsistent body of privacy law highlighted by law reform commissions over the past two decades attempts to provide legal protection for personal information. It is overseen by under-resourced watchdogs that – amid threats of termination – are inclined to lick the ministerial hand that feeds them.

That law has major weaknesses, illustrated by the Centrelink controversy and the furore over the Veterans’ Affairs Legislation Amendment (Digital Readiness and Other Measures) Bill. The Commonwealth is able to ignore ostensible protections under the Privacy Act and other statutes. That is quite lawful. It has been so for many years, evident in the watchdog’s finding in L v Commonwealth Agency.

The watchdog’s guidelines state that where someone:

… makes adverse comments in the media about the way [a body] has treated them … it may be reasonable to expect that the entity may respond publicly to these comments in a way that reveals personal information specifically relevant to the issues that the individual has raised.

Put simply, if you complain publicly about a Commonwealth agency that holds personal information relating to you, that agency can lawfully give the information to the media or publish it directly. It can do so to correct what the minister deems to be “misinformation”.

There is no requirement that your complaint be malicious, fraudulent, vexatious or otherwise wrong. Disclosure is at the minister’s discretion, not subject to independent review. You have no legal remedies unless it could be proved that the official was malicious or corrupt.

We have seen such a disclosure. The Department of Human Services gave personal information to a journalist for publication about a person who disagreed with action by Centrelink to recover an alleged overpayment of an entitlement.

There has been much discussion in the media and the national parliament about the vigour with which the government is seeking to recover overpayments. Worryingly, it remains uncertain whether many of the alleged overpayments actually exist.

Ongoing changes to entitlements policy, the hollowing out of key agencies by the annual “efficiency dividend” (that is, ongoing cuts to budgets) and problematical design and management of very large information technology projects mean overpayments might not have occurred.

Public disclosure of someone’s personal information thus looks very much like bullying, if not a deliberate effort to chill legitimate criticism and discussion of publicly funded programs.

The veterans’ affairs minister and the shadow minister have apparently not done their homework. The new Digital Readiness Bill – passed in the House of Representatives but not in the Senate – allows the minister to publicly disclose medical and other personal information about veterans. The rationale for that disclosure is to correct misinformation.

Understandably, veterans are unhappy. Legal practitioners and academics wonder about the scope for public shaming through release of department information that might not be correct.

The national Privacy Commissioner has been complacent. Labor’s veterans’ affairs spokeswoman, Amanda Rishworth, has belatedly expressed concern. The minister has simply referred to the establishment of an independent review by the Australian Government Solicitor and his department. It is difficult to understand why privacy wasn’t properly considered before the bill went into parliament.

There are too many loopholes in Australia’s privacy regime. Government agencies also need to toughen up in the face of criticism – legitimate or otherwise – and not respond by bullying people through publication of personal information.

Bruce Baer Arnold, Assistant Professor, School of Law, University of Canberra

This article was originally published on The Conversation. Read the original article.

Through a PRISM darkly: Tracking the ongoing NSA surveillance story


Gigaom

It was a relatively quiet week for internet news until Guardian blogger Glenn Greenwald dropped a bombshell on Thursday, with a story that showed the National Security Agency was collecting data from Verizon thanks to a secret court order. But that was just the beginning: the Washington Post later revealed an even broader program of surveillance code-named PRISM, which involved data collection from the web’s largest players — including Google, Facebook and Apple — and then the Wall Street Journal said data is also being gathered from ISPs and credit-card companies.

This story is moving so quickly that it is hard to keep a handle on all of the developments, not to mention trying to follow the denials and non-denials from those who are allegedly involved, and the threads that tie this particular story to the long and sordid history of the U.S. government’s…
