The Security Legislation Amendment (Critical Infrastructure) Bill passed both houses of the Commonwealth Parliament on Monday 22 November 2021. 

Key elements of the legislation are:

• Section 8D defines the critical infrastructure sector as being:

Each of the following sectors of the Australian economy is a critical infrastructure sector:

                     (a)  the communications sector;

                     (b)  the data storage or processing sector;

                     (c)  the financial services and markets sector;

                     (d)  the water and sewerage sector;

                     (e)  the energy sector;

                      (f)  the health care and medical sector;

                     (g)  the higher education and research sector;

                     (h)  the food and grocery sector;

                      (i)  the transport sector;

                      (j)  the space technology sector;

                     (k)  the defence industry sector.

• section section 8E defines a critical infrastructure asset as being an asset that relates to a critical infrastructure sector. There are definitions of specific types of critical infrastructure assets
• there are very broad definitions of when assets relate to a sector
• the definition of a relevant impact is broad and general
• Part 2B sets out the obligations of mandatory reporting.  Section 30BC, regarding a critical cyber security incident, provides, in part:

Read the rest of this entry »

Another sign, if more more were needed, that data breaches are a chronic and increasingly damaging phenomana when the US Federal Trade Commission (the “FTC”) has issued amendments to the Standards for Safeguarding Customer Information. 

The Final Rule is a very substantial document. It is a useful document for those interested in privacy and cybersecurity generally. Given the dearth of clear and precise definitions, practices and protocols in Australia it is quite useful in Australia.  Like NIST publications it is a much more substantial and useful documents than the vague and opaque guidelines issued by regulators in Australia.

Those who are responsible for maintaining cyber security and establishes procedures and protocols to protect personal information could do worse than read these rules.  It is only a matter of time before the Information Commissioner prepares detailed guidelines which are more consistent with the voluminous GDPR documents or the direct and also comprehensive FTC rules Read the rest of this entry »

On 25 October the Attorney General’s Department released its long awaited Privacy Act Review Discussion paper (the “Paper”).  It is something of a behemoth, being 217 pages long or about half a lever arch folder.  That said, as a veteran of reading many reform papers on privacy over the years it is not the longest or most comprehensive.  That honour falls upon the Australian Law Reform Commissions 2008 Report, For Your Information: Australian Privacy Law and Practice (ALRC Report 108), which filled more than 3 lever arch folders over 3 volumes.  The ALRC’s 2014 Report,Serious Invasions of Privacy in the Digital Era (ALRC Report 123), at 332 pages, was modest by comparison and slightly built on the earlier ALRC report.  The ACCC Digital Platforms Inquiry considered privacy related matters, in particular endorsing and recommending a statutory tort of interference with privacy, coming in at 623 pages.  And there are reports from the Victorian Law Reform Commission and the New South Wales Law Reform Commission on privacy. The point being made is not that I have read a lot of reports. I have.  It is also not that the size of the reports matter.  They don’t.  It is that this Paper is just another in a long line of reports on the need for report of privacy legislation.  And those previous reports were prepared by much more learned authors and were more thorough than this Paper.

The Paper is a constrained work, making many generally uncontroversial recommendations to make interpretation clearer, operation of APPs more relevant and giving some increased powers to the Information Commissioner.  It is far from comprehensive.  It avoids making recommendations about a statutory tort of privacy. Rather it continues the continual policy loop as governments of every persuasion push this issue into further review, then consultation then bury it in a report and then hope it goes away until it is recommended or otherwise finds itself before the Government.  It has been a hugely expensive, time intensive waste of time.  Any body outside of a Government that looks into the issue recognises the need for a statutory tort of privacy.

The Report discusses the small business exception from the operations of the Privacy Act in the broad, on the one hand then on the other way, as well as that of the Employment Records, Political Parties and Journalist carve out but goes no further.  Each exception is anomolous to a greater or lesser degree and the restricted coverage of the Act, covering only 5% of businesses, is a matter that should have been addressed with a firm proposal. Those carve outs make it regulation that is quite limited in scope.

The Paper did not consider the many exceptions to and limitations upon the APPs.  There are too many exceptions which permit agencies especially avoid proper scrutiny.

It is interesting that the Paper quotes the GDPR definitions and practices quite liberally and endorses aspects of the GDPR but refrains from adopting those parts of the regulation, by way of amendment to the Privacy Act 1988, which makes the GDPR a much more effective privacy regulation regime.

The Paper does not consider the role of the Guidelines, which are prepared by the Office of the Australian Information Commissioner’s office, in proceedings.  The Guidelines are important in giving context and detail to the broadly drawn Australian Privacy Principles (APPs).  But they are not regulations.  As such the Administrative Appeals Tribunal and the Federal Court are quite able to have no regard to them, which has happened in cases.  This has made submissions on the interpretation of Principles a fraught affair before the AAT and the Federal Court where applicants have had a poor record of success.  And not because they had weak cases.

Where major revision was warranted the Paper recommends modest improvements.  An improvement is just that, so that is to be welcomed.  But only to that degree. What the Paper does not Read the rest of this entry »

As with the Federal Trade Commission, the US Consumer Financial Protection Bureau (CFPB) is concerned about tech giants untrammelled use of vast amounts of consumers’ personal information.  To that end the CFPB issued orders on Tech Giants to require each to provide information about data harvesting and monetization and access restriction.  

The Director of the CFPB set out the rationale for this significant fact finding exercise in a formal statement.  It provides Read the rest of this entry »

The Federal Trade Commission (the “FTC”) released a report titled A Look At What ISPs  Know About You: Examining the Privacy  Practices of Six Major Internet Service Providers on 21 October 2021.   It is a very significant report as it lays out in detail the poor privacy practices of ISPs in the United States of America. Thsi follows on from FTC previously signalling interest in formulating new online privacy rules. 

The report makes for grim reading in terms of privacy invasive conduct by ISPs in the USA including Read the rest of this entry »

The Attorney General for the District of Columbia is planning to join Mark Zuckerberg, CEO of Facebook, to its consumers protection lawsuit according to the New York Times in Zuckerberg to Be Added to Facebook Privacy Suit.

Claims of this nature which are brought by bodies politic are not unusual in the United States.  They are far less common in Australia where Read the rest of this entry »

Last week the County Court, at Oxford in the United Kingdom, found for the claimant in a claim for harassment, nuisance and breach of the UK Data Protection Act 2018 in Fairhurst v Woodard.

FACTS

The Claimant (“Fairhurst”) and the Defendant (“Woodard”) are neighbours in Cromwell Avenue, Thame, Oxfordshire [2].  They each occupied terrace houses [3].

The cause of the complaint was the deployment of:

• a floodlight and sensor (“the Floodlight”) and   a video and audio surveillance camera with an integrated motion sensitive spotlight known as a ‘Ring’ Spotlight Camera (Battery) (the “Shed Camera”) pointing in the direction of a car park [5]
  
• a combined doorbell and video and audio surveillance system known as a ‘Ring’ Video Doorbell 2 (the “Ring Doorbell”) at his front door pointing in the direction of Cromwell Avenue [6];
• a second ‘Ring’ Spotlight Camera (Battery) (the “Driveway Camera”) on the gable end wall of another property pointing down a driveway towards a car park [7]
  
• a ‘Nest’ camera inside the front windowsill of No 87 (“Windowsill Camera”), pointing out of the window towards Cromwell Avenue [8]
  

The Driveway Camera and the Windowsill Camera were removed before proceedings were commenced.

There were issues between the parties about, [11]:

i) its field and depth of view, i.e. the extent it can ‘see’ beyond the boundaries of the Defendant’s property, in particular whether it can ‘see’ the Claimant or her visitors entering and leaving her property, her car, or the car park;
ii) the sensitivity of its microphone;

iii) the extent to which it activates itself automatically, or is triggered, to capture, transmit or record video images and/or associated audio from the field of view (it being accepted that once the camera is set up, the user can do so at any time);
iv) whether the Defendant undertook adequate consultation of neighbours before installation or provided adequate notices or warnings after installation;
v) how and for what purpose the Defendant stores and processes the video or audio files produced by it.

Fairhurst alleged that the placement of the Cameras unnecessarily and unjustifiably invaded her privacy and this amounted to

• nuisance
• breach of the Data Protection Act 2018; and
• harassment under the Protection from Harassment Act 1997.

Woodward claimed the cameras, lights and audio devices were installed for Read the rest of this entry »

These days the number of files stolen or compromised by hackers have been increasingly exponentially. The theft of hundreds of twenty years ago have morphed into the loss of thousands and then hundreds of thousands of documents. These days the theft and loss of millions of records are not uncommon. What is less common, as in extraordinary is where the personal information of an entire country’s population is stolen. That is what happened to Argentina earlier in October as reported by the Record in Hacker steals government ID database for Argentina’s entire population.

The article provides:

A hacker has breached the Argentinian government’s IT network and stolen ID card details for the country’s entire population, data that is now being sold in private circles.

The hack, which took place last month, targeted RENAPER, which stands for Registro Nacional de las Personas, translated as National Registry of Persons.

The agency is a crucial cog inside the Argentinian Interior Ministry, where it is tasked with issuing national ID cards to all citizens, data that it also stores in digital format as a database accessible to other government agencies, acting as a backbone for most government queries for citizen’s personal information.

The first evidence that someone breached RENAPER surfaced earlier this month on Twitter when a newly registered account named @AnibalLeaks published ID card photos and personal details for 44 Argentinian celebrities.

This included details for the country’s president Alberto Fernández, multiple journalists and political figures, and even data for soccer superstars Lionel Messi and Sergio Aguero.

A day after the images and personal details were published on Twitter, the hacker also posted an ad on a well-known hacking forum, offering to look up the personal details of any Argentinian user.

Faced with a media fallback following the Twitter leaks, the Argentinian government confirmed a security breach three days later.

In an October 13 press release, the Ministry of Interior said its security team discovered that a VPN account assigned to the Ministry of Health was used to query the RENAPER database for 19 photos “in the exact moment in which they were published on the social network Twitter.”

Officials added that “the [RENAPER] database did not suffer any data breach or leak,” and authorities are now currently investigating eight government employees about having a possible role in the leak.

However, The Record contacted the individual who was renting access to the RENAPER database on hacking forums.

In a conversation earlier today, the hacker said they have a copy of the RENAPER data, contradicting the government’s official statement.

The individual proved their statement by providing the personal details, including the highly sensitive Trámite number, of an Argentinian citizen of our choosing.

“Maybe in a few days I’m going to publish [the data of] 1 million or 2 millon people,” the RENAPER hacker told The Record earlier today. They also said they plan to continue selling access to this data to all interested buyers.

When The Record shared a link to the government’s press release in which officials blamed the intrusion on a possibly compromised VPN account, the hacker simply replied “careless employees yes,” indirectly confirming the point of entry.

According to a sample provided by the hacker online, the information they have access to right now includes full names, home addresses, birth dates, gender info, ID card issuance and expiration dates, labor identification codes, Trámite numbers, citizen numbers, and government photo IDs.

Argentina currently has an estimated population of more than 45 million, although it’s unclear how many entries are in the database. The hacker claimed to have it all.

This is the second major security breach in the country’s history after the Gorra Leaks in 2017 and 2019 when hacktivists leaked the personal details of Argentinian politicians and police forces.

The Australian Information Commissioner (the “Commissioner”) has issued a very significant s determination resulting from a Commissioner initiated  investigation into 7-Eleven Stores Pty Ltd (Privacy)  [2021] AICmr 50 where she found that 7 Eleven had breached Australian Privacy Principle (APP) 3 and 5 of the Privacy Act 1988.

FACTS

From 15 June 2020 to 24 August 2021 7-Eleven used facial recognition technology in its stores as part of a customer feedback mechanism (the Facial Recognition Tool) in its 700 stores nationwide [4]. The Facial Recognition Tool was supplied by a third party supplier (the Service Provider). 7-Eleven described its use of the Facial Recognition Tool as:

• a tablet was located inside the 7-Eleven stores enabled a customer to complete a voluntary survey about his or her’s in-store experience.
• each tablet had a built-in camera that took facial images of the customer while that person was  completing the survey.
• the customer’s facial image was captured twice, when the individual  first engaged with the tablet and then after completing the survey.
• the facial images were stored on the tablet for around 20 seconds before being uploaded via a secure connection to a secure server hosted in Australia within the Microsoft Azure infrastructure (the Server). Once the upload occurred, the facial image was deleted from the tablet.
• the Service Provider processed the facial images  (the Detect API) by converting each facial image to an encrypted algorithmic representation of the face (faceprint) and assessed and recorded inferred information about the customer’s approximate age and gender;
• the faceprint was then sent to another API (the Similarity API), along with all other faceprints generated by responses entered on the same tablet for the previous 20 hours;
• these faceprints were compared to other faceprints to identify faceprints that were sufficiently similar.  The Facial Recognition Tool  directly linked individuals’ faceprints with survey responses, by using each faceprint as an ‘identifier’.  These processes enabled an individual depicted in a faceprint to be distinguished from other individuals whose faceprints were held on the Server [38].
• the Similarity API looked for faceprints that were similar. If there was a high probability match, then the corresponding matched survey results were flagged;
• the facial images were retained on the server for 7 days so that  the Service Provider could identify and correct any issues, and reprocess survey responses if necessary;
• while there was no defined retention period for faceprints after 24 hours if there was any attempt to identify a match using the Similarity API that would come up as an error;
• the faceprints and customers’ survey answers were stored in a dedicated encrypted database. All survey responses were timestamped and associated with the relevant store where the relevant tablet was located [6]

As at March 2021, approximately 1.6 million survey responses had been completed [7]
The ostensible reason for generating faceprints were to detect if the same person was leaving multiple responses to the survey within a 20 hour period on the same tablet. If they were, their responses may not have been genuine, and were excluded from the survey results. 7-Eleven said Read the rest of this entry »

The Home Affairs Ministers, Karen Andrews, today released the Government’s Ransonware Action Plan.

It has been heralded as a new plan to protect Australia against ransomware.  Actually that is the title of the media release Read the rest of this entry »