The problems with passwords in data protection... time for two factor authentication

October 4, 2015

Passwords are a perennial weakness in data security. There is no shortage of stories mocking the passwords that people use (such as Top 10 Dumbest Passwords Ever and How Many People Still Use Them; ‘696969’ and 24 more of the dumbest passwords of 2014; and Whatever you do, please don’t use these dumb passwords, just to list a few) and some of the passwords chosen would make a cat smile. The answer is not more mockery and Read the rest of this entry »

Obfuscation and privacy

I am currently reading a fascinating book, Obfuscation: A User’s Guide for Privacy and Protest, which considers and advocates means of reducing digital surveillance by adding ambiguous and confusing information so as to interfere with clean data collection by whoever, be they government or retailers. It has been well received (see review here). The concept is not extraordinary or particularly new (see here), as researchers have been aware for some time that released raw data can, with the appropriate algorithms, be used to identify individuals. The points of reference required are startlingly few. Adding confusing and misleading data within raw or refined data makes it much more difficult to do that. It is a complementary approach to protecting one’s privacy. It is not a substitute for adequate privacy regulation and enforcement, both of which remain lacking in Australia at both a Federal and State level. The reality is that for some, adopting this approach is too complicated or just too much like hard work. The default should be proper opt-ins rather than opt-outs in collection protocols.
Read the rest of this entry »

The myth of people being comfortable giving up their privacy

October 3, 2015

There is a prevailing view amongst business advocates and organisations that people are prepared to give up their privacy, or at least be content that their personal information is being collected and analysed, where they obtain benefits from retail and internet. The corollary of that assertion, because the evidence is scant, is usually that there is no pressing, or any, need for privacy protections and a visceral hostility to enhancing privacy protections. As recently as this week I heard a variation of this spiel. Apart from being illogical it is not supported by any facts. As the Atlantic makes clear in Americans Love Technology—but They Want Their Privacy Back, it is not an either technology or privacy argument. It never has been. And it Read the rest of this entry »

Drones linked to VR headsets

The development of drone technology moves apace. Now drones are being operated by and tied to virtual reality goggles worn by the operator, as reported by Slate in A Drone Linked to a VR Headset Lets You Explore the Sky, Almost for Real. Interestingly the article highlights one of the drone’s features as permitting the user to map out a flight plan, something that has been possible for a while but not commonly available, while another system swaps batteries itself when one runs out of power. That is a huge development as Read the rest of this entry »

David Jones suffers data breach with customer information compromised

October 2, 2015

Following hot on the heels of Kmart announcing a data breach, David Jones has started notifying customers today that there has been a large scale data breach of its website. iTnews covers the story in David Jones website hacked, customer data stolen and the Age in David Jones says third party accessed ‘limited’ customer information. The PM program covered the story in Department store David Jones says customer details stolen in data breach, with the transcript providing:

PETER LLOYD: The personal and private details of customers of retailer David Jones are in the hands of criminals who hacked the company’s computer system. But DJs insists no credit card information or passwords were stolen.

It’s also happened recently to K-Mart and the privacy commissioner says there has been a huge jump in reports of computer hacking to steal data over the last year. Read the rest of this entry »

Kmart Australia suffers a data breach, customer information stolen

Kmart announced on 30 September 2015 that it had suffered a data breach, caused by hackers. Customer information, Read the rest of this entry »

The increasing presence of drones

October 1, 2015

The Economist in its most recent edition has a detailed article on the expansion in the use and numbers of drones in Welcome to the Drone Age. It concisely summarises how quickly drones have developed once drones were introduced into civilian usage.  And how poorly the governments and regulators have responded to this remarkable equipment.  The FAA in the USA and, to a lesser extent, CASA have failed to anticipate and react promptly to the widening use of drones.  As for the issues of privacy breaches and criminal law responses the state and Federal governments have done nothing.  There has been a total failure of policy.  As the article makes clear in this Read the rest of this entry »

SEC settles a claim against R T Jones Capital Equities Management for failing to adopt proper cyber security policies prior to a cyber attack

September 23, 2015

The requirement for proper cyber security policies is no longer only of interest to privacy regulators. Earlier this year I posted on ASIC’s Report 429, Cyber Resilience (see Report on Cyber Resilience, highlights the need for proper cyber security, this time from ASIC) where ASIC now makes it clear that it regards proper cyber security as being part of a director’s legal obligations.

In the United States the Securities and Exchange Commission also has a not unreasonable interest in cyber security. Financial records contain considerable personal information and details which allow for fraud and identity theft. Yesterday it made it clear that it takes poor cyber security practices seriously when it announced that it Read the rest of this entry »

The slow burn of the Vodafone data breach story

September 18, 2015

Data breach notification legislation is becoming a mandatory feature of most data legislation in the developed world. There are some quirks here and there, with the USA having data breach notification in most states but not at a Federal level. There is no data breach notification legislation in Australia at a state level and very limited at a Federal level, confined to breaches relating to some health records. There is no general requirement. That has always been a concern. Given there are now laws in Australia mandating data retention by telcos, that is now a significant failing. Telecommunications firms have been notorious for their poor compliance with the privacy legislation and quite obdurate Read the rest of this entry »

Health Legislation Amendment (eHealth) Bill 2015 introduced into the House of Representatives

Yesterday the Government introduced and read for a first and second time the Health Legislation Amendment (eHealth) Bill 2015.

The Bill is a 126-page behemoth which will warrant close scrutiny. Briefly, it is worth noting some notable features of the Bill:

  • Part 3 provides for the collection, use and disclosure of the healthcare identifiers, identifying information and other information. The simplified outline describes the process as:

Read the rest of this entry »