Ransomware attacks grew 13% year on year in 2022, an increase greater than in the past 5 years

May 28, 2022

Verizon has just released its 2022 Data Breach Investigations Report, which shows that ransomware has grown 13% year on year in 2022. The report is valuable because it records trends in ransomware attacks.

The report states:

  • the four means by which an organisation's online systems are accessed are:
    • misuse of credentials,
    • phishing,
    • exploiting vulnerabilities, and
    • botnets.
  • Error continues to be a dominant trend, and is heavily influenced by misconfigured cloud storage.
  • The human element continues to drive breaches. Whether it is the use of stolen credentials, phishing or simply an error, people continue to play a large part in incidents and breaches alike.
  • Data compromises are considerably more likely to result from external attacks than from any other source.
  • 80% of breaches are caused by individuals external to the organisation.

Read the rest of this entry »

Australian Information Commissioners issue joint statement to establish consistent approaches in accessing Stolen Generations records

The Federal, State and Territory Information Commissioners have released a joint statement regarding the handling of personal information in the form of records. The statement provides:

Information Access and Privacy regulators from across Australia have issued a joint statement to mark National Sorry Day (26 May).

Australian Information Access Commissioners and Privacy Authorities recognise the important role of historical records in truth telling and sharing history, intergenerational healing, redress and reparations for Stolen Generations survivors and their families. Read the rest of this entry »

National Institute of Standards and Technology issues Blockchain for Access Control Systems (NISTIR 8403)

May 27, 2022

The National Institute of Standards and Technology (“NIST”) has issued a guideline, Blockchain for Access Control Systems (NISTIR 8403).

The abstract provides:

The rapid development and wide application of distributed network systems have made network security – especially access control and data privacy – ever more important. Blockchain technology offers features such as decentralization, high confidence, and tamper-resistance, which are advantages to solving auditability, resource consumption, scalability, central authority, and trust issues – all of which are challenges for network access control by traditional mechanisms. This document presents general information for blockchain access control systems from the views of blockchain system properties, components, functions, and supports for access control policy models. Considerations for implementing blockchain access control systems are also included.

Blockchain systems provide an alternative (or complementary) system for reliability, security, accountability, and scalability for AC systems. Blockchain characteristics – such as transparency, distributed computing/storage, and a tamper-evident/tamper-resistant design – help to prevent AC data from being accessed or modified by malicious users. Access logs are also recorded in blocks that allow for the detection of malicious activities. Blockchain system components and their advantages for AC systems are Read the rest of this entry »

Education apps endorsed by the Australian Government found to be surveilling Australian children, resulting in inquiries by the New South Wales and Victorian Governments

May 26, 2022

As the saying goes, the road to hell is paved with good intentions. That may be the sombre story of education apps used during the pandemic. Human Rights Watch has undertaken a detailed study, How Dare They Peep into My Private Life. Of particular interest are some of the practices of EdTech vendors. The EdTech apps were used by students in Australia during the lockdowns. The Victorian and New South Wales Governments have announced inquiries. The Victorian Information Commissioner raised concerns about education apps as far back as August 2020, stating in a report that “…we consider that schools are at risk of breaching the [Information Privacy Principles] IPPs when using apps and web-based learning tools that handle student personal information.”

The report has been covered by iTnews in Edtech vendors invaded student privacy: Human Rights Watch, by InnovationAus in ‘Dystopian’: Govt-endorsed education apps surveilling Australian children, and by the ABC in Investigation reveals tracking by EdTech of millions of Australian school students during COVID lockdowns.

Some interesting findings from the report: Read the rest of this entry »

Singapore launches AI Verify, the world's first AI Governance Testing Framework and Toolkit

Artificial Intelligence (“AI”) is revolutionising the way we consume, the way work is done and the way things are built. The productivity gains have been extraordinary. It also poses significant public policy challenges. The problems include a lack of transparency in decision making, skewed results from potentially poor-quality algorithms, and the “black box” effect where the path of reasoning is obscured or completely unknown. And it has a dystopian potential, skewing results against minorities for example. That is a problem with facial recognition technology and with predictive analytics in insurance and criminal investigations. All of those matters concern the public. There is a dearth of regulation, for the good reason that legislatures are not sure how to regulate properly without harming the positive potential of AI.

The Singapore Privacy Commissioner has launched AI Verify – An AI Governance Testing Framework and Toolkit. It is ostensibly designed to allow companies to demonstrate responsible AI. It is a voluntary scheme. It is certainly a step in the right direction.

The press release by the Infocomm Media Development Authority, Singapore launches world’s first AI testing framework and toolkit to promote transparency; Invites companies to pilot and contribute to international standards development, provides: Read the rest of this entry »

Federal Trade Commission takes action against Twitter for deceptively using customers’ account security data to sell targeted ads. Twitter to pay a 150 million dollar fine to settle privacy lawsuit.

The US Federal Trade Commission has taken action against Twitter for allowing advertisers to use its customers’ phone numbers and email addresses for targeted ads. Customers provided that information to Twitter to protect their accounts. The practice was long-standing, from at least May 2013 until at least September 2019, and affected more than 140 million Twitter users.

It is interesting to note that in 2011 the FTC claimed Twitter misrepresented the extent to which it protected its customers' privacy and the security of their non-public information. The FTC settled that complaint.

The complaint states:

From at least May 2013 until at least September 2019, Twitter misrepresented to users of its online communication service the extent to which it maintained and protected the security and privacy of their nonpublic contact information. Specifically, while Twitter represented to users that it collected their telephone numbers and email addresses to secure their accounts, Twitter failed to disclose that it also used user contact information to aid advertisers in reaching their preferred audiences. Twitter’s misrepresentations violate the FTC Act and the 2011 Order, which specifically prohibits the company from making misrepresentations regarding the security of nonpublic consumer information. Plaintiff therefore seeks civil penalties for Twitter’s violations, as well as a permanent injunction and other equitable relief, to ensure Twitter’s future compliance with the law.

and: Read the rest of this entry »

Where to with privacy reform in Australia

A brief review of this website will reveal that privacy laws are constantly developing throughout the world to meet changes in data handling practices and challenges from those who would interfere with privacy. Development and improvement of privacy regulation in Australia has been slow, tepid and fitful, despite regular recommendations for reform from law reform commissions.

In Australia the last Federal election did not reveal any enthusiasm for privacy reform as a platform for any major party, according to InnovationAus in No privacy reform commitments from major parties. The article was written last week, prior to the poll. So in a sense Read the rest of this entry »

European Council of the European Union approves the Data Governance Act

May 24, 2022

On 16 May the European Council approved the Data Governance Act. It is a complicated and involved document.

The Act is designed to provide procedures to facilitate the appropriate reuse, within the EU, of certain protected public sector data.

A key element is to define and regulate a model for data intermediation services that would serve as trusted environments for organizations or individuals to share data. Those intermediation services are designed to:

  • support voluntary data sharing between companies
  • facilitate the fulfilment of data sharing obligations set by law
  • permit organisations to share data without fear of it being misused or of losing competitive advantage
  • enable individuals to gain control over their data and allow them to share it with trusted companies

Individuals will have control over how they share their data through novel personal information management tools, such as personal data spaces and/or data wallets.

Data intermediation service providers will be prohibited from profiting from the data that they handle; however, they will be able to charge a fee for their services.

The Act introduces safeguards against the unlawful transfer of non-personal data, similar to the way personal data transfers are regulated under the GDPR. The European Commission would be able to Read the rest of this entry »

Robodebt Royal Commission to commence later in 2022

During the recent election campaign the opposition announced that it would hold a Royal Commission into the Government practice of data matching to recover government overpayments, described as Robodebt. The media release of 30 April 2022 provided:

An Albanese Labor Government will expose the truth of the Morrison Government’s illegal Robodebt scheme, return integrity to the public service, and ensure a disaster like this never happens again.
If elected, Labor will establish a Royal Commission into Robodebt by the end of this year. Our consultation will begin after the election.
An Albanese Labor Government would ask a Royal Commission to examine and report on the Robodebt scheme, consistent with these key objectives which will be reflected in the Terms of Reference:

    1. To establish who was responsible for establishing the Robodebt scheme.
    2. To establish what advice, and what process or processes, informed the design and implementation of the Robodebt scheme.
    3. To investigate the handling of complaints about the Robodebt scheme – including in relation to the scheme’s legality – by Services Australia, the Department of Human Services, other relevant Commonwealth agencies and Ministers.
    4. To determine how much the implementation, suspension and wind-back of the Robodebt scheme cost taxpayers.
    5. To investigate the harm caused to law-abiding Australians by the Robodebt scheme.
    6. To investigate the use of third-party debt collectors under the Robodebt scheme.

Our consultation after the election will inform the Terms of Reference for the Royal Commission.
The Morrison Government has consistently denied, obstructed and covered-up the origins of the Robodebt scandal and refused to take responsibility. 
It is only when Labor organised a class action that a $1.8 billion settlement was made to repay victims and keep ministers out of the witness box. 
It is vital that Robodebt victims and the broader Australian public know the truth of the Robodebt disaster. 
We need to learn the truth of Robodebt’s origins so that such an atrocity can never again be perpetrated by an Australian Government against its citizens. 
The illegal and immoral Robodebt scheme caused untold carnage in the Australian community – stress, anxiety, financial destitution and even suicide.

Comments attributable to Anthony Albanese: 
“Robodebt was a human tragedy, wrought by this government. Against all evidence, and all the outcry, the government insisted on using algorithms instead of people to pursue debt recovery against Australians who in many cases had no debt to pay. It caused untold misery. Only an Albanese Labor Government will find out the truth.”

Comments attributable to Bill Shorten:
“We still do not know how this reckless scheme was unleashed. We do not know whether poor legal advice was given or whether legal advice was simply never sought. We do not know if public servants were inappropriately heavied and politicised. And without knowing the true origins we do not know what safeguards could be put in place to prevent a repeat.” 

The election has been held and the opposition is now the Government. InnovationAus reports in Robodebt Royal Commission to be launched this year that a Royal Commission will be established and Read the rest of this entry »

Information Commissioner’s Office fines facial recognition company Clearview AI £7,552,800 and orders data be deleted

The UK Information Commissioner has imposed a significant fine of £7,552,800 on Clearview AI for illegally collecting personal data of UK residents. The facial images of UK residents were scraped from the internet and fed into Clearview’s database where, with the aid of artificial intelligence, that data could be used to identify those people and monitor them.

Clearview AI continues to maintain that it has done nothing wrong, saying that its technology and intentions have been “misinterpreted”, and claims that it is not subject to the ICO’s jurisdiction.

Clearview has already been the subject of action by other regulators. In March 2022 the Italian data protection agency fined Clearview €20 million for breaches of EU law. In December last year France’s data watchdog, CNIL, found that Clearview had committed two breaches of the GDPR. Similarly, in February 2021 Canadian privacy commissioners stated that Clearview had violated Canadian privacy laws. In the United States, Cook County, effectively Chicago, and Clearview entered into an agreement in settlement of a suit whereby Clearview has agreed to stop providing its technology to most private clients and to stop doing business in Illinois.

The use of facial recognition technology by police is belatedly being scrutinised Read the rest of this entry »