Federal Trade Commission requires Zoom to enhance security practices

December 1, 2020

Zoom is now a verb.  The impact of video conferencing platform has made it ubiquitous and necessary to work from home and keep in touch with others during long weeks of shut downs. And it deserves its reputation as the go to platform; it is easy to use, it is free (for 40 minutes at a time), it allows for up to 100 people to join a meeting and it has many cool features such as separate rooms and messaging services.

It has also suffered from the growing pains that afflict technology that appear from nowhere and become massively popular overnight.  That included critical flaws in software for windows that allowed hackers to take over computers and flaws that lets an attacker to use a GIF to hack software and install malware and until recently not having end to end encryption. The list of flaws identified and fixed are set out in Zoom security issues: Here’s everything that’s gone wrong (so far).

As a result of the persistent flaws and inadequate privacy practices, now fixed, Zoom entered into a agreement with the New York Attorney General, on 7 May 2020, whereby Zoom would put into place and support new security measures and enhance privacy controls.

It was only a matter of time before Zoom’s privacy and security problems came to the attention of the US Federal Trade Commission.  It was investigated and earlier this month came to a settlement, again requiring it to provide better information security systems.  The jurisdictional basis for FTC bringing an action is that Zoom engaged in deceptive and unfair practices about it’s level of security, including representations about end to end encryption and the level of encryption.  The period of compliance with the Decision is 20 years.

The FTC issued a complaint  alleging that the misleading practices dated back to 2016.  The complaint highlights Read the rest of this entry »

Europe to take control of its own data

November 27, 2020

Europe is taking decisive steps to increase its data protection with proposed legislation to create an EU wide data market which will enable the sharing of industrial and government information under the European standards. This is reported in the Wall Street Journal’s article Europe Doubles Down on Data Protection to Ward Off Silicon Valley, Chinese Influence.  This will probably be critisised as data localisation, a practice that warrants scrutiny given it is much loved by authoritarian governments for less than savoury reasons.   The scheme will involve data not exclusively involving personal information.

This development highlights Read the rest of this entry »

Hackers attack Legal Services firm Law in Order with Ransonware

November 25, 2020

I have long posted on law firms being in the sights of cyber criminals.  I raised this as an increasing threat in September last year and attacks on Queensland law firms in 2017 and European law firms in 2016.

The Australian Financial Review reports, in Hackers threaten to publish data from attack on legal services firm, report on a cyber attack on 22 November 2020 by hacker legal services firm Law In Order suffering a Ransomware attack with the hackers threatening to publish data unless a payment is made. The story is also covered by itwire, insurance business mag, and itnews.  That list will grow.

Law In Order issued statements of what happens.  It is far from a best practice response.  General waffle.  Full candour is not always possible because investigations take time.  But that does not mean that writing excessive meaningless verbiage is the answer. That is particularly so when the Australian Financial Review has key information about the attack, for example that it was undertaken by Netwalker and is a ransomware attack.  That makes the statement look even sillier than Read the rest of this entry »

Attorney General announces a review of the Privacy Act 1988 with submissions due by 29 November 2020

October 30, 2020

Today the Attorney General announced a(nother) review of the Privacy Act 1988.  That was part of a response to the ACCC Digital Platform’s Inquiry.  In doing so he released a 89 page Issues Paper. 

The media release provides:

The Morrison Government has today released the terms of reference and issues paper for a wide-ranging review of the Privacy Act 1988 (the Privacy Act). 

The Government committed to a review following the Australian Competition and Consumer Commission’s Digital Platforms Inquiry in 2019. Several recommendations from that Inquiry – which the Government has already agreed to in principle – will be considered as part of the review.

These include expanding the scope of the Privacy Act to cover technical data and other online identifiers; and strengthening privacy notice and consent requirements

The review will be conducted by the Attorney-General’s Department and public submissions can be lodged up until 29 November 2020. A further opportunity to comment will also be available following the release of a discussion paper early next year.

“Australians are spending more and more of their time online and more of their personal information is being collected, handled and stored,” Attorney-General Christian Porter said.

“Technology is also rapidly evolving in areas such as artificial intelligence and data analytics, which is why it is crucial that we have a privacy regime that is fit for purpose, can grow trust, empower consumers and support the growing digital economy.”

A report of the review will be released following government consideration. It is separate to the work already being undertaken to increase the maximum civil penalties under the Privacy Act, and to develop a binding privacy code for social media platforms and other online platforms that trade in personal information.

The issues paper and further information about the review and consultation are available on the Privacy Act review page on the Attorney-General’s Department website. Read the rest of this entry »

Victorian Privacy and Data Protection Deputy Commissioner commences examination of privacy/security in Victorian Universities

October 21, 2020

Universities are prime targets for cyber attack as well as just poor data handling.  In the former category the Australian National University suffered a massive and prolonged data breach over 2018/2019 caused by overseas actors, probably Chinese (my post here) while more recently the University of Tasmania had a significant data breach involving over 19,000 names through incompetent data protection (my post here).

Today the Victorian Privacy and Data Protection Deputy Commissioner commences an examination of how Victorian universities protect personal information.  The press release Read the rest of this entry »

New Zealand Privacy Commissioner launches a privacy breach reporting tool

New Zealand has come even later to mandatory data breach reporting.  Its legislation comes into effect on 1 December 2020. The New Zealand Privacy Act 2020 is, like Australia’s, far from the gold standard. But New Zealand does have a tort of interference with privacy which puts it well ahead of Australia.

Determining whether a data breach is notifiable can be a difficult weighing exercise under both the Australian and New Zealand legislation. Both Acts use serious harm as a threshold but provide no definition of what that is.  In the New Zealand Act the process involves consider quite general factors in section 113 which provides:

Assessment of likelihood of serious harm being caused by privacy breach

When an agency is assessing whether a privacy breach is likely to cause serious harm in order to decide whether the breach is a notifiable privacy breach, the agency must consider the following:

(a) any action taken by the agency to reduce the risk of harm following the breach:

(b) whether the personal information is sensitive in nature:

(c) the nature of the harm that may be caused to affected individuals:

(d) the person or body that has obtained or may obtain personal information as a result of the breach (if known):

(e) whether the personal information is protected by a security measure:

(f) any other relevant matters.

Mandatory data breach notification is a complicated process . The Privacy Commissioner has Read the rest of this entry »

Smart devices being used for domestic abuse

The weaknesses of the internet of things to hacking has long been known.  That doesn’t mean it has been dealt with adequately.  The common problem is access to those devices through inadequate security or weak passwords from third parties.  A recent BBC article How smart devices are exploited for domestic abuse demonstrates how the internet of things can be used track and terrorise.

A machine or application is in and of itself neither evil or good.  It has no value.  It provides a service or performs a function.  As the article makes clear features designed to assist, such as a doorbell camera, can be used by partners or ex partners to surveil.  Family apps, which I find creepy, are designed to monitor children’s safety.  But the data can be relayed to Read the rest of this entry »

UK Information Commissioner’s office fines British Airways 20 million pounds for data breach affecting 400,000 customers

October 17, 2020

The UK Information Commissioner’s Office (“ICO”)has fine British Airways (BA) £20 million for a data breach in 2018.  I did a post on it in September 2018. The ICO initially intended to fine BA nearly £184 million and made a statement in July 2019 to that effect in response to BA’s statement to the London Stock Exchange.  The Commissioner decided to reduce the sum in light of the impact COVID 19 has had on BA’s business and finances.

As often happens the investigation into the cyber attack by the regulator turned up multiple failings by BA in both protecting its network but also failing to detect the attack. And that attack was both wide and deep in its penetration. Through the attack addresses of 244,000 customers were accessed, the credit card details with CVV numbers of 77,000 customers and credit card numbers Read the rest of this entry »

Surveillance of workers at home… a new (actually old) privacy issue that has been a kick along

The cynical saying “don’t waste a good crisis” has found plenty of examples of unimpeded and inadequately scrutinised change by governments and businesses.  Here there has been  a solid level of support in governments doing the right thing.  And generally less fractious argument between workers and employers.  The feeling is, we are all in this right so the presumption is that commonweal trumps all, including individual rights.  A dangerous mindset and one that leads to abuse which can be difficult to undo when the crisis passes as the technology is embeded into the work place structure with little to no push back.

The phenomana of employee monitoring is not a unique by product of the COVID 19 lockdown and remote working.  It has been a growing trend for some time.  In 2018 Garnter produced a report, The Future of Employee Monitoring, where it found that in 2018 50% of companies surveyed used some form of non traditional monitoring techniques.  The figure was 30% in 2015.  Gartner predicted that number to be 80% this year. That prediction was done without factoring in the change in workplace arrangements with COVID 19.  There has been a discernible effort by employers to use the technology available to monitor their workers output while working remotely coupled.  A growing list of increasingly sophisticated surveillance tools has lead to an ineffectively regulated and comprehensive means to surveil employees in their home.  This is well described Read the rest of this entry »

Contact tracing data collected from pubs and restaurants in the UK being sold marketers,

October 12, 2020

When the history of the COVID 19 pandemic is written the chapter on how governments and organisations respected individuals privacy will be grim reading.  The way in which data was collected by businesses at venues was at best sloppy and often times almost criminally negligent. I gave up counting how many scraps of paper or, for some reason, children’s exercise books were left lying around with details of patrons in plain view.  Some of the information sought went beyond names and contact details. Governments went overboard on tracking, to the point where Israel halted police phone tracking because of the privacy intrusion was so great.  The contact tracing app in Australia was oversold as an aid and seriously under performed.  It rarely features in any discussions by, well pretty much anyone.

The Times reports in Contact-tracing data harvested from pubs and restaurants being sold on that data collected to assist contact tracing has been sold on by the establishments that collected that data.  That is a blatant breach of Read the rest of this entry »