Privacy Commissioner finds that KMart’s use of facial recognition technology breached the Privacy Act and was unlawful

September 18, 2025

First it was Bunnings and now Kmart has breached the Privacy Act 1988 through its use of facial recognition technology. Today the Privacy Commissioner published the results of a Commissioner-initiated investigation that found Kmart Australia breached the Australian Privacy Principles in collecting personal and sensitive information through facial recognition technology in the period June 2022 to July 2022. The story is covered by Information Age’s article Kmart facial recognition broke privacy laws, regulator finds. It is also covered by the ABC, the Australian Financial Review,

Signal Foundation sounds alarm on AI agents invading privacy

AI has a voracious appetite for data. The implications for privacy protection are obvious. Less well known, or at least less discussed, is the danger to privacy from AI agents. This is explained clearly, and concerningly, by the President of the Signal Foundation, Meredith Whittaker, in this week’s Economist By Invitation piece AI agents are coming for your privacy, warns Meredith Whittaker. A key concern is that operating systems are integrating AI agents into the core of their platforms, so that using them is mandatory. It is a particularly apt article at a delicate time in the development of AI technology. The development of AI cannot be at the expense of privacy. More to the point, AI can be developed with privacy protections built in, not as an afterthought.

The article provides:

Soon we will all have robot butlers, an army of AI agents anticipating our needs and fulfilling our desires. At least, this is the tech promise of the moment. From booking a restaurant to asking your crush on a date, we’ll be able to put our brain in a jar while a bundle of AI systems does our living for us. Why waste time on wooing when you can leave it to your botservant to turn on the charm? In pursuit of this future, the companies that dominate this market are busy injecting AI agents into the nervous system of the digital world. But as in fairy tales, so in life: relying on magical fixes leads to trouble.

National Institute of Science and Technology release important report on Ransomware Risk Management

September 13, 2025

Ransomware is a chronic and growing problem in cybersecurity. It is important that organisations understand the threat but, more importantly, that they properly prepare against an attack. On both counts Australian companies are generally underprepared. The National Institute of Science and Technology (NIST) publishes excellent guides and reports. Its report 8374 Revision 1, Ransomware Risk Management: A Cybersecurity Framework 2.0 Community Profile, is particularly timely. It is a crucial document that can help organizations bolster their defenses against ransomware threats.

The Abstract provides:

Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. Attackers may also steal an organization’s information and demand an additional payment in return for not disclosing the information to authorities, competitors, or the public. This Cybersecurity Framework (CSF) 2.0 Community Profile identifies the security objectives from the NIST CSF 2.0 that support governing management of, identifying, protecting against, detecting, responding to, and recovering from ransomware events. The Profile can be used as a guide to managing the risk of ransomware events. That includes helping to gauge an organization’s level of readiness to counter ransomware threats and to deal with the potential consequences of events. This Profile can be leveraged in developing a ransomware countermeasure

The Report starts with a very good description of the challenge ransomware poses when it states:

Ransomware is a type of malware that encrypts an organization’s data and demands payment as a condition of restoring access to that data. Ransomware can also be used to steal an organization’s information and demand additional payment in return for not disclosing the information to authorities, competitors, or the public. Ransomware events target the organization’s data or critical infrastructure, disrupting or halting operations and posing a dilemma for management: pay the ransom and hope that the attackers keep their word about restoring access and not disclosing data, or do not pay the ransom and attempt to restore operations themselves. The methods ransomware uses to gain access to an organization’s information and systems are common to cyberattacks more broadly, but they are aimed at forcing a ransom to be paid. Techniques used to promulgate ransomware will continue to change as attackers constantly look for new ways to pressure their victims.

Ransomware attacks differ from other cybersecurity events where access may be surreptitiously gained to information such as intellectual property, credit card data, or personally identifiable information and later exfiltrated for monetization. Instead, ransomware threatens an immediate impact on business operations. During a ransomware event, organizations may be afforded little time to mitigate or remediate impact, restore systems, or communicate via necessary business, partner, and public relations channels. For this reason, it is especially critical that organizations be prepared. That includes educating users of cyber systems, response teams, and business decision makers about the importance of – and processes and procedures for – preventing and handling potential compromises before they occur.

Fortunately, organizations can follow recommended steps to prepare for and reduce the potential for successful ransomware attacks. This includes the following: establish, communicate and monitor ransomware risk strategy, expectations and policy; identify and protect critical data, systems, and devices; detect ransomware events as early as possible (preferably before the ransomware is deployed); and prepare to respond to and recover from any ransomware events that do occur. There are many resources available to assist organizations in these efforts. They include information from the National Institute of Standards and Technology (NIST), the Federal Bureau of Investigation (FBI), and the Department of Homeland Security (DHS).

The Report provides

French regulator fines Google $379 million for cookie consent violations

September 7, 2025

Large tech companies have found themselves under close scrutiny from privacy regulators in Europe of late. The latest is the French data protection authority fining Google $379 million and Chinese e-commerce operator Shein $150 million for setting advertising cookies without customers’ consent.

The story is reported by the Hacker News with Google Fined $379 Million by French Regulator for Cookie Consent Violations. 

The story provides:

The French data protection authority has fined Google and Chinese e-commerce giant Shein $379 million (€325 million) and $175 million (€150 million), respectively, for violating cookie rules.

Both companies set advertising cookies on users’ browsers without securing their consent, the National Commission on Informatics and Liberty (CNIL) said. Shein has since updated its systems to comply with the regulation. Reuters reported that the retailer plans to appeal the decision.

Pseudonymised data and whether it is personal information. The Court of Justice of the European Union in European Data Protection Supervisor v Single Resolution Board finds that it is not personal data in all cases. Relevant for Australia

The question of the status of pseudonymised data confounds many and is the subject of some controversy. OVIC published a report, The Limitations of De-Identification – Protecting Unit-Record Level Personal Information. The Privacy Commissioner’s guidelines on pseudonymity state that:

2.6 Pseudonymity requires that an individual may deal with an APP entity by using a name, term or descriptor that is different to the person’s actual name. Examples include an email address that does not contain the person’s actual name, a user name that a person uses when participating in an online forum, or an artist who uses a ‘pen-name’ or ‘screen-name’.

2.7 The use of a pseudonym does not necessarily mean that an individual cannot be identified. The individual may choose to divulge their identity, or to volunteer personal information necessary to implement a particular transaction, such as credit information or an address at which goods can be delivered. Similarly, an APP entity may have in place a registration system that enables a person to participate by pseudonym in a moderated online discussion forum, on condition that the person is identifiable to the forum moderator or the entity.

2.8 An APP entity should bear in mind that the object of APP 2 is to provide individuals with the opportunity to deal with the entity without revealing their identity. Personal information should only be linked to a pseudonym if this is required or authorised by law, it is impracticable for the entity to act differently, or the individual has consented to providing or linking the additional personal information. An entity could also restrict access to personal information that is linked to a pseudonym to authorised personnel (for a discussion of the security requirements for personal information, see Chapter 11 (APP 11)).

In EDPS v SRB the Court of Justice of the European Union confirmed that pseudonymised data is not personal data in every case. Whether the data is actually personal depends on the context, requiring an assessment of all the means reasonably likely to be used to identify the individual.

The Decision

The Court relevantly stated:

The requirement that

Google ordered to pay $425 million in privacy class action lawsuit in the United States of America

September 4, 2025

In a Federal Court class action in the United States involving 98 Google users over 174 million devices, the jury found for the claimants and awarded $425 million against Google for breaching users’ privacy. The breach was Google collecting data from users even after they had turned off a tracking feature in their Google Accounts. The original claim was for $32 billion. Jury awards in the United States can be eye-wateringly high. Appeals courts regularly reduce the size of an award if it is not reduced by agreement between the parties.

The story is covered by the BBC with Google told to pay $425m in privacy lawsuit, Reuters with Google must pay $425 million in class action over privacy, jury rules, and Tech Xplore with Jury tells Google to pay $425 mn over app privacy.

The BBC story provides:

A US federal court has told Google to pay $425m (£316.3m) for breaching users’ privacy by collecting data from millions of users even after they had turned off a tracking feature in their Google accounts.

The verdict comes after a group of users brought the case claiming Google accessed users’ mobile devices to collect, save and use their data, in violation of privacy assurances in its Web & App Activity setting.

They had been seeking more than $31bn in damages.

“This decision misunderstands how our products work, and we will appeal it. Our privacy tools give people control over their data, and when they turn off personalisation, we honour that choice,” a Google spokesperson told the BBC.


National Institute of Science and Technology releases report on Multi-Factor Authentication for Criminal Justice Information Systems: Implementation Considerations for Protecting Criminal Justice Information

Multi-factor authentication is a critical part of any cyber security posture. While it is becoming standard in many larger organisations, it is poorly understood and even more poorly implemented. The National Institute of Science and Technology (“NIST”) has released a report on multi-factor authentication for Criminal Justice Information Systems. The focus is specific, but the contents of the report have broader application.

The abstract provides:

Most recent cybersecurity breaches have involved compromised credentials. Migrating from single-factor to multi-factor authentication (MFA) reduces the risk of compromised credentials and unauthorized access. Both criminal and noncriminal justice agencies need to access criminal justice information (CJI); to reduce the risk of unauthorized access, the Criminal Justice Information Services (CJIS) Security Policy now requires the use of MFA when accessing CJI. This document provides practical information to agencies that are implementing MFA, reflecting on lessons learned from agencies around the country and from CJI-related technology vendors.

The report is worth reading. Some interesting

National Institute of Science and Technology publishes Methodology for Characterizing Network Behavior of IoT Devices & Supply Chain Traceability: Manufacturing Meta-Framework

September 1, 2025

The National Institute of Science and Technology has published the final version of NIST Internal Report (IR) 8349, Methodology for Characterizing Network Behavior of Internet of Things (IoT) Devices, and a draft of NIST IR 8536, Supply Chain Traceability: Manufacturing Meta-Framework.

Understanding the scope of the Internet of Things and how its network operates is key to determining its cyber security requirements. This 47 page report is worth consideration. The Internet of Things will become more, not less, ubiquitous and more, not less, prone to cyber attacks. The Supply Chain Traceability paper is also important but more specific and technical.

Internet of Things

The summary provides:

Characterizing and understanding the expected network behavior of IoT devices is essential for cybersecurity; it enables the implementation of appropriate network access controls to protect the devices and the networks on which they are deployed. Device characterization techniques that describe the communication requirements of IoT devices, in support of the NCCoE Securing Home IoT Devices Using Manufacturer Usage Description (MUD) project, can aid in securing devices and their networks. 

To properly secure networks, network administrators need to understand what devices are on the network and what network communication each device requires to perform its intended functions. In the case of networks that include IoT devices, it is often difficult to identify each individual device, much less know what network access is required by each device to other network components (and what access other network components need to each device).

South Australian barristers’ chambers hacked and data listed on ransomware leak site

August 30, 2025

Hanson Chambers in South Australia has been hit with a cyber attack. The chambers has 8 barristers (3 silks and 5 juniors) and one associate member who acts as a mediator. The breach is serious, with correspondence and court documents stolen and listed on the Lynx ransomware site. It has been reported by cyberdaily.au in Exclusive: South Australian barristers’ chambers listed on Lynx ransomware’s leak site.

The cyberdaily article

The Federal Circuit and Family Court of Australia (Division 2) (General Federal Law) Rules 2025 commences 1 September 2025. As do new Practice Directions. This Monday.

The Rules of the Federal Circuit and Family Court of Australia (Division 2) will change. New Practice Directions will also take effect, being:

  • Central Practice Direction: General Federal Law Proceedings
  • Central Practice Direction: Migration Proceedings
  • General Federal Law Practice Direction: Admiralty and Maritime Proceedings;
  • General Federal Law Practice Direction: Intellectual Property Proceedings.

Practice Directions

The Court’s summary of the Practice Directions provides:

Central Practice Direction: General Federal Law Proceedings

  • updates to reflect new rule references in the new GFL Rules.
  • updates removing child support from the types of proceeding listed as within the Court’s general federal law jurisdiction, to reflect that child support proceedings must now be heard in the family law jurisdiction.
  • new item 3.2 on the overarching purpose stating that parties and their lawyers have a duty to co-operate with the Court and amongst practitioners.
  • new section 4 stating the procedural requirements for parties seeking to file an urgent application.
  • new item 6.3 on case management stating that the Court expects a party to seek consent of all other parties when seeking to adjourn a hearing or vacate a listing date.
  • updates to section 8 on ending a proceeding early to reflect that parties can file a notice of discontinuance at any time before the first court date, or, if the proceeding is continued on pleadings, any time before the pleadings have closed. This includes new item 8.2 which states that the notice of discontinuance can be filed at a later date with the leave of the court or the other parties’ consent, if judgment has not been entered.
  • new section 10 on parties’ conduct and communication with the Court stating the requirements for parties when communicating with each other, the Court and all Court staff. 

Central Practice Direction: Migration Proceedings

  • this is a new Practice Direction, some items in the previous Migration Practice Direction remain and new items have been included.
  • updates to reflect new rule references under the new GFL Rules.
  • new section 3 including:
    • the assignment of a pseudonym to litigants
    • the requirements for how parties are to be named in migration proceedings
    • the requirement that all Court documents must include the details of the person who prepared the document irrespective of whether that person is a lawyer
    • the obligations under section 486E of the Migration Act 1958 (Cth)
    • the requirements for notifying the other party when filing documents with the Court.
  • new section 4 regarding how the Court triages matters before they are allocated to a judicial officer for determination.
  • new section 5 stating the requirements for parties seeking to file an urgent application.
  • new section 6 regarding the non-removal from Australia of detainees with litigation before the Court.
  • new section 7 regarding matters involving a party who is in immigration detention.
  • new section 8 regarding the requirement for the solicitor for the Minister to prepare a Court Book and what it must include. This section also includes the Court’s requirements where a party wishes to rely on authorities.
  • new section 9 on interview/hearing audio and transcripts.
  • new section 10 regarding requests for adjournment.
  • new section 12 regarding the requirements for Direct Access Barristers.
  • new section 13 on parties’ conduct and communication with the Court stating the requirements for parties when communicating with each other, the Court and all Court staff.

General Federal Law Practice Direction: Admiralty and Maritime Proceedings

  • updates to reflect new rule references under the new GFL Rules.
  • new item 1.2 reflecting that parties have a duty to act consistently with the overarching purpose, and practitioners must assist parties to comply with the duty.
  • removal of section 8 on urgent applications due to new section 4 in the Central Practice Direction – General Federal Law Proceedings.
