Peter A Clarke

The European Commission has recently released its proposed regulation of Artificial Intelligence. It is the first ever legal framework on AI.  Given the impact of the European Union’s implementation of the General Data Protection Regulation (GDPR) on worldwide data collection, use, storage and security this proposal, if the Artificial Intelligence Act becomes European law it will have similarly significant impact. The proposal runs to 108 pages with 17 pages of attachments.  It will be a seriously large, laborious and slow process to go from its proposal to adoption stage.

There is a useful 10 page overview titled Communication on Fostering a European approach to Artificial Intelligence.  And being the EU there is a 66 page overlong and detailed plan on AI titled Coordinated Plan on Artificial Intelligence 2021 Review.

The media release Read the rest of this entry »

The Australian in Business on frontline in cyberspace ‘war’   and the BBC with GCHQ chief warns of tech ‘moment of reckoning’ both report on senior governmental figures in Australia and the United Kingdom warning of the impact of threats to security through the internet.

Andrew Hastie, Assistant Defence Minister, in another series of “canary in the coal mine” grabs highlights the danger of cyber attacks to infrastructure, governments and business.  There is talk of a new international cyber and meetings of critical technology engagement strategy and meetings of the governments cyber security industry advisory committee and need to counter threat actors.  He is right that major cyber attacks aimed at government institutions and major infrastructure is a threat to Australia’s digital sovereignty.  And of course the article talks up the funding of the international cyber and critical technology strategy which involves spending of $375 million.  All very worthy.

But these statements are nothing much new.  The threat from hackers has been a problem that has existed for over a decade.  Longer.  It has evolved over time, as technology has developed and opportunities to monetise the use of malware has grown at an exponential rate. The greater activities of state players has made a difficult situation worse.

Where Hastie and other government members are wrong is in having a top down approach to the ensuring that businesses and governmental agencies are properly prepared to deal with cyber attacks.  Strategies are fine.  But they have no real impact on the day to day operations of businesses, many of which have contact with government.  There is little incentive for businesses to do all that is required to minimise cyber attack.  Some Read the rest of this entry »

In Australia the few notable privacy related cases have involved the use of sex tapes, recordings of former partners involved in intimate sexual conduct.  This was the subject of the claim in the Victorian Court of Appeal decision of Giller v Procopets [2008] VSCA 236 and the Western Australian decision of Wilson v Ferguson [2015] WASC 15 which I posted on here. In both of those cases the actual filming was consensual but the subsequent use of those recordings by rejected male partners was not.

In Victim of Tyrone May sex tape seeks damages the Australian reports that a woman has commenced action against Tyrone May for illegally filming her having sex with him and then disseminating those recordings without her consent.  According to the article the recordings went viral through Facebook messenger and SMS text and ended up on a pornographic website, Porn Hub, reputedly the largest adult website in the world.

Interestingly the woman is suing for “breach of privacy”, presumably alleging there is a tortious cause of action. If successful that will set precedent and be welcome.  At the moment privacy claims languish in the realms of equity, specifically breach of confidence. It is unsatisfactory.

May pleaded guilty to intentionally recording an intimate image without consent.  That may complicate any defence he Read the rest of this entry »

The National Institute of Standards and Technology (NIST) is part of the US Department of Commerce.  It is enormously influential in setting standards, worldwide, in the cyber security sphere.  That is relevant in privacy protections as well.  Overnight the NIST released a guideline for comment, Securing the Industrial Internet of Things: Cybersecurity for Distributed Energy Resources.

It is a very topical release and deals with a difficult area of cyber security.  The industrial internet of things involves multiple devices.

The goals of the guide are:

• remotely monitor and control utility-owned and customer-managed DER assets
• protect and trust data and communications traffic of grid-edge devices and networks
• capture an immutable record of control actions across DERs
• support secure edge-to-cloud data flows, visualization, and continuous intelligence

The guide is aimed to have Read the rest of this entry »

In a very significant decision of Australian Competition and Consumer Commission v Google LLC (No 2) [2021] FCA 367 the Federal Court, per Thawley J, has found that Google breached sections 18, 29 and 34 of the Australian Consumer Law (the “ACL”).  At 341 paragraphs it is a significant and detailed judgment.

Privacy policies and settings remain problematical in terms of practical, as opposed to theoretical, compliance with the Privacy Act 1988 and in providing consumers with a clear understanding of what the settings actually mean for them.  It does not help that settings are changed regularly and often without notice, with Facebook being particularly notorious in this regard.

It appears that the ACCC is stepping into the regulatory void that would otherwise be occupied by the Australian Information Commissioner in enforcing privacy protections.  By relying on misleading and deceptive conduct provisions of the ACL the ACCC is following the long established approach taken by the US Federal Trade Commission in bringing proceedings for misleading conduct where companies claim to protect privacy or have proper data security when in fact they do not.  That has led scholars to suggest that the FTC has developed a new common law of privacy. It would be a welcome development if the ACCC used its experience and superior litigation skills to enforce privacy protections in Australia.  The Information Commissioner has thus far had a dismal record in the Federal Court regarding consideration of the Privacy Act 1988.

The proceedings commenced in October 2019. Final orders will not be made for at least 14 days as the parties are to provide orders to reflect the court’s conclusions.  Given the nature of the findings it is reasonable to expect Read the rest of this entry »

The Reserve Bank of Australia has highlighted cyber attacks as being a challenge for financial institutions. The report stated:

The Australian financial system has remained resilient through a tumultuous year for the economy and financial markets.

After a substantial decline in the first half of 2020, banks’ profitability recovered in the second half and analysts expect it to strengthen further in 2021. This has helped raise banks’ capital positions from already strong levels. Banks have abundant liquidity and funding. Measures of banks’ asset quality have deteriorated a little in recent months as loan repayment deferrals have come to an end and support for households and businesses has tapered. However, banks had increased their provision balances to absorb the impact of future defaults.

Available information also points to other financial institutions being resilient. The financial impacts of the pandemic tested the liquidity management of superannuation funds, but their systems proved effective in navigating this challenge (see ‘Box C: What did 2020 Reveal about Liquidity Challenges Facing Superannuation Funds?’). General insurers remain well capitalised and have increased their provisions for potential business interruption claims arising from the pandemic. However, the life insurance industry has to address longstanding issues that continue to result in losses. Financial market infrastructures have recently experienced some operational disruptions, underscoring the importance of continually assessing and improving their resilience.

There are a number of other longer-term challenges for financial institutions to manage. The risks posed by information technology (IT) malfunctions and malicious cyber attacks are growing and a significant event could threaten financial stability. Another challenge will be to manage the broad range of risks arising from climate change. These do not currently pose a substantial risk to financial stability, but they could over time if climate change risks to Australian financial institutions grow and are left unaddressed. And financial institutions need to continue to maintain a focus on governance and embed a healthy culture to address the misconduct that has become apparent over the past few years.

…………

Financial institutions need to carefully manage technology risks …

Risks to financial institutions’ IT systems – from both malicious attacks and malfunction – require ongoing attention and robust management, both globally (see ‘Chapter 1: The Global Financial Environment’) and domestically. These risks have grown as digital platforms and service channels become more ingrained and more complex and as a result of the increased incidence of remote working arrangements. They have recently been highlighted by a data breach involving a legacy file sharing service run by Accellion, a third-party technology provider, which affected a wide range of entities including ASIC and the Reserve Bank of New Zealand. The operational disruptions experienced by ASX in November (discussed above) also demonstrate the risks associated with technology malfunction. The constantly evolving nature of cyber risks means it is critical that financial institutions regularly update and upgrade their defences. In recognition of this, Australian regulators have a number of initiatives to support financial institutions’ efforts to strengthen cyber resilience (see ‘Chapter 4: Domestic Regulatory Developments’).

Cyber attacks and incidents are most likely to involve manageable financial losses for specific institutions, but they could have systemic implications in certain circumstances. To be systemic, the impact of cyber attacks and incidents would have to affect multiple institutions, either directly or indirectly. This could occur if they affect third-party providers or software used widely across the financial system. Similarly, if such an incident affected critical nodes, such as an FMI (including payment systems or CCPs) for a prolonged period it could directly impact the ability of firms and households to engage in economic activity and manage risk. The integrity of data is particularly important since it dictates the ability of banks to disburse funds or collect on monies due and, in the extreme, if violated it could raise questions about the institution’s solvency. More generally, any data breaches that cause consumers and creditors to lose confidence in the security of the financial system could see banks face liquidity challenges.

(Emphasis added)

What the RBA is saying is of course true.  It has been said before.  What is lacking is Read the rest of this entry »

Facebook, hardly the paragon of virtue, has had a data breach involving more than 500 million people. The latest firm estimate is it involved 533 million.  The data published on line includes names, phone numbers, email addresses, account IDs and biographies.  According to the Record the information leaked included phone numbers which are not public for most profiles.  Plenty of material to doing a bit of identity theft. 

The leak involved an attacker using a vulnerability in the Facebook contacts importer features.  The attackers were able to link random phone numbers to specific users.  As is commonly the case these days the attacker remained and collected data until Facebook detected the process and cut of access. The attack occurred 2 years ago, though Read the rest of this entry »

It has been an ordinary 12 months for New South Wales in the data protection world.  Services NSW suffered a massive data breach in April, which was first reported in May 2020, with 180,000 customer’s personal information exposed. The breach was affected through a phishing attack on 47 emails of Services NSW.  Being a secretive government department, as most Australian departments are, it resisted providing information about the breach, even resisting a Freedom of Information request in July. There is nothing much unusual about that.  Regrettable, but not unusual.

The public affected only started to be notified in September 2020 which is seriously odd.  Why wait 4 months? It is still to notify 18,500 customers affected by the breach, almost a year after the breach was detected.  It can be difficult to locate people particularly those who live a transient lifestyle or have mental health issues but 18,500 is still a large number of people and it has been almost a year.  That bespeaks a poor response plan and a lack of resources being put into the task.  The cost of this data breach is reportedly $30 million.

Meanwhile in March the hacking group Clop  put up stolen data taken from the NSW transport department on the dark web and Read the rest of this entry »