Peter A Clarke

Today the Information Commissioner, the Australian Competition and Consumer Commission (ACCC), Australian Media and Communications Authority (ACMA) and the eSafety Commissioner (eSafety) have released a joint communique regarding their co ordination and priorities for the next year.  The key focus will be digital transparency and algorithms and their impact.  As to what exactly that means in terms of action taken by regulators is not clear.  Both issues are very important in the privacy sphere. 

The communique provides:

Digital Platform Regulators Forum names algorithms, digital transparency and increased collaboration as priorities for 2022/23

The heads of the four members of the Digital Platform Regulators Forum (the forum) met yesterday and have agreed on a collective set of priorities for 2022/23.

Members of the forum are: The Australian Competition and Consumer Commission (ACCC), Australian Media and Communications Authority (ACMA), eSafety Commissioner (eSafety) and Office of the Australian Information Commissioner (OAIC).

The forum’s strategic priorities for 2022/23 include a focus on the impact of algorithms, seeking to increase transparency of digital platforms’ activities and how they are protecting users from potential harm, and increased collaboration and capacity building between the four members.

Through the forum all members have agreed to share information and work together to tackle issues across their traditional lines of responsibility.

Digital transparency Read the rest of this entry »

Choice has formally complained to the Australian Information Commissioner about the use of Facial Recognition by Kmart, Bunnings and the Good Guys.  Itnews has covered the story in Australian retailers named in facial recognition complaint. 

Choice’s announced the complaint by media release which provides:

CHOICE has asked the Office of the Australian Information Commissioner to investigate Kmart, Bunnings and The Good Guys for potential breaches of the Privacy Act (1988). CHOICE is concerned that the retailers’ practices related to their use of facial recognition technology pose significant risks to individuals. The social and economic risks include invasion of privacy, misidentification, discrimination, profiling and exclusion, as well as vulnerability to cybercrime through data breaches and identity theft.

Key issues

CHOICE has concerns with the retailers’ practices for two main reasons:

1. 1. Lack of notice and consent in the collection of sensitive information. The retailers’ use of online privacy policies and small signage in store as the key mechanisms to provide notice and obtain consent from individuals about the collection of their sensitive information is insufficient and non-compliant.
   2. The stated business purpose is disproportionate to the privacy harms posed to individuals. The retailers’ large scale collection and use of their customers’ sensitive information significantly invades the privacy of its customers. It is a disproportionate response to the risk of theft and anti-social behaviour in stores.

Choice has also made public the 16 page formal complaint.  It is comprehensive and refers to the Determination by the Information Commission against Clearview AI (Commissioner initiated investigation into Clearview AI, Inc. [2021] AICmr 54).  It is quite an impressive document. 

Choice alleges that the Kmart, Bunnings and the Good Guys breach the following Australian Privacy Principles (APPs):

APP 1.3 – have a clearly expressed and up-to-date APP Privacy Policy about how the
entity manages personal information;
? APP 3.3(a)(ii) – only collect ‘sensitive information’ where it is reasonably necessary;
? APP 3.3(a) – only collect ‘sensitive information’ with consent;
? APP 3.5 – only collect personal information by lawful and fair means; and
? APP 5.1 – take reasonable steps to notify an individual of the APP 5 matters or to
ensure the individual is aware of those matters.

As a prelude to the publishing its findings Choice undertook a survey of 1000 Australians about their awareness of facial recognition technology and found:

• 76% of respondents didn’t know retailers were using facial recognition.
• 83% of respondents think retail stores should be required to inform customers about the
  use of facial recognition before they enter the store.
• 78% expressed concern about the secure storage of faceprint data.
• 65% are concerned about stores using the technology to create profiles of customers
  that could cause them harm.

That is a very clever move.

Regarding the potential breaches :

APP1

Choice argues

• retailers’ privacy policies (Appendix B) do not clearly express how the entities manage personal, including sensitive, information obtained through use of facial recognition technologies
• retailers were not forthcoming on how they manage sensitive information obtained through facial recognition technologies. There is a reluctance by the retailers to be clear, transparent and upfront about their privacy practices

Read the rest of this entry »

Today Australian Financial Review reports in Dreyfus pledges sweeping data privacy reforms that the Commonwealth Government will commit to “sweeping reforms” to data privacy laws in the life of this parliament.  That is within at most 3 years.  He also made a similar pledge in an interview with ABC Radio National’s Law Report on 28 June 2022.

This is welcome news although it should be tempered with caution borne of many false dawns in the past.  The commitment is to data privacy laws and not privacy laws per se.  Hopefully the distinction is not significant.  If the reforms ignored legislating a statutory cause of action for interferences with privacy and retained the current regulatory structure where the Information Commissioner was responsible for taking any action for breaches that would be a retrograde step.  Similarly maintaining the multitude of exclusions from the operation of the Privacy Act 1988, such as employment records and the small business exemption (to name but two) and the broadly drawn exemptions within the Australian Privacy Principles would be a matter of concern. Hopefully the Government will consider both the Australian Law Reform Commission Reports For Your Information: Australian Privacy Law and Practice (ALRC Report 108) of 2008 and Serious Invasions of Privacy in the Digital Era (ALRC Report 123) in 2014.  But it is also important for it to consider legislating standards consistent with the General Data Protection Regulation which came into force on 25 May 2018.

The history of privacy reform has been dismal with ample blame to be assigned on all parties.  The Labor Government was selective in accepting and implementing recommendations from the 2008 Australian Law Reform Commission Report.  It could have legislated a statutory cause of action, as was recommended.  There was no good policy reason for Attorney General Dreyfus to commission yet another inquiry into privacy, this time on serious investigations in privacy in the digital era.  It was can kicking.  The issues were no different even if the impact of the digital economy was greater.  The Coalition when in government has done the bare minimum in reforming the Privacy Act 1988.  It made no effort to consider the recommendations of the ALRC 2008 and effectively shelved the Serious Invasions Report when it was completed in 2014.  It instituted a departmental review of the Privacy Act 1988 which has proceeded in a languid fashion.  Why a departmental investigation would be better than 2 ALRC reports is not clear.  The business community have doggedly resisted any form of privacy rights which gives individuals a direct right of action.  The rationale has always been weak but now is just anachronistic.  The Business Council  of Australia lauds the conciliation process run by the Information Commissioner as being largely successful in resolving complaints.  And why wouldn’t the Business Council support the status quo.  The Information Commissioner deals with complaints quietly and settlements are miserly.  It is also a timid regulator.  As business organisations hate the light it is a system that suits malefactors.  And business likes the small business exemption, which makes no logical sense given businesses with a turnover of less than $3 million can hold masses of personal information but is beyond regulation.  Of course media organisations have chosen sectional interest over public good in wanting to retain the media exemption. The Federal Court has not had its finest moments in decisions involving the Privacy Act 1988. The Full Court decision in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 (the Ben Grubb decision) was as wrong headed as it is possible to be in constraining the definition of personal information and regarding data collected by Telstra could not be used to identify Ben Grubb, and therefore be personal information.  It is an analog decision in the digital era. What is also clear is that principles based legislation is not easy to work with.  The terms are vague and the exemptions many.

Against this grim backdrop one can only hope the Government will look as much overseas as with the Australian Law Reform Commission’s recommendation when implementing the reform.  It should also not be afraid of a root and branch change to the Privacy Act 1988.  It is a weak vessel.

The article Read the rest of this entry »

Deloitte Australia has released it 2022 Privacy Index, this year titled Every Breath You Take.  It is a very useful survey, focusing especially on APP 5. The results are sobering.  While some industries perform better than other generally there is a compliance problem. 

The web article provides:

Read the rest of this entry »

The New Zealand Financial Markets Authority (“FMA”) has released an information sheet to assist financial institutions with cyber security. 

The press release provides:

The Financial Markets Authority (FMA) – Te Mana T?tai Hokohoko has published an information sheet to help financial services firms enhance the resilience of their technology and operational systems, and meet any relevant licence obligations. Read the rest of this entry »

The difference between the attitude and the actions of the Federal Trade Commission (the “FTC”) for privacy breaches and failing to implement proper data security and that of Australia is illustrated in the Consent Agreement between the FTC and CafePress regarding the latter’s data breach, its attempted cover up and its dreadful data security. The FTC imposes robust, stringent and long lasting proscriptions while enforceable undertakings in Australia are infrequent, last a short time and impose quite mild constraints on malefactors.  They are worlds apart. 

CafePress was hacked on 20 February 2019 and the data breach compromised more than 23 million accounts.  More than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates was accessed with some of that information available for sale on the Dark Web. 

CafePress carefully did everything wrong after discovering the data breach including:

• while it patched the vulnerability, a month after the breach, it failed to properly investigate the breach for several months despite additional warnings including a warning in April 2019 from a foreign government
• instead of telling customers that  a hacker had illegally obtained CafePress customer account information it instead only told customers to reset their passwords as part of an update to its password policy.
• CafePress did not inform affected customers until September 2019—one month after the breach was reported widely.
• CafePresses lax security practices still left many consumers at risk. It continued to allow people to reset their passwords on the website by answering security questions associated with customer email addresses, which had previously been stolen by hackers.

CafePress was aware of problems with its data security prior to the 2019 data breach. Through at least January 2018, when CafePress discovered that certain accounts of shopkeepers had been hacked. It also experienced several malware infections to its network prior to the 2019 hack but failed to investigate the source of such attacks.

The FTC took action in March 2022 for the data breach and cover up.

Last week the FTC announced a Consent Agreement with Cafe Press.  The obligations under the Agreement will last 20 years and CafePress has to pay a fine of $500,000. 

The FTC Press Release Read the rest of this entry »

The National Institute of Standards and Technology (“NIST”) has released the guidance Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP).

The abstract provides:

The macOS Security Compliance Project (mSCP) provides resources that system administrators, security professionals, security policy authors, information security officers, and auditors can leverage to secure and assess macOS desktop and laptop system security in an automated way. This publication introduces the mSCP and gives an overview of the resources available from the project’s GitHub site, which is continuously curated and updated to support each new release of macOS. The GitHub site provides practical, actionable recommendations in the form of secure baselines and associated rules. This publication also describes use cases for leveraging the mSCP content.

Interesting matters raised Read the rest of this entry »

The National Institute of Standards Technology (“NIST”) has released a very interesting Discussion Easy titled Ideas for the Future of IoT Cybersecurity at NIST: IoT Risk Identification Complexity  and Ideas for the Future of IoT Cybersecurity at NIST: IoT Risk Identification Complexity as a prelude to a seminar, that took place on 22 June 2022.

The abstract provides:

Abstract

Some of the interesting issues Read the rest of this entry »

The US has had a long tradition of commercialising customer lists.  It is curious With that has come the “data broker” putting holders of data in touch with those who are keen to use that data.  In the analog age it was a matter of mild concern, typically with people getting unexpected correspondence and offers.  A common example was someone signing up for a hunting magazine getting offered a membership of the National Rifle Associate.  In terms of scale the problem was real and concerning but not threatening to a person’s privacy.  Most people subscribe to a limited number of publications and it wasn’t until relatively recently the fetish for being required to provide masses of personal information for even the most anodyne activity. 

The digital age and the appreciation of businesses of the advantage of knowing as much about customers or potential customers combined with the vastly improved ability to collect masses of data and process them into useful information has mean the collection of information is key.  And that has led to worrying practices, such as the collection of sensitive and health information.  In that context on 15 June 2022 Senator Elizabeth Warren introduced Senate Bill 4408 to  prohibit data brokers from selling and transferring certain sensitive data was introduced in the U.S. Senate.

Australia has not had a tradition or framework for data brokers but that does not mean there has not been the sale of data from time to time.  Recently the Federal Government has made the transference of data between government agencies and educational institutions much easier.  The privacy protections were added as an afterthought.  It remains a problematical piece of legislation.

The Bill would Read the rest of this entry »

The Markup has published a most extraordinary story, Facebook Is Receiving Sensitive Medical Information from Hospital Websites, where hospitals which had installed the Meta Pixel had collected sensitive personal information and sent it to Facebook.  Meta Pixel is an analytical tool that allows a company to track its website visitors activities. This piece of code helps identify Facebook and Instagram users and see how they interacted with the content on the website . This information can be used to target people with ads based on interests. It used to be called the Facebook Pixel.  The Meta Pixel sends information to Facebook via scripts running in a person’s internet browser, so each data packet comes labeled with an IP address that can be used in combination with other data to identify an individual or household. https://www.natlawreview.com/article/motion-preliminary-approval-accellion-data-breach-settlement-filed-california

A more traditional health data breach was involving the Baptist Medical Center and Resolute Hospital which involved an unauthorised party accessing and exfiltrated data from their network between March 31, 2022 and April 24. The information may have included:

• full name, date of birth, and address
• Social Security number
• health insurance information, such as the name of insurer/government payor and the policy and/or group number
• medical information, such as medical record numbers, dates of service, provider and facility names, chief complaint or reason for a visit, and other visit procedure and diagnosis information
• billing and claims information, such as account and claim status, billing and diagnostic codes, and payor information

Meanwhile at Yuma Regional Medical Centre Read the rest of this entry »