Meta companies ordered to pay $20 million for misleading consumers on the use of their personal information (and other data). Australian Competition and Consumer Commission v Meta Platforms Inc [2023] FCA 842

July 27, 2023

It seems now that the Australian Competition and Consumer Commission (ACCC) has taken a real interest, and a lead, in responding to egregious data collection practices. Its Digital Platform Services Inquiry has been influential, it has made submissions to the review of the Privacy Act and now it has successfully brought a claim in Australian Competition and Consumer Commission v Meta Platforms Inc [2023] FCA 842. Meta subsidiaries were found to have misused personal information. At paragraph 2 his Honour summarised the issue thus:

Onavo and Facebook Israel admit contraventions of ss 18 and 33 of the Australian Consumer Law, contained in Schedule 2 of the Competition and Consumer Act 2010 (Cth) (CCA). The contraventions occurred during the period from 1 February 2016 to 31 October 2017 (Available Period), when Onavo and Facebook Israel advertised and promoted Onavo Protect on the Play Store and App Store in Australia (in the form set out in Schedule A to the orders) (the Listings), without making disclosures to Australian consumers that were sufficiently prominent and proximate to those Listings that data collected from users of Onavo Protect would be used for purposes other than providing Onavo Protect. While Onavo Protect was advertised and promoted as protecting users’ personal information and keeping their data safe, in fact, Facebook Israel and Onavo used the app to collect an extensive variety of data about users’ mobile device usage. An anonymised and aggregated form of that data was provided to their parent company, Meta Platforms Inc (Meta), and used by Meta for a range of commercial purposes.

The ACCC media release, $20m penalty for Meta companies for conduct liable to mislead consumers about use of their data, provides:

The Federal Court has ordered two subsidiaries of social media giant Meta, Facebook Israel and Onavo Inc, to each pay $10 million for engaging in conduct liable to mislead in breach of the Australian Consumer Law, in an action brought by the ACCC.

The Court declared that the two companies engaged in conduct liable to mislead the public in promotions for the Onavo Protect app, by failing to adequately disclose that users’ data would be used for purposes other than providing Onavo Protect, including Meta’s commercial purposes.

Attorney General’s Privacy Act Review Report: Chapter 11, consent. Review, analysis and consideration.

July 25, 2023

Chapter 11 of the Privacy Act Review Report considers the operation of consent under the Privacy Act and possible reforms.  

The issue of consent regarding the handling of personal information is vexed, not just in Australia but throughout the jurisdictions which have data protection laws. The concern is that all too often the consent given is not the product of true agreement. Few people read privacy notices before consenting. The terms are often lengthy, drafted in complex legalese, and the provisions relating to the collection, use and disclosure of personal information are buried deep in the notices. If a person wishes to use a service they must consent to the terms and conditions set out in the service provider’s or retailer’s privacy notice. Is there really consent if the service is critically necessary? For example, Barristers Chambers Limited sent all Victorian barristers terms and conditions with a requirement that they be agreed to by 30 June. If the box wasn’t ticked, no email services hosted by Barristers Chambers Limited. The permissions given to the provider are extensive and, in part, quite ridiculous. Onerous doesn’t begin to describe them. They seem to be inspired by the mill owners of 18th century England. There is no way I would advise a client to accept them if given a choice. But like all barristers I need to be on the Barristers Chambers network. So I signed up to them. And hope for the best. Which will probably be the case. That doesn’t make the terms and conditions any more reasonable.

Some experts are sceptical that proper consent can ever be effected. In an excellent paper published earlier this year, Murky Consent: An Approach to the Fictions of Consent in Privacy Law, David Solove suggested a way of accepting the inadequacy of consent while still achieving a satisfactory outcome. The abstract provides:

Consent plays a profound role in nearly all privacy laws. As Professor Heidi Hurd aptly said, consent works “moral magic” – it transforms things that would be illegal and immoral into lawful and legitimate activities. Regarding privacy, consent authorizes and legitimizes a wide range of data collection and processing.

There are generally two approaches to consent in privacy law. In the United States, the notice-and-choice approach predominates, where organizations post a notice of their privacy practices and then people are deemed to have consented if they continue to do business with the organization or fail to opt out. In the European Union, the General Data Protection Regulation (GDPR) uses the express consent approach, where people must voluntarily and affirmatively consent.

Both approaches fail. The evidence of actual consent is non-existent under the notice-and-choice approach. Individuals are often pressured or manipulated, undermining the validity of their consent. The express consent approach also suffers from these problems – people are ill-equipped to make decisions about their privacy, and even experts cannot fully understand what algorithms will do with personal data. Express consent also is highly impractical; it inundates individuals with consent requests from thousands of organizations. Express consent cannot scale.

In this Article, I contend that in most circumstances, privacy consent is fictitious. Privacy law should take a new approach to consent that I call “murky consent.” Traditionally, consent has been binary – an on/off switch – but murky consent exists in the shadowy middle ground between full consent and no consent. Murky consent embraces the fact that consent in privacy is largely a set of fictions and is at best highly dubious.

Abandoning consent entirely in most situations involving privacy would involve the government making most decisions regarding personal data. But this approach would be problematic, as it would involve extensive government control and micromanaging, and it would curtail people’s autonomy. The law should allow space for people’s autonomy over their decisions, even when those decisions are deeply flawed. The law should thus strive to reach a middle ground, providing a sandbox for free play but with strong guardrails to protect against harms.

Because it conceptualizes consent as mostly fictional, murky consent recognizes its lack of legitimacy. To return to Hurd’s analogy, murky consent is consent without magic. Instead of providing extensive legitimacy and power, murky consent should authorize only a very restricted and weak license to use data. This would allow for a degree of individual autonomy but with powerful guardrails to limit exploitative and harmful behavior by the organizations collecting and using personal data. In the Article, I propose some key guardrails to use with murky consent.

Consent is currently only required under the Act for a limited range of collections, uses and disclosures of personal information, such as the collection of sensitive information, and may also allow APP entities to use or disclose personal information for a secondary purpose. Consent may be relied on to authorise the use or disclosure of personal or sensitive information for the purposes of direct marketing in certain circumstances, or as a basis for cross-border disclosures of personal information.

In the Act consent can be

Another instalment in the HWL Ebsworth data breach…this time highly sensitive Victorian government files leaked. The firm has finally provided an update and will provide updates every Thursday at noon.

July 17, 2023

HWL Ebsworth’s woes continue with another announcement of what documents were stolen. This time it is Victorian Government files, according to ‘Highly sensitive’ Victorian government files leaked online by HWL Ebsworth law firm hackers. Not to be outdone, Queensland also says its files were taken in the data breach. Meanwhile the Fair Work Ombudsman has released a statement.

The statement provides:

On 8 May 2023, national law firm HWL Ebsworth reported a cyber incident involving a data breach and possible unauthorised disclosure of personal information to the dark web.

Documents relating to a limited number of our (the Fair Work Ombudsman’s) files were included in the breach experienced by HWL Ebsworth.

Importantly, none of our systems have been compromised by the cyber incident.

We’re working with HWL Ebsworth to ensure individuals affected by the data breach are notified as a priority. Support and assistance will be provided to these individuals.

The Department of Home Affairs is investigating the extent of the breach, including exposure of the Australian Government’s information including personal information.

We’re also working with HWL Ebsworth to understand what information of ours may have been disclosed. We take our obligations under the Privacy Act 1988 seriously and we’re committed to ensuring appropriate systems are in place to maintain the privacy and the protection of personal information.

HWL Ebsworth released a statement on Friday. It has finally adopted a sensible approach when dealing with the public, especially those affected or just concerned. To date the firm has been secretive and inward looking. That is entirely the wrong approach. But then again, having a cyber security system that fails to detect the wholesale theft of data by a hacker operating under one person’s authorisation shows that Ebsworth has a long way to go in getting its cyber house in order.

The statement is clearly curated by a cyber

European Agency for Cybersecurity finds that ransomware accounts for 54% of cybersecurity threats in the health sector.

July 7, 2023

The health sector in every jurisdiction is a high priority area of interest for hackers. Hospitals, health centres and other facilities in the sector are notorious both for their troves of personal information and for very poor privacy practices. Because the information is highly sensitive, there is often pressure to respond to hackers’ demands. That is why it is not surprising that the European Union Agency for Cybersecurity found that ransomware accounts for 54% of threats to the health sector.

The press release

Another breach of privacy involving the online distribution of explicit photos of AFL players. With a twist: some of the photos may be deep fakes

July 6, 2023

Another week, another scandal involving the AFL. This time it is not the fault of the organisation. The ABC reports in AFL investigates distribution of explicit images of past and present players online that explicit images of more than 45 players and former players have been circulated. The AFL is investigating, according to its statement AFL investigating, police aware after nude photos of ‘more than 45 players’ leaked. In addition, Victoria Police and the eSafety Commissioner have been notified. The role the AFL can play is constrained by its limited powers. Through technical experts it may, but not certainly, find the source of the photos and possibly where the photos were sent. If AFL employees or members of AFL clubs were involved it has disciplinary powers. But beyond that its powers are limited. It can’t arrest anyone, it can’t enter premises with a warrant to search them, and any interview with someone has to be voluntary. The police have traditionally had a monopoly on those powers. A number of the regulators in this area have been given some coercive powers. The eSafety Commissioner has a page on its website devoted to image-based abuse.

This type of problem is not new. As The Conversation highlights in In the 19th century, a man was busted for pasting photos of women’s heads on naked bodies … sound familiar?, creating false images to titillate or humiliate has only ever been limited by the technology and the imagination of users. Modern technology, especially the use of deep fake websites, has

Newly appointed cyber security tsar reports that sensitive personal and government information stolen from HWL Ebsworth has been posted on the dark web

July 5, 2023

The Australian Cyber Security Coordinator, Darren Goldie, has confirmed in a statement that the HWL Ebsworth data breach has resulted in personal information and government information being posted on the dark web. This is confirmation of what has been known for some time. It is covered in the Australian article HWL Ebsworth hack: ‘Sensitive personal and government information’ published on dark web, Darren Goldie reveals. It is also covered by Cyber Security Connect with New national cyber security coordinator releases statement on HWL Ebsworth hack.

The information provided by the cyber tsar adds little that is not already known to those following this story. Given that BlackCat has so far published only 1.4 terabytes of the 4 terabytes of data stolen, there will be more uncomfortable moments for HWL Ebsworth in the coming weeks and months.

To put matters into a broader context, IT Governance has reported that in June 2023 there were 79 reported data breaches worldwide involving 14,353,113 records. It provided a brief summary of data breaches, stating:

Number of data breaches in June 2023: 79

Breached records in June 2023: 14,353,113

Number of data breaches in 2023: 607

Number of breached records in 2023: 466,078,044

Biggest data breach of 2023 so far: Twitter (220 million breached records)

Biggest data breach in the UK: JD Sports (10 million breached records)

Most breached sectors: Healthcare (175), education (106), public (72)

The number of records compromised in the HWL Ebsworth data breach is shrouded in secrecy. An injunction will do that. The three biggest known data breaches in June 2023, in terms of records compromised, were:

  • The Oregon and Louisiana departments of motor vehicles, which involved the compromise of data on all Louisianans with a state-issued driver’s license, ID or car registration. The Oregon Department of Motor Vehicles estimates that data on 3.5 million driver’s licenses and identity cards was compromised.
  • Genworth Financial, which was affected by the MOVEit breach, with at least 2.5 million records exposed in the attack. Also compromised was the California Public Employees’ Retirement System, with 769,000 of its members affected.
  • Wilton Reassurance, which was also affected by the MOVEit breach, which compromised the records of 1,482,490 of its members.


Federal Trade Commission finalises order against Edmodo for unlawfully using children’s personal information for advertising and other purposes.

July 3, 2023

The protection of children’s privacy has been a focus of enforcement action in the United States. For good reason. There is a real problem with some companies collecting and using personal information of minors.

The Department of Justice and the Federal Trade Commission have entered into orders with Edmodo whereby Edmodo consented to a permanent injunction to prevent future violations of children’s privacy. In Edmodo’s case the claim was that it collected the personal information of children under 13 without any notice to the children’s parents or obtaining parental authorization. It used this personal information to enable third-parties to display targeted advertising to student users.

The press release provides:

The Department of Justice, together with the Federal Trade Commission (FTC), today announced that Edmodo, LLC (Edmodo) has agreed to a permanent injunction and a $6 million civil penalty in connection with its online educational platform, as part of a settlement to resolve alleged violations of the Children’s Online Privacy Protection Act (COPPA), the Children’s Online Privacy Protection Rule (COPPA Rule), and the Federal Trade Commission Act. The civil penalty is suspended due to Edmodo’s inability to pay.

The Edmodo educational platform, sold to schools throughout the United States, enabled teachers to interface with students, including children under 13 years old, to host virtual class spaces, conduct discussions, share materials, make assignments, and provide quizzes and grades, among other things. In a complaint filed in the U.S. District Court for the Northern District of California, the government alleges that, until approximately September 2022, Edmodo collected the personal information of children under 13, including their names, email addresses, phone numbers, device information, and IP addresses. Edmodo allegedly collected such information without providing notice to the children’s parents or obtaining parental authorization to collect such personal information, as required by the COPPA Rule, and used this personal information to enable third-parties to display targeted advertising to student users between 2018 and September 2022.

The complaint further asserts that Edmodo was retaining this personal information indefinitely. As of March 2020, Edmodo retained the personal information associated with approximately 36 million student accounts, of which only one million were actively using the platform. This indefinite retention violated COPPA’s requirement that an operator not retain personal information of children for longer than “reasonably necessary to fulfill the purpose for which [the information] was collected.”

Pornhub accused of illegally collecting data from users

July 2, 2023

Even users of porn deserve their privacy. Especially users of porn. That doesn’t seem to be a viewpoint shared by Pornhub. It has been illegally collecting masses of its users’ data. There is an excellent story in Wired with Pornhub Is Being Accused of Illegal Data Collection. It has also been picked up by Mashable with Pornhub accused of abusing user data, cybernews with Pornhub accused of illegal data collection in Europe and VPN Overview with Pornhub’s Data Practices Violate EU Privacy Laws: Complaint.

The complaints are serious: inadequate consent, opacity about how it shares the data it collects, and arbitrarily assigning its users sexual preferences without their consent.

This is not the first time that Pornhub has failed to protect its users’ privacy. The Canadian House of Commons’ Standing Committee on Access to Information, Privacy and Ethics published a report in June 2021 titled Ensuring the Protection of Privacy and Reputation on Platforms such as Pornhub.

The Wired article