Peter A Clarke

Protection of children’s privacy has been the subject of increasing focus by regulators worldwide. In Australia under the Privacy and Other Legislation Amendment Act 2024 the Office of the Australian Information Commissioner (OAIC) must develop a Children’s Online Privacy Code by 10 December 2026. The Code will specify how online services accessed by children must comply with the Australian Privacy Principles impose additional requirements provided they are not inconsistent with the existing principles. Legislation protecting children’s privacy has been in place in the United States for some time with legislation including the Children’s Online Privacy Protection Rule (“COPPA”). Recently the Federal Trade Commission (“FTC”) has taken action against Disney and Apitor, a robot toy maker, regarding unlawful collection of their personal information.

Complaint against Disney

Disney has entered into a settlement with the FTC to settle allegations that it enabled the unlawful collection of Children’s personal information in breach of COPPA.  The breach was Read the rest of this entry »

The SBS has published a very interesting piece on the Gena data breach and medical privacy in general with ‘Really angry’: Isabel is one of hundreds considering class action against this IVF provider. The Story reports that Phi Finney McDonald are investigating whether to undertake a class action.

The story highlights the chronic problem of organisations holding personal information much longer than is reasonable.  The health sector is particularly prone to this data hoarding.  There have been cases where the medical practices of patients who have died.  The deceased have no privacy protections but there is no basis for holding onto such records.  It is a systemic problem.  Because the cost of storing digitised personal records is inexpensive and becoming less and less expensive there is little urgency or financial need to purge data bases.  The Genea and Optus data breach reveal that such poor data handling results in personal information being taken which should not have been in the possession of the organisations to start with.  

The Genea data breach also highlights how a poor data breach response plan can aggravate a damaging situation.  Genea initially treated its patients and ex patients poorly,  has been very closed mouthed about the data breach generally and took an inordinate amount of time to properly notify those patients affected.  

The article provides:

Read the rest of this entry »

First it was Bunnings and now KMart have breached the Privacy Act 1988 in the use of facial recognition technology. Today the Privacy Commissioner published the results of a Commissioner instigated Investigation that found K Mart Australia breached Australian Privacy Principles in the collection of personal and sensitive information through facial recognition technology in the period June 2022 to July 2022. The story is covered by Information Age’s article Kmart facial recognition broke privacy laws, regulator finds. It is also covered by the ABC, the Australian Financial Review, Read the rest of this entry »

AI has a voracious appetite for data. The implications of for privacy protection is obvious. What is less known about, or at least discussed, is the danger to privacy from AI agents. This is explained clearly, and concerningly, by the President of the Signal Foundation, Meredith Whittaker in this week’s Economist by Invitation piece AI agents are coming for your privacy, warns Meredith Whittaker. A key concern is that operating systems are integrating AI agents into the core of their platforms so they are mandatory.  It is a particularly apt article for a delicate time in the development of AI technology.  The development of AI cannot be at the expense of privacy.  More to the point, AI can be developed with privacy protections built in.  Not as an afterthought.

The article provides:

SOON WE WILL all have robot butlers, an army of AI agents anticipating our needs and fulfilling our desires. At least, this is the tech promise of the moment. From booking a restaurant to asking your crush on a date, we’ll be able to put our brain in a jar while a bundle of AI systems does our living for us. Why waste time on wooing when you can leave it to your botservant to turn on the charm? In pursuit of this future, the companies that dominate this market are busy injecting AI agents into the nervous system of the digital world. But as in fairy tales, so in life: relying on magical fixes leads to trouble. Read the rest of this entry »

Ransomware is a chronic and growing problem in cybersecurity. It is important that organisations have an understanding of the threat but more importantly properly prepare against an attack. On both counts Australian companies are generally underprepared. The National Institute of Science and Technology (NIST) publishes excellent guides and reports. It’s report 8374 Revision 1, Ransomware Risk Management: A Cybersecurity Framework 2.0 Community Profile, is particularly timely. It is a crucial document that can help organizations bolster their defenses against ransomware threats.

The Abstract provides:

Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore Attackers may also steal an organization’s information and demand an additional payment in return for not disclosing the information to authorities, competitors, or the This Cybersecurity Framework (CSF) 2.0 Community Profile identifies the security objectives from the NIST CSF 0 that support governing management of, identifying, protecting against, detecting, responding to, and recovering from ransomware events.   The Profile can be used as a guide to managing the risk of ransomware events. That includes helping to gauge an organization’s level of readiness to counter ransomware threats and to deal with the potential consequences of This Profile can be leveraged in developing a ransomware countermeasure

The Report starts with a very good description of the challenge Ransomware poses when it stated:

Ransomware is a type of malware that encrypts an organization’s data and demands payment as a condition of restoring access to that data. Ransomware can also be used to steal an organization’s information and demand additional payment in return for not disclosing the information to authorities, competitors, or the public. Ransomware events target the organization’s data or critical infrastructure, disrupting or halting operations and posing a dilemma for management: pay the ransom and hope that the attackers keep their word about restoring access and not disclosing data, or do not pay the ransom and attempt to restore operations themselves. The methods ransomware uses to gain access to an organization’s information and systems are common to cyberattacks more broadly, but they are aimed at forcing a ransom to be paid. Techniques used to promulgate ransomware will continue to change as attackers constantly look for new ways to pressure their victims.

Ransomware attacks differ from other cybersecurity events where access may be surreptitiously gained to information such as intellectual property, credit card data, or personally identifiable information and later exfiltrated for monetization. Instead, ransomware threatens an immediate impact on business operations. During a ransomware event, organizations may be afforded little time to mitigate or remediate impact, restore systems, or communicate via necessary business, partner, and public relations channels. For this reason, it is especially critical that organizations be prepared. That includes educating users of cyber systems, response teams, and business decision makers about the importance of – and processes and procedures for – preventing and handling potential compromises before they occur.

Fortunately, organizations can follow recommended steps to prepare for and reduce the potential for successful ransomware attacks. This includes the following: establish, communicate and monitor ransomware risk strategy, expectations and policy; identify and protect critical data, systems, and devices; detect ransomware events as early as possible (preferably before the ransomware is deployed); and prepare to respond to and recover from any ransomware events that do occur. There are many resources available to assist organizations in these efforts. They include information from the National Institute of Standards and Technology (NIST), the Federal Bureau of Investigation (FBI), and the Department of Homeland Security (DHS).

The Report provides Read the rest of this entry »

Large tech companies have found themslves under close scrutiny of privacy regulators in Europe of late. The latest is the French data protection authority fining Google $379 million and Chinese e commerce operator Shein $150 million for setting advertising cookies without customers consent.

The story is reported by the Hacker News with Google Fined $379 Million by French Regulator for Cookie Consent Violations. 

The story provides:

The French data protection authority has fined Google and Chinese e-commerce giant Shein $379 million (€325 million) and $175 million (€150 million), respectively, for violating cookie rules.

Both companies set advertising cookies on users’ browsers without securing their consent, the National Commission on Informatics and Liberty (CNIL) said. Shein has since updated its systems to comply with the regulation. Reuters reported that the retailer plans to appeal the decision. Read the rest of this entry »

The question of the status of pseudonymised data confounds many and is the subject of some controversy. OVIC published a report The Limitations of De-Identification – Protecting Unit-Record Level Personal Information. In its guidelines the Privacy Commissioner’s guidelines regarding Pseudonymity state that:

2.6Pseudonymity requires that an individual may deal with an APP entity by using a name, term or descriptor that is different to the person’s actual name. Examples include an email address that does not contain the person’s actual name, a user name that a person uses when participating in an online forum, or an artist who uses a ‘pen-name’ or ‘screen-name’.

2.7 The use of a pseudonym does not necessarily mean that an individual cannot be identified. The individual may choose to divulge their identity, or to volunteer personal information necessary to implement a particular transaction, such as credit information or an address at which goods can be delivered. Similarly, an APP entity may have in place a registration system that enables a person to participate by pseudonym in a moderated online discussion forum, on condition that the person is identifiable to the forum moderator or the entity.

2.8 An APP entity should bear in mind that the object of APP 2 is to provide individuals with the opportunity to deal with the entity without revealing their identity. Personal information should only be linked to a pseudonym if this is required or authorised by law, it is impracticable for the entity to act differently, or the individual has consented to providing or linking the additional personal information. An entity could also restrict access to personal information that is linked to a pseudonym to authorised personnel (for a discussion of the security requirements for personal information, see Chapter 11 (APP 11)).

In EDPS v SRB the Court of Justic of the European Union  confirmed that pseudonymised data will not be personal data in all cases. Whether the data is actually personal depends on the context requiring an assessment of all the means reasonably likely to be used to identify the individual.

The Decision

The Court relevantly stated:

The requirement that Read the rest of this entry »

In a Federal Court class action in the United States involving 98 Google users over 174 million devices The jury found for the claimants and awarded the sum of $425 million against Google for breaching users privacy. The breach was Google collecting data from users even after they turned off a tracking feature in Google Accounts. The orginal claim was for $32 billion.  Jury awards in the United States can be eye watering high.  Appeals courts regularly reduce the size of the award if they are not reduced by agreement between the parties.

The story is covered by the BBC with Google told to pay $425m in privacy lawsuit, Reuters with Google must pay $425 million in class action over privacy, jury rules and Tech xplore with Jury tells Google to pay $425 mn over app privacy.

The BBC story provides:

Read the rest of this entry »

Multi factor authentication is a critical part of any cyber security. While it is becoming standard with many larger organisations it is poorly understood and even more poorly implemented. The National Institute of Science and Technology (“NIST”) has released a report on multi factor authentication for Criminal Justice Information Systems. Very specific perhaps but the contents of the report have a broader application.

The abstract provides:

Most recent cybersecurity breaches have involved compromised credentials. Migrating from single-factor to multi-factor authentication (MFA) reduces the risk of compromised credentials and unauthorized access. Both criminal and noncriminal justice agencies need to access criminal justice information (CJI); to reduce the risk of unauthorized access, the Criminal Justice Information Services (CJIS) Security Policy now requires the use of MFA when accessing CJI. This document provides practical information to agencies that are implementing MFA, reflecting on lessons learned from agencies around the country and from CJI-related technology vendors.

The report is worth reading.  Some interesting Read the rest of this entry »

The National Institute of Science and Technology has published the final version of NIST Internal Report (IR) 8349, Methodology for Characterizing Network Behavior of Internet of Things (IoT) Devices. and a draft of NIST IR 8536, Supply Chain Traceability: Manufacturing Meta-Framework.

Understanding the scope of the Internet of things and how the network operates is key to determining its cyber security requirements.   This 47 page report is worth consideration.  The Internet of Things will become more not less ubiquitous and more and not less prone to cyber attacks.  The Supply Traceability paper is also important but more specific and technical.

Internet of Things

The summary provides:

Characterizing and understanding the expected network behavior of IoT devices is essential for cybersecurity; it enables the implementation of appropriate network access controls to protect the devices and the networks on which they are deployed. Device characterization techniques that describe the communication requirements of IoT devices, in support of the NCCoE Securing Home IoT Devices Using Manufacturer Usage Description (MUD) project, can aid in securing devices and their networks. 

To properly secure networks, network administrators need to understand what devices are on the network and what network communication each device requires to perform its intended functions. In the case of networks that include IoT devices, it is often difficult to identify each individual device, much less know what network access is required by each device to other network components (and what access other network components need to each device). Read the rest of this entry »