July 1, 2014
Data leakage and identity theft are a constant and ubiquitous problem. Under Privacy Principle 11 of the Privacy Act an organisation or agency has obligations to maintain data security. That deals with hacking or other unauthorised access, use and disclosure of personal information. For a recent example see Cybersecurity expert says little risk from Butler data breach which, despite the headline, reports on hackers accessing records of 163,000 individuals who were students, employees, applicants and alumni of Butler University, Indianapolis, United States.
The other side of the problem is the inadvertent release of information by individuals through phishing, spear phishing and other scams to obtain personal information and use it to defraud, blackmail or extort individuals. The latter situation is highlighted in Personal data sold to scammers on black market.
The ABC report highlights not only the emotional distress associated with sensitive personal information being used against an individual but also the reputational damage done to agencies, in this case the Australian Taxation Office, whose name was used in vain by the scammers. Interestingly the story highlights that last week, 24 June, the Auditor General found that seven government agencies are vulnerable to cyber attacks. Compliance in the private sector is anecdotally quite patchy. Ineffective regulation in the past has led to Read the rest of this entry »
Posted in Privacy
In Gaining Insurance, Losing Privacy the Atlantic reports on a quirk in the provision of health insurance in the United States which compromises individuals' privacy. Many people have health insurance as part of their parents' health plan, usually through work. Accordingly the insurance company sends forms to the policy holder setting out payments under the policy even if those payments relate to treatment of others in the family. Details of treatment provided are sensitive and intensely private information. Providing enough details to another Read the rest of this entry »
Posted in Privacy
June 29, 2014
The current focus on inadvertent data leaks is on losing USB sticks and memory cards and the theft of laptops. The Information Commissioner's Office reports that the loss of documents inadvertently left in a filing cabinet which was then sold to a member of the public is just as much a problem. In Prison service warned after Maze records sold at auction the ICO reports on the prison service of Northern Ireland selling a filing cabinet at auction. The person who purchased the filing cabinet found some very sensitive records regarding the inmate and prison officers. Given the reorganisation of the prison service, with the incident occurring under the watch of the predecessor, and that the incident predated the powers of the ICO to take stronger action, the ICO issued a warning and the Department of Justice entered into an undertaking.
Recycling and selling old office equipment is not a new phenomenon. There needs to be proper Read the rest of this entry »
Posted in Privacy
June 26, 2014
CNN in high tech peeping drone terrifies woman has a report on a drone engaging in privacy invasive conduct, in this case hovering near the window of a resident who was in a state of undress. Such potential has long been acknowledged; the reality is here and is reported upon from time to time. This report highlights the actuality very starkly.
Protections in the US for an individual tend to be greater than in Australia Read the rest of this entry »
Posted in Privacy
Yesterday the US Supreme Court in Riley v California handed down a very important decision on privacy, regarding the right of a police officer to search digital information on the cell phone of a person who had been arrested. Earlier this month the Canadian Supreme Court handed down a privacy related decision in Spencer v R & ors regarding accessing internet search history from an ISP without a warrant. Both are significant and will have a long-lasting impact on their own jurisdictions and beyond. Both should be required reading for those who want a more effective privacy regime in Australia. The underpinnings of each decision, the Bill of Rights in the US and the Canadian Charter and its privacy legislation, differ from those in existence in Australia but the principles and analysis are both apposite.
While a further analysis is required, the key findings in Riley, a unanimous decision, are that:
(a) a warrantless search is reasonable only if it falls within a specific exception to the Fourth Amendment's warrant requirement.
(b) the Court declined to extend the exception to searches of data stored on cell phones. The Court generally determines whether to exempt a given type of search from the warrant requirement "by assessing, on the one hand, the degree to which it intrudes upon an individual's privacy and, on the other, the degree to which it is needed for the promotion of legitimate governmental interests." The search of digital information on a cell phone does not further the government interests and implicates substantially greater individual privacy interests Read the rest of this entry »
Posted in Privacy, Privacy US case Law, US Supreme Court
June 24, 2014
The Washington Post has undertaken a fascinating and comprehensive 3 part report on drones with
The issues in the US are the same as those in Australia: a rapidly evolving technology which is finding more and more uses within the community, and a near paralysis by the Federal Government and regulators in dealing with it. In the US the States are stepping in, for good and bad, and regulating the use of drones in their jurisdictions. In Australia the Civil Aviation Safety Authority has Read the rest of this entry »
Posted in Privacy
June 21, 2014
Under the Privacy Act individuals should have the ability to either be anonymous or use a pseudonym when dealing with organisations or agencies except in some circumstances. Australian Privacy Principle 2 encompasses this entitlement. It provides:
2.1 Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity in relation to a particular matter.
2.2 Subclause 2.1 does not apply if, in relation to that matter:
a. the APP entity is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves; or
b. it is impracticable for the APP entity to deal with individuals who have not identified themselves or who have used a pseudonym.
The exceptions under 2.2 at first glance seem to dilute the effectiveness of APP 2; however, the Privacy Commissioner's Guidelines restrict the claim of impracticability under 2.2(b) to fairly limited types of situations, and to ones where anonymity or pseudonymity is reasonable. It is a very poorly understood and appreciated APP and considerable work will be needed to have organisations comply.
The other issue, which is complementary to the legal right/ability to communicate anonymously, is the technical ability to anonymise Read the rest of this entry »
Posted in Privacy
June 16, 2014
Itnews reports in Domino's Pizza blackmailed over mass data leak that hackers who stole the personal information of its customers, described as 600,000 customer details, want €30,000 for the data. It is a huge breach of data security which was effected through a vulnerability in an old ordering site. If that is the case Domino's has a real responsibility. Organisations which Read the rest of this entry »
Posted in Privacy
June 15, 2014
It would seem that Optus is a bit jealous of Telstra hogging all the limelight on the data breach/privacy interference stage for the last 3 years (see my posts here, here and here), though it has tried to show it was capable of poor data security too (see article here). So, as Fairfax reports in Optus exposes customers' silent listings, it has managed to have a significant data breach not only of customers' personal information generally but of the information of individuals who really don't want their information publicised: those with silent numbers. The very people who specifically ask for their phone details to be kept private have had them published online and also in print editions of the phone book. These are the people who are especially concerned for their privacy, sometimes for exceptionally good reasons, such as personal safety.
According to the story notices were sent out by letter on 2 June but Optus discovered the problem in April. On the kindest assessment that is at least a 4 week delay. With no mandatory data breach notification laws Optus doesn't have to disclose much of anything to the Privacy Commissioner or to clients whose information was the subject of a data breach. Given that the Optus response to enquiries from Fairfax was at best a standard PR Read the rest of this entry »
Posted in Privacy
June 13, 2014
The Federal Trade Commission has recently sought to rein in the excesses of data brokers in the United States (see my post on the subject here). Whether that happens is a matter of conjecture and some scepticism, as the industry is well established and hugely profitable, and the rate of improvement in broad ranging privacy regulation in the United States has been glacial. With improvements in tracking techniques such as onboarding, the use of big data and algorithms, the ability to track individuals on and off Read the rest of this entry »
Posted in Privacy