May 28, 2014
The Federal Trade Commission (the “FTC”) is the primary Federal agency regulating privacy and dealing with breaches. It is a misconception that there is no privacy protection in the USA. Privacy is, however, regulated more on a sector-by-sector basis, and it is weighed against other rights and interests. The distinction between the USA’s approach to privacy protection, in particular of personal information, and that of the European Union is set out in Reconciling Personal Information in the United States and European Union by Daniel Solove, a privacy expert in academe, and Paul Schwartz. The Australian regulation of privacy is more consistent with the European model and legislation. However, the Privacy Act 1988 has significant weaknesses and, as such, privacy protection is less effective than in EU countries.
Yesterday the FTC released a groundbreaking report DATA BROKERS A Call for Transparency and Accountability regarding the operations of and, more importantly, problems with data brokers. It exposes significant problems with transparency and fairness in the way many businesses collect, use and disclose personal information.
The press release neatly summarises the issues and the need for Federal Legislation to properly regulate the industry. It provides:
In a report issued today on the data broker industry, the Federal Trade Commission finds that data brokers operate with a fundamental lack of transparency. The Commission recommends that Congress consider enacting legislation to make data broker practices more visible to consumers and to give consumers greater control over the immense amounts of personal information about them collected and shared by data brokers.
The report, “Data Brokers: A Call for Transparency and Accountability” is the result of a study of nine data brokers, representing a cross-section of the industry, undertaken by the FTC to shed light on the data broker industry. Data brokers obtain and share vast amounts of consumer information, typically behind the scenes, without consumer knowledge. Data brokers sell this information for marketing campaigns and fraud prevention, among other purposes. Although consumers benefit from data broker practices which, for example, help enable consumers to find and enjoy the products and services they prefer, data broker practices also raise privacy concerns.
“The extent of consumer profiling today means that data brokers often know as much – or even more – about Read the rest of this entry »
Posted in Federal Trade Commission, Privacy
The Age, in The Duchess of Cambridge in another privacy scandal, reports on the German magazine Bild publishing an embarrassing photograph of the Duchess of Kent. The Duchess has been the subject of long lens photography for a while now. Some photographs have clearly been the result of a deliberate attempt to get her picture at a moment when she and everyone else would know she had a reasonable expectation of privacy. The most notorious incident was her being photographed at a private resort in France in 2012 (recounted below). Facts are always critical in determining what is or is not private and what expectation of privacy is reasonable. A fashion malfunction, to use the euphemism, in a relatively public place is not the same as being Read the rest of this entry »
Posted in Privacy
The Guardian has kept up a fairly consistent interest in privacy issues. Little wonder, given it was involved in releasing much of the material leaked by Snowden, he who went from a low/mid level employee of the NSA to the biggest whistleblower of the current century. The Guardian, in Drones investigation: keeping up with the droneses, part one – video, has produced a video of 4 minutes or so on drones. It is topical and quite informative. It doesn’t add anything to the coverage to date but it is a very interesting synopsis, in particular of the privacy implications.
Posted in Privacy
May 22, 2014
The internet interface with an organisation’s data, whether held within the organisation or in the cloud, is always a potential target for hackers. For those whose business is largely or exclusively online and who hold significant amounts of customers’ personal information, the consequences of a data breach in the form of a hacking attack can be immense, both reputationally and financially. eBay suffered damage to at least the former and probably the latter. The unauthorised access to customers’ data occurred in the late February to early March period, around 3 months ago. There will be questions about the delay in notifying its clients of this breach. In the USA there are no mandatory Federal data breach notification laws, although most states have such laws in place. In Australia there are no mandatory data breach notification laws, although there should be. In the last sitting week of the last Parliament such a Bill came very close to being read a second time in the Senate and passed; however, the Bill lapsed when Parliament was prorogued.
In the context of Australian Privacy Law a significant hacking attack does not, of itself, result in a breach of the Australian Privacy Principles. That is clear from the guidelines. That said if Read the rest of this entry »
Posted in Privacy
May 20, 2014
Fitbits, pedometers and other fitness trackers, whether wearable wristbands, phone apps or other devices, are becoming a regular feature of the keen, the fit and a few of the tragics. What they all do is collect, analyse and disseminate data. The level of sophistication has improved markedly over time, as has the audience for that data. The more sensitive data goes to third parties, the greater the potential for serious privacy intrusions. The Washington Post, in Privacy advocates warn of ‘nightmare’ scenario as tech giants consider fitness tracking, raises the issue of fitness apps and the data they generate causing severe privacy problems.
Data about heart rate, weight and whatever details are keyed in by the user is personal information if it can be tied to an identified person. It is probably sensitive information for the purpose of the Privacy Act. Third parties having access to that data is a very serious issue.
The article provides:
Fitness tracking apps and devices have gone from an early adopter novelty to a staple of many users’ exercise routines during the past few years — helping users set goals and measure progress over time. Some employers even offer incentives, including insurance discounts, when workers sign up.
“There’s been a tremendous amount of evolution in the app space, both generally and in the fitness app,” since she joined the Federal Trade Commission six years ago, Senior Staff Attorney Cora Han acknowledges. “It’s a completely different landscape.”
But as several major tech companies appear poised to disrupt that landscape, privacy advocates warn Read the rest of this entry »
Posted in Privacy
LifeLock’s homepage says it all: “Protecting Your Identity in an Always-Connected World. Comprehensive identity theft protection from LifeLock helps safeguard your finances, credit and good name. In today’s always-connected world, that’s more important than ever.” The core of its business is data security.
In a post of 16 May LifeLock’s CEO explained that LifeLock’s mobile app is not secure. Technically, it is not compliant with the payment card industry security standards. The potential for a data breach was too great a threat to tolerate. Accordingly the apps have been withdrawn and data deleted.
It is a salient example of why businesses must take as much care with developing their mobile apps as they do with any other aspect of their data security architecture. If anything the care should be greater, given the additional threats of data loss that mobile use brings, such as interception across unsecured Wi-Fi networks.
In the Australian context a business, particularly a large operation whose core activity is data storage and protection, that fails to comply with minimum industry standards relating to security would run the risk of breaching APP 11 at minimum.
The post provides:
One thing I’ve learned in business and, for that matter, life is the importance of authenticity and transparency.
With that in mind, I want to make you aware of an issue that we identified related to our recently acquired LifeLock Wallet application. We have determined that certain aspects of the mobile app may not be fully compliant with payment card industry (PCI) security standards.
For that reason, we are removing the LifeLock Wallet application from the App Store, Amazon Apps, and Google Play, and when users open the LifeLock Wallet, their information will be deleted Read the rest of this entry »
Posted in General, Privacy
May 19, 2014
Privacy regulators have undertaken a review of mobile apps. And not before time. While mobile apps are becoming a necessary part of marketing a business, accessing services and collecting data for business, they are also an easy highway into personal data for those whose motives are less than pure. App developers are often the weak link in data security.
The French Data Protection Authority reviewed 100 mobile apps during an internet sweep. This was part of a global enforcement sweep which was announced on May 6 (found here) which provides:
OTTAWA, May 6, 2014 — The exploding popularity of mobile applications is raising a number of privacy concerns, prompting the Global Privacy Enforcement Network (GPEN) to focus its 2014 international Privacy Sweep on mobile apps.
The Sweep from May 12 to 18, 2014, involving 27 privacy enforcement authorities from around the world, is aimed at shedding light on the collection and use of personal information on mobile apps.
“The number of mobile applications offered to consumers is growing at an astonishing rate and many of them collect a great deal of personal information,” says Chantal Bernier, Interim Privacy Commissioner of Canada.
“It is important that consumers have Read the rest of this entry »
Posted in Privacy
May 18, 2014
The Age reports, in Australians targeted in hacker raids, on a crackdown against computer hackers using the Blackshades program for illegitimate purposes.
The article provides:
Australian authorities have joined a co-ordinated global crackdown on computer hackers who use software known as Blackshades for sinister purposes.
Hackers in Australia, Canada, Asia and Europe have flooded chatrooms, online forums and websites in recent days complaining about their homes being raided and Read the rest of this entry »
Posted in Privacy
May 15, 2014
Portals of whatever description, government or business, are key entry points to data storage systems. Weak data security, program flaws or just obsolete structures may result in a site being hacked and personal information compromised. Verizon in its 2014 data breach investigations report found there were 63,000 confirmed security incidents and over 4,000 breaches worldwide. A breach that follows known security flaws raises the prospect of a breach of APP 11 of the Privacy Act.
The Sydney Morning Herald reports, in Revealed: serious flaws in myGov site exposed millions of Australians’ private information, that the much vaunted myGov website has a serious security weakness. The potential danger of interference with sensitive personal information is clear. APP 11 makes it clear that Read the rest of this entry »
Posted in Privacy
May 14, 2014
Last night’s budget held an unwelcome development for the Information Commissioner’s office: there will be no Information Commissioner come 1 January 2015. The Privacy Commissioner, a statutory office, will move to the Human Rights Commission and work out of Sydney.
The OAIC were well and truly quick off the mark in the legacy exercise with a statement (found here) which provides:
We acknowledge the Australian Government’s Budget decision on Tuesday 13 May 2014 to disband the Office of the Australian Information Commissioner (OAIC) by 1 January 2015.
We note that the Freedom of Information Act 1982 (FOI Act) and the Privacy Act 1988 (Privacy Act), which confer valuable information rights on the Australian community, will continue to operate (as amended to reflect the abolition of the OAIC). The Privacy Act will continue to be administered by the Privacy Commissioner and supporting staff from an office based in Sydney. The Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy