Article on mobile apps and privacy

May 14, 2014

Mobile apps are notorious for being gateways into an organisation’s records.  The quality of data security is generally poor.  Sometimes worse than that.  Privacy regulators have been alive to this for some time.  Security experts for a lot longer.  But the relentless desire to be relevant online and the high expectations of consumers to access services, products or information have meant that mobile apps are becoming ubiquitous. The problem is that the security architecture rarely takes first, second or third priority in the design and project expenditure.

There is another issue with mobiles, their apps and privacy in terms of information police can access without a warrant.  This issue is considered by the Economist in There’s no app for that which provides:

SUPREME Court oral arguments, some scholars say, are all show. The justices don their robes, stroke their chins and lob their questions at silver-tongued lawyers for an hour, and then vote just the way they would have voted anyway. According to Jeffrey Segal and Harold Spaeth, political scientists who study the Court, judicial “attitudes”, not the subtleties of legal principles, matter most in the justices’ decisions. Oral argument does not “regularly, or even infrequently, [determine] who wins and who loses.”

If the justices Read the rest of this entry »

Privacy Commissioner’s speeches during Privacy Week

During Privacy Week the Privacy Commissioner gave, or at least published on the OAIC website, 3 speeches: Mapping data breach notification, Privacy matters and Defining the sensor society.

They relevantly provide:

Defining the sensor society

It’s a pleasure to be here to speak to you today for Privacy Awareness Week, especially with so much going on in the privacy sphere lately.

Defining the sensor society is an ambitious and important topic for a two day conference. As Australia’s Privacy Commissioner, you will not be surprised to learn that, in my view, any discussion of this topic should have privacy and the protection of personal information at its core. And so I am encouraged to see that is the case in a number of the presentations that you will hear over the next two days.

Privacy is rarely out of the news these days. The media continues to report on exciting new technologies as well as on activities that raise privacy questions and Read the rest of this entry »

Privacy and the importance of encryption

May 7, 2014

This week is Privacy Week around the world.  It is then appropriate that Pro Publica has published Privacy Tools: Encrypt What You Can.  The revelations about NSA activities in the last 12 months make it clear that some encryption programs and keys are not foolproof against government agencies, but for most users encryption has to be a fundamental plank of a data security framework.  Not just encryption of emails and stored data but encryption of mobile storage devices, especially USB sticks.  The number of unencrypted devices that are lost and data exposed is quite staggering.  As can be the consequences of such a breach.  The legal liability is obvious as is the acute Read the rest of this entry »

Privacy Commissioner issues a guide to developing an APP Privacy Policy

May 5, 2014

As part of Privacy Awareness Week the Privacy Commissioner has released a guide to developing an APP privacy policy.  The Privacy Policy, if drafted properly, should be the cornerstone of a compliance structure under the Privacy Act.  To prepare a privacy policy which actually fulfills the requirements of APP 1, an APP entity will need to understand the nature of the data it collects, uses and discloses, the data flows and how it properly manages that data, including the programs, protocols and training in place.  A privacy policy is not a pro forma where an organisation fills in a gap here and completes a sentence there.  Organisations handle information in different ways, depending on the type of business/activity and the way it has developed over time.  That said, some organisations have had professionals offer them a package involving a privacy policy which could only be done in the most general terms.  That misses the point, doesn’t comply with the guide, doesn’t come close to complying with the APPs and has no relationship to the privacy by design concept. The guide makes it clear that more is expected of privacy policies than is commonly the case.  The real impact of the guide is the proactive steps the Privacy Commissioner takes to have organisations meet the minimum standards.  With greater enforcement powers as of March 2014 he will Read the rest of this entry »

Article on anonymity and pseudonymity – and connection with APP 2

April 29, 2014

Australian Privacy Principle 2 provides that an organisation or agency should provide individuals with an opportunity to be anonymous or use a pseudonym except in specific situations.  It is not the default position of many organisations.   The benefits of anonymity and pseudonymity are rarely enunciated outside the tech zone.

In We Need Online Alter Egos Now More Than Ever, Wired, per Judith Donath, eloquently sets out the benefit of online alter egos (or pseudonymity, in more technical terms).  It provides:

Online, I use my real name for many things. But sometimes, I prefer to use a pseudonym. Not because I want to anonymously harass people or post incendiary comments unscathed; no, I simply want to manage the impression I make, while still participating in diverse conversations and communities.

“Hold on!” some of you are saying. “Writing under a fake name is a form of lying. It’s cowardly and the tactic of bullies and trolls. We need to make people use their real names online to ensure civility and trust.” Indeed, whenever a new controversy about cyberbullying or anonymous rumors arises, a frequently offered “solution” is to ban anonymous comments and insist that people use real names. But this approach focuses on the wrong issue and Read the rest of this entry »

Article on the weakness of Australian Government internet security

April 28, 2014

The Sydney Morning Herald in Australians’ private government details at mercy of hackers, say IT security experts reports on the flimsy state of IT security at government portals.  It is a sobering piece and one that should put large corporations on notice. Government traditionally devotes more resources to internet security than the private sector, banking and finance being a possible exception.

The article provides:

The private records of millions of Australians – including their doctor visits, prescription drugs, childcare and welfare payments – are at the mercy of cyber criminals because of flimsy IT security around a critical federal government website, IT security experts warn.

And they say the risk will increase from the middle of the year, when the government will make it compulsory for Australians to use the my.gov.au website to lodge their electronic tax returns, potentially also exposing their financial and banking records to hackers.

The myGov site is used by 2.5 million Australians to access Read the rest of this entry »

Private investigators convicted of unlawfully obtaining personal information in the UK with significant fines imposed

April 26, 2014

Personal information is the lifeblood of skiptracers, private investigators and debt collectors.  That information allows individuals to be traced and, often, harassed.  The use of social engineering to extract personal information is part of the dark arts used by less ethical operators.  The UK Information Office reports on illegal social engineering used to extract personal information by trickery.

The Information Office’s press release (found here) provides:

Two men who ran a company that tricked organisations into revealing personal details about customers have today been found guilty of conspiring to breach the Data Protection Act.

Barry Spencer, 41, and Adrian Stanton, 40, ran ICU Investigations Ltd in Feltham, Middlesex. The pair were convicted at Isleworth Crown Court of conspiring to unlawfully obtain personal data. Five employees of the company Read the rest of this entry »

Revelations of parliamentarian’s past raises privacy question

April 24, 2014

Digging into the past of a political opponent has been a practice Read the rest of this entry »

Verizon releases its 2014 Data Breach Investigations Report

April 23, 2014

Verizon has been publishing annual reports of data breaches since 2000.  It is a very useful publication as it quantifies data breaches and security incidents, both overall and by industry.  It also maps trends and threats.  For those interested in information security and privacy it should be mandatory reading.  If there is any time left in the day, the Cisco annual security report is also a very useful resource (found here).  Both are invaluable for privacy practitioners in preparing policies, training programs and protocols following the Privacy By Design methodology to comply with the Australian Privacy Principles in particular and the Privacy Act 1988 in general.

The 2014 Verizon report (found here) states that there have been 1,367 confirmed data breaches with 63,437 security incidents.

The Canberra Times has a piece on the report, Revamped Verizon security report to help funnel funds into the right holes, which provides as follows:

Cyber security threats vary according to industry sector, a report has found.

After analysing more than 63,000 security incidents that took place in 2013, Verizon’s annual Data Breach Investigations Report, used by corporations and governments worldwide as a benchmark of cyber security, or lack thereof, has come to a new conclusion.

The 2014 edition released on Tuesday analysed more than 63,000 incidents and 1361 data breaches as reported by 50 organisations in 95 countries, including computer emergency response teams (CERTs) and law enforcement agencies.

Rather than isolating one or two main attack vectors, the analysis was able to Read the rest of this entry »

Department of Veterans Affairs apologises for privacy breach

April 22, 2014

The Australian in Apology to veteran for privacy breach reports on what appears to be a fairly serious privacy breach by the Department of Veterans Affairs.

It provides:

THE Department of Veterans Affairs has apologised to a former army sergeant after a private company employed by the federal government obtained confidential information about his claim for medical compensation.

The admission has brought Read the rest of this entry »