Yet another data breach in the UK police force... this time hackers attack the Met

August 29, 2023

If it wasn’t for bad luck the various UK police services would have no luck at all. The Times reports that the Metropolitan Police have suffered a data breach. This time the photos, names and rank of 47,000 personnel may have been exposed to hackers. The means of entry to the Metropolitan Police’s data was through a compromised IT system of a contractor engaged to print police warrant cards. The implications of this data breach are particularly serious and multi-pronged. Not only do the hackers have details of police officers and their warrant card numbers, but there is also the potential for false warrant cards to be created.

Hackers regularly use third-party contractors as a means of gaining access to the intended target, or of obtaining data belonging to the intended target. Small contractors tend to have less effective and less extensive cyber security defences, and large businesses use a lot of contractors.

The Times article Read the rest of this entry »

Not wanting to be left out of data breaches, Cumbria Police admits to a massive data breach involving the leak of names and salaries of staff online

August 22, 2023

It has been a bad month for the police in the United Kingdom, privacy-wise at least. The Northern Ireland Police Service has suffered a significant data breach. Cumbria Police said that on March 6 it found out that information about pay and allowances had been uploaded to its website following a “human error”. The force’s admission comes after an “industrial scale breach of data” in Northern Ireland this week which saw some details of around 10,000 officers and staff published online for a number of hours.

The Norfolk Police data breach involved the personal details of 1,230 victims of abuse being shared accidentally. The breach occurred because of poor data handling, with the data being attached to a response to a Freedom of Information request. This has attracted the early attention of the Information Commissioner’s Office.

Most of the recent data breaches involving the loss of data from various police forces in the United Kingdom related to human error rather than criminal activity by hackers. In short, poor privacy practices. It highlights the need for proper training and processes. That is particularly the case for police, where the data is almost invariably Read the rest of this entry »

UK Information Commissioner opens consultation on development guidance on the use of biometric data

In keeping with the times, and with speed, the UK Information Commissioner has commenced the process of developing guidance on the use of biometric data. The draft guidance is found here.

The guidance details how data protection law will apply to the use of biometric data in biometric recognition systems. To that end it is aimed at organisations that use, or are considering using, biometric recognition systems.

Of note, the draft covers:
  • the definition of biometric data and special category biometric data;
  • how biometric data is used in biometric recognition systems; and
  • the legal data protection requirements when using biometric data including when a Data Protection Impact Assessment (DPIA) is required.

Helpfully the guidance Read the rest of this entry »

Woman wins $1.2 billion in revenge porn case

August 16, 2023

In Texas a woman has won an award of $1.2 billion in a judgment where she claimed she had been the victim of revenge porn. The allegation was that her ex-boyfriend posted intimate images of her online to humiliate her. This follows a decision in 2021 when a judge ordered a former boyfriend to pay $500,000 for posting nude photographs and videos of his girlfriend on a pornography site. In that case the court also ordered the former boyfriend to remove the images and destroy them, failing which he would be found in contempt of court.

The BBC’s coverage provides:

A Texas jury has awarded a woman $1.2bn (£944m) after ruling that she was the victim of revenge porn.

The woman, who was named only by the initials DL in court documents, filed a harassment lawsuit against her former boyfriend in 2022.

Read the rest of this entry »

Two serious data breaches in the UK highlight the serious consequences that come from data breaches

August 14, 2023

It has been a dreadful week for cyber security in the United Kingdom. First, on 8 August the UK Electoral Commission publicly announced that it had detected access to its data in October 2022. It determined that the first attack had occurred in August 2021. The attackers gained access to its electoral registers, holding information on registered voters between 2014 and 2022. That has prompted an investigation by the Information Commissioner. Given the Read the rest of this entry »

Australian Community Attitudes to Privacy Survey released and results are consistent with overseas findings… that privacy is seen as important, there is unease about how personal information is collected and used, there is distrust of government and business in their attitude to privacy, and data breaches are a major concern. These are hardly new findings. It is just that not much is done to fix the problems

August 13, 2023

The Office of the Australian Information Commissioner has released the Australian Community Attitudes to Privacy Survey (ACAPS) 2023, which provides a comprehensive view of Australians’ privacy attitudes and experiences and how recent events have impacted them. The survey finds that Australians care about their privacy, feel they have little control over it and are concerned about how their information is handled. They want more to be done to protect their privacy. These findings reinforce the findings of previous surveys in Australia. They are also consistent with the Pew Research Center’s 2019 survey of Americans, Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information.

The problem has never been discerning Australians’ attitude to privacy. Repeated surveys show they value it and want it protected. The problems are well known as well: ineffective legislation and timid enforcement of what there is, chronic under-investment in cyber security and privacy training, and the lack of any right to take action for breaches. Report after report into privacy legislation has made this clear. What has been lacking is the will. Governments of both persuasions have alternated between hostility and tentativeness towards privacy reform. The result has been minimal protection.

The Government is considering the Privacy Act Review Report prepared by the Attorney General’s Department. The recommendations do not go far enough in legislating best practice privacy protections. If the Government accepted all of the recommendations, the legislative structure would provide robust protections. Then it is a question of properly funding the regulator and staffing it with people who will be much more assertive in taking action against breaches. Even with the greater powers provided in 2014, the Commissioner’s Office has been a timid regulator and a poor litigator in the Federal Court.

The media release sets out a reasonable summary of the findings. It provides:

There has been a sharp increase in the number of Australians who feel data breaches are the biggest privacy risk they face today, according to a major survey released today by the Office of the Australian Information Commissioner (OAIC).

The Australian Community Attitudes to Privacy Survey (ACAPS) 2023 provides a comprehensive view of Australians’ privacy attitudes and experiences and how recent events have impacted them.

The survey tested attitudes on topics such as data practices, privacy legislation, data breaches, biometrics, artificial intelligence and children’s privacy.

“Our survey shows privacy is a significant concern for Australians, especially in areas that have seen recent developments like artificial intelligence and biometrics,” said Australian Information Commissioner and Privacy Commissioner Angelene Falk. Read the rest of this entry »

Meta companies ordered to pay $20 million for misleading consumers on the use of the personal information (and other data). Australian Competition and Consumer Commission v Meta Platforms Inc [2023] FCA 842

July 27, 2023

It seems now that the Australian Competition and Consumer Commission (ACCC) has taken a real interest, and the lead, in responding to egregious data collection practices. Its Digital Platforms Inquiry has been influential, it has made submissions to the review of the Privacy Act, and now it has successfully brought a claim in Australian Competition and Consumer Commission v Meta Platforms Inc [2023] FCA 842. Meta subsidiaries were found to have misused personal information. At paragraph 2 his Honour summarised the issue thus:

Onavo and Facebook Israel admit contraventions of ss 18 and 33 of the Australian Consumer Law, contained in Schedule 2 of the Competition and Consumer Act 2010 (Cth) (CCA). The contraventions occurred during the period from 1 February 2016 to 31 October 2017 (Available Period), when Onavo and Facebook Israel advertised and promoted Onavo Protect on the Play Store and App Store in Australia (in the form set out in Schedule A to the orders) (the Listings), without making disclosures to Australian consumers that were sufficiently prominent and proximate to those Listings that data collected from users of Onavo Protect would be used for purposes other than providing Onavo Protect. While Onavo Protect was advertised and promoted as protecting users’ personal information and keeping their data safe, in fact, Facebook Israel and Onavo used the app to collect an extensive variety of data about users’ mobile device usage. An anonymised and aggregated form of that data was provided to their parent company, Meta Platforms Inc (Meta), and used by Meta for a range of commercial purposes.

The ACCC media release, $20m penalty for Meta companies for conduct liable to mislead consumers about use of their data, provides:

The Federal Court has ordered two subsidiaries of social media giant Meta, Facebook Israel and Onavo Inc, to each pay $10 million for engaging in conduct liable to mislead in breach of the Australian Consumer Law, in an action brought by the ACCC.

The Court declared that the two companies engaged in conduct liable to mislead the public in promotions for the Onavo Protect app, by failing to adequately disclose that users’ data would be used for purposes other than providing Onavo Protect, including Meta’s commercial purposes. Read the rest of this entry »

Attorney General’s Privacy Act Review Report: Chapter 11, consent. Review, analysis and consideration.

July 25, 2023

Chapter 11 of the Privacy Act Review Report considers the operation of consent under the Privacy Act and possible reforms.

The issue of consent regarding the handling of personal information is vexed, not just in Australia but throughout jurisdictions which have data protection laws. The concern is that all too often any consent is not the product of true agreement. Few read the notices to which they consent. Often those terms are lengthy, drafted in complex legalese, and the provisions relating to the use, collection and disclosure of personal information are buried deep in the notices. If a person wishes to use a service they must consent to the service provider’s or retailer’s terms and conditions, set out in privacy notices. Is there really consent if the service is critically necessary? As an example, Barristers Chambers Limited sent all Victorian barristers terms and conditions with a requirement that they be agreed to by 30 June. If the box wasn’t ticked, no email services hosted by Barristers Chambers Limited. The permissions given to the provider are extensive and, in part, quite ridiculous. Onerous doesn’t begin to describe them. They seem to be inspired by the mill owners of 18th century England. There is no way I would advise a client to accept them if given a choice. But like all barristers I need to be on the Barristers Chambers network. So I signed up to them. And hope for the best. Which will probably be the case. That doesn’t make the terms and conditions any more reasonable.

Some experts are sceptical that proper consent can ever be effected. In an excellent paper published earlier this year, David Solove suggested a way of accepting the inadequacy of consents while still achieving a satisfactory outcome, in Murky Consent: An Approach to the Fictions of Consent in Privacy Law. The abstract provides:

Consent plays a profound role in nearly all privacy laws. As Professor Heidi Hurd aptly said, consent works “moral magic” – it transforms things that would be illegal and immoral into lawful and legitimate activities. Regarding privacy, consent authorizes and legitimizes a wide range of data collection and processing.

There are generally two approaches to consent in privacy law. In the United States, the notice-and-choice approach predominates, where organizations post a notice of their privacy practices and then people are deemed to have consented if they continue to do business with the organization or fail to opt out. In the European Union, the General Data Protection Regulation (GDPR) uses the express consent approach, where people must voluntarily and affirmatively consent.

Both approaches fail. The evidence of actual consent is non-existent under the notice-and-choice approach. Individuals are often pressured or manipulated, undermining the validity of their consent. The express consent approach also suffers from these problems – people are ill-equipped to make decisions about their privacy, and even experts cannot fully understand what algorithms will do with personal data. Express consent also is highly impractical; it inundates individuals with consent requests from thousands of organizations. Express consent cannot scale.

In this Article, I contend that in most circumstances, privacy consent is fictitious. Privacy law should take a new approach to consent that I call “murky consent.” Traditionally, consent has been binary – an on/off switch – but murky consent exists in the shadowy middle ground between full consent and no consent. Murky consent embraces the fact that consent in privacy is largely a set of fictions and is at best highly dubious.

Abandoning consent entirely in most situations involving privacy would involve the government making most decisions regarding personal data. But this approach would be problematic, as it would involve extensive government control and micromanaging, and it would curtail people’s autonomy. The law should allow space for people’s autonomy over their decisions, even when those decisions are deeply flawed. The law should thus strive to reach a middle ground, providing a sandbox for free play but with strong guardrails to protect against harms.

Because it conceptualizes consent as mostly fictional, murky consent recognizes its lack of legitimacy. To return to Hurd’s analogy, murky consent is consent without magic. Instead of providing extensive legitimacy and power, murky consent should authorize only a very restricted and weak license to use data. This would allow for a degree of individual autonomy but with powerful guardrails to limit exploitative and harmful behavior by the organizations collecting and using personal data. In the Article, I propose some key guardrails to use with murky consent.

Consent is currently only required under the Act for a limited range of collections, uses and disclosures of personal information, such as:

  • the collection of sensitive information;
  • the use or disclosure of personal information by APP entities for a secondary purpose;
  • the use or disclosure of personal or sensitive information for the purposes of direct marketing in certain circumstances; and
  • as a basis for cross-border disclosures of personal information.

In the Act consent can be Read the rest of this entry »

Another instalment in the HWL Ebsworth data breach…this time highly sensitive Victorian government files leaked. The firm has finally provided an update and will provide updates every Thursday at noon.

July 17, 2023

HWL Ebsworth’s woes continue with another announcement of what documents were stolen. This time it is Victorian Government files, according to ‘Highly sensitive’ Victorian government files leaked online by HWL Ebsworth law firm hackers. Not to be outdone, Queensland also says its files were taken in the data breach. Meanwhile the Fair Work Ombudsman has released a statement.

The statement provides:

On 8 May 2023, national law firm HWL Ebsworth reported a cyber incident involving a data breach and possible unauthorised disclosure of personal information to the dark web.

Documents relating to a limited number of our (the Fair Work Ombudsman’s) files were included in the breach experienced by HWL Ebsworth.

Importantly, none of our systems have been compromised by the cyber incident.

We’re working with HWL Ebsworth to ensure individuals affected by the data breach are notified as a priority. Support and assistance will be provided to these individuals.

The Department of Home Affairs is investigating the extent of the breach, including exposure of the Australian Government’s information including personal information.

We’re also working with HWL Ebsworth to understand what information of ours may have been disclosed. We take our obligations under the Privacy Act 1988 seriously and we’re committed to ensuring appropriate systems are in place to maintain the privacy and the protection of personal information.

HWL Ebsworth released a statement on Friday. It has finally adopted a sensible approach to dealing with the public, especially those affected or just concerned. To date the firm has been secretive and inward looking. That is entirely the wrong approach. But then again, having a cyber security system that lets a hacker using one person’s authorisation carry out wholesale theft of data without being detected shows that Ebsworth has a long way to go in getting its cyber house in order.

The statement is clearly curated by a cyber Read the rest of this entry »

European Agency for Cybersecurity finds that ransomware accounts for 54% of cybersecurity threats in the health sector.

July 7, 2023

The health sector in every jurisdiction is a high-priority area of interest for hackers. Hospitals, health centres and other facilities in the sector are notorious both for holding troves of personal information and for very poor privacy practices. Given that the information is highly sensitive, there is often an imperative to respond to the demands of hackers. That is why it is not surprising that the European Union Agency for Cybersecurity found that ransomware accounts for 54% of threats to the health sector.

The press release Read the rest of this entry »