The Australian Cyber Security Centre releases guidance on managing cryptographic keys and secrets

August 29, 2025

Cryptographic keys are a key part of any proper protection of an organisation’s operations, and the compromise of those keys can have a catastrophic effect on an organisation. The ACSC has developed a guide to assist organisations to develop a Key Management Plan that deals with internal and external threats. It should be used in conjunction with the appropriate NIST standards. The guidance contains hyperlinked references to other guidance and publications, which should be read as well.

The guide relevantly provides:

As the world increasingly relies on online services, digitalisation of data and interconnected systems, cyber security is a vital way in which we protect critical sectors. Good security hygiene keeps participants from making mistakes and makes it harder for malicious cyber actors to cause damage. One important aspect of cyber security is cryptographic keys and secrets management systems. Cryptographic keys and secrets are required for services that secure data, provide integrity, confidentiality, non-repudiation and access control. Cryptographic keys and secrets are a critical asset of many organisations and a core component of cyber security, which must be carefully managed and protected throughout their life cycle.

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and the Department of Industry Science and Resources (DISR) have developed this guide to help organisational personnel in understanding the threat environment and the value of implementing secure keys and secrets management to make better informed decisions.

The compromise of any private key or secret can have significant, or even severe, negative operational, financial and reputational impacts on an organisation. Organisations must seek to implement mitigations to ensure their organisational keys and secrets are protected and so they are positioned to respond quickly and effectively in the case of a security incident.

National Institute of Science and Technology releases revisions of its Privacy Control Catalog in response to a Presidential Executive Order. The purpose is to improve software update and patch releases

August 28, 2025

The National Institute of Science and Technology (NIST) provides invaluable support to those developing privacy and data security controls for businesses and government agencies. On 6 June 2025 Donald Trump issued an executive order titled Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144. Previous Presidents have issued Executive Orders to deal with threats to cyber security.

In response to the Executive Order, NIST revised its catalog of security and privacy controls, focusing on improving the security and reliability of software updates and patches. The revisions are:

  • SP 800-53 Release 5.2.0 which addresses multiple aspects of the software development and deployment process, including software and system resiliency by design, developer testing, the deployment and management of updates, and software integrity and validation. 
  • updates to the control catalog through the Cybersecurity and Privacy Reference Tool (CPRT), which allows downloads of machine-readable formats, including OSCAL and JSON.

The Executive Order provides:

By the authority vested in me as President by the Constitution and the laws of the United States of America, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.), the National Emergencies Act (50 U.S.C. 1601 et seq.), section 212(f) of the Immigration and Nationality Act of 1952 (8 U.S.C. 1182(f)), and section 301 of title 3, United States Code, it is hereby ordered:

Section 1.  Amendments to Executive Order 14144.  Executive Order 14144 of January 16, 2025 (Strengthening and Promoting Innovation in the Nation’s Cybersecurity), is hereby amended by:

Safetrac allegedly installed surveillance without staff agreement

August 26, 2025

The Safetrac saga continues apace with allegations that it installed listening devices without consent and without updating its surveillance policy. The AFR reports on these concerning developments in Safetrac surveillance installed without staff agreement: HR manager. Safetrac installed the Teramind program. Teramind proudly admits that its program is designed to “Monitor, analyze, and manage employee activity to prevent insider threats, safeguard sensitive information, and optimize team performance.” According to the piece, Safetrac used the microphones of employees’ laptops to record sound close to their computers from 15 April until 2 June 2025. Not so coincidentally, the statutory tort of serious invasion of privacy came into effect on 10 June 2025. Safetrac amended its policy on the use of surveillance equipment from 4 sentences to 2 pages. Whether that is sufficient to constitute proper awareness and consent is another story.

An interesting issue may be whether Safetrac used the Teramind program on the laptops of some of its clients’ employees while monitoring compliance on those clients’ behalf, and whether the clients were aware of it.

The article provides:

A top compliance firm that turned staff laptops into covert listening devices should have updated its surveillance policy before deploying its monitoring software, according to a statement by one of its human resources managers to the Victorian government’s workers’ compensation authority.

The Australian Financial Review can reveal WorkCover agent Allianz this month accepted that Safetrac should have got staff consent to its new surveillance policy introduced in June before it installed the software Teramind two months before to monitor underperformers.

The statement was outlined in reasons for WorkCover’s rare decision to grant workers’ compensation payments to a Safetrac staffer who it found developed anxiety when she discovered that she was under audio surveillance while she worked from home.

The decision could open a path for other Safetrac staff to claim compensation following allegations Safetrac did not specifically advise them it was using the microphones of select employees’ laptops to record sound close to their computer from April 15 to June 2.

Safetrac has said staff consented to the surveillance in their contracts and a four-sentence surveillance policy that said audio and images may be recorded during the course of their employment. It says it notified staff of “additional computer monitoring” at a company-wide town hall in February.


Safetrac recording conversations of employees shows how privacy and surveillance laws are misunderstood. There is more to this story than meets the eye.

August 25, 2025

The fact that there is effective surveillance technology in the market does not mean it should be used. Pegasus spyware can be remotely and covertly installed on mobile phones running iOS and Android. It is marketed as a tool for fighting crime and terrorism, and it could even be sold as a supervision tool for companies. But because it operates through secrecy and is effectively a form of spying, it has not been used by businesses but rather by autocratic governments to spy on journalists and dissidents. There is other software which is less pernicious than Pegasus but can still spy on individuals through their computers. That intrudes into people’s privacy. Enter Safetrac, which according to the AFR’s quite brilliant article titled Company turned laptops into covert recording devices to monitor WFH has used software to eavesdrop on staff, for up to 10 hours a day, and to video them as well. Safetrac claims to have provided notice and obtained consent. The notice is 4 sentences in a policy and some commentary during a “Town Hall.” That is inadequate. The fact that the surveillance picked up non-work-related sounds, such as private conversations, and out-of-hours activity will also make its actions privacy intrusive. This story is not over. The Privacy Commissioner has jurisdiction to consider whether there has been a breach of an Australian Privacy Principle under the Privacy Act 1988. If the recordings took place after 10 June 2025 then those affected may have a cause of action for the statutory tort of serious invasion of privacy. Even if not, there are options in equity.

The article provides:

One of the country’s top compliance training companies recorded the conversations of its employees by turning their laptops into covert listening devices while they were at home, in a case that tests the boundaries of workers’ privacy.

Victorian police are investigating claims that Safetrac breached the state surveillance laws after chief executive Deborah Coram admitted in legal documents that her company recorded the audio and screens of select members of its staff, who work from home.

The recordings, which were done over two months, used the laptop’s microphone to capture audio by default. They picked up not only audio from remote Teams meetings but also any sound close to the laptop.

Safetrac says the screen and audio surveillance were necessary to manage underperformers in the business. The company says employees consented to being recorded when they signed their contract and accepted its surveillance policy.

That policy, which consisted of just four sentences when the software was installed, said audio could be recorded during the course of employment.

Several current and former employees have told The Australian Financial Review they did not agree to their laptops’ microphones being secretly switched on for up to 10 hours a day, recording every conversation. This included staff complaining about the CEO during Teams meetings.

They also fear the audio recordings captured not only conversations with colleagues but also discussions with clients that might have involved confidential information, and even family members’ or personal phone calls near the laptop.


Google settles YouTube lawsuit which alleged it interfered with children’s privacy by collecting personal information without consent. The settlement sum is $30 million

August 24, 2025

There are strong protections for children’s privacy in the USA, notably COPPA. There is also constant pressure to collect personal information to assist in targeting ads. Google was accused of collecting personal information when children accessed YouTube, without parental consent. It is reported by Reuters in Google settles YouTube children’s privacy lawsuit. It is also covered by Malwarebytes with Google settles YouTube lawsuit over kids’ privacy invasion and data collection. While a settlement of $30 million is a large figure in absolute terms, it is important to note that Alphabet, Google’s owner, posted a net income of $62.7 billion on $186.7 billion of revenue in the first half of 2025.

The Reuters article provides:

Google will pay $30 million to settle a lawsuit claiming it violated the privacy of children using YouTube by collecting their personal information without parental consent, and using it to send targeted ads.

A preliminary settlement of the proposed class action was filed on Monday night in San Jose, California, federal court, and requires approval by U.S. Magistrate Judge Susan van Keulen.


Federal Trade Commission writes letter to technology companies warning them against censoring or weakening the data security of Americans at the request of foreign powers. Meanwhile the UK government says it will not seek back doors for programs

August 22, 2025

The demand by some governments to have a back door to end-to-end encryption is hugely controversial. The National Security Agency in the United States had Yahoo install a backdoor for the NSA’s use in 2014/15, although Yahoo says it challenged the NSA about this. In 2015 it built custom software to search clients’ incoming emails. Since 2013 the NSA has been keen to get around or through encrypted messaging. In February this year the UK ordered Apple to let it have access to users’ encrypted accounts. In 2015/2016 Apple was embroiled in a dispute with the FBI. The FBI wanted Apple to unlock phones whose data was cryptographically protected. Apple refused and objected to at least 11 orders issued by the US District Courts.

The US government’s concern is that overseas governments are attempting to weaken the level of encryption and data security. This directive, for want of a better word, poses real challenges for companies operating in other jurisdictions, like Australia. But the US policy has had an impact, with the UK agreeing to drop its planned encryption backdoor mandate for Apple.

The chairman of the Federal Trade Commission (“FTC”) has written letters to the largest and best-known cloud computing, data security, social media, computer and other technology companies warning them not to censor themselves or weaken the data security of Americans if asked to by foreign governments. The rationale is set out in its media release titled FTC Chairman Ferguson Warns Companies Against Censoring or Weakening the Data Security of Americans at the Behest of Foreign Powers.

The media release provides:

Federal Trade Commission Chairman Andrew N. Ferguson sent letters today to more than a dozen prominent technology companies reminding them of their obligations to protect the privacy and data security of American consumers despite pressure from foreign governments to weaken such protections. He also warned them that censoring Americans at the behest of foreign powers might violate the law.

The letters were sent to companies that provide cloud computing, data security, social media, messaging apps and other services and include: Akamai, Alphabet, Amazon, Apple, Cloudflare, Discord, GoDaddy, Meta, Microsoft, Signal, Snap, Slack and X.

The letters noted that companies might feel pressured to censor and weaken data security protections for Americans in response to the laws, demands, or expected demands of foreign powers. These laws include the European Union’s Digital Services Act and the United Kingdom’s Online Safety Act, which incentivize tech companies to censor worldwide speech, and the UK’s Investigatory Powers Act, which can require companies to weaken their encryption measures to enable UK law enforcement to access data stored by users.

“I am concerned that these actions by foreign powers to impose censorship and weaken end-to-end encryption will erode Americans’ freedoms and subject them to myriad harms, such as surveillance by foreign governments and an increased risk of identity theft and fraud,” Chairman Ferguson wrote.

The letter noted that as companies consider how to comply with foreign laws and demands, they are still required to comply with the FTC Act’s prohibition against unfair and deceptive practices in the marketplace. For example, if a company promises consumers that it encrypts or secures online communications but then adopts weaker security in response to demands from a foreign government, such an action could be considered a deceptive practice under the FTC Act, the letter noted.

The FTC has brought dozens of cases over the past two decades against companies that have failed to keep their promises to consumers to deploy reasonable safeguards to protect consumer data. 

The model letter sent to the companies provides, without footnotes:


Office of the Victorian Information Commissioner releases the investigation into use of surveillance by the University of Melbourne during a student protest in 2024. The University breached Information Privacy Principle 1.3

August 21, 2025

The Privacy and Data Protection Commissioner has found that the University of Melbourne breached Information Privacy Principle (IPP) 1.3 in tracking its students who were engaged in a sit-in protest in May 2024 and who were subject to a direction by the Vice Chancellor to leave on 20 May 2024.

The investigation is a useful consideration of IPP 1.3 and 2.1 of the Privacy and Data Protection Act (Vic). The analysis and principles bear on the extent to which a collector of personal information must inform the individuals to whom it relates what it will be used for, and on whether a given use is consistent with the purpose for which the information was gathered or is a permissible secondary purpose.

Beyond making a finding against the University, the Information Commissioner’s Office could take no action against it, notwithstanding an egregious and serious breach of the Act. The only action that could be taken is a Compliance Notice, which is little more than a notice saying one should fix problems. That’s it. That highlights the fundamental weakness in the legislation. In the United Kingdom the Information Commissioner has the power to impose monetary penalties on agencies.

Notwithstanding the lack of meaningful action taken against the University by the regulator, that does not mean those whose privacy was interfered with do not have causes of action in the courts.

The Report is 31 pages long but some relevant points made include:

Regarding function creep

Foreword

Social licence and function creep are two important concepts in interpretation of the relationship between human rights and technology. When governments or other official bodies implement technology, society expects them to respect human rights, including the right to privacy. This is usually achieved through the preparation of a Privacy Impact Assessment, and through communication with affected stakeholders about the purpose of the technology and the ways in which its use will be governed.

The University engaged in function creep by using surveillance of users of on-campus Wi-Fi in disciplinary proceedings it began after a protest. The University introduced the Wi-Fi tracking capability some years ago, for the purpose of network management, with a reassurance that it would not be used to surveil individuals. The University subsequently used the capability for disciplinary purposes, because it was already in place, without substantially considering the human rights or privacy impacts of doing so. In failing to consult with stakeholders about the policy change, the University failed to obtain a social licence for the use of this technology.

and 

The delivery method for the Notices related to Wi-Fi use – an on-screen pop-up – was also not an effective mechanism for explaining complex terms and conditions.

and 

…the governance and authorising processes the University used to authorise access to staff email accounts fell below the standard the Deputy Commissioner expects. This access occurred after the urgency of protest had passed, and could have been dealt with more carefully

Cyber security failures can have painful financial consequences. In the US, Healthplex settles suit and pays $2 million over cyber security breach

August 20, 2025

Data breaches often bring on multiple levels of pain and repeated expense. The initial data breach involves the affected company bringing in technical experts to figure out where the breach occurred and to undertake remedial action. Often cyber attackers leave compromised or wrecked systems in their wake, requiring reprogramming. Then there is the expense of dealing with the regulator or regulators for a prolonged period. In Australia the regulator moves slowly, so the process can be excruciating for companies. To that extent the recent comments by Malcolm Turnbull that companies regard data breaches as the cost of doing business are a little glib and a major generalisation. That said, his comments about complacency are spot on. In the United States the cost of data breaches includes civil claims by governments, usually through Attorneys General and government departments. Last week the Department of Financial Services settled a claim with Healthplex for $2 million arising out of a data breach which violated state cyber security regulation. The settlement requires Healthplex to hire an auditor to examine its multi-factor authentication controls.

The statement by the Department of Financial Services provides:

New York State Department of Financial Services Superintendent Adrienne A. Harris announced today that Healthplex, Inc. (Healthplex) will pay a $2 million penalty to New York State for violations of DFS’s cybersecurity regulation (23 NYCRR Part 500). As part of the settlement, Healthplex has agreed to hire an independent auditor to examine the adequacy of Healthplex’s multi-factor authentication (MFA) controls.


National Institute of Science and Technology publishes ‘Lightweight Cryptography’ Standard to protect small networked devices from cyber attack

August 19, 2025

The National Institute of Science and Technology (“NIST”) has published a very valuable lightweight cryptography standard to protect information created and transmitted by the Internet of Things as well as other small electronics. It is very important for those developing small devices which require protection from cyber attack, which is pretty much all small internet-connected devices.

The NIST has published a page on Lightweight Cryptography. 


iiNet hacked with data relating to 280,000 customers affected

Another day, another data breach in Australia. This time iiNet has announced that it has suffered a data breach. The mode of entry was the use of employee credentials to get into iiNet’s order management system. The breach is reported by the Australian in iiNet latest Aussie company to be hit by hackers. iiNet released a media release earlier today titled Cyber incident involving iiNet customers. As is the way, the story has been covered across the media by News.com.au, Information Age, Australian Cyber Security Magazine, the AFR and Cyber Daily, amongst others.

This data breach will be hugely embarrassing for iiNet. Its whole image is based around being more accessible (not in that way) and different from other telco providers, and better in a geekier, more friendly but more efficient sort of way. Now it finds itself suffering the sort of data breach other big organisations suffer.

iiNet’s media statement is quite good. For Australia. It provides some detail of what happened and how, though much is not revealed. That will be revealed if the Privacy Commissioner takes action or there is a class action. But being as transparent as possible is preferable to saying virtually nothing, as Genea has done with its much more serious data breach. iiNet provided detail of the nature of the personal information stolen: emails (280,000), phone numbers (20,000) and user names, street addresses (10,000) and modem set-up passwords (1,700). Distressing and damaging as that may be, it did not involve financial information, dates of birth or any other personal information. iiNet has been more specific than most in how it responded. It can’t help itself in advising how it is liaising with the ACSC, the NOCS and the OAIC. On a more relevant note, it has set up a dedicated hotline. That is an excellent initiative. By contrast Genea has been very difficult to contact and its responses have been wholly unhelpful, enraging patients. iiNet provided some preliminary advice on what to do and answers to frequently asked questions. Interestingly, iiNet responds to the question as to why it was holding information on people who are no longer customers of iiNet. The answer is somewhat mealy mouthed, including that it is due “to legal, regulatory, or operational requirements.” Mmmm.

The statement provides:

iiNet has been impacted by a cyber incident involving unauthorised access to its order management system by an unknown third party.

The iiNet ordering system is used to create and track orders for iiNet services, such as NBN connections. The system contains limited personal information. Importantly, it does not contain copies or details of customer identity document details (such as passport or driver’s licences), credit card or banking information.

What we are doing

Upon confirmation of this incident on Saturday, 16 August 2025, we enacted our incident response plan, began work to ensure the security of the system and to determine what occurred. We have engaged external IT and cyber security experts to assist with our investigation.