October 5, 2022
Artificial intelligence is as much a technological phenomenon as a public policy challenge. It impacts on the law in a significant way.
On 4 October 2022 the White House Office of Science and Technology Policy issued a Blueprint for an AI Bill of Rights. It sets out five principles to guide the design, use, and deployment of automated systems, each accompanied by a handbook detailing how to incorporate those principles in practice.
The five principles are:
- Safe and effective systems: automated systems should be developed with consultation from diverse communities, stakeholders, and domain experts and should undergo pre-deployment testing, risk identification, and mitigation.
- Algorithmic discrimination protections: designers, developers, and deployers of automated systems should take proactive and continuous measures to protect individuals and communities from algorithmic discrimination and use and design systems in an equitable way.
- Data privacy: privacy should be provided through design choices that ensure protections are included by default, making sure that data collection conforms to reasonable expectations and is only what is strictly necessary for the specific context. Consent should only be used as a legal basis when it can be appropriately and meaningfully given, and requests for consent should be brief and understandable. Sensitive data should enjoy special protections, and unchecked surveillance should be avoided.
- Notice and explanation: designers, developers, and deployers of automated systems should provide documentation clearly describing the role of automation in the overall system, as well as notice that the systems are in use and an explanation of outcomes, among other things.
- Human alternatives, consideration, and fallback: individuals should be able to opt out from automated systems in favour of a human alternative, where appropriate.
The Blueprint sets out a two-part test to
Posted in Privacy
It has long been mooted but now there are firm proposals on the changes to the UK data protection legislation. On 3 October 2022 Michelle Donelan, Secretary of State for Digital, Culture, Media & Sport announced that the Government will be replacing the system based on the EU’s General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) with a data protection system that will protect consumer privacy, while also retaining data adequacy, which would allow businesses to trade freely.
The Government proposes to co-design the new system with businesses and consider those countries that achieve adequacy without having the GDPR, such as Israel, Japan, South Korea, Canada, and New Zealand. The stated focus of the new data protection plan is growth and common sense while preventing losses from cyber attacks. The aim is to simplify complicated legislation and avoid the pitfalls of a one-size-fits-all system.
That is the plan at least. The plan thus far is high on political rhetoric and less clear on details.
Given Australia is on the cusp of major privacy law reform it is worth keeping an eye on this latest variation of data protection.
Donelan’s speech
Posted in Privacy
October 4, 2022
Telstra has suffered a data breach involving the personal information of 30,000 current and former staff. The cause was fairly typical of such data breaches: a third-party provider, in this case the one that operated the Telstra rewards program. The story gets full coverage in Telstra staff suffer data breach as names and email addresses uploaded to dark web forum.
Just to put matters into perspective, over approximately the same period:
Posted in Privacy
The Guardian has published an Essential Poll finding that 51% of respondents support restrictions on the amount of personal information private companies can collect. That tallies with a Pew Research Center finding in November 2019 that Americans were concerned about data collection. The Australian Information Commissioner also published a survey of Australian Community Attitudes to Privacy in 2020, and EPIC described a similar outcome from a poll by Morning Consult in 2021.
These findings are all consistent and hardly secret. Similar polls have had similar findings for more than a decade. It is governmental inertia that prevents anything from being done about the problem.
The Guardian article
Posted in General, Privacy
October 2, 2022
Politics and cyber security continue to occupy the same field in what is now the Optus Data Breach saga. In ‘Bloody useless’: Companies could be forced to report data breaches after hacks the Home Affairs Minister Clare O’Neil has expressed exasperation about the weakness, if not uselessness, of the data breach notification regime. That weakness has hardly been a secret: the deficiencies of the data breach notification scheme were obvious right at the outset, so none of this is a surprise. I have been writing on this for ages.
The story
Posted in Privacy
September 29, 2022
Writing about privacy and the deficiencies in the law is to feel like Cassandra. Cassandra was a Trojan priestess of Greek mythology who was given the gift of prophecy, but was also cursed by the god Apollo so that her true prophecies would not be believed.
With the Optus data breach, people have suddenly discovered the problems I have been writing about for years, as if it were a new discovery. That is typified by an ABC article What does the Optus data breach reveal about corporate governance problems around cyber security?, the Australian Financial Review with Customer data should not be a corporate asset: Dreyfus and the
Posted in Privacy
The Chilean judicial system has suffered a ransomware attack requiring it to take 150 computers offline to stop the spread of the malware, as reported in Chilean Court System Hit With Ransomware Attack. The trojan program entered the system via a phishing email, a typical entry point for ransomware.
The report provides:
The Chilean judicial system yanked 150 computers offline to stop the spread of a virus that maliciously encrypts files even as authorities stressed that court proceedings were mostly unaffected.
The event is the latest cyber disruption affecting the South American country. The nation’s consumer protection agency was hit by a ransomware attack that started on Aug. 25 (see: Chile Consumer Protection Agency Hit by Ransomware Attack) and just days ago, hundreds of thousands of emails hacked from the military’s Joint Chiefs of Staff were published online.
Posted in Privacy
As a practitioner in the privacy area I find it fascinating to see how a sophisticated telco has pretty much done everything wrong in responding to the Optus data breach. Its original notification was poorly drafted and vague. Getting a CEO to front the media is a real gamble, and it did not pay off. Optus is stubbornly refusing to give any insight into what actually happened. It is possible to provide a broad outline without compromising work being undertaken or any commercial-in-confidence information (which is difficult to see applying here). Optus was less than candid about what data was compromised, failing to mention that Medicare numbers were included in the personal information stolen. Optus has been slow in advising its customers what they can do. It has been incredibly miserly in providing assistance through the use of credit reporting. It has grudgingly agreed to pay for the replacement of driver’s licences. If it had a data breach response plan, which is doubtful, it was probably drafted by Telstra. It has failed to take control and get ahead of the news cycle and in the process has been attacked from all sides. Much of that is self-inflicted, though there is an element of opportunism in some of the political attacks.
An example of Optus’s dreadful communications is its late and seemingly reluctant advice that Medicare numbers had been compromised. It provided a statement only yesterday. It said:
Of the 9.8 million customer records exposed, we have identified 14,900 valid Medicare ID numbers that have not expired. All of the customers who have a Medicare card that is not expired will be contacted within 24 hours. There are a further 22,000 expired Medicare card numbers exposed. Out of an abundance of caution they will also be contacted directly over the next couple of days.
Please be assured that people cannot access your Medicare details with just your Medicare number. If you are concerned or have been affected, you can replace your Medicare card as advised by Services Australia.
Our call centres will not have further information to assist on this matter. We are in contact with Services Australia and we will be letting all affected customers know the guidance on the steps they can take.
Medicare numbers being stolen causes the public incredible concern. But the reality is
Posted in Privacy
September 28, 2022
The US Federal Trade Commission has been taking action against companies for misusing the personal information of children. The UK Information Commissioner’s Office has also taken action on that front, against TikTok: it has issued a notice of intent against TikTok for failing to protect children’s privacy. The statement
Posted in UK Information Commissioner's Office
Data breaches in other jurisdictions rarely draw governments into both the circumstances of the breach and the steps being taken to remedy it. Usually regulators are the limit of governmental involvement. There have been exceptions: the Cambridge Analytica scandal involving Facebook attracted widespread condemnation from political parties across multiple jurisdictions. But the Federal and now State Government’s involvement in the Optus Data Breach, both as critics and as active participants, is unusual. That is probably because it is such a massive data breach and it involves a major telco. Whether this is good practice remains to be seen. The initial and ultimate responsibility for cyber security and for remedying a data breach lies with the organisation itself. The Federal Government’s critical role is in ensuring there is an appropriate level of regulation and a regulator which is willing and able to enforce the laws.
The Australian reports in Scramble to save millions of Optus customers that Australians are in the dark about the security of their personal information and that governments and banks are working to protect them. It reheats a story first run by the Guardian that Optus resisted any legislative change to the privacy laws.
The article
Posted in General, Privacy