Australian Information Commissioner opens investigation into Bunnings and Kmart regarding use of facial recognition technology

July 13, 2022

In light of the finding in Commissioner initiated investigation into Clearview AI, Inc. (Privacy) [2021] AICmr 54 that Clearview AI had breached the Privacy Act 1988 through its use of facial recognition technology, there was always a reasonable chance that the Information Commissioner would respond to the comprehensive complaint made by CHOICE against Bunnings, Kmart and The Good Guys regarding their use of facial recognition technology.

Today the Commissioner announced that her office had opened an investigation into Bunnings and Kmart.

The statement provides:

The Office of the Australian Information Commissioner (OAIC) has opened investigations into the personal information handling practices of Bunnings Group Limited and Kmart Australia Limited, focusing on the companies’ use of facial recognition technology.

The investigations follow a report from consumer advocacy group CHOICE about the retailers’ use of facial recognition technology.

The UK Information Commissioner provides a report to Parliament “Behind the screens” regarding the use of private emails and messaging apps within government & issues of data security and transparency

July 12, 2022

The UK Information Commissioner’s Office has just released a significant and detailed report titled Behind the screens: ICO calls for review into use of private email and messaging apps within government, on the use of messaging apps and related technologies within government and the associated issues of privacy, data security and transparency. The flexibility that comes with using messaging apps has unwelcome consequences when they are used for official business. The lack of a record of important exchanges undermines proper transparency. The use of apps and texts raises real security issues. Private channels for public business can be problematic.

The media release provides:

The Information Commissioner’s Office (ICO) has today called for a government review into the systemic risks and areas for improvement around the use of private correspondence channels – including private email, WhatsApp and other similar messaging apps.

Federal Trade Commission issues a warning about the collection and misuse of highly sensitive personal data taken from devices and apps.

The Federal Trade Commission has published an article on its website titled Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data, regarding the collection of data from smartphones, apps, connected cars and smart home products and the subsequent misuse of that data by onselling it to aggregators and data brokers. It clearly highlights how the collection of this data can act as a form of surveillance and, more specifically, can identify places that individuals would not wish to be disclosed to third parties. Aggregators and data brokers are not as chronic a problem here as in the United States of America; however, that doesn’t mean there isn’t a problem. Organisations and government agencies collect masses of data, it is questionable whether they have any need for that personal information, and the information is often not properly protected in storage. There remains a significant problem with the extent to which people consent to the collection of their data. Organisations almost invariably bury consents in the middle of a privacy policy or at the foot of a page, physical or online, which is difficult to read let alone properly understand.

The FTC article should be read by all privacy practitioners. While it references US law, the principles are universal. It is also cheering that the FTC will crack down on these unsavoury practices. Hopefully

UK Information Commissioner’s Office and the National Cyber Security Centre write to the Law Society advising against paying ransomware demands

July 11, 2022

To pay or not to pay ransomware demands, that is a vexed question for organisations. And what advice should their legal representatives give? As far as the Information Commissioner’s Office (“ICO”) is concerned, ransomware demands should not be paid. The ICO and the UK National Cyber Security Centre (the “NCSC”) wrote to the UK Law Society as a reminder that lawyers in the UK should not advise

Lloyd’s releases report about the risk of cyber attacks titled “Shifting powers: physical cyber risk in a changing geopolitical landscape.”

As part of its Shifting Powers series, Lloyd’s has released a timely and very thorough report on cyber security, Shifting powers: Physical cyber risk in a changing geopolitical landscape. The Report sets out scenarios and likely responses which are very helpful and practical (and which are too involved to summarise or analyse in this post).

The press release provides:

In a highly digitised economy, cybersecurity sits at the top of the agenda for businesses, boards, risk managers and governments alike.

In recent years, malware and ransomware attacks have been causing severe disruption for global businesses and their supply chains. In addition to the rise in malware and ransomware attacks, the threat of state-sponsored cyber-attacks has become a significant focus for businesses and governments.

Whilst most cyber-attacks are digital, some result in tangible disruption or damage to the physical environment – these types of attacks are becoming increasingly commonplace. This is, in large part, due to the increasingly interconnected nature of systems and services which expose businesses to perils from physical cyber-attacks such as fires, explosions, flooding or bodily injury.

At Lloyd’s we understand the complex and potentially systemic risks in the cyber class and are committed to supporting a resilient cyber market. Cyber physical represents a key opportunity for insurers to develop a sustainable cyber offering that can help protect customers from a risk that has reached the highest level of priority in boardrooms around the world.

At 38 pages it is a significant, and long, report which defies easy summary; however, some highly pertinent points it makes include:

  • the potential impacts on businesses are modelled through three scenarios:
    1. Asymmetric Attack Exchange: a rudimentary cyber power sponsors non-state ransomware attacks by cybercriminals targeting another nation’s critical infrastructure
    2. Offensive Cyber Retaliation: regional tensions over nuclear development programmes spill over into cyber-physical sabotage of critical infrastructure
    3. Symmetric Attack Exchange: two sophisticated cyber powers engage in an escalation of destructive cyber attacks on critical infrastructure

Physical cyber risk


Facebook may be shut out of Europe because of Ireland’s refusal to permit user data being transferred to the United States.

July 8, 2022

Ireland, or more accurately Ireland’s Data Protection Commission (the “DPC”), has been engaged in a protracted dispute with Meta, Facebook’s parent company, regarding its data handling and compliance with the GDPR. On 15 March 2022 it concluded an inquiry into twelve data breach notifications by Meta Platforms, finding that Meta had infringed Articles 5(2) and 24(1) of the GDPR. The media release relating to those findings stated:

The DPC has today adopted a decision, imposing a fine of €17m on Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) (“Meta Platforms”).

The decision followed an inquiry by the DPC into a series of twelve data breach notifications it received in the six month period between 7 June 2018 and 4 December 2018.  The inquiry examined the extent to which Meta Platforms complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data relevant to the twelve breach notifications.

As a result of its inquiry, the DPC found that Meta Platforms infringed Articles 5(2) and 24(1) GDPR.  The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.

Given that the processing under examination constituted “cross-border” processing, the DPC’s decision was subject to the co-decision-making process outlined in Article 60 GDPR and all of the other European supervisory authorities were engaged as co-decision-makers.  While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC and the supervisory authorities concerned.  Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU. 

Yesterday an article titled Europe faces Facebook blackout reported that the DPC had informed its counterparts in Europe that it will block Meta from sending data back to the USA. Meta has said that this would force it to close many of its services, including Facebook and Instagram. Clearly

Cybersecurity and Infrastructure Security Agency issues advisory about use of Maui ransomware by North Korean state sponsored cyber hackers

It is trite to say that a significant amount of cyber hacking is undertaken by, or with the connivance of, state sponsored actors. For example, North Korea was directly responsible for the hack of Sony in 2014, which resulted in half of Sony’s global digital network being destroyed. There are many other instances.

The US Cybersecurity and Infrastructure Security Agency (“CISA”) has released a joint cybersecurity advisory regarding North Korea’s use of the Maui ransomware to target healthcare and public health sector organisations. Maui ransomware is an encryption binary. It is designed for manual execution by a remote actor, who uses a command-line interface to interact with the malware and to identify the files to encrypt.

Along with the advisory is guidance that should be used to assist in defending against these attacks. There is also a call for critical infrastructure organisations to review and apply the recommended mitigations to reduce the likelihood of compromise from ransomware. Good advice for US organisations and good advice for Australian organisations. State sponsored hackers are equal opportunity criminals.

The press release

The National Institute of Standards and Technology issues Implementing a Zero Trust Architecture

The National Institute of Standards and Technology (“NIST”) has released a preliminary draft practice guide titled “Implementing a Zero Trust Architecture” for public comment.

This guide summarizes how commercially available technology is being used to develop an interoperable, open standards-based Zero Trust Architecture.

Hacker steals data of 1 billion citizens of the People’s Republic of China

July 6, 2022

When I first started writing about privacy and data security, data breaches involved low thousands of records compromised. It didn’t take long for data breaches to involve many thousands of records and occasionally over a hundred thousand records. In the last decade the ability and desire of government, organisations and businesses to collect masses of data has increased exponentially. Storage capacity increased, as did the ability to analyse the data with the use of algorithms. Analytics is now a sophisticated discipline and its products have made businesses wealthy. Increased collection, use and storage of data has been matched by increased hacking into systems. Personal information provides valuable source material for identity theft and other forms of fraud. And many businesses and government agencies have traditionally had a terrible record in maintaining proper privacy protections and cyber security systems.

Now data breaches regularly involve millions of records, occasionally tens of millions of records. But not records of a billion people. Until now. Data Breach Today reports in Unknown Hacker Steals Data of 1 Billion Chinese Citizens that a configuration error in Alibaba’s private cloud server resulted in a data breach involving a billion individuals. The data had been collected by the Shanghai National Police and was taken from its database. The information is a hacker’s dream: names, home addresses, identification numbers and phone numbers. That data, 23 terabytes’ worth, is being offered for sale on a hacker forum for 10 Bitcoin (or over $200,000).

The story has been reported widely, with Reuters, ABC, Bleeping Computer and the Guardian among the many outlets reporting on the breach. China being China, such a bad news story has been censored. This can have the potentially

The National Institute of Standards and Technology releases Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process

Publications by the National Institute of Standards and Technology (“NIST”) are regarded by many privacy and cyber security practitioners as setting the technical and process standards. That is not a universal view, but given NIST’s output it is only a matter of time before it becomes one.

NIST has released its Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process.

The first group of algorithms NIST has chosen is designed to withstand attack by a future quantum computer. Quantum computers are likely to become powerful enough to break the public-key encryption in use today, which poses a serious threat to information systems. The four selected algorithms (CRYSTALS-Kyber for key establishment, and CRYSTALS-Dilithium, FALCON and SPHINCS+ for digital signatures) will become part of NIST’s post-quantum cryptographic standard. Each of the selected algorithms is an algorithm for:

  • general encryption, used to access secure websites; or
  • digital signatures, used to verify identities during a digital transaction or remote signing.

The Abstract