June 24, 2022
The National Institute of Standards and Technology (“NIST”) has released a very interesting Discussion Essay titled Ideas for the Future of IoT Cybersecurity at NIST: IoT Risk Identification Complexity as a prelude to a seminar that took place on 22 June 2022.
The abstract provides:
This publication documents the consumer profile of NIST’s IoT core baseline and identifies cybersecurity capabilities commonly needed for the consumer IoT sector (i.e., IoT products for home or personal use). It can also be a starting point for small businesses to consider in the purchase of IoT products. The consumer profile was developed as part of NIST’s response to Executive Order 14028 and was initially published in Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products. The consumer profile capabilities are phrased as cybersecurity outcomes that are intended to apply to the entire IoT product. This document also discusses the foundations to developing the recommended consumer profile and related considerations. NIST reviewed a landscape of relevant source documents to inform the consumer profile and engaged with stakeholders across a year-long effort to develop the recommendations.
Some of the interesting issues Read the rest of this entry »
Posted in General, Privacy
June 19, 2022
The US has had a long tradition of commercialising customer lists. With that has come the “data broker”, putting holders of data in touch with those who are keen to use that data. In the analog age it was a matter of mild concern, typically with people getting unexpected correspondence and offers. A common example was someone signing up for a hunting magazine being offered membership of the National Rifle Association. In terms of scale the problem was real and concerning but not threatening to a person’s privacy. Most people subscribe to a limited number of publications, and it wasn’t until relatively recently that the fetish for requiring masses of personal information for even the most anodyne activity took hold.
The digital age, and businesses’ appreciation of the advantage of knowing as much as possible about customers or potential customers, combined with the vastly improved ability to collect masses of data and process them into useful information, has meant that the collection of information is key. And that has led to worrying practices, such as the collection of sensitive and health information. In that context, on 15 June 2022 Senator Elizabeth Warren introduced Senate Bill 4408 in the U.S. Senate to prohibit data brokers from selling and transferring certain sensitive data.
Australia has not had a tradition of or framework for data brokers, but that does not mean there has not been the sale of data from time to time. Recently the Federal Government has made the transfer of data between government agencies and educational institutions much easier. The privacy protections were added as an afterthought. It remains a problematical piece of legislation.
The Bill would Read the rest of this entry »
Posted in Big Data, Privacy
June 18, 2022
The Markup has published a most extraordinary story, Facebook Is Receiving Sensitive Medical Information from Hospital Websites, in which hospitals that had installed the Meta Pixel collected sensitive personal information and sent it to Facebook. Meta Pixel is an analytics tool that allows a company to track its website visitors’ activities. This piece of code helps identify Facebook and Instagram users and see how they interacted with the content on the website. This information can be used to target people with ads based on interests. It used to be called the Facebook Pixel. The Meta Pixel sends information to Facebook via scripts running in a person’s internet browser, so each data packet comes labeled with an IP address that can be used in combination with other data to identify an individual or household.
https://www.natlawreview.com/article/motion-preliminary-approval-accellion-data-breach-settlement-filed-california
A more traditional health data breach involved the Baptist Medical Center and Resolute Hospital, where an unauthorised party accessed and exfiltrated data from their network between March 31, 2022 and April 24. The information may have included:
- full name, date of birth, and address
- Social Security number
- health insurance information, such as the name of insurer/government payor and the policy and/or group number
- medical information, such as medical record numbers, dates of service, provider and facility names, chief complaint or reason for a visit, and other visit procedure and diagnosis information
- billing and claims information, such as account and claim status, billing and diagnostic codes, and payor information
Meanwhile at Yuma Regional Medical Centre Read the rest of this entry »
Posted in Privacy
June 17, 2022
The Federal Trade Commission (FTC) today released a very important report to Congress, Combatting Online Harms Through Innovation, warning about abuses of AI. Those abuses include privacy-intrusive practices and biases built into AI. It highlights the growing body of work warning of worrying aspects of Artificial Intelligence in accuracy, bias and privacy-intrusive processes, including surveillance.
The press release Read the rest of this entry »
Posted in Federal Trade Commission, Privacy
June 16, 2022
Colorado’s governor has just signed into law legislation aimed at limiting the use of facial recognition technology by government agencies and state institutions. This highlights that facial recognition is capable of proper regulation, that its privacy issues can be regulated, and that there is a public good in properly regulating this form of technology.
It has been well summarised in The National Law Review as:
Ramping up the state’s continued focus on data privacy, on June 8, 2022, Colorado Governor Jared Polis signed legislation aimed at limiting the use of facial recognition technology by government agencies and state institutions of higher education.
The new law, SB 113, requires an agency, defined as “an agency of the state government or of a local government; or a state institution of higher education,” that intends to “develop, procure, use or continue to use facial recognition service” to provide notice of intent to use those services with its “reporting authority” prior to using the technology. Read the rest of this entry »
Posted in Privacy
June 15, 2022
Choice has published the findings of its investigation into retailers using facial recognition technology in stores: Kmart, Bunnings and The Good Guys. The Australian has picked up on that story with Faceprint technology: Kmart, Bunnings and The Good Guys are scanning customers’ faces in stores.
Both stories cover a disturbing pattern of organisations deploying privacy-intrusive technology without any real restrictions or regulation. As the stories make clear, compliance with the Privacy Act 1988 as to collection of personal information is either buried in online privacy statements or in small, inconspicuous written notices under the heading “conditions of entry” off to the side of the entrance of Kmart stores. This is arrogance writ large. Kmart has undergone a box-ticking exercise. And the excuses used by Bunnings, that facial recognition technology is “... to help identify persons of interest who have previously been involved in incidents of concern in our stores,” and that it is “... an important measure that helps us to maintain a safe and secure environment for our team and customers,” are, if true, a wholly disproportionate response to a problem Read the rest of this entry »
Posted in Big Data, Privacy
Canada is likely to join the United States, Australia and other countries in legislating increased cyber security for key industries, as reported in New federal bill would compel key industries to bolster cyber security — or pay a price. This form of legislation is probably required but is no panacea. Adding an additional layer of obligations doesn’t change the base of the problem, that too few businesses put nearly enough effort into basic privacy and data protection. The new laws will require the key industries to set up processes and respond to a cyber attack. But will it mean companies will spend what needs to be spent to protect themselves properly? If Australia is any guide, then no.
The Canadian Broadcasting Service Read the rest of this entry »
Posted in Privacy
June 14, 2022
The US Chamber of Commerce has written an open letter to the Members of the Senate Committee on Commerce, Science and Transportation and the House Committee on Energy and Commerce on potential national data privacy legislation. In the history of legislative action in the privacy field this is a pretty big deal. Little wonder, given the growing patchwork of state laws that now exist to fill the gap in regulation. From a business point of view, having to comply with various levels of protection across jurisdictions would be a nightmare, and one that will get worse, not better.
The letter Read the rest of this entry »
Posted in Privacy
June 13, 2022
The Australian reports breathlessly, in Australia an ‘easy target’ for bank app trojans, that Australian banks are vulnerable to malware, with 13 of 34 apps being targeted by a variety of banking trojans. Given Australian financial institutions’ spotty records when it comes to data breaches, this story hardly deserves the column inches it gets. In April last year NAB repaid customers $687,000 for a data breach. In August 2019 hackers breached tens of thousands of Australian banking accounts through PayID. In May 2018 the Commonwealth Bank of Australia lost the personal financial histories of 12 million customers. And being a bank, it decided that its customers did not need to know. The information was contained on magnetic tapes which, of course, were not encrypted.
So the most recent Australian story is worth a run but hardly a novel turn of events. The criticisms in the article about inadequate infrastructure, ineffective consumer protection laws and a poor mindset have applied for many years. There is no incentive to change. The consequences of a data breach are embarrassment, sitting across the table from the Information Commissioner for a few hours and compensation for those account holders who lost money through fraud. That is small change Read the rest of this entry »
Posted in Privacy