Former ASIO boss warns that Australia’s cyber defence is weak and uncoordinated…hardly a revelation with weak privacy and data security laws and even weaker regulation of those laws

January 19, 2018

It is enough to make a cat smile how the obvious poor state of cyber defence across the board is breathlessly reported as a revelation, again and again.  And how nothing really changes even though the problem grows worse each year.

The ABC reports in Australia’s cyber defences ‘relatively weak, uncoordinated’, former ASIO boss David Irvine warns that, in a submission through the Australian Cyber Security Research Institute, Australia’s ability to counter cyber threats and criminal activity is relatively weak and uncoordinated.  Not surprisingly, coming from a former public servant of long standing, the proposal is for a single Commonwealth-led cooperative agency.  The proposed entity will

YouTube personality wins revenge porn case in UK relying on breach of confidence, misuse of private information and harassment.

January 18, 2018

There are limits to legislation criminalising revenge porn, the publication of revealing or sexually explicit images or videos of a person posted on the Internet without the consent of the subject in order to cause them distress or embarrassment, without providing the victim with an actionable cause of action.  The first limitation is that a complaint to the police may not result in a prosecution.  The burden of proof is much higher.  In some cases proving that the accused took the image or posted it may be an issue, though in the typical revenge porn scenario that is not a common problem.  The other potential problem from the point of view of the victim is that how a matter is dealt with is a matter for the prosecution, whether in the form of a plea, the agreed statement of facts or the submissions on penalty.  That is not to say the prosecution are less than professional, but matters are resolved all the time.  While the victim may be kept informed, the call is always the prosecution’s to make.  What is required is an actionable civil claim by victims, on either a statutory or common law basis, under the tort of invasion of privacy.  And that is what is missing in Australian law.  Claims in Australia must rely on equity, breach of confidence and misuse of private information, to bring a civil claim.  That was what Ms Chambers did because at the time of the acts giving rise to her action the Supreme Court had not recognised a tort of invasion of privacy, which it did subsequently.  It is a more complicated and unwieldy form of action which is very much a second best option to a tortious claim.  Australia remains one of the few places in the common law world without a specific actionable right to enforce privacy rights.  It remains a significant gap in the law and an ongoing failure of public policy.

The BBC reports that Chrissy Chambers, described as a YouTube celebrity, brought an action against an ex-partner who posted 6 videos on a pornographic site after they broke up, from December 2009 until January 2012.  Ms Chambers found out about the posting in June 2013.  Her efforts to bring criminal charges were unsuccessful, primarily because a criminal offence relating to revenge porn had not been enacted at the time of the posting.  She commenced proceedings in the UK High Court and obtained a settlement involving an undisclosed sum of money, her costs, destruction of images held by the defendant and the copyright to the images

UK Government opts for sensible approach in permitting researchers to test anonymisation measures

January 14, 2018

The mantra by regulators that data which is anonymised can be used for research and published has resulted in significant embarrassment when said anonymisation resulted in re-identification.  It has spawned a busy subset of academic articles on how this happens, generally advising caution; see for example All or Nothing: The False Promise of Anonymity in the Data Science Journal.

Re-identification occurs where there has been insufficient de-identification; the methods of re-identifying are generally one or both of pseudonym reversal and combining data sets.

In Australia the Government introduced the Privacy Amendment (Re-identification Offence) Bill 2016.  If enacted it will prohibit the

NSW Government data security inadequate according to report

December 28, 2017

The Fairfax press in Personal information held by NSW government exposed to cyber crime risk reports that two-thirds of NSW Government agencies do not comply with their obligations to secure data.

The 82 page report provides insight, but the chronic and deep seated flaws in data handling and cyber security practices are all too common.  A lack of training on what limited access to data should mean, a lack of in depth protections which detect breaches from both outside and within, inadequate legislation with ineffective enforcement, and inadequate training which leads to a poor privacy culture are the foundations upon which these problems develop.

It is curious that the report was released on 20 December and only reported on 28 December 2017.  Given the issue is so serious it is almost certain to disappear into the ether over the Christmas break.  Maybe it wasn’t so curious after all.

The New South Wales Audit Office released a press release on

A refreshing and timely story on the Commonwealth Bank being accused of misleading the Privacy Commissioner, and the Privacy Commissioner copping criticism for its handling of that deception

December 20, 2017

Tonight’s 7.30 program has a story, titled Commonwealth Bank accused of misleading the Privacy Commissioner about a privacy complaint, where the sting is the Commonwealth Bank failing to provide proper disclosure of documents.  The determination is

Cybersecurity risks with the internet of things

Legislatures, and courts, being slow to fill gaps in the law is hardly a news story.  And it is axiomatic that there is legislative inertia in the face of new technologies.  The history of road rules for motor vehicles is a classic example.  But the inertia and failure to respond to the threat of cyber attack has been a protracted and sad story of public policy failure.  Hacking, phishing, spoofing and any number of other ways of attacking a network have existed as long as the internet has been publicly accessible.  Protecting against that has been ad hoc and generally

Australian Information Commissioner releases Notifiable Data Breaches resources

December 18, 2017

It is always by enforcement that regulators, and the effectiveness of legislation, are judged.  In the privacy sphere that is no different.  The Privacy Amendment (Notifiable Data Breaches) Act 2017 commences operation on 22 February 2018.

The Australian Information Commissioner has released the final resources (previously called guidelines) on the operation of the Act and what is expected of organisations and agencies.  They are set out below.

Resources are one thing; the culture is just as important.  The excellent article When cultures collide: the debate we’re not having on data privacy highlights

Health records re-identified in significant data breach

There is significant controversy about whether data can be scrubbed so that it cannot be re-identified.  What is less controversial is that many organisations put insufficient effort into de-identifying data.  The authors of a paper Health Data in an Open World have demonstrated how they re-identified patients in a supposedly de-identified open health data set.  The authors, academics at the School of Computing and Information Systems at the University of Melbourne, summarised what they did

Queensland law firms attacked by hackers and lose millions

Law firms have long been a target for hackers.  They hold vast troves of valuable information about clients and significant sums of money in trust.  They generally constitute a soft target because they have a poor understanding of cyber security and what their obligations are under the Privacy Act 1988 and do not

The internet of things and hacking…

December 16, 2017

There has been a flurry of stories relating to the internet of things and lack of data security, to wit businesses being hacked through access points existing courtesy of connected devices.  In the UK dozens of British heating systems have been found to be vulnerable to hacking.  In that case