New flaws discovered in OpenSSL... Heartbleed mark 2 awaits?

June 6, 2014

The problem with having a ubiquitous piece of open-source software as a key part of the security framework for communications in cyberspace is that, when problems arise, the impact is tremendous and potentially disastrous. The Heartbleed episode demonstrated that in no uncertain terms. Changes to passwords, rushed-out patches and changes to security protocols all came with cost, aggravation and no shortage of concern.

OpenSSL has identified flaws in the cryptographic library which make it vulnerable to a man-in-the-middle attack. That is a form of active eavesdropping in which the attacker makes independent connections with both victims and relays messages between them, so that each believes it is talking directly to the other over a private connection when in fact the entire conversation is controlled by the attacker. The advisory relevantly provides:

OpenSSL Security Advisory [05 Jun 2014]

SSL/TLS MITM vulnerability (CVE-2014-0224)

An attacker using […]

Federal Trade Commission gives evidence before a United States Senate Committee on Geolocation Privacy

June 5, 2014

The US Federal Trade Commission (the “FTC”) gave evidence on geolocation privacy to the Senate Committee on the Judiciary’s Subcommittee on Privacy, Technology and the Law on 4 June 2014. It is a very interesting statement which effectively describes the privacy implications of the use of geolocation apps and software. The lack of transparency in the marketing and delivery of those apps and software is a significant concern. As the FTC makes clear, the data that can be collected is often sensitive. It can also be an effective tracking, if not stalking, device. The management, use and disclosure of that data can have significant consequences for individuals. Apart from the obvious breach of privacy, the data can be used for predictive analytics.

The FTC media statement provides:

The Federal Trade Commission testified before Congress on the Commission’s efforts to address the privacy concerns raised by the tracking of information about consumers’ location, as well as proposed legislation to protect the privacy of geolocation data.

Delivering testimony before the Senate Judiciary Committee’s Subcommittee for Privacy, Technology and the Law, Jessica Rich, Director of the FTC Bureau of Consumer Protection, outlined the FTC’s ongoing efforts to protect the privacy of consumers’ geolocation information through enforcement, policymaking, and consumer and business education.

Precise geolocation data is sensitive personal information increasingly used in consumer […]

Data breach of South Central Ambulance Service in the UK

June 3, 2014

The records of almost 3,000 members of the South Central Ambulance Service were the subject of a significant data breach, according to the BBC in South Central Ambulance Service staff data breach. The breach reportedly included publishing the age, sexuality and religion of staff members. This information is regarded as sensitive information under the Privacy Act and should attract greater protection.

The report provides:

The personal data of thousands of ambulance service staff has been accidentally published online, it has been revealed.

The data breach by South Central Ambulance Service (SCAS) included publishing the age, sexuality and religion of almost 3,000 staff members.

The information has been revealed […]

Google’s driverless car and privacy

Google and privacy. Not a neat or natural fit, whether it is Google’s modus operandi or its devices, most recently Google Glass. Now Google’s driverless car has tech heads excited and privacy practitioners worried. Again. The Guardian in Google’s driverless cars are a boon for safety and climate, but not for privacy highlights the privacy issue, being the unremitting collection of data about individuals using the car. It is no longer a means of transportation but a data-collecting module whose data is invaluable for all manner of secondary purposes and parties: insurers, nosy employers, embittered or just curious spouses, not to mention advertisers and retailers. A mass of data identifying where one travels, how fast one travels, where one stops and for how long can be used for predictive analytics. That can lead to inferences about someone’s behaviours and likely exposure to risk. Predictive analytics is just that, a form of prediction. The accuracy can be questionable. More importantly […]

Privacy Commissioner and estimates

June 2, 2014

Senate estimates are both a valuable part of the democratic process, holding governments accountable and reviewing expenditure, and good media fodder. They can also be tedious.

The Legal and Constitutional Affairs Committee quizzed the Information Commissioner and the Privacy Commissioner on 29 May 2014. The transcript is found here. Noteworthy comments were:

Data breach notification

Senator SINGH: Professor McMillan, I want to ask about privacy alerts and whether you support the introduction of mandatory notification requirements for serious breaches of data.

CHAIR: Senator Singh, this might have to be your last question because I have four other senators and 15 minutes left. So could you make this your last question?

Prof. McMillan: Legislation was introduced into the parliament under the previous government for mandatory notifications.

Senator SINGH: Yes, I have now introduced a private member’s bill.

Prof. McMillan: It was called the privacy alerts bill. At the time the Office of the Australian Information Commissioner put out a statement saying that it supported the passage of that legislation. We have made no subsequent statement on the issue.

Senator SINGH: You obviously stand by that previous statement. Are you aware of what significant data breaches have occurred in the last few years?

Prof. McMillan: I will transfer that question to the Privacy Commissioner.

Mr Pilgrim: Yes, we are aware, obviously, of a number of major data breaches that have occurred over the last few years. Just to give you an idea, they will vary in severity and the number of people that have been impacted. For example, in the current year, 2013-14, we have become aware of […]

Poll shows that eight out of ten internet users want their search history to be kept private

May 30, 2014

The Guardian in Privacy call for internet browsing in the wake of Edward Snowden leaks reports on a poll commissioned by the Joseph Rowntree Reform Trust. That internet users are concerned about their privacy is hardly new. Privacy Commissioners have been undertaking surveys over the years that consistently highlight public concern about privacy. This poll shows a heightened level of concern in […]

Agencies who have been warned about proper data security don’t necessarily get it if Wolverhampton Council is any guide

Proper data security policies, programs and protocols are not a one-off event. Organisations and agencies change. They develop. At minimum such changes should involve a privacy impact assessment. Unfortunately some bodies, public and private, are frequent flyers when it comes to poor data handling practices and privacy protections. One such agency was Wolverhampton City Council, which ignored or didn’t heed warnings about its practices. That ultimately prompted the attention of the Information Commissioner’s Office and resulted in an enforcement notice.

The ICO’s press release (found here) provides:

The Information Commissioner’s Office (ICO) has ordered Wolverhampton City Council to provide adequate data protection training for its staff following a series of warnings dating back over two years.

The enforcement action follows […]

Technology companies in the USA want increased privacy protection

Consumers having confidence that their personal information, confidential communications and sensitive data are protected should be a given. The revelations about the collection of metadata, as well as specific data, by government agencies (and by data brokers) have caused disquiet among consumers, privacy specialists and, as importantly, technology companies. Technology companies don’t want to be part of a data storage program against their will. This has been highlighted in the New York Times article Technology Companies Are Pressing Congress to Bolster Privacy Protections.

The article provides:

WASHINGTON — A law that allows the government to read email and cloud-stored data over six months old without a search warrant is under attack from technology companies, trade associations and lobbying groups, which are pressing Congress to tighten privacy protections. Federal investigators have used the law to view content hosted by third-party providers for civil and criminal lawsuits, in some cases without giving notice to the individual being investigated.

Nearly 30 years after Congress passed the law, the Electronic Communications Privacy Act, which government officials have interpreted to cover newer technologies, cloud computing companies are scrambling to reassure their customers, and some clients are taking their business to other countries.

Ben Young, the general counsel for Peer 1, a web hosting company based in Vancouver, British Columbia, said his customers were keeping their business out of the United States because the country “has a serious branding problem.”

“We’ve enjoyed a competitive advantage in Canada,” he said, “because the public perception in the business community is that American law enforcement has more access to data than in other parts of the world.”

Places such as Germany, Iceland and Switzerland are trading on a reputation of stronger protections for companies, but such safeguards are not universally tighter than those in the United States. “Some countries are stricter on privacy, and some of them are not,” said Mark Jaycox, a legislative analyst at the Electronic Frontier Foundation, a technology advocacy group.

Privacy has been an increasing concern since […]

Data breaches highlight the need for proper data security

The UK Information Commissioner has recently told the BBC that the reputational damage from a data breach can be far more significant than any penalty emanating from a regulator. It is relevant to note that the Information Commissioner has the power to issue businesses with fines of up to £500,000 for serious breaches of the UK’s data protection legislation. He said:

“It’s our information, it needs to be protected and the brands that get it wrong will trash their reputation – that’s the real threat for the eBay’s and the Sony’s of this world” and “… the real hit is reputation, the real hit is the brand.”

He also said:

  • that both individuals and businesses are “not sufficiently alert to what is going on in the 21st century”.
  • “Cyber crime is real. Hacking is real. Watch out, there’s a data thief about … the personal information that is there online – practically everything we do, social, business, work, buying stuff, holidays – the data imprint is huge and none of us are taking this seriously enough. None of us are as good as we should be about passwords, [from] changing passwords regularly, [to setting] credible, hard passwords … and companies aren’t taking this seriously enough and they should be.”

That experience holds equally in Australia. The UK protections are more comprehensive and effective than those under the Privacy Act, but the Privacy Commissioner does now have enhanced powers to deal with breaches arising from inadequate security. The level of understanding among organisations of what proper privacy protection involves is generally poor. With some notable exceptions, the level of sophistication of systems, training, protocols and policies is also quite poor. Part of that is due to […]

Identity theft to be outlawed in New Zealand, with privacy enhancements, but much more work required on identity theft in Australia

May 29, 2014

The New Zealand legislature will be outlawing identity theft, with major improvements in privacy regulation, according to Stuff. That includes mandatory data breach notification legislation.

Identity theft is to be outlawed with a fine of up to $10,000 under an overhaul of privacy laws.

The Government is to […]