Peter A Clarke

The National Institute of Science and Technology has published the final version of NIST Internal Report (IR) 8349, Methodology for Characterizing Network Behavior of Internet of Things (IoT) Devices. and a draft of NIST IR 8536, Supply Chain Traceability: Manufacturing Meta-Framework.

Understanding the scope of the Internet of things and how the network operates is key to determining its cyber security requirements.   This 47 page report is worth consideration.  The Internet of Things will become more not less ubiquitous and more and not less prone to cyber attacks.  The Supply Traceability paper is also important but more specific and technical.

Internet of Things

The summary provides:

Characterizing and understanding the expected network behavior of IoT devices is essential for cybersecurity; it enables the implementation of appropriate network access controls to protect the devices and the networks on which they are deployed. Device characterization techniques that describe the communication requirements of IoT devices, in support of the NCCoE Securing Home IoT Devices Using Manufacturer Usage Description (MUD) project, can aid in securing devices and their networks. 

To properly secure networks, network administrators need to understand what devices are on the network and what network communication each device requires to perform its intended functions. In the case of networks that include IoT devices, it is often difficult to identify each individual device, much less know what network access is required by each device to other network components (and what access other network components need to each device). Read the rest of this entry »

Hanson Chambers in South Australia have been hit with a cyber attack. The chambers has 8 barristers; 3 silks and 5 juniors. And one associate member, acting as a mediator. The breach is serious with correspondence and court documents being stolen and listed on the Lynx ransomware site. It has been reported in cyberdaily.au in Exclusive: South Australian barristers’ chambers listed on Lynx ransomware’s leak site.  

The cyberdaily article Read the rest of this entry »

There will be a change to the Rules of the Federal Circuit Court and Family Court (Division 2). New Practice Directions will also take effect being:

• Central Practice Direction: General Federal Law Proceedings
• Central Practice Direction: Migration Proceedings
• General Federal Law Practice Direction: Admiralty and Maritime Proceedings;
• General Federal Law Practice Direction: Intellectual Property Proceedings.

Practice Directions

The Court’s summary of the Practice Directions provides:

Central Practice Direction: General Federal Law Proceedings

• updates to reflect new rule references in the new GFL Rules.
• updates removing child support from the types of proceeding listed as within the Court’s general federal law jurisdiction, to reflect that child support proceedings must now be heard in the family law jurisdiction.
• new item 3.2 on the overarching purpose stating that parties and their lawyers have a duty to co-operate with the Court and amongst practitioners.
• new section 4 stating the procedural requirements for parties seeking to file an urgent application.
• new item 6.3 on case management stating that the Court expects a party to seek consent of all other parties when seeking to adjourn a hearing or vacate a listing date.
• updates to section 8 on ending a proceeding early to reflect that parties can file a notice of discontinuance at any time before the first court date, or, if the proceeding is continued on pleadings, any time before the pleadings have closed. This includes new item 8.2 which states that the notice of discontinuance can be filed at a later date with the leave of the court or the other parties’ consent, if judgment has not been entered.
• new section 10 on parties’ conduct and communication with the Court stating the requirements for parties when communicating with each other, the Court and all Court staff. 

Central Practice Direction: Migration Proceedings

• this is a new Practice Direction, some items in the previous Migration Practice Direction remain and new items have been included.
• updates to reflect new rule references under the new GFL Rules.
• new section 3 including:
  • the assignment of a pseudonym to litigants
  • the requirements for how parties are to be named in migration proceedings
  • the requirement that all Court documents must include the details of the person who prepared the document irrespective of whether that person is a lawyer
  • the obligations under section 486E of the Migration Act 1958 (Cth)
  • the requirements for notifying the other party when filing documents with the Court.
• new section 4 regarding how the Court triages matters before they are allocated to a judicial officer for determination.
• new section 5 stating the requirements for parties seeking to file an urgent application.
• new section 6 regarding the non-removal from Australia of detainees with litigation before the Court.
• new section 7 regarding matters involving a party who is in immigration detention.
• new section 8 regarding the requirement for the solicitor for the Minister to prepare a Court Book and what it must include. This section also includes the Court’s requirements where a party wishes to rely on authorities.
• new section 9 on interview/hearing audio and transcripts.
• new section 10 regarding requests for adjournment.
• new section 12 regarding the requirements for Direct Access Barristers.
• new section 13 on parties’ conduct and communication with the Court stating the requirements for parties when communicating with each other, the Court and all Court staff.

General Federal Law Practice Direction: Admiralty and Maritime Proceedings

• updates to reflect new rule references under the new GFL Rules.
• new item 1.2 reflecting that parties have a duty to act consistently with the overarching purpose, and practitioners must assist parties to comply with the duty.
• removal of section 8 on urgent applications due to new section 4 in the Central Practice Direction – General Federal Law Proceedings.

Read the rest of this entry »

Sam and Brittany Groth have issued proceedings in the Federal Magistrates Court against the Herald and Weekly Times alleging a breach of privacy. Or more accurately a breach of the statutory tort of serious invasion of privacy. The Court number is VID1130/2025 and there are 3 respondents; the Herald and Weekly Times, Stephen Drill and Sam Weir. The story is covered by 3AW (with audio) in Deputy opposition leader launches legal action over controversial reporting. The Australian Financial Review also covers it Read the rest of this entry »

In late July 2025 the Attorney General, Michelle Rowland, said to the Australian Financial Review that the Privacy Act was not fit for the digital age”. She later said during an an appearance on Sky News’ Sunday Agenda regarding the Privacy Act that “..Well, this is the second tranche of privacy reforms. I think it’s fair to say, Andrew, that Australians are sick and tired of their personal information not only being exploited for benefit by third parties, but also the way in which that information is not being protected. We’ve seen that in recent times with data breaches, both by Australian companies as well as multinational tech giants.”

Modern reform often begins with Ministers making noises about the need to address this or that reform.  Putting the issue onto the agenda.  In the privacy context that was done in 2022 – 2023.  The 2022 Privacy Act Review Report proposed 116 recommendations to reform the Privacy Act 1988.

The government accepted 38 of the proposed reforms and agreed to 68 in principle.  It said it would implement the changes in phases.  The first tranche, as it became known, was found in the Privacy and Other Legislation Amendment Act 2024 which passed in November 2024 and became law on 10 December 2024.  It implemented 23 of the reforms, including the introduction of a statutory tort of privacy, anti-doxxing offences and a new tiered civil penalty regime, as well as the development of a new Children’s Privacy Code, which is currently the subject of consultation undertaken by the Office of the Australian Information Commissioner (OAIC). The  obligation to disclose the use of personal information for automated decision making will commence in December 2026.

The Attorney General has now dropped two not very subtle hints that more privacy reform is required.  Nothing detailed about the what and the when but that is not required.  Starting the conversation is the key.  Given the Government has already responded to a report’s recommendation going from discussion to action is a short step.

As to when the second tranche will be introduced into Parliament as a Bill is the subject of some speculation.  It is a more comprehensive  set of reforms and some are Read the rest of this entry »

Regulators are increasing their focus on the proper use of biometrics. Advances in technology has made the collection and mandatory use of biometrics more prevalent. Even common in some industries. That has meant more attention by the regulators as compliance is an issue when it comes to collection, storage, use and disposal of this sort of personal information. On 11 August 2025 the Privacy Commissioner of Canada issued its guidance on the use of biometrics. This follows the New Zealand Privacy Commissioner publishing rules on the use of biometrics earlier this month. The UK Information Commissioner has probably issued the most comprehensive biometric data guidance. While it is referable to UK legislation it’s general advice is very good. The Australian Information Commissioner has not published guidelines on biometrics however has advised that biometric information is sensitive information for the purpose of the Privacy Act 1988.

The key issues from the Canadian guidelines are:

1. Collection, use and dislosure.  Appropriate use
   • At the outset the organisation must have  lawful authority for the collection, use and disclosure of biometric information. The issue is slightly different between sectors:
     • Public sector: In establishing whether Federal institutions have lawful authority to collect biometric information the information must directly relate to a government program or activity.
     • Private sector: organisations must identify a legitimate need for using biometrics.  The collection and use must be effective, minimally intrusive and proportionate to its purpose.
2. Consent
   • As with all privacy legislation consent is important.  As the guidance states it must be valid, informed and meaningful. That includes advising people what biometric information will be collected, why it is needed, who it may be shared with and any risks of harm.
   • Biometrics is not the first and only option.  Where biometrics are not integral to the service, alternatives must be offered.
3.  Privacy Impacts; Necessity and ProportionalityAs is good practice generally prior to implementing a biometrics program there should be a privacy impact assessment. That means showing that biometrics are:
   • Necessary for a specific, legitimate and defensible objective;
   • Effective and reliable in achieving that purpose;
   • Minimally intrusive, with no less invasive alternatives available; and
   • Proportional, ensuring that privacy impacts are commensurate to the benefits gained.
4. Limiting Collection, Use and Retention

   Organisations must only collect and use the biometric characteristics strictly necessary for the stated purpose. The process involves:

   • Favouring verification (one-to-one) systems over identification (one-to-many), where feasible;
   • Avoiding large, centralised biometric databases;
   • Avoiding the extraction of secondary information t;
   • Limiting disclosure; and
   • Retaining biometric information only as long as necessary and destroying it once no longer required.
5. Security/Safeguards

   This encompases having measures to protect personal information against loss, theft or unauthorised access. Biometric information must be secured with physical, administrative and technical measures proportionate to its sensitivity. Best practices involves:

   • Encryption during storage and transmission;
   • Regular penetration testing and vulnerability assessments;
   • Control of employee access; and
   • Breach reporting.
6. Accuracy

   It is important to have accurate information.  The consequences can be even greater with  biometric recognition.  Erroneous information can lead to wrongful denial of services or misidentification. Best practice includes:

   • adopting technologies with appropriate accuracy rates;
   • Testing systems in real-world conditions and across demographic groups to minimise bias and discrimination;
   • Monitoring accuracy on an ongoing basis, as system updates can affect performance; and
   • Developing procedures for false positives and negatives, ensuring timely resolution and human review where decisions have significant consequences.
7. Accountability

   While holding biometric information organisations remain responsible for that biometric information even when using third-party service providers. In that respect organisations obligations include:

   • due diligence on service providers’ practices;
   • having contracts and information-sharing agreements that embed privacy protections;
   • establishing clear governance structures, audit rights and breach response plans; and
   • ensuring there is adequate employee training and oversight.
8. Openness and Transparency

Read the rest of this entry »

Cryptographic keys are a key part of any proper protection of an organisation’s operations. And the compromise of those keys can have catastrophic effect on an organisation. The ACSC has developed a guide to assist organisations develop a Key Management Plan to deal with internal and external threats. It should be used in conjunction with appropriate NIST standards.  The guidance contains references, by way of hyperlink, to other guidances and publications.  They should be read as well.

The guide relevantly provides:

The world is increasingly relying on online services, digitalisation of data and interconnected systems, cyber security is a vital way in which we protect critical sectors. Good security hygiene keeps participants from making mistakes and makes it harder for malicious cyber actors to cause damage. One important aspect of cyber security is cryptographic keys and secrets management systems. Cryptographic keys and secrets are required for services that secure data, provide integrity, confidentiality, non-repudiation and access control. Cryptographic keys and secrets are a critical asset of many organisations and a core component of cyber security, which must be carefully managed and protected throughout their life cycle.

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and the Department of Industry Science and Resources (DISR) have developed this guide to help organisational personnel in understanding the threat environment and the value of implementing secure keys and secrets management to make better informed decisions.

The compromise of any private key or secret can have significant, or even severe, negative operational, financial and reputational impacts on an organisation. Organisations must seek to implement mitigations to ensure their organisational keys and secrets are protected and so they are positioned to respond quickly and effectively in the case of a security incident. Read the rest of this entry »

The National Institute of Science and Technology (NIST) provides invaluable support to those developing privacy and data security controls for businesses and government agencies. On 6 June 2025 Donald Trump issued an executive order titled SUSTAINING SELECT EFFORTS TO STRENGTHEN THE NATION’S CYBERSECURITY AND AMENDING EXECUTIVE ORDER 13694
AND EXECUTIVE ORDER 14144. Previous Presidents have issued Executive Orders to deal with threats to cyber security.

In response to the Executive Order the NIST  revised its catalog of security and privacy controls, focusing on improving the security and reliability of software updates and patches.  They are:

• SP 800-53 Release 5.2.0 which addresses multiple aspects of the software development and deployment process, including software and system resiliency by design, developer testing, the deployment and management of updates, and software integrity and validation. 
• updates to the control catalog through the Cybersecurity and Privacy Reference Tool (CPRT), which allows downloads of machine-readable formats, including OSCAL and JSON.

The Executive Order provides:

By the authority vested in me as President by the Constitution and the laws of the United States of America, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.), the National Emergencies Act (50 U.S.C. 1601 et seq.), section 212(f) of the Immigration and Nationality Act of 1952 (8 U.S.C. 1182(f)), and section 301 of title 3, United States Code, it is hereby ordered:

Section 1.  Amendments to Executive Order 14144.  Executive Order 14144 of January 16, 2025 (Strengthening and Promoting Innovation in the Nation’s Cybersecurity), is hereby amended by: Read the rest of this entry »

The Safetrac saga continues apace with allegations that it installed listening devices without consent or updating its surveillance policy. The AFR reports on these concerning developings in Safetrac surveillance installed without staff agreement: HR manager. Safetrac installed the Teramind program. Teramind proudly admits that itts program is designed to Monitor, analyze, and manage employee activity to prevent insider threats, safeguard sensitive information, and optimize team performance.According to the piece Safetrac used microphones of employees’ laptops to record sound close to their computer from 15 April until 2 June 2025.  Not so coincidentally the statutory tort of serious invasion of privacy came into effect on 10 June 2025. It amended its policy on use of surveillance equipment from 4 sentences to 2 pages.  Whether that is sufficient to constitute proper awareness and consent is another story.

And interesting issue may be whether Safetrac used the Teramind program while monitoring compliance on behalf of some of its clients employees laptops and whether they were aware of it.

The article provides:

Read the rest of this entry »

The fact that there is effective surveillance technology in the market does not mean it should be used. Pegasus spyware can be remotely and covertly be installed on mobile phones running IOS and Android. It is marketed as being used for fighting crime and terrorism. And it could even be sold as a supervision tool by companies. But because the way it operates is via secrecy and is effectively a form of spying it has not been used by businesses but rather is used by autocratic governments to spy on journalists and dissidents. There is other software which is less pernicious than Pegasus but can spy on individuals through the use of their computers. That intrudes into people’s privacy.  And enter Safetrac which according to the AFR’s quite brilliant article titled Company turned laptops into covert recording devices to monitor WFH has used a used software to eavesdrop on staff, for up to 10 hours a day, and video them as well. Safetrac claims to have provided notice and got consent. The notice is 4 sentences in a policy and some commentary during a “Town Hall.” That is inadequate. The fact that the surveillance picked up non work related sounds, such as private conversations and out of hours will also make its actions privacy instrusive. This story is not over.  The Privacy Commissioner has jurisdiction to consider whether there has been a breach of an Australian Privacy Principle of the Privacy Act 1988.  If the recordings took place after 10 June 2025 then those affected may have a cause of action for the statutory tort of serious invasion of privacy.  Even if not there are options in equity.  

The article provides:

Read the rest of this entry »