Hacker steals data of 1 billion citizens of the Peoples Republic of China

July 6, 2022

When I first starting writing about privacy and data security data breaches involved low thousands of records compromised.  It didn’t take long for data breaches to involve many thousands of records and occasionally over a hundred thousand records.  In the last decade the ability and desire of government, organisations and businesses to collect masses of data has increased exponentially. Storage capacity increased as did the ability of analysing the data with the use of algorithms.  Analytics is now a sophisticated discipline and its products have made businesses wealthy.  Increased collection,use and storage of data has been matched by increased hacking into systems.  Personal information provides valuable source material for identity theft and other forms of fraud.  And many businesses and government agencies have traditionally had a terrible record in maintaining proper privacy protections and cyber security systems.

Now data breaches regularly involve millions of records, occasionally tens of millions of records. But not records of a billion people.  Until now.  Data Breach today reports in Unknown Hacker Steals Data of 1 Billion Chinese Citizens that an configuration error in Alibaba’s private cloud server resulted in a data breach involving a billion individuals.  The data was collected by Shanghai National Police and taken from its database.  The information was a hackers dream; names, home addresses, identification number and phone numbers.  That data, 23 terrabyte’s worth, is being offered for sale on a hacker forum for 10 Bitcoin (or over $200,000).

The story has been reported widely with Reuters, ABC, Bleeping Computer and the Guardian reporting on the breach among many others. China, being China, such a bad news story has been censored.  This can have the potentially Read the rest of this entry »

The National Institute of Standards and Technology releases Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process

Publications by the National Institute of Standards and Technology (“NIST”) is regarded by many privacy and cyber security practitioners as setting out technical and process standards.  That is not a universal view but given its output it is a matter of time before that becomes a reality.

The NIST has released its Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process

The first group of algorithms NIST has chosen are designed to withstand the possible assault of a future quantum computer. Quantum computers are likely to become powerful enough to break present-day encryption.  That poses a serious threat to information systems.  The four selected encryption algorithms will become part of NIST’s post-quantum cryptographic standard. Those selected algorithms are either alogorithms for:

  • general encryption, used to access secure websites; or
  • digital signatures, used to verify identities during a digital transaction or remote signing.

The Abstract Read the rest of this entry »

New version of Privacy (Credit Reporting) Code 2014 took effect on 1 July 2022. More information available to credit providers relating to financial hardship.

July 5, 2022

One of the most significant amendments to the Privacy Act 1988 in 2014 relating to credit reporting.  A key element of those amendments was the establishment of Credit Reporting Codes. On 7 June 2022, the Australian Information Commissioner approved a replacement to the Privacy (Credit Reporting) Code 2014 (Version 2.2) by introducing the Privacy (Credit Reporting) Code 2014 (Version 2.3) (Code). Version 2.3 of the Credit Reporting Code registered on 1 July 2022. It took effect on 1 July 2022.

For anyone involved practising in privacy law, particularly with a connection to banking and finance, it is worth reviewing the updated code carefully.

The release Read the rest of this entry »

Australian data is potentially compromised with Tik Tok’s admission that China can access US data

July 4, 2022

The phrase “six degrees of separation” should be truncated to “one degree of separation” when describing data flows.  Personal information of Australians is held by many US companies and organisations courtesy of on line shopping, various subscription services and other connections.

The ABC in Australian user data security in doubt after TikTok admits US data accessible by China highlights the vulnerability of data relating to Australians can be as great as those of US individuals where third parties can access the US user data. And US users of Tik Tok have/can have their data accessed by Tik Tok Employees.  Tik Tok admits that is employees in China have access to US user data. If they are both stored on the same servers the likelihood of harm can be as great.

There is a very real concern that norms about accessing information differ between Read the rest of this entry »

34.9 million records compromised in data breaches and cyber attacks in June 2022

Itgovernance has identified 80 incidents in June 2022 which resulted in 34,908,053 records being compromised.  The types of attacks vary as does the severity of the attacks. 

Those breaches included:

Read the rest of this entry »

National Institute of Standards and Technology release Applying the Cyber Security Framework for the Responsible Use of Positioning, Navigation and Timing (PNT) Services NISTIR 8323

July 1, 2022

The US President’s  Executive Order (EO) 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services. made on February 12, 2020 has had a significant impact on government agencies  working on instituting standards to improve cyber security and privacy generally.

The Executive Order specially stated that “the widespread adoption of PNT services means disruption or manipulation of these services could adversely affect U.S. national and economic security. To strengthen national resilience, the Federal Government must foster the responsible use of PNT services by critical infrastructure owners and operators.” The Order called for updates to the profile every two years or on an as needed basis.

Positioning, navigation and timing (PNT) services is a US owned utility. This system consists of three segments: the space segment, the control segment, and the user segment. The U.S. Air Force develops, maintains, and operates the space and control segment.

The PNT Profile is designed to be used as part of a risk management program in order to help organizations manage risks to systems, networks, and assets that use PNT services.  It is not intended to serve as a solution or compliance checklist that would guarantee the responsible use of PNT services

The abstract provides:

The national and economic security of the United States (US) is dependent upon the reliable functioning of critical infrastructure. Positioning, Navigation and Timing (PNT) services are widely deployed throughout the critical infrastructure. A disruption or manipulation of PNT services would have adverse impacts on much of the nation’s critical infrastructure. In a government wide effort to mitigate these impacts, Executive Order (EO) 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation and Timing Services was issued on February 12, 2020. The National Institute of Standards and Technology (NIST) as part of the Department of Commerce (DoC), produced this PNT Profile in response to Sec.4 Implementation (a), as detailed in the EO. The PNT Profile was created by using the NIST Cybersecurity Framework and can be used as part of a risk management program to help organizations manage cybersecurity risks to systems, networks, and assets that use PNT services, and is intended to be broadly applicable across all sectors. NIST acknowledges the tremendous efforts being undertaken by individual entities to address the responsible use of PNT services in their particular sectors and also encourages the development of sector specific guidance should more granular or specific risk management efforts be required. The PNT Profile can serve as a foundation for the development of sector specific guidance as well. This PNT Profile provides a flexible framework for users of PNT to manage risks when forming and using PNT signals and data, which are susceptible to natural and man-made, both intentional and unintentional, disruptions and manipulations.

The released document comes in at a hefty 115 pages.

Some interesting matters to note Read the rest of this entry »

Australian Digital Platform Regulators release Forum communique for priorities in 2022/23

June 29, 2022

Today the Information Commissioner, the Australian Competition and Consumer Commission (ACCC), Australian Media and Communications Authority (ACMA) and the eSafety Commissioner (eSafety) have released a joint communique regarding their co ordination and priorities for the next year.  The key focus will be digital transparency and algorithms and their impact.  As to what exactly that means in terms of action taken by regulators is not clear.  Both issues are very important in the privacy sphere. 

The communique provides:

Digital Platform Regulators Forum names algorithms, digital transparency and increased collaboration as priorities for 2022/23

The heads of the four members of the Digital Platform Regulators Forum (the forum) met yesterday and have agreed on a collective set of priorities for 2022/23.

Members of the forum are: The Australian Competition and Consumer Commission (ACCC), Australian Media and Communications Authority (ACMA), eSafety Commissioner (eSafety) and Office of the Australian Information Commissioner (OAIC).

The forum’s strategic priorities for 2022/23 include a focus on the impact of algorithms, seeking to increase transparency of digital platforms’ activities and how they are protecting users from potential harm, and increased collaboration and capacity building between the four members.

Through the forum all members have agreed to share information and work together to tackle issues across their traditional lines of responsibility.

Digital transparency Read the rest of this entry »

Choice makes complaint to the Australian Information Commissioner about Good Guys, Bunnings and Kmart using facial recognition. Meanwhile Good Guys is “pausing” its use of facial recognition

Choice has formally complained to the Australian Information Commissioner about the use of Facial Recognition by Kmart, Bunnings and the Good Guys.  Itnews has covered the story in Australian retailers named in facial recognition complaint

Choice’s announced the complaint by media release which provides:

CHOICE has asked the Office of the Australian Information Commissioner to investigate Kmart, Bunnings and The Good Guys for potential breaches of the Privacy Act (1988). CHOICE is concerned that the retailers’ practices related to their use of facial recognition technology pose significant risks to individuals. The social and economic risks include invasion of privacy, misidentification, discrimination, profiling and exclusion, as well as vulnerability to cybercrime through data breaches and identity theft.

Key issues

CHOICE has concerns with the retailers’ practices for two main reasons:

    1. Lack of notice and consent in the collection of sensitive information. The retailers’ use of online privacy policies and small signage in store as the key mechanisms to provide notice and obtain consent from individuals about the collection of their sensitive information is insufficient and non-compliant.
    2. The stated business purpose is disproportionate to the privacy harms posed to individuals. The retailers’ large scale collection and use of their customers’ sensitive information significantly invades the privacy of its customers. It is a disproportionate response to the risk of theft and anti-social behaviour in stores.

Choice has also made public the 16 page formal complaint.  It is comprehensive and refers to the Determination by the Information Commission against Clearview AI (Commissioner initiated investigation into Clearview AI, Inc. [2021] AICmr 54).  It is quite an impressive document. 

Choice alleges that the Kmart, Bunnings and the Good Guys breach the following Australian Privacy Principles (APPs):

APP 1.3 – have a clearly expressed and up-to-date APP Privacy Policy about how the
entity manages personal information;
? APP 3.3(a)(ii) – only collect ‘sensitive information’ where it is reasonably necessary;
? APP 3.3(a) – only collect ‘sensitive information’ with consent;
? APP 3.5 – only collect personal information by lawful and fair means; and
? APP 5.1 – take reasonable steps to notify an individual of the APP 5 matters or to
ensure the individual is aware of those matters.

As a prelude to the publishing its findings Choice undertook a survey of 1000 Australians about their awareness of facial recognition technology and found:

  • 76% of respondents didn’t know retailers were using facial recognition.
  • 83% of respondents think retail stores should be required to inform customers about the
    use of facial recognition before they enter the store.
  • 78% expressed concern about the secure storage of faceprint data.
  • 65% are concerned about stores using the technology to create profiles of customers
    that could cause them harm.

That is a very clever move.

Regarding the potential breaches :

APP1

Choice argues

  • retailers’ privacy policies (Appendix B) do not clearly express how the entities manage personal, including sensitive, information obtained through use of facial recognition technologies
  • retailers were not forthcoming on how they manage sensitive information obtained through facial recognition technologies. There is a reluctance by the retailers to be clear, transparent and upfront about their privacy practices

Read the rest of this entry »

Federal Attorney General pledges sweeping data privacy reforms in current parliament

Today Australian Financial Review reports in Dreyfus pledges sweeping data privacy reforms that the Commonwealth Government will commit to “sweeping reforms” to data privacy laws in the life of this parliament.  That is within at most 3 years.  He also made a similar pledge in an interview with ABC Radio National’s Law Report on 28 June 2022.

This is welcome news although it should be tempered with caution borne of many false dawns in the past.  The commitment is to data privacy laws and not privacy laws per se.  Hopefully the distinction is not significant.  If the reforms ignored legislating a statutory cause of action for interferences with privacy and retained the current regulatory structure where the Information Commissioner was responsible for taking any action for breaches that would be a retrograde step.  Similarly maintaining the multitude of exclusions from the operation of the Privacy Act 1988, such as employment records and the small business exemption (to name but two) and the broadly drawn exemptions within the Australian Privacy Principles would be a matter of concern. Hopefully the Government will consider both the Australian Law Reform Commission Reports For Your Information: Australian Privacy Law and Practice (ALRC Report 108) of 2008 and Serious Invasions of Privacy in the Digital Era (ALRC Report 123) in 2014.  But it is also important for it to consider legislating standards consistent with the General Data Protection Regulation which came into force on 25 May 2018.

The history of privacy reform has been dismal with ample blame to be assigned on all parties.  The Labor Government was selective in accepting and implementing recommendations from the 2008 Australian Law Reform Commission Report.  It could have legislated a statutory cause of action, as was recommended.  There was no good policy reason for Attorney General Dreyfus to commission yet another inquiry into privacy, this time on serious investigations in privacy in the digital era.  It was can kicking.  The issues were no different even if the impact of the digital economy was greater.  The Coalition when in government has done the bare minimum in reforming the Privacy Act 1988.  It made no effort to consider the recommendations of the ALRC 2008 and effectively shelved the Serious Invasions Report when it was completed in 2014.  It instituted a departmental review of the Privacy Act 1988 which has proceeded in a languid fashion.  Why a departmental investigation would be better than 2 ALRC reports is not clear.  The business community have doggedly resisted any form of privacy rights which gives individuals a direct right of action.  The rationale has always been weak but now is just anachronistic.  The Business Council  of Australia lauds the conciliation process run by the Information Commissioner as being largely successful in resolving complaints.  And why wouldn’t the Business Council support the status quo.  The Information Commissioner deals with complaints quietly and settlements are miserly.  It is also a timid regulator.  As business organisations hate the light it is a system that suits malefactors.  And business likes the small business exemption, which makes no logical sense given businesses with a turnover of less than $3 million can hold masses of personal information but is beyond regulation.  Of course media organisations have chosen sectional interest over public good in wanting to retain the media exemption. The Federal Court has not had its finest moments in decisions involving the Privacy Act 1988. The Full Court decision in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 (the Ben Grubb decision) was as wrong headed as it is possible to be in constraining the definition of personal information and regarding data collected by Telstra could not be used to identify Ben Grubb, and therefore be personal information.  It is an analog decision in the digital era. What is also clear is that principles based legislation is not easy to work with.  The terms are vague and the exemptions many.

Against this grim backdrop one can only hope the Government will look as much overseas as with the Australian Law Reform Commission’s recommendation when implementing the reform.  It should also not be afraid of a root and branch change to the Privacy Act 1988.  It is a weak vessel.

The article Read the rest of this entry »

Deloitte releases its 2022 Australia Privacy Index titled Every Breath You take

June 28, 2022

Deloitte Australia has released it 2022 Privacy Index, this year titled Every Breath You Take.  It is a very useful survey, focusing especially on APP 5. The results are sobering.  While some industries perform better than other generally there is a compliance problem. 

The web article provides:

In this year’s Index, we explore how transparency can increase consumers’ willingness to share data, the uses of online information and location data consumers are uncomfortable with and what value, if any, consumers place on personalisation. This is compared with the practices of leading consumer brands in the Australian market to determine whether brands are meeting these consumer expectations around their personal information.

The amount of information created and copied globally continues to grow and is forecast to increase for many years to come. The COVID-19 pandemic expedited this growth as we moved to learning, working, and entertaining from home. Unfortunately, accompanying this growth has been an increase in associated ‘creepy’ uses of information. Through the rise of online behavioural monitoring, brands now have access to even more data about their customers. They can act on this information through the personalisation of offers, online experiences and use of advertising tools provided by the likes of big technology corporations and social media.

Read the rest of this entry »