Health data breaches of many varieties

June 18, 2022

The Markup has published a most extraordinary story, Facebook Is Receiving Sensitive Medical Information from Hospital Websites, where hospitals which had installed the Meta Pixel had collected sensitive personal information and sent it to Facebook.  Meta Pixel is an analytical tool that allows a company to track its website visitors activities. This piece of code helps identify Facebook and Instagram users and see how they interacted with the content on the website . This information can be used to target people with ads based on interests. It used to be called the Facebook Pixel.  The Meta Pixel sends information to Facebook via scripts running in a person’s internet browser, so each data packet comes labeled with an IP address that can be used in combination with other data to identify an individual or householdhttps://www.natlawreview.com/article/motion-preliminary-approval-accellion-data-breach-settlement-filed-california

A more traditional health data breach was involving the Baptist Medical Center and Resolute Hospital which involved an unauthorised party accessing and exfiltrated data from their network between March 31, 2022 and April 24. The information may have included:

  • full name, date of birth, and address
  • Social Security number
  • health insurance information, such as the name of insurer/government payor and the policy and/or group number
  • medical information, such as medical record numbers, dates of service, provider and facility names, chief complaint or reason for a visit, and other visit procedure and diagnosis information
  • billing and claims information, such as account and claim status, billing and diagnostic codes, and payor information

Meanwhile at Yuma Regional Medical Centre Read the rest of this entry »

Australian Information Commissioner to look at use facial recognition technology at Bunnings, Kmart, Good Guys etc…

June 17, 2022

After Choice’s comprehensive report, the firestorm of media coverage and obstinate response by Bunnings it was always a strong possibility that the Information Commissioner would look at the material Choice collected.  Given the Commissioner’s findings against 7 Eleven’s use of facial recognition technology Bunnings et al may have some difficulties because they adopted wheezes to supposedly comply with the Privacy Act which were rejected by the Information Commissioner.  Such problematical Read the rest of this entry »

Federal Trade Commission issues a report on the problems of using Artificial Intelligence to combat online problems.

The Federal Trade Commission (FTC) today released a very important report to Congress, Combatting Online Harms Through Innovation, warning about abuses of AI.  Those abuses include privacy intrusive practices and biases built into AI.  It highlights the growing body of work warning of worrying aspects of Artificial Intelligence in accuracy, biases and privacy intrusive processes, including surveillance.

The press release Read the rest of this entry »

Colorado passes legislation restricting the use of facial recognition technology by government agencies

June 16, 2022

Colorado’s governor has just signed into law legislation aimed at limiting the use of facial recognition technology by government agencies and state institutions.  This highlights that facial recognition is capable of proper regulation, that privacy issues can be regulated and there is a public good in properly regulating this form of technology. 

It has been well summarised in The National Law Review as:

Ramping up the state’s continued focus on data privacy, on June 8, 2022, Colorado Governor Jared Polis signed legislation aimed at limiting the use of facial recognition technology by government agencies and state institutions of higher education.

The new law, SB 113, requires an agency, defined as “an agency of the state government or of a local government; or a state institution of higher education,” that intends to “develop, procure, use or continue to use facial recognition service” to provide notice of intent to use those services with its “reporting authority” prior to using the technology. Read the rest of this entry »

Continuing story Bunnings & ors and facial recognition & privacy violations…as if it is news

The Choice story regarding some of our biggest retailers using facial recognition in their stores continues to attract media coverage.  As well it should.  The ABC has undertaken a broad brush review, Renewed calls for national guidelines on using facial recognition technology after CHOICE investigation, regarding the science of facial recognition and the legal regulation, or more accurately the lack thereof. The Conversation weighs in for some analysis with Bunnings, Kmart and The Good Guys say they use facial recognition for ‘loss prevention’. An expert explains what it might mean for you.

The Oz with Faceprint technology: Kmart, Bunnings and The Good Guys are scanning customers’ faces in stores reports on the (usual) call for Federal Government action to ban facial recognition.  Bunnings has decided to join the fray and attack the Choice article stating:

We are disappointed by CHOICE’s inaccurate characterisation of Bunnings’ use of facial recognition technology in selected stores. This technology is used solely to keep team and customers safe and prevent unlawful activity in our stores, which is consistent with the Privacy Act.
In recent years, we’ve seen an increase in the number of challenging interactions our team have had to handle in our stores and this technology is an important tool in helping us to prevent repeat abuse and threatening behaviour towards our team and customers.
There are strict controls around the use of the technology which can only be accessed by specially trained team. This technology is not used for marketing, consumer behaviour tracking, and images of children are never enrolled.
We let customers know if the technology is in use through signage at our store entrances and also in our privacy policy, which is available via the homepage of our website.

It is a wholly unconvincing defence of the facial technology and proper notice of the use of the facial recognition technology. It is a weak defence because:

  • What is the safety issue? It is not terrorism or armed robberty? It is challenging interactions which constitutes abuse and “threatening behaviour”.  What exactly does challenging interactions mean.  These terms have been misused on occasion by organisations and government to extend to dissent or disagreement of any form.  If it is arguments at the check out why is it necessary to obtain facial recognition data of all individuals.  With these interactions why isn’t it sufficient to take a picture of the malefactor using a camera or smartphone and then use that as a resource to enforce a banning order, if that is what is anticipated. 
  • What is the threshold for the use of the facial recognition?  A prior argument or what?  It is all very vague.  
  •  how is the technology being used to keep team and customers people safe? If a small proportion of individuals cause a problem how does that justify the hoovering up of thousands of images.  
  • how long are the images kept for?  Are they being distributed throughout all Bunnings Stores?  Are they provided to Bunnings staff for delivery purposes?  It is possible for a customer who engages in “challenging interactions” to order on line and have products delivered.
  • what are strict controls regarding the use of the technology.  It is a statement that means nothing.,  What is the special training that the team receive before they can access the technology. 
  • how does the Bunnings screen out children?  What is the age cut off?  How is that determined?  By an algorithm or a specially trained staff. 
  • the notice to the customers is a joke.  The signage at the store entrance is in small print.  Nothing is done to bring that to the customers attention.  Similarly burying reference to it in the privacy policy is unsatisfactory, as the Information Commissioner found with 7 Eleven’s notice on web site.  How Bunnings can rely on this argument given the Commissioner’s findings last year is quite extraordinary. 

Read the rest of this entry »

Facial recognition technology at Kmart, Bunnings and the Goodguys..Serious privacy concerns. It highlights the inadequacy of privacy legislation & poor regulation of what there is.

June 15, 2022

Choice has published the findings of its investigations of retailers using facial recognition with Kmart, Bunnings and The Good Guys using facial recognition technology in stores.  The Australian has picked up on that story with Faceprint technology: Kmart, Bunnings and The Good Guys are scanning customers’ faces in stores.

Both stories cover a disturbing pattern of organisations deploying privacy instrusive technology without any real restrictions or regulation.  As the stories make clear the compliance with the Privacy Act 1988 as to collection of personal information is either buried in on line privacy statements or small inconspicuous written notices under the heading conditions of entry off to the side of the entrance of Kmart stores.  This is arrogance writ large.  Kmart has undergone a box ticking exercise.  And the excuses used by Bunnings, that facial recognition technology is to “..to help identify persons of interest who have previously been involved in incidents of concern in our stores,” and that it is  “..an important measure that helps us to maintain a safe and secure environment for our team and customers.”  is, if true, a wholly disproportionate response to a problem Read the rest of this entry »

Canadian Federal Government introduces a bill to compel industries to bolster cyber security

Canada is likely to join the United States and Australia and other countries in legislating increased cyber security for key industries as reported in New federal bill would compel key industries to bolster cyber security — or pay a price.  This form of legislation is probably required however remains a panacea.  Adding an additional layer of obligations doesn’t change the base of the problem, that too few businesses put in nearly enough effort in basic privacy and data protection,  The new laws will require the key industries to set up processes and respond to a cyber attack.  But will it mean companies will spend what needs to be spent to protect themselves properly.,  If Australia is any guide then no.

The Canadian Broadcasting Service Read the rest of this entry »

US Chamber of Commerce write open letter need for Privacy Legislation

June 14, 2022

US Chamber of Commerce has written an open letter to the Members of the Senate Committee on Commerce, Science and Transportation and the House Committee on Energy and Commerce, on potential national data privacy legislation. As far as the history of legislative action in the privacy field this is a pretty big deal.  Little wonder given the growing patchwork of state laws that now exist to fill the gap in regulation.  From a business point of view having to comply with various levels of protections across jurisdiction would be a nightmare and one that will get worse not better. 

The letter Read the rest of this entry »

Google AI’s chatbot sentient…interesting if unlikely at the moment…but it does highlight impacts for the law.

Blake Lemoine, hardly a household name, has the tech world and Google aflutter with his suggestion that Google’s artificial intelligence chatbox has become sentient.  That has earned him a suspension and whatever else Google can come up with on his return.  Google has Read the rest of this entry »

Report says Australia is an easy target for bank app trojans…Australian banks with poor privacy protections! Quelle surprise!

June 13, 2022

The Australian reports breathlessly with Australia an ‘easy target’ for bank app trojans that Australian banks are vulnerable to malware with 13 of 34 apps being targeted by a variety of banking trojans. Given Australian financial institutions spotty records when it comes to data breaches this story hardly deserves the column inches it gets.  In April last year NAB repaid customers $687,000 for a data breach.  In August 2019 hackers breached tens of thousands of Australian banking accounts through PayID.  In May 2018 the Commonwealth Bank of Australia lost the personal financial histories of 12 million customers.  And being a bank it decided that its customers did not need to know.  The information was contained in magnetic tapes which, of course, were not encrypted. 

So the most recent Australian story is worth a run but hardly a novel turn of events. The criticisms in the article about inadequate infrastructure, ineffective consumer protection laws and a poor mindset have applied for many years.  There is no incentive to change.  The consequences of a data breach are embarrassment, sitting across the table from the Information Commissioner for a few hours and compensation for those account holders who lost money through fraud.  That is small change Read the rest of this entry »