June 8, 2022
The National Institute of Standards and Technology (“NIST”) has release Engineering Trustworthy Secure Systems for public comment.It is a very useful document for those interested in privacy and cyber security in that it provides a framework for analysis.
This guide has been produced pursuant to a Presidential Executive Order on 12 May 20212 titled Improving the National’s Cyber Security WO 14028.
The key elements of that executive order Read the rest of this entry »
Posted in Legal, Practical issues, Privacy
|
Post a comment »
June 7, 2022
The Federal Court, per Rares J, found for John Barilaro in Barilaro v Google LLC [2022] FCA 650 for defamation by means of posts on YouTube and awarded him $715,000.
FACTS
The publications complained of were two YouTube videos prepared by a Mr Shanks:
- bruz, first uploaded on 14 September 2020. The contents are described in great detail at [33] – [63]; and
- Secret Dictatorship, first uploaded on 21 October 2020 [3]. It is described in great detail at [81] – [91]
The imputations pleaded in bruz video was that:
(a) Mr Barilaro is a corrupt conman;
(b) Mr Barilaro committed perjury nine times;
(c) Mr Barilaro has so conducted himself in committing perjury nine times that he should be gaoled;
(d) Mr Barilaro corruptly gave $3.3 million to a beef company; and
(e) Mr Barilaro corruptly voted against a Royal Commission into water theft [4].
The imputations pleaded in Secret Dictatorship video was that:
(a) Mr Barilaro has acted corruptly by engaging in the blackmailing of councillors;
(b) Mr Barilaro has acted corruptly by engaging in the blackmailing of councillors using taxpayer money; and
(c) Mr Barilaro has pocketed millions of dollars which have been stolen from the Narrandera Shire Council [5].
On 25 November 2020 Barilaro’s chief of staff, McCormack, contacted Google Australia’s manager to complain about the racist and untrue content of friendlyjordies videos [129]. On 30 November 2020 Barilaro’s social media manager made a formal complaint to YouTube about the allegations Read the rest of this entry »
Posted in Australian decisions, Defamation, Federal Court, Legal
|
Post a comment »
June 5, 2022
The USA stands alone amongst first world countries that does not have Federal Legislation regulating the collection and use of the personal information. That may soon change. The draft American Data Privacy and Protection Act was released by both House and Senate leaders on 3 June 2022. it is a bipartisan discussion draft data privacy bill.
The Act is an advance on many previous efforts because it has bipartisan support and incorporates compromise positions on state law preemption and enforcement.
The statement from the US Sentate Committee on Commerce, Science and Transportation provides:
WASHINGTON – U.S. Senator Roger Wicker, R-Miss., Ranking Member of the Senate Committee on Commerce, Science, and Transportation, and U.S. Representatives Frank Pallone, Jr. D-N.J., and Cathy McMorris Rodgers, R-Wash., Chairman and Ranking Member of the House Committee on Energy and Commerce, today released a discussion draft of a comprehensive national data privacy and data security framework. The draft legislation is the first comprehensive privacy proposal to gain bipartisan, bicameral support.
“This bipartisan and bicameral effort to produce a comprehensive data privacy framework has been years in the making, and the release of this discussion draft represents a critical milestone,” Wicker, Pallone, and Rodgers said. “In the coming weeks, we will be working with our colleagues on both sides of the aisle to build support and finalize this standard to give Americans more control over their personal data. We welcome and encourage all of our colleagues to join us in this effort to enable meaningful privacy protections for Americans and provide businesses with operational certainty. This landmark agreement represents the sum of years of good faith efforts by us, other Members, and numerous stakeholders as we work together to provide American consumers with comprehensive data privacy protections. Read the rest of this entry »
Posted in Privacy
|
Post a comment »
Tim Hortons is a Canadian fast food outlet specialising in take away coffees and snacks. It has a large presence in Canada. It heavily promotes its apps to allow customers to order their beverages and food by phone.
The Privacy Commissioner of Canada has found that Tim Hortons app violated privacy laws in collecting vast amounts of sensitive location data. The app permitted Tim Hortons to track and record the users movements every few minutes even when the app was not open. Tim Hortons asked for permission to access geolocations functions but misled users who thought that access would be used when the app was open. In fact the location data was collected even when individuals app was not open. As long as the device was on data was collected. Tim Horton’s only stopped the practice when the Privacy Commissioners began to investigate.
Collection on this scale would give Tim Hortons an enormous amount of raw data from which, with the right algorithms, determine where users lived, where they worked and even when they used a competitor’s product. The question of proportionality was raised by the Privacy Commissioner. And appropriately. In the Australian context the issue is whether the purpose for the collection of that vast amount of data relates to the ordering and purchasing of coffee.
It is no surprise that the Privacy Commissioner found there wasn’t a ” robust privacy management program for the app.” It is a fairly typical story to see the majority of the work being focused on developing a the functionality of the app and making it as attractive to users as possible and considering privacy protections as Read the rest of this entry »
Posted in Canadian Privacy Commissioner, Privacy
|
Post a comment »
June 4, 2022
May was hardly a banner month for cyber security 2022. It governance has identified 77 security breaches in May 2022 resulting in 49,782,129 compromised records, a polite term for hackers accessing information.
The highlights are:
- hackers stole records of 22.5 million Malaysians from the National Registration Department and are looking to sell the data for $10,000 US;
- a successful phishing attack at the Australian Pension provider Spirit Super affected 50,000 victims. The attack was made through an employee’s email account. The information involved included names, addresses, ages (as at 2019 and 2020), email addresses, telephone numbers, member account numbers, and member balances (as at 2019 and 2020).
- Chicago Public School was hit with a data breach exposing 4 years worth of records, involving 560,000 students and employees.
- Breastcancer.org, a breast cancer charity suffered a data breach which exposed 350,000 files totaling 150 GB of data. The compromised data included sensitive images of website users.
- The National Population Commission of Nigeria suffered a theft of birth certificates.
- in South Australia more than 90,000 public servants had their personal information stolen.
- IKEA Canada had a data breach involving personal information of 95,000 customers.
Read the rest of this entry »
Posted in Privacy
|
Post a comment »
The National Institute of Standards and Technology (“NIST”) have released Volume A of a preliminary draft practice guide titled “Implementing a Zero Trust Architecture” . This guide shows how commercially available technology is being used to build interoperable, open standards-based ZTA example implementations that align with the principle of Zero Trust Architecture.
The Abstract provides:
The proliferation of cloud computing, mobile device use, and the Internet of Things has dissolved conventional network boundaries. The workforce is more distributed, with remote workers who need access to resources anytime, anywhere, and on any device, to support the mission. Enterprises must evolve to provide secure access to company resources from any location and asset, protect interactions with business partners, and shield client-server as well as inter-server communications. Read the rest of this entry »
Posted in Privacy
|
Post a comment »
May 28, 2022
Verizon has just released its 2022 Data Breach Investigation Report which shows that Ransomware has grown 13% year on year in 2022. The report is valuable because it records trends in ransomware attacks.
The report states:
- the four means of accessing an organisations online site is via:
- misuse of credentials,
- Phishing,
- Exploiting vulnerabilities, and
- Botnets.
- Error continues to be a dominant trend, and is heavily influenced by misconfigured cloud storage.
- The human element continues to drive breaches. Whether it is the use of stolen credentials, phishing or simply an error, people continue to play a large part in incidents and breaches alike.
- data compromises are considerably more likely to result from external attacks than from any other source.
- 80% of breaches are caused by individuals external to the organization
Read the rest of this entry »
Posted in General, Privacy
|
Post a comment »
The Federal, State and Territory Information Commissioners have released a joint statement regarding the handling of personal information, in the form of record. The statement provides:
Information Access and Privacy regulators from across Australia have issued a joint statement to mark National Sorry Day (26 May).
Australian Information Access Commissioners and Privacy Authorities recognise the important role of historical records in truth telling and sharing history, intergenerational healing, redress and reparations for Stolen Generation survivors and their families. Read the rest of this entry »
Posted in Privacy
|
Post a comment »
May 27, 2022
The National Institute of Standards and Technology (“NIST”) has issued a guideline Blockchain for Access Control Systems.
The abstract provides:
The rapid development and wide application of distributed network systems have made network security – especially access control and data privacy – ever more important. Blockchain technology offers features such as decentralization, high confidence, and tamper-resistance, which are advantages to solving auditability, resource consumption, scalability, central authority, and trust issues – all of which are challenges for network access control by traditional mechanisms. This document presents general information for blockchain access control systems from the views of blockchain system properties, components, functions, and supports for access control policy models. Considerations for implementing blockchain access control systems are also included.
Blockchain systems provide an alternative (or complimentary) system for reliability, security, accountability, and scalability for AC systems. Blockchain characteristics – such as transparency, distributed computing/storage, and a tamper-evident/tamper-resistant design – help to prevent AC data from being accessed or modified by malicious users. Access logs are also recorded in blocks that allow for the detection of malicious activities. Blockchain system components and their advantages for AC systems are Read the rest of this entry »
Posted in Big Data, General, Practical issues
|
Post a comment »
May 26, 2022
As the saying goes, the road to hell is paved with good intentions. That may be the sombre story of education apps used during the Pandemic. The Human Rights Watch has undertaken a detailed study, How Dare They Peep into My Private Life. Of particular interest is some of the practices of EdTech. The EdTech apps were used by students in Australia during the lockdowns. The Victorian and New South Wales Governments have announced inquiries. The Victorian Information Commissioner raised concerns about education apps as far back as August 2020 stating in a report that “..we consider that schools are at risk of breaching the [Information Privacy Principles] IPPs when using apps and web?based learning tools that handle student personal information.”
The report has been reported in Itnews with Edtech vendors invaded student privacy: Human Rights Watch, InnovationAus in ‘Dystopian’: Govt-endorsed education apps surveilling Australian children and the ABC with Investigation reveals tracking by EdTech of millions of Australian school students during COVID lockdowns.
Some interesting findings from the Report Read the rest of this entry »
Posted in Practical issues, Privacy
|
Post a comment »