High Court hears argument in Google LLC v Defteros [2022] on 3 May 2022

May 9, 2022

The Full Bench of the High Court heard argument in Google LLC v Defteros [2022].  It is a case of considerable interest to defamation practitioners.  The key issue is whether a search engine is a publisher of defamatory material on a third-party website to which that search engine provides a hyperlink, when the search result on its own conveys no defamatory imputation.  Google also seeks a ruling on what is required to notify the search engine of a defamatory publication for the purposes of the common law doctrine of innocent dissemination and the statutory defence under section 32 of the Defamation Act 2005.

The transcript of oral argument before their Honours can be found here.

It is an appeal from a decision of the Victorian Court of Appeal in Defteros v Google LLC [2021] VSCA 167 (17 June 2021).  Interestingly, on that occasion the appellant, Defteros, was unsuccessful.  Google’s cross-application for leave to appeal was refused.

Special leave was granted on 10 December 2021 conditional upon Google paying Defteros’s costs of the appeal and not disturbing the costs orders in the Court of Appeal and at trial.  The transcript of the Special Leave Application can be found here.  In short, there is a public interest in resolving the issue. 

The essence of Google’s submissions is that the trial judge and the Victorian Court of Appeal erred in finding that the provision of a hyperlink was participation in the communication of defamatory material for the purpose of publication.

The submissions of both parties can be found Read the rest of this entry »

FBI reports that over $43 billion was stolen through business email compromise between June 2016 and 31 December 2021.

The Federal Bureau of Investigation (“FBI”) has issued a public service announcement reporting that there were 241,206 domestic and international incidents, involving a total loss of $43,312,749,946, arising from what is described as a Business Email Compromise.

A Business Email Compromise is defined as:

Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.

The scam is frequently carried out when an individual compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds.

The scam is not always associated with a transfer-of-funds request. One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even cryptocurrency wallets.

Interestingly, there was a 65% increase in global losses between July 2019 and December 2021. The FBI concludes that this is due to the COVID restrictions, which caused more work and business to be conducted virtually.

With every scam there needs to be Read the rest of this entry »

Privacy by design awards offer some interesting insights

The concept of privacy by design has been in existence since the 1990s.  It has been hugely influential and is a very important set of principles for businesses and government in developing and maintaining an adequate privacy structure. It is described by the Australian Information Commissioner as:

‘Privacy by design’ is a process for embedding good privacy practices into the design specifications of technologies, business practices and physical infrastructures. This means building privacy into the design specifications and architecture of new systems and processes.

It’s more effective and efficient to manage privacy risks proactively, rather than to retrospectively alter a product or service to address privacy issues that come to light.

CyberCX has awarded Privacy by Design Awards to organisations that have successfully implemented privacy by design.  The awards for 2022 have been announced.

The results are:

  • Overall winner: Apple
  • 2022 Top Performer, Australian Corporate: National Australia Bank
  • 2022 Top Performer, Federal Government: Australian Broadcasting Corporation
  • 2022 Top Performer, State Government: Service NSW
  • Principle 1: Proactive not Reactive; Preventative not Remedial: 2022 Top Performer Apple
  • Principle 2: Privacy as the Default Setting: 2022 Top Performer Apple
  • Principle 3: Privacy Embedded into Design: 2022 Top Performer Airbnb
  • Principle 4: Full Functionality – Positive-Sum, not Zero-Sum: 2022 Top Performer BP
  • Principle 5: End-to-End Security – Full Lifecycle Protection: 2022 Top Performer Uber Eats
  • Principle 6: Visibility and Transparency – Keep it Open: 2022 Top Performer Australian Broadcasting Corporation
  • Principle 7: Respect for User Privacy – Keep it User-Centric: 2022 Top Performer Australian Broadcasting Corporation

CyberCX grouped organisations into 11 sectors, being Read the rest of this entry »

The UK Information Commissioner’s Office launches its updated Artificial Intelligence data protection risk toolkit.

May 6, 2022

Artificial Intelligence (“AI”) is becoming a significant issue for lawyers generally and regulators in particular.  Its impact on the law is apparent from the Full Bench of five justices ruling in Commissioner of Patents v Thaler [2022] FCAFC 62 last month that an inventor, in terms of patent law, must be a natural person, not an AI.  This was an appeal from a decision of Justice Beach on 30 July 2021 in Thaler v Commissioner of Patents [2021] FCA 879, who relevantly ordered:

  • The determination of the Deputy Commissioner that s 15(1) of the Patents Act 1990 (Cth) is inconsistent with an artificial intelligence system or device being treated as an inventor be set aside.
  • The matter as to whether patent application no. 2019363177 satisfies the formalities under the Patents Regulations 1991 (Cth) and its examination be remitted to the Deputy Commissioner to be determined according to law in accordance with these reasons.

In its reasons the Full Court found that identification of the “inventor” was central to the operation of the legislation. Under s 15, only the inventor or someone claiming through the inventor is entitled to a patent.

Thaler will probably make its way to the High Court. 

But the use of AI is more prosaic and ubiquitous than inventing devices.  That is likely to be both a public good and a cause for concern.  At the moment the technology and its implementation are far outpacing the law and regulation.  That is a concern given the potential foreseeable and unforeseeable consequences.  In that regard I thoroughly recommend Machines Behaving Badly: The Morality of AI by Toby Walsh.  I attended a presentation by Professor Walsh organised by the Centre for Artificial Intelligence and Digital Ethics (CAIDE) last Wednesday.

Regulators in the United Kingdom and Europe have been much more alive to the need for guidance and consideration of AI and its effect on privacy and data security than in Australia, where the regulator takes a more languid approach and seems to be letting the ACCC take the running on big tech issues.  In that vein the Information Commissioner’s Office (‘ICO’) announced, on 4 May 2022, that it had launched its updated AI and data protection risk toolkit. It is an important document for Read the rest of this entry »

NIST Updates Cybersecurity Guidance for Supply Chain Risk Management: NIST SP 800-161

The National Institute of Standards and Technology (“NIST”) today released the updated guidance Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. It was prepared in response to Presidential Executive Order 14028.

It is a timely and valuable resource dealing with cyber security risks in supply chains.  Supply chain vulnerabilities are a chronic problem for organisations.  Given the relatively sparse material generated in Australia on this issue, it should be used by those working in the cyber security and privacy sphere.

NIST’s summary of the Executive Order, in so far as it is relevant, provides:

The President’s Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity  issued on May 12, 2021, charges multiple agencies – including NIST – with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.

Section 4 directs NIST to solicit input from the private sector, academia, government agencies, and others and to identify existing or develop new standards, tools, best practices, and other guidelines to enhance software supply chain security. Those guidelines, which are ultimately aimed at federal agencies but which also are available for industry and others to use, include: 

    • criteria to evaluate software security,  
    • criteria to evaluate the security practices of the developers and suppliers, and 
    • innovative tools or methods to demonstrate conformance with secure practices. 

NIST is to consult with other agencies in producing some of its guidance; in turn, several of those agencies are directed to take steps to ensure that federal procurement of software follows that guidance.

The EO also assigns NIST to work on two labeling efforts related to consumer Internet of Things (IoT) devices and consumer software with the goal of encouraging manufacturers to produce – and purchasers to be informed about – products created with greater consideration of cybersecurity risks and capabilities.

The Guide is 326 pages long, extensive even for NIST.  

The abstract Read the rest of this entry »

National Institute of Standards and Technology releases Hardware-Enabled Security: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases

May 5, 2022

The National Institute of Standards and Technology (“NIST”) today released NISTIR 8320, Hardware-Enabled Security: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases.

The abstract provides:

In today’s cloud data centers and edge computing, attack surfaces have shifted and, in some cases, significantly increased. At the same time, hacking has become industrialized, and most security control implementations are not coherent or consistent. The foundation of any data center or edge computing security strategy should be securing the platform on which data and workloads will be executed and accessed. The physical platform represents the first layer for any layered security approach and provides the initial protections to help ensure that higher-layer security controls can be trusted. This report explains hardware-enabled security techniques and technologies that can improve platform security and data protection for cloud data centers and edge computing.

The report is aimed at security professionals on the technical side; however, anyone involved in privacy and data protection would benefit from it.

It is, as is common with NIST reports and guides, a voluminous document, at 94 pages, making Read the rest of this entry »

Cybersecurity authorities publish a joint advisory on most frequently exploited vulnerabilities

May 3, 2022

The Cybersecurity and Infrastructure Security Agency (‘CISA’) along with:

  • the Federal Bureau of Investigation (‘FBI’),
  • National Security Agency (‘NSA’),
  • Australian Cyber Security Centre (‘ACSC’),
  • Canadian Centre for Cyber Security (‘CCCS’),
  • New Zealand National Cyber Security Centre (‘NZ NCSC’), and
  • the UK’s National Cyber Security Centre (‘NCSC-UK’),

has published a joint cybersecurity advisory, titled ‘2021 Top Routinely Exploited Vulnerabilities’.

The advisory provides a detailed overview of the 15 most commonly exploited cybersecurity vulnerabilities and exposures of 2021.

The advisory aims to help organisations prioritise their mitigation strategies, and highlights the importance of several mitigation measures related to:

  • vulnerability and configuration management;
  • identity and access management; and
  • protective controls and architecture.

The press release relevantly provides:

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) issued a joint Cybersecurity Advisory today on the common vulnerabilities and exposures (CVEs) frequently exploited by malicious cyber actors, including the 15 most commonly exploited of 2021.

Malicious cyber actors continue to aggressively target disclosed critical software vulnerabilities against broad target sets in both the public and private sectors. While the top 15 vulnerabilities have previously been made public, this Advisory is meant to help organizations prioritize their mitigation strategies. Read the rest of this entry »

Google reveals a privacy-friendly side with announcements on changes to cookie policy, action against doxxing and an image-removal policy

Google has been attracting some plaudits for being responsive to concerns about privacy abuses.  In October 2021 Google started allowing people under 18, or their parents, to request deletion of their photos from search results. Users must specify that they want Google to remove “Imagery of an individual currently under the age of 18” and provide some personal information, the image URLs and the search queries that give rise to the results. Google also now allows requests to remove non-consensual explicit or intimate personal images from Google, along with involuntary fake pornography.

It is pleasing that these changes have been made of Google’s own volition, but they were made at a time of regulator pressure and adverse findings by the CNIL regarding the use of Google Analytics.

Recently Google announced its plan to include a “reject all” button on cookie banners.  Google is now giving consumers more choice and control over how their data is tracked.

The UK Information Commissioner was pleased, stating:

We welcome news of Google’s revised approach to cookie consent. It’s a change we’ve been seeking through our ongoing discussions with Google and broader adtech work. The new ‘reject all’ option gives consumers greater control and balance of choice over the tracking of their online activity.

There’s still a long way to go to address concerns around consent across the whole online advertising industry, but short term, we expect to see industry following Google’s lead to provide clearer choices for consumers. This is only a first step; current approaches to obtaining cookie consent need further revision in order to provide a smoother and increasingly privacy-friendly browsing experience.

As of this week Google has updated its personal information removal policy to allow doxxing victims to have personally identifiable information removed from Google’s search results.

The statement from Google, per Read the rest of this entry »

Dutch Data Protection Authority fines the Dutch Ministry of Foreign Affairs €565,000 for data protection breaches.

The difference between Australian privacy regulation and European regulation under the General Data Protection Regulation is well known.  The protections are greater under the GDPR than under Australia’s Privacy Act 1988, and the fines are much larger. That is made clear by the Dutch Data Protection Authority imposing a fine of €565,000 on the Ministry of Foreign Affairs for violations of Articles 13(1)(e) and 32(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).

The media release provides:

The Dutch Data Protection Authority (DPA) fined the Dutch Ministry of Foreign Affairs €565,000 for long-term, large-scale, serious infringements of the General Data Protection Regulation (GDPR) in its visa-issuing process.

NVIS, the digital system used by the Ministry of Foreign Affairs for the Schengen visa process, is inadequately secured. As a result, there is a risk that unauthorised persons could access and change files. Furthermore, the Ministry of Foreign Affairs failed to provide visa applicants with sufficient information about the sharing of their personal data with third parties. Read the rest of this entry »

In the matter of Credit Clear Limited [2022] VSC 206 (29 April 2022): security for costs

Justice Riordan considered an appeal against an order for security for costs in In the matter of Credit Clear Limited [2022] VSC 206.  The appellants were unsuccessful across the board. 

FACTS

By originating process filed 15 July 2020, the plaintiffs made an application under:

(a) sections 175, 232, 233, 461(1)(k), 1041H(1), 1324(1) and 1325 of the Corporations Act 2001 (Cth) (‘the Act’);

(b) sections 12DA and 12GM of the Australian Securities and Investments Commission Act 2001 (Cth) (‘the ASIC Act’);

(c) Sections 237 and 243 of the Australian Consumer Law, being Schedule 2 of the Competition and Consumer Act 2020 (Cth) (‘ACL’); and

(d) the inherent jurisdiction of the Court [2].

The plaintiffs sought the following substantive relief in their points of claim [4]:

(a) The first plaintiff (‘Mr McKendrick’) sought to be reinstated as a director of the first respondent (‘Credit Clear’).

(b) The appellant sought the following relief:

B. Declarations and or orders under s 1325 of the Act, alternatively s 233(1)(c) and or (j) of the Act, s 12GM of the ASIC Act and or ss 237 and 243 of the ACL, that the Separation Agreement dated 11 November 2016 and Intellectual Property Assignment Agreement dated 11 November 2016 (by which the plaintiffs were forced to give up their interests in the first defendant together with the intellectual property rights owned by the first plaintiff) are void on the grounds they were procured under duress, undue influence, unconscionable conduct and or misleading and deceptive conduct in contravention of 1041H(1) of the Act, s 12DA of the ASIC Act and or s 18 of the ACL;

C. A declaration that the second plaintiff is entitled to hold 20% of the issued ordinary shares in the first defendant;

D. Rectification of the share register of the first defendant pursuant to s 175 of the Act to reinstate the second plaintiff as a member and to record that it holds a number of fully paid ordinary shares representing 20% of issued shares in the first defendant alternatively that it holds 6,805,555 fully paid ordinary shares in the first defendant;

E. A declaration that the affairs of the first defendant are being conducted contrary to the interests of the members as a whole and or are oppressive to, or unfairly prejudicial to, or unfairly discriminatory against the second plaintiff, or in the interests of and to the benefit of the second to third defendants and not the first defendant or its members;

F. An order that the second and or third defendants purchase the second plaintiff’s shareholding in the first defendant at fair value; Read the rest of this entry »