National Institute of Standards and Technology releases draft practice guide “Implementing a Zero Trust Architecture.”

June 4, 2022

The National Institute of Standards and Technology (“NIST”) have released Volume A of a preliminary draft practice guide titled “Implementing a Zero Trust Architecture” .  This guide shows how commercially available technology is being used to build interoperable, open standards-based ZTA example implementations that align  with the principle of Zero Trust Architecture.

The Abstract provides:

The proliferation of cloud computing, mobile device use, and the Internet of Things has dissolved conventional network boundaries. The workforce is more distributed, with remote workers who need access to resources anytime, anywhere, and on any device, to support the mission. Enterprises must evolve to provide secure access to company resources from any location and asset, protect interactions with business partners, and shield client-server as well as inter-server communications. Read the rest of this entry »

Ransomware attacks grown 13% year on year in 2022, an increase greater than the past 5 years

May 28, 2022

Verizon has just released its 2022 Data Breach Investigation Report which shows that Ransomware has grown 13% year on year in 2022.   The report is valuable because it records trends in ransomware attacks.

The report states:

  • the four means of accessing an organisations online site is via:
    • misuse of credentials,
    • Phishing,
    • Exploiting vulnerabilities, and
    • Botnets.
  • Error continues to be a dominant trend, and is heavily influenced by misconfigured cloud storage.
  • The human element continues to drive breaches. Whether it is the use of stolen credentials, phishing or simply an error, people continue to play a large part in incidents and breaches alike.
  •  data compromises are considerably more likely to result from external attacks than from any other source.
  • 80% of breaches are caused by individuals external to the organization

Read the rest of this entry »

Australian Information Commissioners issue joint statement to establish consistent approaches in accessing Stolen Generations records

The Federal, State and Territory Information Commissioners have released a joint statement regarding the handling of personal information, in the form of record.  The statement provides:

Information Access and Privacy regulators from across Australia have issued a joint statement to mark National Sorry Day (26 May).

Australian Information Access Commissioners and Privacy Authorities recognise the important role of historical records in truth telling and sharing history, intergenerational healing, redress and reparations for Stolen Generation survivors and their families. Read the rest of this entry »

National Institute of Standards and technology issues Blockchain for Access Control Systems NISTIR 8403

May 27, 2022

The National Institute of Standards and Technology (“NIST”) has issued a guideline Blockchain for Access Control Systems.   

The abstract provides:

The rapid development and wide application of distributed network systems have made network security – especially access control and data privacy – ever more important. Blockchain technology offers features such as decentralization, high confidence, and tamper-resistance, which are advantages to solving auditability, resource consumption, scalability, central authority, and trust issues – all of which are challenges for network access control by traditional mechanisms. This document presents general information for blockchain access control systems from the views of blockchain system properties, components, functions, and supports for access control policy models. Considerations for implementing blockchain access control systems are also included.

Blockchain systems provide an alternative (or complimentary) system for reliability, security, accountability, and scalability for AC systems. Blockchain characteristics – such as transparency, distributed computing/storage, and a tamper-evident/tamper-resistant design – help to prevent AC data from being accessed or modified by malicious users. Access logs are also recorded in blocks that allow for the detection of malicious activities. Blockchain system components and their advantages for AC systems are Read the rest of this entry »

Education Apps endorsed by the Australian Government found to be surveilling Australian children resulting in inquiries by New South Wales and Victorian Governments

May 26, 2022

As the saying goes, the road to hell is paved with good intentions.  That may be the sombre story of education apps used during the Pandemic.   The Human Rights Watch has undertaken a detailed study, How Dare They Peep into My Private Life.  Of particular interest is some of the practices of EdTech.  The EdTech apps were used by students in Australia during the lockdowns.  The Victorian and New South Wales Governments have announced inquiries.  The Victorian Information Commissioner raised concerns about education apps as far back as August 2020 stating in a report that “..we consider that schools are at risk of breaching the [Information Privacy Principles] IPPs when using apps and web?based learning tools that handle student personal information.” 

The report has been reported in Itnews with Edtech vendors invaded student privacy: Human Rights Watch,  InnovationAus in ‘Dystopian’: Govt-endorsed education apps surveilling Australian children and the ABC with Investigation reveals tracking by EdTech of millions of Australian school students during COVID lockdowns.

Some interesting findings from the Report Read the rest of this entry »

Singapore launches AI Verify, worlds first AI Governance Testing Framework and Toolkit

Artificial Intelligence (“AI”) is revolutionising the way we consume, the way work is done, the way things are built.  The productivity gains have been extraordinary.  It also poses significant public policy challenges.  The problems include a lack of transparency in decision making, the skewed results with potentially poor quality algorithms and the “black box” effect where the path of reasoning is obscured or completely unknown. And it can have a dystopian potential, skewing results against minorities for example.  That is a problem with facial recognition technology and predictive analytics in insurance and criminal investigations.  All of those matters concern the public.  There is a dearth of regulation for the good reason that legislatures are not sure how to properly regulate without harming the positive potential of AI. 

The Singapore Privacy Commissioner has launched AI Verify – An AI Governance Testing Framework and Toolkit.  It is ostensibly designed to allow companies to demonstrate responsible AI.  It is a voluntary scheme. It is certainly a step in the right direction.

The press release by the Infocomm Media Development Authority, Singapore launches world’s first AI testing framework and toolkit to promote transparency; Invites companies to pilot and contribute to international standards development provides Read the rest of this entry »

Federal Trade Commission takes action against Twitter for deceptively using customers’ account security data to sell targeted ads. Twitter to pay 150 million dollars fine to settle privacy law suit.

The US Federal Trade Commission has taken action against Twitter for allowing advertisers to use its customers’ phone numbers and emails for targeted ads.  Customers provided that information to Twitter to protect their accounts.  The practice was reasonably long standing, from at least May 2013 until at least September 2019.  The practice affected more than 140 million Twitter users. 

It is interesting to note that in 2011 the FTC claimed Twitter misrepresented the extent to which it protected its customers privacy and the security of their non public information.  The FTC settled that complaint. 

The complaint states:

From at least May 2013 until at least September 2019, Twitter misrepresented to users of its online communication service the extent to which it maintained and protected the security and privacy of their nonpublic contact information. Specifically, while Twitter represented to users that it collected their telephone numbers and email addresses to secure their accounts, Twitter failed to disclose that it also used user contact information to aid advertisers in reaching their preferred audiences. Twitter’s misrepresentations violate the FTC Act and the 2011 Order, which specifically prohibits the company from making misrepresentations regarding the security of nonpublic consumer information. Plaintiff therefore seeks civil penalties for Twitter’s violations, as well as a permanent injunction and other equitable relief, to ensure Twitter’s future compliance with the law.

and Read the rest of this entry »

Where to with privacy reform in Australia

A brief review of this website will reveal that there is a constant development of privacy laws throughout the world to meet changes in data handling practices and challenges from those who would interfere with privacy.  Development and improvement of privacy regulation in Australia has been slow, tepid and fitful despite regular recommendations for reform from law reform commissions. 

In Australia the last Federal election did not reveal an enthusiasm for privacy reform as a platform for any major party according to InnovationAus with No privacy reform commitments from major parties.  The article was written last week, prior to the poll.  So in a sense Read the rest of this entry »

Data breaches of health providers highlight the weaknesses in the health sector

May 25, 2022

The health sector is a regular target of cyber criminals.  It is also a sector which is notorious for having poor cyber security practices.  That is a terrible confluence.

Data breach today reports that 3 recent health data breaches have affected 1.4 million individuals. The three entities were:

ETCH and PHC were attacked in in March, involving various IT system disruptions, suggesting possible ransomware attacks. ETCH’s reportto Maine’s attorney general claimed the attack  affected nearly 423,000 individuals.  PHC reported its breach affected nearly 855,000 individuals. Acuity International’s breach affected nearly 123,000 individuals

The ETCH breach affected data may include name, contact information, date of birth, medical record number, medical history information and Social Security number.  The PHC breach involve unauthorized access to names, Social Security number, date of birth, driver’s license number, tribal ID number, medical record number, health insurance information, member portal username and password, email address, and medical information including treatment, diagnosis and prescriptions.

Other recent health related cyber incidents around the world include:

Given the breadth and depth of the attacks it is relevant to have regard to a very recent Joint Cybersecurity advisory prepared by cyber security authorities of the United States of America, Canada, New Zealand and the United Kingdom titled “Weak Security Controls and Practices Routinely Exploited for Initial Access”. 

The report sheets home much of the blame on Read the rest of this entry »

European Council of the European Union approves the Data Governance Act

May 24, 2022

On 16 May the European Council approved the Data Governance Act.  It is a complicated and involved document

The Act is designed to provide procedures to facilitate the appropriate reuse of certain protected public sector data, within the EU.

A key element is to define and regulate a model for data intermediation services that would serve as trusted environments for organizations or individuals to share data. Those intermediation services are designed to:

  • support voluntary data sharing between companies
  • facilitate the fulfillment of data sharing obligations set by law
  • permit organisations share data without fear of it being misused or losing competitive advantage
  • enable individuals to gain control over their data and allow them to share it with trusted companies

Individuals will have control over how they share their data through novel personal information management tools, such as personal data spaces and/or data wallets.

Data intermediation service providers will be prohibited from profiting from the data that they handle, however they will be able to charge a fee for their services.

The Act introduces safeguards against the unlawful transfer of non-personal data similar to how personal data transfers are regulated under the GDPR.  The European Commission would be able to Read the rest of this entry »