Not Big Brother, but close: a surveillance expert explains some of the ways we’re all being watched, all the time

Ausma Bernot, PhD Candidate, School of Criminology and Criminal Justice, Griffith University

A group of researchers studied 15 months of human mobility data taken from 1.5 million people and concluded that just four points in space and time were sufficient to identify 95% of them, even when the data weren’t of excellent quality. That…

Card-Number Protections Depend on Data Deletion

The Optus, Medibank and MedLab data breaches have caused some rethinking. But not all of the thinking is clear enough. It is being touted that there is a simple solution to driver licence data being compromised: the addition of a card number.
Organisations have to understand that the critical issue is this: the retention of authentication data in databases creates an unmanageable vulnerability.

After the Optus data breach, Australia needs mandatory disclosure laws

The Optus data breach, which has affected close to 10 million Australians, has sparked calls for changes to Australia’s privacy laws, placing limits on what and for how long organisations can hold our personal data. Equally important is to strengthen obligations for organisations to publicly disclose data breaches. Optus made a public announcement about its breach, but was not legally required to do so. In fact, beyond the aggregated data produced by the Office of the Australian Information Commissioner, the public is not made aware of the vast majority of data breaches that occur in Australia every year.

Optus data breach: regulatory changes announced, but legislative reform still needed

In response to Australia’s biggest ever data breach, the federal government will temporarily suspend regulations that stop telcos sharing customer information with third parties. But it’s still only a remedial measure, intended to be in place for 12 months. More substantive reform is needed to tighten Australia’s loose approach to data privacy and protection.

Optus says it needed to keep identity data for six years. But did it really?

Among the many questions raised by the Optus data leak is why the company was storing so much personal information for so long. Optus has said it is legally required to do so. But your name, address and account reference number should be all it needs for this, not your passport, driver’s licence or Medicare details. The only clear legal requirement for it to keep “information for identification purposes” comes from the Telecommunications (Interception and Access) Act 1979, which requires that identification information and metadata be kept for two years (to assist law enforcement and intelligence agencies).

I’ve given out my Medicare number. How worried should I be about the latest Optus data breach?

Medicare card numbers are the latest personal details to be exposed as part of the Optus data breach. Optus has confirmed this affects 14,900 valid Medicare numbers that have not expired, and a further 22,000 expired card numbers. But this isn’t the first time Australians’ Medicare numbers have been exposed. And some privacy and cybersecurity experts have long been concerned about the security of our health data. Here’s what you can do if you’re concerned about the latest Medicare breach, and what needs to happen next.

Optus customers, not the company, are the real victims of massive data breach

Optus executives are paid millions to ensure that, among other things, customer data is safe. These are the people who should be held accountable for the data breach. Straight after the breach, Optus made claims that it was “not currently aware of any customers having suffered harm”. This suggests that Optus doesn’t consider the widespread damage to people’s privacy harmful. This is wrong.

This law makes it illegal for companies to collect third-party data to profile you. But they do anyway

A little-known provision of the Privacy Act makes it illegal for many companies in Australia to buy or exchange consumers’ personal data for profiling or targeting purposes. It’s almost never enforced. The burning question is: why is there not a single published case of this law being enforced against companies “enriching” customer data for profiling and targeting purposes?

‘Pretty creepy’: Agencies illegally obtained emails, voicemails and texts

Australia’s law enforcement agencies have persistently accessed, retained and used private email, voicemail and text messages without legal authority and failed to provide the data protections that the law requires, according to the Commonwealth ombudsman. In a sweeping annual examination of how the nation’s crime-fighting agencies and investigative and integrity bodies access and handle electronic data, the ombudsman has found repeated breaches of the law.

Report Launch: Securing Australian Journalism from Surveillance

Drawing upon interviews with 19 journalists and 2 media lawyers, Dr Diarmaid Harkin and Dr Monique Mann report on how whistle-blowers and sources are more reluctant to cooperate with journalists. Journalists also express “very low confidence” that they are prepared for the threats of electronic surveillance and experience a general lack of support on crucial matters of cyber-security. The implications for press freedom, democracy, and law reform will be explored.