Brendan Walker-Munro, Senior Research Fellow, The University of Queensland

In response to Australia’s biggest ever data breach, the federal government will temporarily suspend regulations that stop telcos sharing customer information with third parties.

It’s a necessary step to deal with the threat of identify theft faced by 10 million current and former Optus customers. It will allow Optus to work with banks and government agencies to detect and prevent the fraudulent use of their data.

But it’s still only a remedial measure, intended to be in place for 12 months. More substantive reform is needed to tighten Australia’s loose approach to data privacy and protection.

Changing regulations, not legislation

The changes – announced by Treasurer Jim Chalmers and Federal Communications Minister Michelle Rowland – involve amending the Telecommunications Regulation 2021.

This a piece of “subordinate” or “delegated law” to the Telecommunications Act 1997. Amending the act itself would require a vote of parliament. Regulations can be amended at the government’s discretion.

Under the Telecommunications Act it is a criminal offence for telcos to share information about “the affairs or personal particulars of another person”.

The only exceptions are sharing information with the National Relay Service (which enables those with hearing or speech disabilities to communicate by phone), to “authorised research entities” such as universities, public health agencies or electoral commissions, or to police and intelligence agencies with a warrant.

That means Optus can’t tell banks or even government agencies set up to prevent identity fraud, such as the little-known Australian Financial Crime Exchange, who the affected customers are.

Important safeguards

The government says the changes will only allow the sharing of “approved government identifier information” – driver’s licences, Medicare and passport numbers.

This information can only be shared with government agencies or financial institutions regulated by the Australian Prudential Regulatory Authority. This means Optus (or any other telco) won’t be able to share information with the Australian branches of foreign banks.

Financial institutions will also have to meet strict requirements about secure methods for transferring and storing personal information shared with them, and make undertakings to the Australian Competition and Consumer Commission (which can be enforced in court).

The information can be shared only “for the sole purposes of preventing or responding to cybersecurity incidents, fraud, scam activity or identify theft”. Any entity receiving information must destroy it after using it for this purpose.

These are incredibly important safeguards given the current lack of limits on how long companies can keep identity data.

What is needed now

Although temporary, these changes could be a game changer. For the next 12 months, at least, Optus (and possibly other telcos) will be able to proactively share customer information with banks to prevent cybersecurity, fraud, scams and identity theft.

It could potentially enable a crackdown on scams that affect both banks and telcos – such as fraudulent texts and phone calls.

But this does not nullify the need for a larger legislative reform agenda.

Australia’s data privacy laws and regulations should put limits on how much data companies can collect, or for how long they can keep that information. Without limits, companies will continue to collect and store much more personal information than they need.

This will require amending the federal Privacy Act – subject to a government review now nearing three years in length. There should be limits on what data companies can retain, and how long, as well as bigger penalties for non-compliance.

We all need to take data privacy more seriously.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Among the many questions raised by the Optus data leak – cybersecurity experts are confident it wasn’t a hack, but that may have to be decided by a court – is why the company was storing so much personal information for so long.

Optus had a legitimate need to collect that data – to verify customers were real people and potentially to recover any debts later. This is known as a “know your customer” (or “KYC”) requirement.

But the reason about 4 million former customers along with 5.8 million current customers are now worrying about their driver’s licences, passport numbers and Medicare numbers ending up in the hands of criminals is due to Optus hanging on to it for six years.

Optus has said it is legally required to do so.

It is required by the Telecommunications Consumer Protections Code, the industry code of practice overseen by the Australian Communications and Media Authority, to provide customers (or former customers) billing information for “up to six years prior to the date the information is requested”.

But your name, address and account reference number should be all it needs for this, not your passport, driver’s licence or Medicare details. If it needs to confirm your identity it could simply ask for documents again.

The only clear legal requirement for it to keep “information for identification purposes” comes from the Telecommunications (Interception and Access) Act 1979, which requires that identification information and metadata be kept for two years (to assist law enforcement and intelligence agencies).

Is there any limit?

The big problem with Australia’s data retention laws is that there’s really no limit on how long a company can keep personal data.

The federal Privacy Act says only that information must be destroyed “where the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity”.

That’s a loose requirement. A company could theoretically argue it “needs” to keep customer information for anything – such as defending against a civil claim in court, as part of its corporate records, or for marketing. This is especially the case when we have consented to those uses when we sign up for the services, another practice the Privacy Act allows.

This is a serious weakness with our privacy laws. Consumer data is big business. Companies are collecting – and keeping – much more personal information than they need without a truly legitimate commercial or legal purpose.

I call this trend “hyper-collection”. It’s turning companies into goldfields for hackers. Once personal information is stolen there is often little authorities can do.

It’s time to get serious about data privacy

Australia needs to get more serious about unnecessary data collection and retention. As technology gets more interwoven into our daily lives, protecting personal data presents massive challenges.

The need for vigilance should have been made clear to the federal government in 2020, when its own myGov website was hacked.

The usernames and passwords of thousands of accounts were made available for sale on the dark web. Anyone buying those details would have had access to Medicare, Centrelink, National Disability Insurance Scheme and tax office records.

Privacy laws are too weak both in obligations and penalties. The fines for “serious interference with privacy” are $444,000 for individuals and $2.2 million for companies – hardly enough for a corporation the size of Optus to sit up and take notice. Nor do they offer comfort to those affected.

Legislative action is needed to clarify what information companies can collect, how they can collect it, and what they can do with it.

Opportunities for action

There are two obvious opportunities for the federal government to act.

The first is in its response to recommendations arising from the Attorney-General’s Department’s long-running review of the Privacy Act (which has yet to deliver its final report). Ironically Optus made a submission to the review that actually suggested weakening privacy protections.

The second is what it does with the National Data Security Action Plan being developed by the Department of Home Affairs.

The intention of this plan appears to be to treat data as a national asset. If so, it should strengthen policy and legislation around security, ensure Australians know their rights and responsibilities, and ensure consistent responses to cybercrime.

We need to scrutinise every company – not just Optus, and not just after the fact – and ask questions about their data collection. Why do they need to know things? What information are they keeping, how long for and why?

Without action, the next breach at this kind is a matter of when, not if.

We asked Optus to clarify the reasons it needs to keep identification data for six years but received no response.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Brendan Walker-Munro, Senior Research Fellow, The University of Queensland

You walk into a shopping centre to buy some groceries. Without your knowledge, an electronic scan of your face is taken by in-store surveillance cameras and stored in an online database. Each time you return to that store, your “faceprint” is compared with those of people wanted for shoplifting or violence.

This might sound like science fiction but it’s the reality for many of us. By failing to take our digital privacy seriously – as former human rights commissioner Ed Santow has warned – Australia is “sleepwalking” its way into mass surveillance.

Privacy and the digital environment

Of course, companies have been collecting personal information for decades. If you’ve ever signed up to a loyalty program like FlyBuys then you’ve performed what marketing agencies call a “value exchange”. In return for benefits from the company (like discounted prices or special offers), you’ve handed over details of who you are, what you buy, and how often you buy it.

Consumer data is big business. In 2019, a report from digital marketers WebFX showed that data from around 1,400 loyalty programs was routinely being traded across the globe as part of an industry worth around US$200 billion. That same year, the Australian Competition and Consumer Commission’s review of loyalty schemes revealed how many of these loyalty schemes lacked data transparency and even discriminated against vulnerable customers.

But the digital environment is making data collection even easier. When you watch Netflix, for example, the company knows what you watch, when you watch it, and how long you watch it for. But they go further, also capturing data on which scenes or episodes you watch repeatedly, the ratings of your content, the number of searches you perform and what you search for.

Hyper-collection: a new challenge to privacy

Late last year, the controversial tech company ClearView AI was ordered by the Australian information commissioner to stop “scraping” social media for the pictures it was collecting in its massive facial recognition database. Just this month, the commissioner was investigating several retailers for creating facial profiles of the customers in their stores.

This new phenomenon – “hyper-collection” – represents a growing trend by large companies to collect, sort, analyse and use more information than they need, usually in covert or passive ways. In many cases, hyper-collection is not supported by a truly legitimate commercial or legal purpose.

Digital privacy laws and hyper-collection

Hyper-collection is a major problem in Australia for three reasons.

First, Australia’s privacy law wasn’t prepared for the likes of Netflix and TikTok. Despite numerous amendments, the Privacy Act dates back to the late 1980s. Although former Attorney-General Christian Porter announced a review of the Act in late 2019, it has been held up by the recent change of government.

Second, Australian privacy laws are unlikely on their own to threaten the profit base of foreign companies, especially those located in China. The Information Commissioner has the power to order companies to take certain actions – like it did with Uber in 2021 – and can enforce these through court orders. But the penalties aren’t really big enough to discourage companies with profits in the billions of dollars.

Third, hyper-collection is often enabled by the vague consents we give to get access to the services these companies provide. Bunnings, for example, argued that its collection of your faceprint was allowed because signs at the entry to their stores told customers facial recognition might be used. Online marketplaces like eBay, Amazon, Kogan and Catch, meanwhile, supply “bundled consents” – basically, you have to consent to their privacy policies as a condition of using their services. No consent, no access.

TikTok and hyper-collection

TikTok (owned by Chinese company ByteDance) has largely replaced YouTube as a way of creating and sharing online videos. The app is powered by an algorithm has already drawn criticism for routinely collecting data about users, as well as the ByteDance’s secretive approach to content moderation and censorship.

For years, TikTok executives have been telling governments that data isn’t stored in servers on the Chinese mainland. But these promises might be hollow in the wake of recent allegations.

Cybersecurity experts now claim that not only does the TikTok app routinely connect to Chinese servers, but that users’ data is accessible by ByteDance employees, including the mysterious Beijing-based “Master Admin”, which has access to every user’s personal information.

Then, just this week, it was alleged that TikTok (owned by Chinese company ByteDance) can also access almost all the data contained on the phone it is installed on – including photos, calendars and emails.

Under China’s national security laws, the government can order tech companies to pass on that information to police or intelligence agencies.

What options do we have?

Unlike a physical store, we don’t get a lot of choice about consenting to digital companies’ privacy policies and how they collect our information.

One option – supported by encryption expert Vanessa Teague at ANU – is for consumers simply to delete offending apps until their creators are willing to submit to greater data transparency. Of course, this means locking ourselves out of those services, and it will only have a big impact in the company if enough Australians join in.

Another option is “opting-out” of intrusive data collection. We’ve done this before – when My Health records became mandatory in 2019, a record number of us opted out. Though these opt-outs reduced the usefulness of that digital health record program, they did demonstrate that Australians can take their data privacy seriously.

But how exactly can Australians opt-out of a massive social app like TikTok? Right now, they can’t – perhaps the government needs to explore a solution as part of its review.

A further option being explored by the Privacy Act review is whether to create new laws that would allow individuals to sue companies for damages for breaches of privacy. While lawsuits are expensive and time-consuming, they might just deliver the kind of financial damage to big companies that could change their behaviour.

No matter which option we take, Australians need to start getting more savvy with their data privacy. This might just mean we actually read those terms and conditions before agreeing, and being prepared to “vote with our feet” if companies won’t be honest about what they’re doing with our personal information.

This article is republished from The Conversation under a Creative Commons license. Read the original article.