But not all of the thinking is clear enough.

It’s being touted that there’s a simple solution to driver licence data being compromised.

That solution is said to be the addition of a card-number.

So, instead of just the licence-number and expiry-date being used to authenticate a claim that a person is entitled to use that identity document, the card-number would also be required.

This was implemented recently in NSW, and it has now been announced for immediate implementation in Victoria, with about 1m of that State’s 5m licences to be urgently re-issued.

But will that achieve the aim?

Credit-cards have had a 3- or 4-digit ‘card verification code’ or ‘card security code’ on the back (variously called a CVV, CVC or CSC) since about 2000. Its function is identical to that of a card-number on a driver’s licence (on the front of the card in NSW and on the back in Victoria).

The MedLab attack gained access to credit-card details – including in some cases the CVV.

So the CVV was no protection against fraud, because it was accessed as part of the same attack.

If the next hacker gets the driver’s licence card-number, along with licence-number and expiry-date, the card-number provides no protection at all.

Organisations have to understand that the critical issue is:

The retention of authentication-data in databases creates an unmanageable vulnerability

For vulnerability to attacks to be reduced, security-sensitive data must either:

• not be stored at all – an application of the vital principle of data minimisation; or
• be retained only for the few seconds to a minute needed for the authentication process to be completed. Then that data must be expunged, to prevent access by future hackers.

Media Contacts for Australian Privacy Foundation board members:

The SA Ambulance Service has disclosed that the personal details of 28,000 patients have been stolen.¹

Those details include people’s name, date of birth, age, address, and in some cases, their pension number and health notes.

Juanita Fernando, chair of the Australian Privacy Foundation’s (APF’s) Health Committee said, “That’s prime fodder for identity theft and something we all need to take seriously.”

The Ambulance Service says the data was on a storage device that was stolen from a consultancy firm in July. The consultants had apparently held the data since the early 2000s.

There’s no indication that the device was encrypted – a basic security precaution.

Neither is there any indication that a proper risk assessment occurred before the Ambulance Service handed over the sensitive personal details about lots of South Australians to the consultants.

Fernando continued, “If you use an ambulance you should be able to have confidence that your private data will not end up in the hands of a consultant and disappear ten years later.”

She added, “Those people had no control over the data. The first they knew about the problem was reading it on the ABC website.”

The APF calls on the Ambulance Service to provide full disclosure of what has gone wrong. It is insufficient for the Service to say it “regrets” the theft.¹

The Foundation calls on the Service to immediately take steps to prevent similar problems.

Fernando concluded, “South Australians are entitled to solutions, not regrets and excuses.”

Media Contacts for Australian Privacy Foundation board members:

References

1. ABC News. SA Ambulance Service patients’ personal information stolen from consultancy firm, 10 November 2021. https://www.abc.net.au/news/2021-11-10/sa-ambulance-service-data-stolen/100608028

The Victorian government’s “Health Legislation Amendment (Information Sharing) Bill 2021” was hurried through its first Parliamentary vote last week.¹ The Bill links all patient medical and health information through a single portal, to be shared between authorised end-users, decided and controlled by the Secretary of the Department of Health. The Legislative Council can interrupt the Bill’s progress.

The powers embodied in the Bill are unprecedented, threatening patient-doctor confidentiality, risking health and wellness should some individuals decide not to seek clinical attention for potentially life threatening or serious illnesses and conditions. But the APF cannot locate the Privacy Impact Assessment (PIA) supporting the Bill. The PIA, assuming one was conducted, must be published in the public domain if Victorians are to trust the Bill.

The APF asks Victoria’s Legislative Council to pause the Bill’s passage and send it back to the lower house for amendment, requesting a more thorough community consult than has occurred. Some information must be withheld from the collection enabled by the Bill, especially where there is no patient consent. Patient health and wellbeing, even lives, are at stake here.

Juanita Fernando, chair of the APF Health Committee said “The data collected and linked by the portal will authorise use of each patient’s current and historical medical information, including mental health and ambulance services; evidently a complete record of every Victorian person’s sensitive and private information.”

The disproportionate powers embodied in the Bill also require a softening of Victoria’s Health Privacy Principles to operate.

Fernando continued, “ People will have no ability to consent to or opt-out of the process. They cannot even look at a complete log of who can see what and who has seen what.” She concluded, “Only a dozen or fewer sentinel events need to be flagged for medical emergencies, so we wonder at the need for the Victorian government to harvest and centrally store such a rich database of sensitive patient information.”

The Australian Doctors Federation is alarmed and, with the APF, raises serious questions about the Bill, calling for public debate, careful examination and resolution of community concerns.²

Media Contacts for Australian Privacy Foundation board members:

References

1. Health Legislation Amendment (Information Sharing) Bill 2021, Victorian Legislation, October 2021. https://www.legislation.vic.gov.au/bills/health-legislation-amendment-information-sharing-bill-2021
2. Australian Doctors Federation (ADF) Rushed VIC government health database law raises more questions than answers, media release; 14 October 2021

More specifically, this merger is a test of regulators’ resolve to analyse the effects on competition of a tech giant acquiring a vast amount of highly valuable data through a takeover. Google could exploit Fitbit’s exceptionally valuable health and location datasets, and data collection capabilities, to strengthen its already dominant position in digital markets such as online advertising. Google could also use Fitbit’s data to establish a commanding position in digital and related health markets, depriving competitors of the ability to compete effectively. This would reduce consumer welfare (including degrading data privacy options), limit innovation and raise prices.

Past experience shows that regulators must be very wary of any promises made by merging parties about restricting the use of the acquisition target’s data. Regulators must assume that Google will in practice utilise the entirety of Fitbit’s currently independent unique, highly sensitive data set in combination with its own, particularly as this could increase its profits, or they must impose strict and enforceable limitations on data use.

Wearable devices could replace smartphones as the main gateway to the internet, just as smartphones replaced personal computers. Google’s expansion into this market, edging out other competitors would thus be significant. Wearables like Fitbit’s could in future give companies details of essentially everything consumers do 24/7 and allow them to feed digital services back to consumers. The way wearables are being used to track COVID-19 infections and give access to doctors and health information is a timely illustration of this. Although, perhaps justified, subject to strong safeguards, in a public health emergency, the exploitation of such data in a commercial context is an important concern that demands close scrutiny by regulators both for its anticompetitive effects (where huge bundles make it near-impossible for entrants to compete against incumbents) and anti-consumer effects (creating ever bigger bundles that undermine consumer choice).

The acquisition of Fitbit could expand Google’s immense power in digital markets into the $8.7 trillion global healthcare market1through its strength in data and data analytics. Google has already made significant inroads into healthcare. Regulators must carefully assess the proposed deal’s implications for innovation and its potential to undermine the ability of companies to bring new products to consumers in the area of digital healthcare.

The results of unfortunate merger control decisions in the past have likely contributed to the rise of tech giants. Subsequent concerns now have to be addressed through more costly and lengthy ex-postantitrust enforcement proceedings and other competition interventions. Such harms to consumers are far better prevented than cured. Therefore, before deciding whether this takeover can proceed or not, regulators must carefully analyse its full implications for consumers and consider its potential for far-reaching and dynamic effects on digital and health markets.

Signatory Organisations

• AccessNow, EU
• Australian Privacy Foundation, Australia
• BEUC –The European Consumer Organisation, EU
• Centerfor Digital Democracy, US
• Centre for Responsible Technology, Australia
• Color of Change, US
• Consumer Federation of America, US
• Derechos Digitales, Latin America
• EDRi (European Digital Rights), EU
• Idec – Brazilian Institute of Consumer Defense, Brazil
• New America’s Open Technology Institute, US
• Omidyar Network, US
• Open Markets Institute, US
• Open Society European Policy Institute, EU
• Privacy International (PI), Global
• Public Citizen, US
• Public Interest Advocacy Centre, Canada
• Public Knowledge, US
• Red en Defensa de los Derechos Digitales (R3D), Mexico
• Trans-Atlantic Consumer Dialogue, EU-US

Download the media release:

Consumer and Citizen Groups Have Serious Concerns About Google Fitbit Takeover – Common Statement

“The limited information until Sunday was released by poorly-briefed Ministers with little understanding of the problem and of the proposed solution. Sunday’s incomplete documents raise more questions than they answer. Public trust has been undermined rather than earned. We need an open, independent Privacy Impact Assessment based on wide public and expert consultation,” said board member Dr Monique Mann.

What would be the basis for trust in an app like this?

APF recently encouraged the federal government to approach the proposed virus app in a way that supports, rather than undermines, trust and confidence in their bona fides and competence:

1. Publish the Design Specifications, so many more than just ‘Five Eyes’ can check them for effectiveness and vulnerabilities, and assess whether they are best practice ‘Privacy by Design’.
2. Conduct an open, independent Privacy Impact Assessment process, consulting not just public service and security interests, but appropriate representatives of the public interest from health, privacy, civil liberties, research and technical perspectives to help address all issues.
3. Before a working prototype is released, publish Technical Details, including source-code, data model and communications protocols, to help review conformance with design and squash bugs.
4. Do this before release, so serious concerns can be addressed and resolved before v1.0.

On Sunday afternoon the app was released, along with a regulatory direction and a PIA. What score out of 4 did they get for releasing the virus app in a way worthy of trust?

1. No Design Specifications. – 0
2. A Privacy Impact Assessment (PIA) dated Friday appeared on Sunday. It does not appear to have been conducted in a consultative fashion, just federal agencies talking to each other; nor to have involved a robust risk assessment on a quantitative basis. See comments below. – 0.5
3. No Technical Details except a brief undated flow illustration from the law firm doing the PIA. – 0.5
4. None of this available before the app was released, so there has been no opportunity to help spot and avoid overlooked mistakes, unintended consequences or foreseeable risks. – 0

So at best 1 out of 4. Not a promising start, however glossy the ads.

While the absence of this key information makes further analysis of other material which was released more difficult and painstaking, it’s useful to look briefly at the PIA.

The PIA?

The Privacy Impact Assessment released Sunday is a dense 78 pages. It does not identify which version of the app it refers to. It was not done using ‘a rigorous risk assessment methodology to identify the magnitude of each of the identified risks’, so it is of limited use for any ‘necessity’ or ‘proportionality’ analysis (is level of risk worth the benefits)?

For outside input, the documents cited are mostly foreign material, none from the now-failed Singapore experiment from which the code apparently originated, and only two documents from Australia were mentioned. The only other outside input appears to be second hand, via Health, comments from two other federal agencies, OAIC and Australian Human Rights Commission (there is no longer an independent dedicated Privacy Commissioner). It is unacceptable that a PIA for a critical app that could affect every Australian and their attitude to trusting government at this time did not seek independent expert or community input.

Most of the PIA is instead a painstaking analysis of formal legal compliance with the Australian Privacy Principles (APPs). The APPs have been weakened over the years to become a very complex wish list of permissive exceptions, loopholes, get-outs and exemptions. While necessary, privacy impact assessment needs to start with a close understanding of the actual impacts on and concerns of those affected by the proposal, and of those in an informed position to independently scrutinise the design and technical information. This has not been done.

(NB: APP breaches are in any case not enforceable by Australians, since unlike NZ, UK, and most other countries, we still have no right to sue for breach of privacy. The only option is a complaint to the OAIC which has endured years of government attempts to abolish or nobble it. Complaints to OAIC need not be investigated, or decided, and decisions are rare and not enforceable. So if anything goes wrong, this is not a remedy which encourages trust.)

Apparent technical input last week from government-funded entities closely linked to security agencies may have contributed something, but for many Australians the continual encroachment of these surveillance agencies into our digital lives is part of the problem, so the fact that they have apparently found nothing they are concerned about offers little comfort, and may raise concerns for some.

The PIA has 9 pages of recommendations. Without time for close analysis, without many of the core documents, and without the input from other outside entities to flush out the full range of issues, it is not possible to assess the degree to which they identify or remedy any of the problems which may arise from the app. Further inquiry is also needed to confirm what action will be taken on them, whether they would have real impact on the design or operational aspects of concern, and when anything will happen. For all its detail the PIA is flawed, somewhat reminiscent of the secretive Census 2016 PIA which failed to identify the problems or the nature and depth of public concern, and set the scene for controversy rather than trust.

This could be avoided by proper and open consultation, which APF joins many others in calling for, starting with the provision of the missing information.