But not all of the thinking is clear enough.

It’s being touted that there’s a simple solution to driver licence data being compromised.

That solution is said to be the addition of a card-number.

So, instead of just the licence-number and expiry-date being used to authenticate a claim that a person is entitled to use that identity document, the card-number would also be required.

This was implemented recently in NSW, and it has now been announced for immediate implementation in Victoria, with about 1m of that State’s 5m licences to be urgently re-issued.

But will that achieve the aim?

Credit-cards have had a 3- or 4-digit ‘card verification code’ or ‘card security code’ on the back (variously called a CVV, CVC or CSC) since about 2000. Its function is identical to that of a card-number on a driver’s licence (on the front of the card in NSW and on the back in Victoria).

The MedLab attack gained access to credit-card details – including in some cases the CVV.

So the CVV was no protection against fraud, because it was accessed as part of the same attack.

If the next hacker gets the driver’s licence card-number, along with licence-number and expiry-date, the card-number provides no protection at all.

Organisations have to understand that the critical issue is:

The retention of authentication-data in databases creates an unmanageable vulnerability

For vulnerability to attacks to be reduced, security-sensitive data must either:

• not be stored at all – an application of the vital principle of data minimisation; or
• be retained only for the few seconds to a minute needed for the authentication process to be completed. Then that data must be expunged, to prevent access by future hackers.

Media Contacts for Australian Privacy Foundation board members:

It is past time for Australian MPs, ministers, government agencies and contractors to develop some humility. They do not, and cannot, control worldwide privacy regimes and security threats, or the algorithms ruling shared, aggregated or online digital information. Unenforceable assurances will no longer work.

People in Australia will only trust and have confidence in government and business collecting, storing, and using their vulnerable personal information if it is done in trust-worthy privacy-enhancing systems, covered by strong laws with minimal exemptions, and with easy enforcement when things go wrong – not the mess of loopholes, exceptions, back-door tricks and ‘wet lettuce-leaf’ indirect enforcement we have under current law. The key defects set out below require amendments to bring privacy protection under Australian law, mainly Privacy Act 1988 (Cth), into the 21st century and up to the standard of peer developed countries.

• The legal definition of ‘consent’ needs to be fixed to reflect its real meaning, requiring ‘active and properly informed consent’ rather than ‘implied consent’. Silence, pre-ticked boxes, or inactivity mustn’t be accepted as valid ‘consent’. What we’re told about risk and disclosure must be blunt and clear.
• Privacy Act exemptions are out of control and insidious. At least the following must be removed:
  • employee records
  • registered political parties, and political ‘acts and practices’
  • journalism, except reports about public officials and others in performance of their duties
• The Australian Broadcasting Corporation Act 1983 should be amended to:
  • ensure Australians are not required to provide their personal information or register for a mandatory account to access the ABC’s full digital media services
  • forbid ABC from sharing (re-)identifiable personal information with other entities or platforms
• Personal information should only be exposed to publication as ‘Open Data’, or other uncontrolled circulation, if it is genuinely and permanently anonymous. It should be banned from being described or treated as ‘de-identified’ unless the process used conclusively proves the data can no longer ever be re-linked to a person, under any circumstances, at any time in the future, backed up by ongoing audits.
• We need a statutory tort for breach of privacy, at last, as recommended by five Australian Law Reform reviews over three decades. Australia must no longer be the only equivalent country where citizens have no means to take legal action to protect their personal dignity. The blueprint’s been discussed and consulted on for years, it’s ready to go, the rest of the world copes, let’s stop the fudging and do it.
• We need a dedicated, properly resourced Privacy Commissioner again, to address the current privacy complaint backlog, and future data privacy exploits and threats. A conflicted, sporadic regulator fails us.

We recognise the importance of ensuring security of Australians’ and their freedoms. The rationale for national security law comes from the importance of ensuring that freedoms are protected. We are concerned to ensure that the ‘forest isn’t lost for the trees’ in this reform process and that the guiding and predominant principle in this reform is that our national security framework serves to protect the freedoms that ought to be enjoyed by all Australians.

Key points from the submission (please see here for complete details):

• Time for Consultation with Experts, Stakeholders and the Community

The timeframe for introduction of a Bill repealing the Telecommunications (Interception and Access) Act 1979 (“the TIA”), the Surveillance Devices Act 2004 (“the SD Act”) and aspects of the Australian Security Intelligence Organisation Act 1979 Act (“the ASIO Act”) be delayed by at least twelve (12) months to allow for consultation with experts, stakeholders and the community.

• Compliant with Human Rights

The objects of a simplified Act ought to be coupled with clear requirements that the use of national security and surveillance powers are expressly balanced with Australia’s obligations pursuant to international human rights law.

• Warrants and Judicial Oversight 

Warrants for access to information should only be authorised by the Federal Court of Australia or a Supreme Court of a State or Territory.

• Decision Records of Judicial Authorisation

A redacted form of judicial decision records for the issue of warrants ought to be published. Transparency, accountability and oversight of the operation of warrants is possible by publicizing the legal principles (rather than the specific facts) of warrants issued and would enhance public confidence in the oversight of such Australia’s electronic surveillance regime.

• Revised Definition of ‘Communication’

A simplified definition of communication could be introduced as “any exchange or record of information in any form between two or more locations”. This would ensure that the definition of ‘communication’ is widened, simplified and technology neutral.  This definition of communication would only be acceptable with an enhanced focused on the protection of human rights and with judicial oversight and increased reporting obligations. 

Media Contacts: