Tag: privacy

1
You can be anonymised, but you can’t hide
2
Who have you been giving your name and number to? A cautionary tale
3
Facing up to privacy risks
4
The OAIC engages in more in-depth investigations and stronger exercise of its power
5
Privacy Awareness Week (Personal Data): technology suspicion – consumer concerns surrounding voice and digital assistants
6
Encryption bill to give unprecedented power
7
China’s main security agency linked to cyber intellectual property theft
8
Time to opt out of having a My Health Record has been extended
9
Q3 Notifiable breaches industry league results: Health first … lawyers a solid third!
10
Open Government? – political misstep leads to privacy breach

You can be anonymised, but you can’t hide

By Cameron Abbott, Michelle Aggromito and Karla Hodgson

If you think there is safety in numbers when it comes to the privacy of your personal information, think again. A recent study in Nature Communications found that, given a large enough dataset, anonymised personal information is only an algorithm away from being re-identified.

Anonymised data refers to data that has been stripped of any identifiable information, such as a name or email address. Under many privacy laws, anonymising data allows organisations and public bodies to use and share information without infringing an individual’s privacy, or having to obtain necessary authorisations or consents to do so.

But what happens when that anonymised data is combined with other data sets?

Read More

Who have you been giving your name and number to? A cautionary tale

By Cameron Abbott and Allison Wallace

Have you inadvertently given the owners of global, searchable databases of phone numbers and associated names access to your entire contact list?

We suspect that you cannot confidently answer “no”.

In yet another tale of why you should read the terms of use and service of apps and other online products you download or sign-up to use, we’ve recently been exposed to the shock of having your name appear on a complete stranger’s phone, after they’re given your number (but not your name) to call you. We asked the question of how this could happen – and found the answer to be quite alarming.

The Samsung Smart Call function, which is powered by Hiya, boasts that it allows you to “deal with spam the easy way”, by letting you know who is calling you, even if their number is not saved in your contact list. In theory, this is a handy tool, and in the context of robocalls or other unsolicited marketing calls, doesn’t create any privacy issues. But when the database which powers the function contains the names and numbers of (we suspect) millions of private citizens, this becomes quite concerning.

So, how do private numbers (and the names of their associated users) come to be listed in databases such as Hiya? Well, for one, anyone who downloads the Hiya app is given the option to share their contacts. If they do, and your number is saved to their phone, your details will become part of the database. We have no doubt that many who download and use the Hiya app didn’t realise what they were signing up for (or what they were signing up their entire contact list for) – because they didn’t read the terms of use. This also begs the question – are companies like Hiya properly satisfying their privacy obligations merely by asking users to “opt in” to share their contacts?

Hiya is of course not the only “caller ID” app on the market – a quick search of the Apple App store reveals numerous other options for download – including Truecaller, Caller-ID, Sync.ME and CallHelp. In 2018, Hiya reached 50 million active users worldwide, while Truecaller’s website says it has over 130 million daily active users. Those figures of course would barely scrape the surface of the number of names and phone numbers held in their collective databases.

In case you’re wondering how much damage could really be done by a third party having access to your name and phone number – think about all of the things your number is linked to. Your Facebook, your Gmail, maybe even your bank account and credit cards. Information is power – and this is the kind of information that could easily allow hackers to wreak a reasonable amount of havoc. So before you sign-up to a new app, take the time to read the terms of service, because your use could not only be exposing your personal information, but that of your entire contact list.

Facing up to privacy risks

By Cameron Abbott and Karla Hodgson

Images of dramatically aged friends and family members have been flooding social media feeds over the last week, courtesy of FaceApp, an app that uses AI to digitally age a user’s photo. While many have been asking themselves “why would I make myself look older?” others have been discussing the risks of allowing an app to access and store personal data.

The app’s privacy policy allows FaceApp to retrieve information such as IP addresses and location data from users, in addition to the photo the user has selected for editing. When users agree to FaceApp’s terms of service, they agree to grant FaceApp a perpetual and irrevocable licence to use this data, including their name and likeness, which can be used for any purposes, including commercial purposes.

Read More

The OAIC engages in more in-depth investigations and stronger exercise of its power

By Cameron Abbott, Rob Pulham and Jacqueline Patishman

Following two key data incidents concerning how the Commonwealth Bank of Australia (CBA) handled data, the OAIC has successfully taken court action binding the banking heavyweight to “substantially improve its privacy practices”.

As a quick summary of the incidents, the first incident involved the loss of magnetic storage tapes (which are used to print account statements). These contained historical customer data including customer statements of up to 20 million bank customers. In 2016, the CBA was unable to confirm that the two magnetic tapes were securely disposed of after the scheduled destruction by a supplier.

Read More

Privacy Awareness Week (Personal Data): technology suspicion – consumer concerns surrounding voice and digital assistants

By Cameron Abbott, Rob Pulham, Michelle Aggromito, Max Evans and Rebecca Gill

Protecting personal data is a fundamental aspect of any privacy regime. As we become more technological advanced, organisations are finding innovative ways to interact with consumers through more intuitive communication channels, such as voice recognition via digital assistants. But not everyone trusts such technology, as Microsoft’s April 2019 report on voice assistants and conversational artificial intelligence has found.

The report found that 41% of voice assistant users were concerned about trust, privacy and passive listening. Other interesting findings of the report include:

Read More

Encryption bill to give unprecedented power

By Cameron Abbott and Wendy Mansell

The Coalition government is attempting to pass large-scale decryption reforms which will give sweeping powers to law enforcement agencies for overt and covert computer access.

The reforms have caused significant controversy as they may force tech companies and communications providers to modify their services, creating “systemic weaknesses” for intelligence agencies to exploit. However many point out these same vulnerabilities may be utilised by criminals.

Further the potential repercussions of these reforms may undermine consumers’ privacy, safety and trust through unprecedented access to private communications. This could have anti-competitive effects, as the reputations of Australian software developers and hardware manufacturers will suffer within international markets.

At the same time, the harsh reality that terrorists and organised crime increasingly utilise these technologies to evade surveillance highlights a very clear problem for law enforcement authorities.

We won’t seek to suggest where the balance between these interests should lie, but the debate rages on. Stay tuned.

China’s main security agency linked to cyber intellectual property theft

By Cameron Abbott and Wendy Mansell

In April 2017, PWC, in collaboration with BAE Systems’ published a report on “Operation Cloud Hopper”, which exposed a cyber espionage campaign being conducted by a China-based threat actor. The report suggests that Operation Cloud Hopper is almost certainly the same threat actor known as “APT10”, a Chinese group thought to be behind cyber-attacks against many countries including Japan, Canada and America.

Recently it has been reported that there are links between China’s Ministry of State Security (MSS) and Operation Cloud Hopper. These allegations are from U.S based firm CrowdStrike who have recognised ties between Operation Cloud Hopper and the MSS Tianjin Bureau.

There is no confirmation that the MSS is behind the Cloud Hopper attacks, however Dr Adrian Nish, Head of Threat of Intelligence at BAE Systems said that there is “no reason to doubt” the claims.

The term “Cloud Hopper” describes a technique where cyber espionage groups “hop” from cloud storage services and infiltrate Australian IT systems. Operation Cloud Hopper is responsible for the theft of intellectual property from a number of Australian companies, primarily focused on mining, engineering and professional services firms.

In a week full of news about China activities in the region, the suggestion of state sponsored hacking thefts is a salient warning to companies that their core intellectual property assets are at risk if not well secured.

Time to opt out of having a My Health Record has been extended

By Cameron Abbott and Keely O’Dowd

Australians now have until 31 January 2019 to decide whether or not to have a My Health Record. The deadline to opt-out of having a My Health Record has been extended again.

Due to privacy and security concerns raised by various stakeholders and medical professionals, the Australian Government has proposed two sets of legislative changes to the My Health Record legislation to strengthen existing privacy protections set out in the legislation and established a Senate Committee inquiry to assess whether the My Health Record system is working and how it can be improved. In July this year, we blogged about the privacy and security concerns raised about the My Health Record system.

During the Senate Committee inquiry, it was revealed by the Office of the Australian Information Commissioner (OAIC) that since the My Health Record system commenced in July 2012, the OAIC has received 88 My Health Records mandatory data breach notifications and 11 mandatory data breach notifications. The data breaches generally involved incorrect information being uploaded to a My Health record.

It is evident to us that the My Health Record system has significant privacy and security issues that should be properly considered before the opt-out period ends. These issues are highlighted in the Senate Committee inquiry final report. In addition, the amending legislation designed to strengthen the privacy protections of the My Health Record system is still being debated in the Senate.

Extending the time for people to decide whether or not to opt-out of a My Health Record is a sensible approach. This gives individuals more time to properly understand the implications of having a My Health Record and for important privacy issues to be considered by the Australian Government.

However if ongoing concerns remain about the privacy and security protections of the My Health Record System by 31 January 2019, if in doubt, better to opt out!

Q3 Notifiable breaches industry league results: Health first … lawyers a solid third!

By Cameron AbbottKeely O’Dowd and Colette Légeret

The Office of the Australian Information Commissioner (OAIC) has released its third quarterly report of notifiable data breaches. This is the second OAIC report to be released covering a full quarter.

The report revealed that OAIC received 245 notifications of data breaches, marginally up from 242 notifications in the second quarterly report.

Some interesting figures from the OAIC’s report are as follows:

  • 18% of notifications were from health service providers, 14% were from the finance sector; 14% were from the legal, accounting and management services sector; 7% were from the private education sector, and 5% were from the personal services sector;
  • 85% of data breaches involved individual’s contact details, 45% involved financial details, 35% involved identity details, 22% involved health details, 22% involved tax file numbers, and 7% involved other types of personal information; and
  • 57% of data breaches were due to malicious or criminal attack, with 37% due to human error, and 6% due to system faults, with cyber incidents, namely compromised credentials or phishing being the main the cause of

Of the 245 data breaches, 58 affected only one individual – however, 7 affected more than 10,000 individuals.

These figures are a clear reminder of the need to ensure that your business is equipped to deal with data breaches. To learn more about this, take a look at this 60-second video by Cameron Abbott. With professional services ranking a solid third, we’ll take some of our own advice too!

Open Government? – political misstep leads to privacy breach

By Cameron Abbott and Keely O’Dowd

Navigating the political terrain and party politics can be a treacherous journey for any politician.

Recently, we have been captivated by a political misstep that involved the tabling of approximately 80,000 confidential and unredacted Cabinet documents of a former Government in the Victoria Parliament. In usual circumstances, these documents would have remained confidential for 30 years, unless the former Government consented to the release of the documents.  However, in an attempt to seek an advantage in the political arena, the Victorian Government of the day decided to release these documents in Parliament and online.

Read More

Copyright © 2019, K&L Gates LLP. All Rights Reserved.