
Magic and rocket science: de-identification is the new black


De-identification … it’s the latest buzzword.

With all the press it’s been getting recently, you could be forgiven for thinking that de-identification is the magic solution to all the privacy problems facing open data and Big Data projects.  But like other forms of magic, this may prove to be just an illusion.  Resolving privacy risks is easier said than done.

Increasingly our clients want advice on how to do data-matching, or release datasets under Open Data initiatives, or conduct Big Data analytics, in a privacy-protective manner.  Some are seeking to participate in cross-agency research projects; others are facing requests to hand over their data to the NSW Data Analytics Centre; while others are simply seeking to find policy or operational insights by leveraging their own data via business intelligence systems.  All are worried about the privacy risks.

There is big picture advice available, like the OAIC’s new guide on how the APPs apply to Big Data, and our own guide to resolving the ethical issues raised by data analytics.  But the one aspect of the discussion that I see causing the most angst is de-identification.

Is de-identification the answer?  Is it the same thing as anonymisation?  How do we even do it?

The Australian Privacy Commissioner Timothy Pilgrim recently described de-identification as “privacy’s rocket science – the technology that unlocks the potential of where we want to go, while protecting individual rights”.  But he also warned that just like space flight, “the risks of getting it wrong can be substantial and very public”.

Thud.  Ouch.  That’s the sound of over-excited data analysts falling back to earth.

As a society, we want privacy protection because it is the oil that lubricates trust, and without trust we cannot function.  The fear of being monitored and targeted for what we say or do has a chilling effect on our freedom of speech.  Public health outcomes cannot be realised if people don’t trust the anonymity of their health information; think of the clients of sexual health, mental health and substance abuse services in particular.  But we also want the full value of data to be realised.  If big data analytics can help find a cure for cancer, or prevent child abuse, we’re all for it.  Bring it on, we all say.

And for the organisation holding data, de-identification sounds like a magic solution, because if you can reach a state with your data where it is not possible for any individual to be identified or re-identified from the data, then it no longer meets the legal definition of “personal information”.  And that means you don’t have to comply with the Privacy Act when you collect, store, use or disclose that data.  Legal risks resolved, hooray, let’s all go home.

So de-identification seems to promise that we can have our cake and eat it too.  It’s the holy grail of data management.

BUT … and this is a big but … can true de-identification ever be achieved, without the utility of the data also being lost?

I have written before about how easily an individual’s identity, pattern of behaviour, physical movements and other traits can be extrapolated from a supposedly ‘anonymous’ set of data, published with good intentions in the name of ‘open data’, public transparency or research.  The examples are many: Netflix, AOL, the Thousand Genomes Project, the London bike-sharing scheme, Washington State health data, and my personal favourite, the NYC taxi data.

So should we throw in the towel, and give up on trying to pursue data analytics?  (Or even worse, give up on privacy?)  No, I don’t believe so.  I think we just need to get better at de-identification, because there is more than one way to skin this particular cat.

But we’re not going to get better at de-identification unless we understand it.  Privacy professionals should not be seduced by boffins who whisper techy sweet nothings in our ear like ‘SLK’ and ‘k-anonymity’, ‘differential privacy’ and ‘encryption’.  Instead, we need to better understand the language and the techniques involved in de-identification for ourselves, so that we can perform proper risk assessments, and know which privacy controls to apply when.

(For what it’s worth: SLKs are keys used to link data about people with confidence, using a code generated from details like their name, gender and date of birth.  The code works only as a pseudonym, so don’t even think about describing SLKs as offering true anonymity, or you’ll get a grumpy tweet from me.)

Privacy professionals need to better understand the relative merits and limitations of different de-identification techniques.  Open data advocates and data analysts need to develop deeper understanding of the full spectrum of privacy threats that can impact on individuals.  And we all need clearer guidance on how to balance data utility and data protection, within the scope of privacy law.

The UK’s Information Commissioner’s Office has a really useful Anonymisation Code of Practice – but it’s not a light read at 108 pages.  In the US, the National Institute of Standards and Technology has published a 54-page paper on de-identification which laments the absence of standards for testing the effectiveness of de-identification techniques, and just this month academics from the Berkman Center for Internet & Society at Harvard University have produced a 107-page tome proposing “a framework for a modern privacy analysis informed by recent advances in data privacy from disciplines such as computer science, statistics, and law”.

But in the meantime I think we need a brief, lay person’s guide to de-identification.  A non-boffin’s set of crib notes, if you like.

Perhaps that will be my blog for another day.  Just as soon as I’ve mastered pulling a rabbit out of a hat.

 

Photograph (c) Shutterstock


What’s in the bag: data analytics or social surveillance?


If de-identification is the new black, then data analytics is the new ‘it’ black handbag: trendy, sexy despite its increasing ubiquity, and capable of holding – and hiding – anything.  It’s the opacity of the data analytics handbag that has me worried.

The NSW Government is throwing serious money at data analytics.  For example Data61, a business arm of the CSIRO, has been funded close to $4M by the NSW Government to tackle Sydney’s traffic congestion.  The project includes using data collected in real time from Opal Cards (Sydney’s public transport smart cards), as well as ‘anonymised’ data from in-vehicle GPS devices.  But did Opal Card users sign up for that?  Did car drivers agree to that?  And can geolocation data ever be anonymous?

(In some exquisite timing, that news came in the same week that Charlie Pickering of The Weekly poked his funny-but-serious stick at the privacy threats from Big Data, including in particular the public fallout and subsequent apology after the sale of cars’ GPS data by TomTom to police in the Netherlands.  Ooops.)

Even more important for those of us in NSW is the establishment of the Data Analytics Centre (DAC).  Minister for Innovation and Better Regulation Victor Dominello says the DAC will be his lasting legacy.  Special legislation was passed last year to establish the regime for information-sharing between public sector agencies and the DAC, but crucially, that legislation makes very clear that it does not override the privacy principles governing agencies.  The limitations on using and disclosing personal information for purposes unrelated to the original purpose of collection still apply.  Agencies can’t just disclose personal information about their clients – be they students, patients, prisoners, tenants, licence-holders, consumers, ratepayers, passengers or whatever – willy-nilly.  (Yes, ‘willy-nilly’ is a technical privacy legal term, Mum.  Because I said so.)

Yet I have seen presentations about the work of the DAC which suggest that any privacy concerns have been ‘resolved’ simply because DAC got its own legislation.  Huh?  DAC CEO Dr Ian Oppermann has said that the DAC legislation has dealt with the “not allowed” argument that agencies previously gave for not sharing their data.  Minister Dominello has also been quoted as saying that the “barrier” posed by privacy and confidentiality has been dramatically reduced because of the new DAC legislation: “instead of being Mount Everest, (the barrier) is just a small molehill”.

But how can that be, when the DAC legislation explicitly states that it does not alter the legal privacy obligations on agencies?  The DAC website even notes that privacy laws have not been changed, and says sharing of personal data is excluded from the DAC.

Yet public sector agencies have started receiving requests from the DAC to hand over their data, without advice as to how the disclosure of the data requested will comply with their privacy legal obligations.  These requests might ask for ‘anonymous’ data, but the suggested outlines include unit record data, with direct identifiers intact, which would easily enable identification of their clients.

Even if DAC does not know names yet, identifiability is surely within reach.  Their stated goal, in a current project mapping data in the South Sydney region, is to “get it down to 30-minute intervals of not only who lives where with whom, but who travels in, who travels out, who travels around, or who stays put”.  They claim to be collating data not only from public sector agencies including Opal Card data, but from energy and water utilities, telcos, banks and car-share companies.  Given the potency of geolocation data and metadata to enable individuation and identification of individuals, the privacy implications are enormous.

This is serious, Big Brother stuff.

How can agencies possibly hand over unit record data, in a state that would surely risk identification of the individual, without breaching their privacy obligations?  Rightly, agencies are concerned about the impact on public trust if they get it wrong, and about the “unexpected consequences of sharing”.  And yet Minister Dominello is also quoted as saying he is getting close to using his “sledgehammer” coercive powers to demand data be handed over to the DAC.

Is the problem that we are all talking at cross-purposes here?  Perhaps there isn’t a shared understanding within the NSW Government about what ‘anonymity’ means.  Or about just how far the definition of ‘personal information’ extends.  Just because you don’t know someone’s name doesn’t mean that you’re not breaching their privacy.

It would be no surprise if there is not a shared understanding on these issues.  Even now, 16 years after the NSW privacy laws commenced, I often hear public servants quite incorrectly assert that their privacy obligations only relate to ‘private’ information (and disturbingly, this presentation from the ABS makes the same claim); or that privacy laws don’t cover information observed in the public domain (like CCTV footage, say); or that celebrities don’t have privacy rights.  Or that who ‘owns’ the data is somehow relevant; or that children have no privacy rights; or that information linked to an address is not personal information about the people who live there.  Misunderstanding of what our privacy laws actually say is sadly very common.

Even amongst the research community there are conflicting definitions of ‘anonymity’ and ‘de-identification’.  Some use the terms interchangeably, but others maintain a distinction.  In the presentation referenced above, the Chief Methodologist at the ABS uses a definition of ‘anonymity’ which only means removing direct identifiers like name and address.  In the words of The Economist, the “stripping of a few details as the only means of assuring anonymity, in a world choked with data exhaust, cannot work”.  So when the ABS uses the word ‘anonymity’, they mean something less than the process offered by k-anonymity, which also removes indirect identifiers like date of birth, ethnicity and many other factors as well.  De-identification suggests a final state, being the point where privacy laws can cease to apply, because there is no longer a reasonable chance of identifying an individual.
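To make that distinction concrete, here is a minimal sketch (in Python, with invented records and column names) of the difference between the ABS-style approach of merely dropping direct identifiers, and actually measuring k-anonymity across the remaining quasi-identifiers:

```python
from collections import Counter

# Hypothetical unit records: a direct identifier plus some quasi-identifiers.
records = [
    {"name": "A. Citizen",  "postcode": "2000", "birth_year": 1984, "sex": "F"},
    {"name": "B. Resident", "postcode": "2000", "birth_year": 1984, "sex": "F"},
    {"name": "C. Patient",  "postcode": "2010", "birth_year": 1951, "sex": "M"},
]

QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")

def strip_direct_identifiers(rows):
    """The narrow 'anonymity': drop the name, keep everything else."""
    return [{k: v for k, v in r.items() if k != "name"} for r in rows]

def k_anonymity(rows, quasi=QUASI_IDENTIFIERS):
    """k-anonymity: the size of the smallest group sharing the same
    combination of quasi-identifier values. k = 1 means someone is unique."""
    groups = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(groups.values())

deidentified = strip_direct_identifiers(records)
print(k_anonymity(deidentified))  # -> 1: the 2010 / 1951 / M record is still unique
```

A k of 1 means at least one person remains unique on their quasi-identifiers even with the name removed: exactly the weakness The Economist is describing.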

Public trust in government agencies doing data analytics depends on getting privacy right.  But do the researchers, statisticians and data scientists have enough guidance on their ethical and legal obligations?

And do the public servants acting as custodians of our personal information have enough guidance on how to conduct de-identification in a way that protects our privacy, relieves them of their legal obligations to not disclose the information, yet still offers up data to the DAC and elsewhere that is of public utility?  Getting de-identification right is very, very hard.

The NSW Privacy Commissioner’s office is so shamefully under-resourced that it struggles to produce the type of sector-wide guidance that could genuinely add value to both the DAC and the rest of the public sector.  (I know they are working on various guidelines, but timing is everything when horses are already bolting.)

Any such guidance also needs to distinguish between the ethical and legal considerations when doing big data analytics for the purpose of generating insights, compared with using analytics to apply or operationalise those insights.

For example, it is one thing to discover the insight that apparently people who buy lots of pasta pose higher risk to car insurers than people who buy lots of red meat.  It is another thing to ‘operationalise’ that insight into offering different insurance products based on the shopping habits of the individual customer.  Or in another context: if a university learns from its data analytics program that students from an indigenous background are at significantly higher risk of failure than non-indigenous students, what is the proper ethical and legal response to this insight?  Surely we would not want the university to stop admitting indigenous students.  (For more guidance on developing an ethical framework for Big Data projects, check out our eBook on this topic.)

So I am wondering how the DAC is resolving these complex issues.  It’s hard to know; there are lots of media articles about the what, but not much transparency about the how.

Have the six Cabinet-approved DAC projects undergone privacy impact assessment?  Do they use Privacy by Design methodology?  Do they follow the requirements of the National Statement on Ethical Conduct in Human Research, which would necessitate the approval of a Human Research Ethics Committee (HREC) before any personal information was collected, used or disclosed for a research purpose?  (I don’t know about you, but I doubt NSW Cabinet meetings bear much similarity to the deliberations of a HREC mulling over the public interest considerations at stake.)

Can they satisfy the various legal tests usually applied to research involving personal information?  What method is being applied to de-identify information, when and by whom?  Has it been tested to ensure it could withstand a re-identification attack?

And will the considerations be different, if the purpose is not only research to guide a public policy response, but a project to actually track down individuals in order to penalise them?  Minister Dominello is reportedly planning to use the DAC to identify and target slumlords, by combining data from energy and water utilities, local council records, and Fair Trading complaints.

Hmmm, let’s just think about that for a moment.  How might this data analytics project work, and what might the privacy risks be?

Let’s say you have some examples of properties known to have been illegally over-crowded with tenants, and you have data about their history of water and electricity consumption.  And let’s say you get data from the water and power companies, showing everyone’s water and electricity consumption levels.  You could start with aggregated data; no need to identify anyone yet.

Now render all that data into a bell curve of water and electricity use.  (You remember bell curves from Stats 101 at Uni, right?)  Plot the consumption data from the known illegal tenancies on the bell curve and see if they are outliers.  If not, maybe you need to narrow your range of data subjects, by increasing the number of elements used in the data.  Throw in the council zoning records.  First you might want to exclude all commercial premises from your dataset, but that still might not be enough to give you an accurate picture of what might be suspicious levels of residential use.  Next, you might realise that many apartment buildings have a single shared meter, so you will need to figure out how to break down the shared figure into something more indicative of use-per-household.  Even then, you can’t necessarily distinguish which apartment resident is the one hogging all the resources.  I don’t know how to resolve those problems for now (and nor can body corporates with residents cranky about their utility bills), but for the sake of this exercise let’s just imagine that DAC has magically figured that one out already.

Hmmm, what else?  Swimming pools use a lot of water and power, so to exclude those people you might also need data from another dataset which knows where all the swimming pools are.  Maybe local council records again, or Google Earth?  But to match the data together, you might now need to know the specific address or GIS coordinates of all water and electricity customers.  Not so de-identified anymore; we’re now into ‘personal information’ and hence prohibitions on use and disclosure, but regardless, let’s keep going with this hypothetical exercise.

Now let’s say you are left with a bell curve of water and power consumption data for all residential properties which don’t have swimming pools, and you can somehow tell the houses from the apartments, and the high-consumption apartments from their low-consumption fellow apartments.  And let’s say that you have been able to refine the data to the point where the consumption data from the properties known to have been used as illegal tenancies are clustered in the top 1% or so – the outliers.
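To make the hypothetical concrete, here is a minimal sketch (in Python, with invented figures and a threshold I have simply made up) of the kind of outlier flagging being described: standardise each property’s consumption and flag anything far above the mean on both measures.

```python
import statistics

# Hypothetical annual consumption per residential property (kL water, kWh power).
properties = {
    "12 Example St":       {"water": 180, "power": 5200},
    "34 Sample Ave":       {"water": 210, "power": 6100},
    "7/56 Placeholder Rd": {"water": 950, "power": 21000},  # the kind of outlier at issue
    # ... thousands more unit records would sit here in a real exercise ...
}

def z_scores(values):
    """How many standard deviations each value sits from the mean."""
    mean = statistics.mean(values)
    sd = statistics.stdev(values)
    return [(v - mean) / sd for v in values]

addresses = list(properties)
water_z = z_scores([properties[a]["water"] for a in addresses])
power_z = z_scores([properties[a]["power"] for a in addresses])

# Flag properties sitting more than 2.5 standard deviations above the mean on both measures.
THRESHOLD = 2.5
suspects = [a for a, wz, pz in zip(addresses, water_z, power_z)
            if wz > THRESHOLD and pz > THRESHOLD]
print(suspects)  # empty on this tiny sample; on a full dataset, only the extreme tail is flagged
```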

The question then becomes: who else is going to be an outlier – and thus under suspicion – when it comes to unusually high consumption of water and electricity?  People using hydroponics to cultivate certain green leafy products, that’s who.  Well, you might not have much sympathy for them, but what if we’re also talking about Aunty Mildred who lovingly tends her hot-housed roses?  And how about people with home dialysis machines?

What about those of us who just really really like long hot showers?  (Honestly, if taking long hot showers was an Olympic sport, my family would be well stocked with green and gold tracksuits.)  Or how about people who have cats who have been known to knock the kitchen tap on full, immediately before going on holidays?  (Yeah, I’m looking at you Felix.)  Does that mean we will be targeted by the Minister’s door-knocking inspectors as well?

Of course, once data analytics is being used to identify and target individuals or households for some kind of intervention, the activity has moved well beyond ‘research’ or even public policy development.  If DAC wants the address of all the ‘outlier’ customers, the use or disclosure of that personal information needs to be authorised on other grounds, such as law enforcement.  In NSW, the test for non-health, non-sensitive personal information is that a disclosure must be “reasonably necessary … in order to investigate an offence where there are reasonable grounds to believe that an offence may have been committed”.  Is being plotted as an outlier on a bell curve enough to provide reasonable grounds to believe an offence has actually been committed?  (Or if you are going to also use data about known properties with a history of Fair Trading complaints, that begs the question: why collect energy and water data on all households to start with?)

At what point does data analytics become just a fancy name for social surveillance on a mass scale?  Fishing expeditions masquerading as law enforcement or public safety initiatives are the very type of activity that privacy laws are intended to protect us from.  Allowing our lives to be ruled by algorithms means surrendering not only our privacy, but our autonomy as individuals, and as citizens.

These are fascinating, big picture philosophical questions.  There are no easy answers.  As a recent article in Wired notes, scientists are just as confused about the ethics of Big Data research as the rest of us.

I have had some wonderfully engaged discussions recently with researchers, scientists, philosophers, lawyers and lay people on these very questions, as I run a series of workshops around Australia on behalf of PRAXIS, on navigating privacy considerations in research, for the research community and members of HRECs.  (I also like to pose these questions to Felix, but he just ignores me and continues playing with the kitchen tap.)

Where do we turn, to help resolve these ethical questions?  Privacy legislation can be horribly tangled, but it is the closest thing we have to help navigate a way forward.  Privacy principles were developed deliberately, as a way of codifying our society’s values and ethics.  They represent a considered balancing act between the public interest served by protecting privacy, and other social objectives such as law enforcement, research in the public interest, and the proper administration of government.

So I have faith that our privacy laws can guide the way, so long as in the rush to develop ‘big data’ analytics, the data scientists actually pause long enough to develop a nuanced understanding of what their privacy legal obligations entail.

Like many women, I love my black handbags – not just because they look good, but for what they can hold, and what they can hide.  But when it comes to the DAC, I would like to see that black handbag turned inside out, so we can all see what’s going on inside, with our data – and judge for ourselves whether or not we think it is ethical and appropriate.

 

Photograph (c) Shutterstock

Why I’m taking leave of my Census: a privacy expert’s reluctant boycott


Dear Magistrate,

In case the ABS is prosecuting me for non-completion of this year’s Census, I thought I should explain to you my reasons why I have decided that a boycott is the only moral position I can take.

The short version is this:  Yes to a national snapshot.  No to detailed data-linking on individuals.  That’s not what a census is for.

I have wrestled with what my personal position should be.  I am normally a fan of the Census.  It has an important role to play in how we as a people are governed.  As a former public servant with a policy and research background, I believe in evidence-based policy decisions.  As a parent and a citizen, I want good quality data to help governments decide where to build the next school or hospital, or how to best direct aged care funding, or tackle indigenous disadvantage.

But as a former Deputy Privacy Commissioner, and a privacy consultant for the past 12 years, I can also see the privacy risks in what the ABS is doing.

Months ago I wrote an explanation of all the privacy risks caused by the ABS’s decision to keep and use name and address information for data-linking, in the hope that reason would prevail.  I was assuming that public and political pressure would force the ABS to drop the proposal (as they did in 2006 when I was Chair of the Australian Privacy Foundation and we spoke up about it).  Lots of people (as well as one penguin, the marvellous Brenda, the Civil Disobedience Penguin), are now coming to realise the risks and speak out against them, but right now, just a few days out, it looks like the ABS is pushing ahead regardless.

There are those who say that we shouldn’t boycott the Census because it is too important.  To them I say:  Bollocks.  (If you pardon my language, Your Worship.)  We know where that ‘too big to fail’ argument leads: to more arrogance, more heavy-handed treatment of citizens, more privacy invasions.

And there are the demographers who say the Census data should be linked to other health records like PBS prescription records, because if we as patients were asked for our identifiable health data directly, we would refuse to answer.  To them I say:  Hello, THAT’S THE POINT!  It’s my health information, not yours.  You should ask me nicely, and persuade me about your public interest research purpose, if you want access to my identifiable health records.  Maybe then I will say yes.  But going behind people’s backs because they would refuse their consent if asked is not what the National Health & Medical Research Council’s National Statement on Ethical Conduct in Human Research is about.

This morning I suddenly realised: the ABS is behaving like a very, very bad boyfriend.  He keeps on breaking promises, pushing boundaries and disappointing you, but you forgive him each time.  You don’t want to call him out in case then he gets angry and dumps you.  So you just put up with it, and grumble over drinks to your girlfriends.

And this bad boyfriend keeps saying these reassuring things, like “oh we’ll only keep the data for four years”, and “the names and addresses are in a separate database”.  To that I say:  Nice try, but that’s a red herring.

Although there are certainly heightened privacy and security risks of accidental loss or malicious misuse with storing names and addresses, the deliberate privacy invasion starts with the use of that data to create a Statistical Linkage Key (SLK) for each individual, to use in linking data from other sources.  Please don’t believe that SLKs offer anonymity.  SLKs are easy to generate, with the same standard used across multiple datasets.  That’s the whole point: so that you can link data about a particular individual.  For example, Malcolm Turnbull would be known by the SLK URBAL241019541 in the type of datasets the ABS wants to match Census data against, including mental health services (yes, mental health!) and other health records, disability services records, early childhood records, community services records, as well as data about housing assistance and homelessness.

Anyone with access to these types of health and human services datasets can search for individuals by generating and searching against their SLK.  All you need to know is their first and last names, gender and date of birth.  Scott Morrison is ORICO130519681.  Kylie Minogue is INGYL280519682.  Delta Goodrem is OOREL091119842.  Now tell me that privacy will be absolutely protected if Census data is coded and linked using an SLK as well.
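(For the technically curious: the format used in these examples matches the SLK-581 linkage key common to Australian health and community services data collections.  A minimal sketch of how such a code is built, in Python and ignoring the padding rules for short names, shows why it is trivially reproducible by anyone who knows a person’s name, date of birth and sex:)

```python
def slk_581(family_name: str, given_name: str, dob_ddmmyyyy: str, sex_code: str) -> str:
    """Sketch of an SLK-581-style linkage key: 2nd, 3rd and 5th letters of the
    family name, 2nd and 3rd letters of the given name, date of birth (DDMMYYYY)
    and a one-digit sex code.  Padding rules for short names are omitted here."""
    fam = "".join(c for c in family_name.upper() if c.isalpha())
    giv = "".join(c for c in given_name.upper() if c.isalpha())
    name_part = fam[1] + fam[2] + fam[4] + giv[1] + giv[2]
    return name_part + dob_ddmmyyyy + sex_code

# Reproduces the examples above: a pseudonym anyone can regenerate is not anonymity.
print(slk_581("Turnbull", "Malcolm", "24101954", "1"))  # URBAL241019541
print(slk_581("Minogue", "Kylie", "28051968", "2"))     # INGYL280519682
```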

Never mind four years; the ABS could destroy all the actual name and address data after only four days or four seconds – but if they have already used it to generate an SLK for each individual Census record, the privacy damage has been done.

(Oh, and that line about how “we’ve never had a privacy breach with Census data”?  To that I say:  Great!  Let’s keep it that way!  DON’T COLLECT NAMES.)

So I say no.  No.  I am not putting up with that bad boyfriend any longer.  I believe in the importance of the Census, which is why I am so damn pissed off (sorry again Your Worship) that the ABS is being such a bad boyfriend to the Australian people: trashing not only our privacy, but the value of our data too.  It’s time to break up with them.

I have come to this decision with a heavy heart.  I am normally a law-abiding citizen.  Plus, I don’t really fancy facing a $180 fine for every day that I refuse to comply with a direction to complete the Census, with no cap on the number of days.  (Seriously, what kind of heavy-handed law is that?  Are you really going to keep hitting me with daily fines for the rest of my life, Your Worship?)

I know that I could give the ABS misinformation instead.  Say my name is Boaty McBoatface and that I am a 97 year old man living with 8 wives, that I have 14 cars, my language at home is Gibberish and that my religion is Jedi.  Giving misinformation is a common, rational response by about three in ten people who want to protect their privacy when faced with the collection of personal data they have no choice about.  Of course, that is also a crime in relation to the Census, but at least that one maxes out at an $1,800 fine.

But I won’t do that, because I do believe in the integrity of the census data.  I don’t want people to have to give misinformation in order to protect themselves.  We shouldn’t be placed in that position.

The definition of ‘census’ is “an official count”.  I actually want to stand up and be counted.  But only counted; not named or profiled or data-matched or data-linked, or anything else.  The privacy risks of doing anything else are just too great.

I have thought about just refusing to provide my name.  But even if I don’t give my name, if the ABS is determined to link my Census data with other datasets, there would be enough other information in my Census answers (sex, age, home address, previous home address, work address) to let them proceed regardless.  It won’t be enough to protect my privacy.

So until the ABS reverses its decision to match Census data about individuals with other datasets about individuals, I am not going to answer the Census questions at all.

I am sorry, Your Worship.  I don’t like being forced to choose, because I believe Australians deserve to have both good quality statistical data for government decision-making, AND their privacy respected.  But on Tuesday night, I will choose privacy.

The Census should be a national snapshot, not a tool for detailed data-linking on every individual.  Now convict and fine me if you disagree.

Yours sincerely,

Anna Johnston

 

Photograph (c) Shutterstock

Individuation – Re-thinking the scope of privacy laws


In Australia, our information privacy rights turn on the definition of ‘personal information’.  If data meets the definition of ‘personal information’, there will be privacy obligations attached to it; otherwise, all bets are off.  But is this approach to protecting privacy serving us well?

Although certainly a less nebulous term than ‘privacy’, relying on the phrase ‘personal information’ has its own drawbacks, because challenges can be made to its breadth.  The components of the definition which are argued about include that the information must be ‘about an individual’, and that the individual must be ‘identified … or … reasonably identifiable’.

The full bench of the Federal Court has just heard submissions in the Privacy Commissioner’s appeal against the AAT decision in Grubb v Telstra.  In December last year, the AAT ruled that mobile network data is not ‘personal information’ subject to the Privacy Act, because it is ‘about’ connections between mobile devices, rather than ‘about an individual’, notwithstanding that a known individual triggered the call or data session which caused the connection.

You might think this distinction is – as Minister McCormack said about privacy concerns and the Census – ‘much ado about nothing’.  (Boom tish!)  But as I have noted before, taking such a narrow view of the word ‘about’ is a slippery slope that could undermine our privacy laws.  If banks start arguing that their records are only ‘about’ transactions, not the people sending or receiving money as part of those transactions – or if hospitals claim that medical records are ‘about’ clinical procedures, not their patients – we may as well all pack up and go home.  Let’s hope the Federal Court sees sense on this question.

The even more contentious part of the definition of ‘personal information’ is the notion of identifiability: is an individual reasonably identifiable from the information at issue?  The flip side of identifiability is the challenge of de-identification.

These debates are an attempt to create clarity from ambiguity: Is it personal information or not?  And thus: is it in or out of the scope of the privacy principles?  Is it worth protecting?

But increasingly, I am of the view that trying to force the world into this type of ‘personal information or not’ binary legal structure is not helpful.  Perhaps, if our objective is to protect people’s privacy, our laws need to grapple with a broader view of the types of practices which can harm privacy – regardless of whether ‘personal information’ is at stake.

The UN’s Special Rapporteur on Privacy, Joe Cannataci, has written about privacy as enabling the free, unhindered development of personality.  You could think of privacy as related to the right to self-determination, or as an element of autonomy.

And if you think of the purpose of privacy laws as protecting individual autonomy, we should be ensuring that our laws regulate all types of activities which can impact on autonomy.  Because it is individuation, rather than identification, which can trigger privacy harms.

In other words, you can hurt someone without ever knowing who they are.

Individuation means you can disambiguate the person in the crowd.  This is the technique used in online behavioural advertising; advertisers don’t know who you are, but they know that the user of this device has a certain collection of attributes, and they can target or address their message to the user of this device accordingly.

Once we move beyond straight-up advertising, the impact on individual autonomy becomes more acute.  Individuation can lead to price discrimination, like surge pricing on Uber based on knowing how much phone battery life you have left.  Or market discrimination, like Woolies only offering car insurance to customers it has decided are low risk.  Or in the world of Big Data, social or government interventions can be triggered by an algorithm assessing your collection of attributes, without necessarily knowing who you are.

Geolocation data likewise offers high rates of individuation, even without identification.  I have written before about how privacy harms could arise from using geolocation data to figure out the likely home address of people who have visited a strip club or an abortion clinic.  Individuals could be targeted for harm, without the perpetrator ever knowing who they are.
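As a rough illustration (with invented coordinates and a deliberately crude heuristic), inferring a likely home address from ‘anonymous’ location pings can be as simple as looking at where a device spends its nights:

```python
from collections import Counter

# Hypothetical pings for one 'anonymous' device: (hour_of_day, rounded_lat, rounded_lon).
pings = [
    (2, -33.892, 151.201), (3, -33.892, 151.201), (23, -33.892, 151.201),  # overnight cluster
    (13, -33.874, 151.207), (13, -33.874, 151.207),                        # a daytime visit
]

SENSITIVE_SITE = (-33.874, 151.207)  # illustrative coordinates of a clinic or club

def likely_home(points):
    """The modal overnight location is a strong guess at the device owner's home."""
    overnight = [(lat, lon) for hour, lat, lon in points if hour >= 22 or hour <= 6]
    return Counter(overnight).most_common(1)[0][0] if overnight else None

visited_sensitive_site = any((lat, lon) == SENSITIVE_SITE for _, lat, lon in pings)
if visited_sensitive_site:
    print("Device seen at the sensitive site; likely home:", likely_home(pings))
```

No name is ever attached to the device, yet the person who sleeps at that address is now exposed.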

The Facebook / Cornell University ‘research’ project on emotional contagion offers another fine example of causing privacy harm, without ‘personal information’ being involved.  Although the researchers argued that no personal information was at stake (and thus, in theory, there were no privacy impacts) because they did not know who their research subjects were, they deliberately manipulated the news feeds of almost 700,000 Facebook users, in order to trigger emotional outcomes for people who had no idea they were even part of a ‘research’ project.

Other examples are on a smaller scale, but no less disturbing.  Taking photos of the genitals of a sedated patient – even if those photos do not lead to identification of the patient, and even if the photos are never shared – is a gross violation of a person’s dignity and autonomy.

All these activities hold the potential to impact on individuals’ autonomy, by narrowing or altering their market or life choices.

Philosophy professor Michael Lynch has said that “taking you out of the decision-making equation” matters because “autonomy enables us to shape our own decisions and make ones that are in line with our deepest preferences and convictions. Autonomy lies at the heart of our humanity”.

Yet for now, our legal protections for privacy only kick in when there is an ‘identifiability’ dimension to an activity.

Perhaps it is time to re-think the scope of our privacy laws, to encompass individuation and autonomy as well as identification.  In March this year a statutory cause of action for serious invasions of privacy, which could go beyond our limited ‘personal information’ protection laws, was recommended by the NSW Legislative Council Standing Committee on Law and Justice in its report Remedies for the serious invasion of privacy in New South Wales.  The NSW Government is due to respond on 5 September.

So between the impending decision in the Grubb v Telstra case, and the response from the NSW Government to the recommendation to introduce a statutory tort of privacy, the scope of our privacy laws might just be in for a timely shake-up.

 

Photograph (c) Shutterstock

Dear Diary: Should you be public or private, personal or Ministerial?


I had a dream last night – well, more of a nightmare really.  I dreamt that my home had been burgled.

As I walked through my home, seeing possessions flung about but nothing obviously missing, I was thinking: what is there to steal anymore anyway?  No-one wants scratched Alanis Morissette CDs or pre-loved Wiggles DVDs when you can just stream all the music and movies you want.  Surely there is no market anymore for second-hand stereo systems.  (In 1990 when my parents’ house was burgled, their Beta video player was left behind.  Not stupid, those burglars.)  And who needs a fell-off-the-back-of-a-truck TV when new ones cost less than a phone?

But then I realised that the burglars had discovered my diary.  Urghhhh.  Shudder.  All my most private thoughts.  Thoughts I would not share with my closest friends, let alone you, dear reader.

In this age of social media and Big Data, where we Instagram our food before eating it, tell the world about our relationship status via Facebook, ask Siri to write our text messages for us, and let the flashlight app on our phones know precisely where we have been, a personal diary may be the last vestige of privacy we have left.  Which is why I woke from my nightmare feeling like I had been violated.

They’re funny things, diaries.

Unlike memoirs, which are written with a reader in mind, a personal diary is the one place where we can record our innermost thoughts and feelings, in absolute privacy.  It’s a place where freedom of thought and freedom of expression can run wild.  The diary is the perfect example of how privacy is an enabler of those other freedoms – even when there is precious little liberty to be found.  While hiding from the Nazis in the Secret Annex, Anne Frank wrote in and of her diary that “The nicest part is being able to write down all my thoughts and feelings, otherwise I’d absolutely suffocate”.

But of course, sometimes private diaries became public, to the embarrassment of either the author or their colleagues.  In 1992, former NSW Government Minister Terry Metherell’s habit of keeping a diary eventually led to the downfall of Premier Nick Greiner.

What stuck in my memory from that day was the response of Bob Carr, then NSW Opposition Leader, which was to claim that he had burned his diaries, while also seemingly contradicting himself by quoting the line made famous by Mae West: “Keep a diary and someday it’ll keep you”.  (Which, in Bob Carr’s case, eventually came true some 22 years later, when he published his Diary of a Foreign Minister.)

More recently, Australian Attorney General George Brandis has been fighting to keep his Ministerial diary private.  This involves a somewhat awkward stance, as he is the Minister in charge of both privacy and Freedom of Information laws.

But that’s not the only irony to be found in the tension between privacy and freedom of information.  This year, ‘Right to Know Day’ was celebrated on 28 September, and Brandis marked it with two announcements.  The first was that while Timothy Pilgrim had been appointed as Australian Information Commissioner, neither the FOI Commissioner nor the Privacy Commissioner roles were to be separately filled.

The second was to announce that amendments will be made to the Privacy Act to criminalise the re-identification of published ‘anonymous’ government data.  This law reform proposal appeared to have come out of left-field, until the next day it was revealed that academics from the University of Melbourne had been able to re-identify data published at the Federal Government’s data.gov.au website.

Released as open data by the Department of Health in August, the dataset included around 1 billion Medicare claims made between 1984 and 2014, by about 10% of the Australian population.

At the time, the Department said that a number of de-identification techniques had been applied, including “encryption, perturbation and exclusion of rare events”.  However using only publicly available information, Dr Vanessa Teague and her colleagues were able to decrypt the service provider ID numbers.

There is surely a risk that patients’ medical histories could be discovered as a result of knowing the identity of each provider.  The Department stated that birthdates were replaced with year of birth, locations of the health services described only by the State or Territory, and the dates of each health service provided were “randomly perturbed to within 14 days of the true date”.  However imagine if you were one of the 1,500 or so people who downloaded this dataset before it was taken offline; and now imagine that you knew from other sources that a particular patient you were interested in saw a particular service provider on a particular date.  (For example, you know your ex-girlfriend saw her GP on a particular date because you drove her to her appointment; or you know a celebrity saw a particular specialist because the paparazzi photographed them coming out of the surgery.)  You could at least start to narrow down your search by finding all the patients with the correct year of birth who saw that health service provider within a 14 day window around the correct date.  Depending on what other variables are evident from the data, from there you might just be able to identify which patient is the one you are interested in – and then link through to every other Medicare claim they made over 30 years, without even having to decrypt the patient number.
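To see how little work that narrowing-down takes, here is a minimal sketch in Python.  The column names and values are invented for illustration; the actual released file was structured differently, and this is not code anyone ran against it:

```python
from datetime import date, timedelta

# Invented structure, for illustration only.
claims = [
    {"patient_id": "P001", "provider_id": "D123", "birth_year": 1984,
     "state": "NSW", "service_date": date(2014, 3, 9)},
    {"patient_id": "P002", "provider_id": "D123", "birth_year": 1984,
     "state": "NSW", "service_date": date(2014, 6, 2)},
    # ... roughly a billion more rows in the real release ...
]

def candidate_patients(known_provider, known_birth_year, known_visit_date, window_days=14):
    """Auxiliary knowledge: the target saw this provider around this date.
    Release dates were perturbed by up to 14 days, so search a window."""
    lo = known_visit_date - timedelta(days=window_days)
    hi = known_visit_date + timedelta(days=window_days)
    return {c["patient_id"] for c in claims
            if c["provider_id"] == known_provider
            and c["birth_year"] == known_birth_year
            and lo <= c["service_date"] <= hi}

suspects = candidate_patients("D123", 1984, date(2014, 3, 12))
# If only one candidate ID remains, every other claim under that ID,
# spanning 30 years of history, is now linked to a known person.
print(suspects)
```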

Less than a week after that re-identification scare, the Australian Public Service Commission confirmed that data on 96,000 public servants was downloaded nearly 60 times before they withdrew the published dataset, after realising that identification codes for the employing agencies could potentially be used to identify the public servants who filled in their annual employment survey.

Resolving the tension between extracting the most value from government datasets (part of our ‘right to know’ as citizens) and protecting the privacy of the individuals to whom the data relates is no easy task.  However like many other commentators, I would suggest that criminalising the people who find re-identification vulnerabilities is not the best approach.

We should instead focus efforts on improving understanding of de-identification techniques (and re-identification risks) amongst privacy professionals and open data advocates, as well as the research community, so as to minimise the risk of these data breaches occurring in the first place.

Otherwise I expect that we will keep seeing data breaches like these.  And unlike me and my fear of stolen diaries, the affected individuals won’t be able to wake up and think: ‘oh thank goodness, it was all just a bad dream’.

 

(FYI: If you would like to learn more about this topic, I will be joining Information Commissioner Timothy Pilgrim and other experts on a panel workshopping de-identification myths, realties and limits at the GovInnovate Summit next month.)

 

Photograph (c) Shutterstock

Social licence and pragmatic tools: how to unlock public data


So November has been quite the month for discussing big ideas about Big Data.  Between the iappANZ ‘Trust in Privacy’ Summit, the Privacy Commissioner’s De-identification Workshop, and the Productivity Commission’s draft report into Data Availability and Use, much has been said about public trust or ‘social licence’ as a pre-condition to effective data use.

(And that was before we even got to the two damning reports into #Censusfail released last week, from the Senate Economics References Committee and Cybersecurity Special Advisor to the PM Alastair MacGibbon.)

But how do you create the right conditions for better data-sharing?

I believe that if you want to facilitate data-sharing for the public good, you need two conditions:

  • First, you need data custodians to feel they are on solid legal ground when they decide to release data; and
  • Second, you need public trust.

I was asked to appear before the Productivity Commission earlier this week, to discuss some of their draft recommendations on this topic.  With the objective of releasing the public value in datasets held by both government and the private sector, the Productivity Commission has recommended creating a new regulated category of data, to be known as ‘customer data’.  Although I disagree with that particular recommendation – as outlined in the Salinger Privacy submission I believe the scope of the definition of ‘personal information’ is already sufficient – I nonetheless enjoyed a spirited debate on the issue with Chairman Peter Harris AO.

Mr Harris said that the reason he wanted to move away from the definition of ‘personal information’ and instead talk about ‘customer data’ is because he wants businesses to treat their data as an asset, instead of as a ‘privacy compliance issue’.  (There followed a brief period of furious agreement between us that privacy policies are generally well-crafted yawn-fests which consumers ignore.)

Mr Harris also believes that consumers should be able to realise the value of their own data.

Personally, I think discussions on assets and the valuing of data tend to spill over into debate about who ‘owns’ data, which just muddies the waters.  Privacy laws are deliberately drafted to be agnostic on the question of the ownership of data.

However coincidentally at the iappANZ Summit just a few days earlier, Malcolm Crompton had also raised the concept of data being classed an asset – although he was coming from quite a different angle.  Malcolm’s point was that assets not on the balance sheet are usually ignored by company directors, so that by bringing personal information onto the balance sheet (for example through a change in accounting standards), you could potentially have more of an impact on ensuring privacy protection than strengthening our existing principles-based privacy laws.

In a similar vein, the brilliant information security blogger Bruce Schneier had this to say earlier this year, after yet another damaging data breach revelation: “data is a toxic asset and saving it is dangerous”.

So I came away unconvinced that we need a new, regulated class of ‘customer data’.  If a business doesn’t yet understand that the information they hold about their customers is potentially both an asset and a liability, and it is therefore in their best interests to get their privacy practices right, calling it something new is not going to help.

But on the subject of language, I admit to being a fan of the term ‘data custodian’.  The Productivity Commission’s draft recommendation 5.4 is to impose annual reporting obligations on data custodians, to make them justify their decisions about data access requests.  Hmmm, I’m not convinced on that one.  I made a submission that if the objective is, as the Productivity Commission says, to “streamline approval processes for data access”, then what data custodians need instead is pragmatic assistance.

My view is that the ideal privacy law sets tough standards that are nonetheless easy to comply with.

My experience over many years working with clients trying to comply with privacy laws is that the wording or ‘toughness’ of the rules themselves is almost irrelevant to the individual who needs to apply them.  What matters to that decision-maker is how quickly and easily the standards can be found, understood, and followed.

For example, put yourself in the shoes of Phil the physiotherapist, or Sue the Centrelink manager, or Shari who is rostered on the front counter at a business.  An insurance company investigating a personal injury claim has asked to see their file on Joe Bloggs.  Phil and Sue and Shari don’t know whether they’re allowed to hand it over.  Their first thought is: “Am I allowed to disclose this information?”

And likewise, the custodian of datasets of public value wants to know: “Can I lawfully disclose this information, in this format, in these circumstances, to this person or body requesting it?”

To answer any one of these questions can often involve a painstaking task of navigating through privacy principles, and exemptions, and applying the case law.  It’s a lot easier to just say “no”, and “because of the Privacy Act”.  Privacy gets a bad name.  Research projects get bogged down.  People start demanding exemptions from privacy law.

Instead, I would like to see the process of navigation made much simpler.  The rules can be tough, so long as they are easy to find, understand and apply.

Earlier this year we developed a tool for organisations regulated under NSW privacy laws, which includes not only State and local government agencies, but also private sector organisations operating in NSW if they hold ‘health information’.  We mapped out the Disclosure rules under the two NSW privacy statutes into a flowchart-based, question-and-answer format, to guide decision-making.  Because of all the different exemptions and special rules for different types of personal information, the flowcharts in our Untangling Privacy guide run over seven pages – but the user can move through them quickly.

Untangling Privacy works together with our annotated guide to the NSW privacy laws, PPIPA in Practice, which explains the interpretation on offer from both the Privacy Commissioner and case law (updated quarterly) about what each part of each test of each rule means in practice.

But although they come as downloadable eBooks, our guides are effectively still in analogue form.  We would love to have the time and funding to turn our two guides into a properly automated and digital tool: an ‘app’ so that all types of data custodians, both big and small, could very quickly navigate through to the correct rule for their situation, and could also click through to see up-to-date interpretation of that rule.  This type of pragmatic tool would enable data custodians to really quickly figure out their answer, each time they are approached with a request to share or disclose the data that they hold.
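To give a sense of what I mean (a purely hypothetical sketch in Python, not the actual structure or wording of Untangling Privacy, and certainly not legal advice), the flowchart logic is just a tree of yes/no questions, each leading either to another question or to an answer:

```python
from dataclasses import dataclass
from typing import Union

@dataclass
class Outcome:
    text: str  # e.g. the rule that applies, with a pointer to further guidance

@dataclass
class Question:
    text: str
    if_yes: Union["Question", Outcome]
    if_no: Union["Question", Outcome]

# Illustrative questions only; the real rules and exemptions are far more detailed.
flowchart = Question(
    "Is the information 'personal information' (about a reasonably identifiable individual)?",
    if_yes=Question(
        "Is it 'health information'?",
        if_yes=Outcome("Work through the HRIPA disclosure rules and exemptions."),
        if_no=Outcome("Work through the PPIPA disclosure rules and exemptions."),
    ),
    if_no=Outcome("The privacy principles do not apply; check any other secrecy duties."),
)

def navigate(node):
    """Walk the tree interactively, one yes/no question at a time."""
    while isinstance(node, Question):
        answer = input(node.text + " [y/n] ").strip().lower()
        node = node.if_yes if answer.startswith("y") else node.if_no
    print(node.text)

# navigate(flowchart)
```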

In an ideal world, the app would also be made available to the public for free.  There would be no more hiding behind “because of the Privacy Act”.  I suggested to the Productivity Commission that this type of app would also help consumers exercise control over their data, because they could more easily understand what the privacy laws actually allow for.

So instead of creating yet more legal and reporting obligations on data custodians, let’s build them pragmatic tools.

(Venture capitalists / Treasury officials / Philanthropists / Google : you know where to find me!)

But how about the second half of the equation needed to facilitate greater data-sharing?

I suggest that to gain the kind of public or consumer trust necessary to allow for more data-sharing, you have to make every effort to ensure that every possible step is taken to prevent things going wrong … but also that people will be protected in the event that something does go wrong.

Prevention of data breaches requires better education of both data custodians and policy-makers.  Alastair MacGibbon, in his recent review of the Census, recommended that there should be a ‘Cyber Bootcamp’ for Ministers and senior public servants.  What a brilliant idea!  I would love to see a ‘Privacy Bootcamp’ as well.  (Mr Harris raised only a bemused eyebrow at this suggestion of mine.)

But while prevention is better than the cure, we need to ensure there are cures as well.  Our system of statutory privacy principles is not enough.  There are many privacy breaches which cause individuals harm, for which they currently cannot seek a remedy.

So I argued that if you want to promote greater data-sharing, you will need to convince the public that their privacy is going to be protected – or that if all else fails, they will be compensated for any significant harm that they suffer.  In my view, that means that the Government should take greater steps to offer remedies for people who suffer serious privacy harm, in parallel with any steps to increase the level of risk posed to individuals from greater data-sharing.

The Australian Government currently has two privacy-related Bills before Parliament, one of which is the data breach notification bill, and the other is a proposal to criminalise the re-identification of ‘de-identified’ government datasets.  However neither of those Bills will actually provide remedies for victims of privacy invasions.

I suggest that if the Government is serious about unlocking the public value in data, it should not proceed with legislation or projects to increase the amount of data-sharing without first engendering public trust, or gaining a ‘social licence’.  At the least, we need legislation to create a statutory tort of privacy, as already recommended by the Australian Law Reform Commission and other inquiries.

I don’t think we need new names for personal information, or new accounting standards for data.  But if we want to promote data-sharing in the public interest, while at the same time protecting privacy, we need to offer pragmatic assistance to data custodians, and better legal protections to consumers.

 

Photograph (c) Shutterstock

Happy New Year! The Privacy Officer’s guide to 2017


Season’s Greetings, dear readers!  It is almost time to start winding down, take a break … and then before the champagne has entirely worn off no doubt you will be taking stock, and planning ahead.  (Well, OK, maybe after a few days of restful time at the beach or cricket first.)

What will 2017 bring for privacy professionals?

First, for those in need of some holiday reading over the break, may I suggest that you could:

  • Catch up on some of our influential blogs. If you trust the wisdom of the crowd, you might like the most-read Salinger Privacy blogs from 2016, which were Taking Leave Of My Census (yes, that’s the one that went viral after being re-published by Fairfax, which also caused the Salinger Privacy website to crash in all the excitement, oops), Unlocking Public Data, and Individuation.  And our blog from 2015 offering 17 examples of why we need a statutory cause of action also kept getting readership well into 2016.   But for a gripping thriller, I would also suggest our blog on data analytics – it’s a longer read than most, but as well as a better understanding of the privacy risks of data analytics, you will also get to learn about how my cat’s water-wasting habit makes me look like a slum landlord.  (It’s fascinating, I promise.  And bizarrely relevant.)
  • Stuff your own stocking with Salinger Privacy eBooks on topics like Big Data, Workplace Surveillance, and our flowcharts guide to the NSW Disclosure rules.

So what lies ahead for privacy professionals in 2017?  I shall be so bold as to make some wild predictions:

  • GDPR-readiness testing will ramp up, as will the level of panic.
  • And yes, there will be more data breaches. Oh lord, there will be many, many more.

So what should be on your agenda?

Call it a work plan, call it a wish-list, call it what you like – but I would suggest that if Santa doesn’t bring you everything here, you might need to make these your 8 New Year’s Resolutions:

  1. Show you care about the privacy of your customers by changing the social media ‘sharing’ buttons on your website to ‘do not track’ versions like these from Privacore.
  2. Avoid a #censusfail – remind HR to implement privacy awareness training.
  3. Review what data is being collected and used.  Check in with ICT to make sure you know about all their Big Data projects (buzzwords to look out for: Data Warehouse, data analytics, Business Intelligence, dashboard and reporting projects) – and then advise them on how to build-in privacy best practice.  But meanwhile don’t forget about records management for all the little comms like text messages.
  4. Review what data is being disclosed without authority.  New laws like GDPR and the Victorian Protective Data Security Standards (as well as the Australian Government Information Security Manual and NSW equivalent guidelines) are going to ramp up the requirements to classify and label data in order to apply the right infosec controls.  Ask ICT about implementing tools like these from JanusNet.
  5. Review what data is being publicly released.  Talk to your ICT & Comms people about de-identification and the risks of re-identification, and establish ethical review processes for research and other data analytics projects.
  6. And while you’re talking to ICT, please remind them not to do dumb stuff like putting database backups on a publicly-facing website! This was the cause of the Red Cross data breach affecting more than 1M people in Australia, the Capgemini leak of Michael Page recruitment data, as well as the leak of more than 43,000 pathology reports in India.
  7. Hope for the best, but also plan for the worst. Don’t wait for mandatory data breach notification laws – develop a data breach response plan now.  And check out Red Cross as an example of good customer communications in the wake of their data breach.
  8. And finally: look after yourself too! Stay on top of your professional development.  If you haven’t already, join iappANZ.  And look out for our specialised training for privacy professionals.  We already offer face-to-face workshops on things like privacy risk management, but coming soon in 2017 will be our new online pay-per-view Privacy Professionals Training modules.  Yippee!

Our own New Year’s Resolutions?  Here at Salinger Privacy we really really do want to finish that guide to De-identification for Dummies Privacy People that we promised months ago and which is half-written, as well as the aforementioned new online training modules … but the beach also beckons …

All the best, dear readers, for a safe and happy holiday season for you and yours.  See you in 2017!

 

Cartoon designed for Salinger Privacy by (c) Unfold Design

Mobiles, metadata and the meaning of ‘personal information’

The Federal Court has today determined not to resolve the great privacy question leftover like a bad hangover from 2013: When is information ‘about’ Ben, and when is it ‘about’ a device or a network?

While at first glance you might think that the Privacy Commissioner losing an appeal would be bad news for privacy, the decision in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 is not quite the train wreck that some have suggested.  It has not gutted the definition of ‘personal information’, nor has it said that metadata from telecoms is not protected by the Privacy Act.  It simply clarified that the word ‘about’ is an important element in the definition of ‘personal information’.

That might not sound like something worth arguing about, but understanding this little word ‘about’ has been critical in the on-going case involving Telstra and the definition of ‘personal information’ – upon which all our legislated privacy principles rely.

First, the background. When the Australian Government was preparing in 2013 to introduce its mandatory data retention laws, to require telcos to keep ‘metadata’ on their customers for two years in case law enforcement types needed it later, tech journo Ben Grubb was curious as to what metadata, such as the geolocation data collected from mobile phones, would actually show. He wanted to replicate the efforts of a German politician, to illustrate the power of geolocation data to reveal insights into not only our movements, but our behaviour, intimate relationships, health concerns or political interests.

While much fun was had replaying the video of the Attorney General’s laughable attempt to explain what metadata actually is, Ben also worked on a seemingly simple premise: “the government can access my Telstra metadata, so why can’t I?”

Exercising his rights under what was then National Privacy Principle (NPP) 6.1, Ben sought access from his mobile phone service provider, Telstra, to his personal information – namely, “all the metadata information Telstra has stored about my mobile phone service (04…)”.

At the time of his access request, the definition of ‘personal information’ was “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion”.

(Since then, the definition of ‘personal information’ has changed slightly, NPP 6.1 has been replaced by APP 12, and the telecom data retention laws were passed with a provision making it very clear that data that is required to be kept under the new data retention provisions is to be considered ‘personal information’ under the Privacy Act. Nonetheless, Ben Grubb’s case has ramifications even under the updated laws, because the breadth of the definition of ‘personal information’ was at issue.)

Telstra refused access to various sets of information, including location data on the basis that it was not ‘personal information’ subject to NPP 6.1. Ben lodged a complaint with the Australian Privacy Commissioner.  While the complaint was ongoing, Telstra handed over a folder of billing information, outgoing call records, and the cell tower location information for Ben’s mobile phone at the time when Ben had originated a call, which is data kept in its billing systems.

What was not provided, and what Telstra continued to argue was not ‘personal information’ and thus need not be provided, included ‘network data’. Telstra argued that the geolocation data – the longitude and latitude of mobile phone towers connected to the customer’s phone at any given time, whether the customer is making a call or not – was not ‘personal information’ about a customer, because on its face the data was anonymous.

The Privacy Commissioner ruled against Telstra on that point in May 2015, finding that a customer’s identity could be linked back to the geolocation data by a process of cross-matching different datasets. Privacy Commissioner Timothy Pilgrim made a determination which found that data which “may” link data to an individual, even if it requires some “cross matching … with other data” in order to do so, is “information … about an individual”, whose identity is ascertainable, meaning “able to be found out by trial, examination or experiment”. The Privacy Commissioner ordered that Telstra hand over the remaining cell tower location information.

Telstra appealed the Privacy Commissioner’s determination, and in December 2015 the Administrative Appeals Tribunal (AAT) found in Telstra’s favour – but not for the reason you might have expected.  The case clearly turns on how the definition of ‘personal information’ should be interpreted, with both parties arguing about whether or not Ben was ‘identifiable’ from the network data, including how much cross-matching with other systems or data could be expected to be encompassed within the term ‘can reasonably be ascertained’.

Indeed the AAT judgment went into great detail about precisely what data fields are in each of Telstra’s different systems, and what effort is required to link or match them up, and how many people within Telstra have the technical expertise to even do that, and how difficult it might be. But then – nothing. Despite both parties making their arguments on the topic of identifiability, the AAT drew no solid conclusion about whether or not Ben was actually identifiable from the network data in question.

Instead, the AAT veered off-course, into questioning whether the information was even ‘about’ Ben at all. Using the analogy of her own history of car repairs, Deputy President Stephanie Forgie stated:

“A link could be made between the service records and the record kept at reception or other records showing my name and the time at which I had taken the care (sic) in for service. The fact that the information can be traced back to me from the service records or the order form does not, however, change the nature of the information. It is information about the car … or the repairs but not about me”.

The AAT therefore concluded that mobile network data was about connections between mobile devices, rather than “about an individual”, notwithstanding that a known individual triggered the call or data session which caused the connection. Ms Forgie stated:

“Once his call or message was transmitted from the first cell that received it from his mobile device, the data that was generated was directed to delivering the call or message to its intended recipient. That data is no longer about Mr Grubb or the fact that he made a call or sent a message or about the number or address to which he sent it. It is not about the content of the call or the message. The data is all about the way in which Telstra delivers the call or the message. That is not about Mr Grubb. It could be said that the mobile network data relates to the way in which Telstra delivers the service or product for which Mr Grubb pays. That does not make the data information about Mr Grubb. It is information about the service it provides to Mr Grubb but not about him”.

Well. That was a curve ball no-one saw coming.

(Even Telstra had proceeded through to the AAT on the assumption that the data they held was at least about Ben, with legal counsel for Telstra saying “I’m dealing here with the question of mobile network data in relation to Mr Grubb’s mobile telephone service. It’s difficult for me to see how that could not be information about him. It’s information about his service”.  Telstra had instead been arguing the point of whether or not Ben was identifiable from that data in any pragmatic sense, given that the data was held in separate systems and was not necessarily indexed by reference to the customer.)

The AAT’s interpretation seemed to conflate object with subject, by suggesting that the primary purpose for which a record was generated is the sole point of reference when determining what that record is ‘about’. In other words, the AAT judgment appears to say that what the information is for also dictates what the information is about.

In my view, the AAT’s interpretation of ‘about’ was ridiculous. Why can’t information be generated for one reason, but include information ‘about’ something or someone else as well? Why can’t information be ‘about’ both a person and a thing? Or even more than one person and more than one thing?

But more importantly, the AAT’s interpretation was damaging.  It completely undermined our privacy laws.

Even car repair records, which certainly have been created for the primary purpose of dealing with a car rather than a human being, will have information about the car owner. At the very least, the following information might be gleaned from a car repair record: “Jane Citizen, of 10 Smith St Smithfield, tel 0412 123 456, owns a green Holden Commodore rego number ABC 123”.

If the AAT’s position – that a car repair record has no information ‘about’ Jane Citizen – had been left unchallenged by the Privacy Commissioner, then Jane would have no privacy rights in relation to that information, and the car repairer would have no privacy responsibilities either.

If Jane’s home address was disclosed by the car repairer to Jane’s violent ex-husband, she would have no redress. If the car repairer failed to secure their records against loss, and Jane’s rare and valuable car was stolen from her garage as a result, Jane would have no cause for complaint.  Jane wouldn’t even have the right to access the information held by the car repairer, to check that it was correct.

Imagine how far you could you take this argument.  Banks could avoid their privacy responsibilities by arguing that their records are only ‘about’ transactions, not the people sending or receiving money as part of those transactions.  Hospitals could claim that medical records are ‘about’ clinical procedures, not their patients.  Retailers could claim their loyalty program records are ‘about’ products purchased, not the people making those purchases.

Fortunately, the Privacy Commissioner quickly moved to appeal the AAT’s ruling to the Federal Court.  But unfortunately, the grounds on which the Privacy Commissioner appealed were too narrow.

Instead of arguing that information could be ‘about’ more than one thing – i.e. that metadata could be ‘about’ both the delivery of a network service and the customer receiving that service – the Privacy Commissioner’s legal team argued that the phrase ‘about an individual’ was redundant, and should simply be ignored.  (Updated: Although note – it would appear that the Privacy Commissioner also tried to argue alternate grounds, such as that the AAT erred “by posing a test that it had to determine whether the information was about the complainant or about something else”, but the Court dealt with all the grounds as if they raised the same issue; contrast paras 46 and 57 in the judgment.)

The Court summarised the submission made on behalf of the Privacy Commissioner as “that if there is information from which an individual’s identity could reasonably be ascertained, and that information is held by the organisation, then it will always be the case that the information is about the individual … In other words, the words ‘about an individual’ would ‘do no work’ and have no substantive operation”.

The Federal Court, in an unanimous decision by Justices Dowsett, Kenny and Edelman, flatly rejected that line of argument: “We do not accept this submission”.

So the Privacy Commissioner played a high stakes game, and lost.  The result is a decision that ultimately takes us nowhere.

The Federal Court made it clear that it was not deciding whether or not the metadata to which Ben Grubb was seeking access actually met the definition of ‘personal information’ – because it was not asked to.  (And indeed, appeals to the Federal Court from the AAT can only be brought on questions of law.)

The Court noted: “There was no ground of appeal which alleged that the AAT erred in its conclusion that none of the information was about Mr Grubb. In other words, the Privacy Commissioner did not seek to establish that any of the information was about Mr Grubb”.  And just to hammer home the point, the Court said: “this appeal concerned only a narrow question of statutory interpretation which was whether the words ‘about an individual’ had any substantive operation. It was not concerned with when metadata would be about an individual”.

If the Federal Court had actually been allowed to apply the definition to the facts of this case, we might have had a proper answer.  We might even have had a broader answer than that proffered by the AAT, because the Federal Court diverged from the AAT’s view in one critical respect: unlike the ludicrously narrow, binary ‘information can only be about one thing’ view taken earlier by the AAT, the Federal Court judges said that information and opinions “can have multiple subject matters”.

That’s right: if only they had been allowed to do so, the Federal Court might have overturned the AAT’s decision, on the basis that the information in question could be about both “the way in which Telstra delivers the service or product for which Mr Grubb pays” and “about Mr Grubb”.

So, to re-cap …

The court made no decision about whether or not the metadata was ‘about’ Ben Grubb, because it wasn’t asked to.

The court made no decision about whether or not Ben Grubb’s identity could be ascertained from the metadata (alone or in conjunction with other data), because it wasn’t asked to.

The court made no decision about whether or not Ben Grubb’s metadata was ‘personal information’, because it wasn’t asked to.

This case was about a question of law, not the application of that law to a particular set of facts.

The only thing decided today was that the phrase “about an individual” is an important element in the definition of personal information, as the definition existed in 2013.

(Updated: Or perhaps the only thing decided was that the phrase “about an individual” was an important element in NPP 6, the Access principle, as it existed in 2013.  The phrase appears in both places.  The judgment flip-flops on whether the case was about interpreting the phrase “about an individual” in the definition of ‘personal information’ at s.6, or in the Access principle at NPP 6, or both.  The AAT judgment, and the Privacy Commissioner’s submissions to the Federal Court in appealing the AAT judgment, were clearly about the definition of ‘personal information’ at s.6 of the Privacy Act [see paras 40, 42, 46 and 62 of the Federal Court judgment], and yet the Court concluded that the issue before it was simply interpretation of NPP 6 [see paras 57 and 80].  This certainly does not help the situation for anyone trying to figure out if/how/when the Federal Court’s comments apply to the law as it stands today – either to APP 12 which replaced NPP 6, or the new definition of ‘personal information’, or both.)

The Court reiterated that there are two elements: an ‘identifiability’ element, and an ‘about’ element.  The Federal Court said this:  “The words ‘about an individual’ direct attention to the need for the individual to be a subject matter of the information or opinion. This requirement might not be difficult to satisfy. Information and opinions can have multiple subject matters”.

So where does this leave us?

First, I doubt that any organisations – not even Telstra – will start popping champagne corks in the belief that they are somehow off the hook in terms of their privacy obligations.  I saw no evidence of reckless abandonment of privacy obligations in the wake of the AAT judgment, and rightly so.  Whether government or business, organisations are pragmatic.  They know that maintaining customer trust is essential, and so arguing the toss with a customer or citizen about whether or not a record is ‘about’ that individual is not going to engender that trust.

Second, remember that the definition of ‘personal information’ changed in 2014.  It now says “information or an opinion about an identified individual, or an individual who is reasonably identifiable…”.  So that element of ‘about’ is still there, but it is now a little more intertwined with the element of ‘identifiability’.  It’s not clear whether that subtle change in language makes any practical difference, but you cannot just assume that today’s Federal Court judgment directly applies to the law as it stands today.

So if Ben Grubb were to ask Telstra anew tomorrow for access to his metadata, things could end up very differently.  Since he first asked in 2013, the definition of ‘personal information’ has changed; a law has been passed to state explicitly that metadata kept by telcos under the new data retention rules is personal information subject to the Privacy Act (where it relates to an individual or a communication to which the individual is a party); and the Federal Court has said that information can be ‘about’ more than one thing or person at a time, so the AAT’s more binary characterisation can probably be ignored.

But finally, that element of ‘about’ is still problematic.  By saying that the individual needs to “be a subject matter” of the information, this judgment may have had the effect of slightly narrowing the definition of ‘personal information’, more so than if the language of “relating to” had been used instead.  (By contrast, the latest European privacy law, the GDPR, defines ‘personal data’ more simply as “any information relating to an identified or identifiable natural person”.  Neat, huh?)

Importantly, however, the judges also said this: “even if a single piece of information is not ‘about an individual’ it might be about the individual when combined with other information”.  In my view, this has left open the possibility that a piece of data might still be captured by the definition of ‘personal information’, even though at first glance it appears to have as its subject matter/s not an individual, but a network, a communication or a device.  The judges stressed the need to consider “the totality of the information”.  In other words, linkability to an identifiable individual might still make something ‘personal information’, and thus within the scope of our privacy laws.

So what next … will the Privacy Commissioner appeal to the High Court?  Or will he ask the Government to introduce an amendment to the legislation, to make our definition more like the GDPR’s?

Perhaps instead of muddying the waters further with yet more legislative or judicial activity, what we need first is some updated guidance from the Privacy Commissioner.

 

Photograph (c) Shutterstock


Hashing, Beyonce & rainbows: a lay person’s guide to de-identification

Are you embarrassed to admit that you don’t know your statistical linkage keys from your house keys?  Think ‘hashing’ is something you do to potatoes, and ‘adding salt’ is something you do to hot chips?  Imagine ‘rainbow tables’ have something to do with pre-schoolers’ craft-time?  Assume ‘adding noise’ refers to something your teenagers do?

Then read on, my friend.  You need de-identification to be demystified for you, stat.

Some people are happiest when working with words, and others are happiest when working with numbers.  So coming from my word-loving arts/law background, I was the statistical outlier when I was invited to join a panel of experts at the OAIC’s #deIDworkshop in Canberra late last year.  There was some serious intellectual firepower represented amongst the cryptographers (that’s something to do with maths, apparently), statisticians and data scientists.  Quite a few PhDs sitting at that table.  I felt distinctly non-boffin.

Information Commissioner Timothy Pilgrim opened the workshop by noting that de-identification “can be a smart and contemporary response to the privacy challenges of big data – which aims to separate the ‘personal’ from the ‘information’ within data sets”.

What followed was a robust debate amongst the panellists about how to define or measure de-identification, as well as how best to achieve it.  There was much discussion about whether releasing unit record data publicly can ever be considered ‘safe’ from re-identification risk.

But what I found most compelling about our discussions at the workshop was the absence of a common language to help explain either privacy law to the we-like-numbers people, or maths and statistics to the we-prefer-words people.  This is a critical failing, because privacy professionals need to understand de-identification, to do their job properly.  (By ‘privacy professionals’ I mean the privacy officer, the lawyer, the governance or compliance manager, the audit and risk committee: anyone who needs to understand and apply privacy law or data protection rules, and assess risk, for their organisation.)

The Productivity Commission’s recent report into data use makes the point that data breaches from poor data security are much more common than those from re-identification attacks on ‘open data’.  But de-identification is not only useful as a privacy-protective tool in relation to ‘open data’; it is also useful for protecting data that shouldn’t see the light of day at all.

For the individual whose data is at stake, de-identification matters because if they cannot be identified from a dataset, then they are less likely to suffer a privacy invasion.  Even if the data is on an unencrypted and not-even-password-protected smartphone that is lost at an airport, if no-one can identify from the data that Phillip Bloggs was in the dataset, then Phillip is less likely to be publicly embarrassed by the accidental disclosure of his membership of the N Sync Fan Club.  (Of course privacy harms can occur even without identification, but that’s a separate topic.)

For the organisation holding personal information, de-identification matters because it is simply sensible risk management.  Preventing harm to the individuals whose data you hold, and protecting the reputation of your organisation, requires privacy professionals to utilise a broad range of privacy, information security and data loss prevention controls.  Having de-identification as part of your toolkit means you can not only improve compliance with privacy rules, but also better leverage the value of your data.

But privacy professionals can’t apply the law without first understanding the relative merits and limitations of different de-identification techniques.  We don’t need to become technical experts – but we do need to know the right questions to ask of the technical experts, so that we can assess the legal and reputational risk of what they propose, and know which privacy controls to apply when.

We should no longer be bewildered or bamboozled by terminology like ‘SLKs’ and ‘k-anonymity’, ‘differential privacy’ and ‘hashing’.

To this end, we have finally finished what I promised last year: the latest Salinger Privacy eBook is a non-boffin’s introduction to de-identification for dummies beginners privacy professionals.

We have taken a fictional group of high school students with fun names like Kanye Peacock and Beyonce Phoenix, and illustrated how different de-identification techniques would apply to a dataset of their exam results.  Our guide runs through what aggregation means, what k-anonymity means and how to achieve it, and what pseudonymity means.  We explain the circumstances in which Kanye can be re-identified from his ‘indirect identifiers’ (and thus how a recipient of the data could figure out that he flunked his Spanish exam), and how some data recipients might be able to figure out Angelina Cherry’s test scores even from ‘aggregated’ data.
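
For the code-curious (and at the risk of outing myself as a words person dabbling in numbers), here is a tiny Python sketch of the k-anonymity idea: group the records by their indirect identifiers and find the size of the smallest group.  The field names and values below are invented for illustration only; they are not the dataset from our guide.

```python
from collections import Counter

# Toy records: names and values invented for illustration only.
records = [
    {"name": "Kanye Peacock",   "postcode": "2010", "year_of_birth": 2000, "sex": "M", "spanish_mark": 32},
    {"name": "Beyonce Phoenix", "postcode": "2010", "year_of_birth": 2000, "sex": "F", "spanish_mark": 88},
    {"name": "Angelina Cherry", "postcode": "2011", "year_of_birth": 2000, "sex": "F", "spanish_mark": 75},
    {"name": "Teyla Chomney",   "postcode": "2011", "year_of_birth": 2000, "sex": "F", "spanish_mark": 69},
]

QUASI_IDENTIFIERS = ("postcode", "year_of_birth", "sex")

def k_anonymity(rows, quasi_ids):
    """Return the size of the smallest group sharing the same quasi-identifier values."""
    groups = Counter(tuple(row[q] for q in quasi_ids) for row in rows)
    return min(groups.values())

# The direct identifier (name) can be dropped, but a small group on the
# remaining indirect identifiers is what lets a recipient single someone out.
print(k_anonymity(records, QUASI_IDENTIFIERS))  # prints 1: at least one person is unique on these fields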

We explain what it looks like when you replace Beyonce’s name, date of birth and gender with a statistical linkage key, and the circumstances in which you might use a pseudonym like an SLK instead of a different de-identification technique.

(Spoiler alert: Beyonce’s SLK is HONEY121120002.  Note that gender is not coded as M or F, but as 1 or 2, in which male = 1 and female = 2.  Who are the sexist bastards who came up with that standard, huh?  I think that instead of a 2 at the end of her SLK, Beyonce should get an A for Awesome.  But perhaps that’s just me.)
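
If you want to see the mechanics, here is a rough Python sketch of how a linkage key in that style can be assembled from name fragments, date of birth and the sex code.  It is a simplified illustration only (the real standard also has padding rules for short names and missing values, which I have skipped), and Beyonce’s date of birth is simply inferred from the SLK quoted above.

```python
from datetime import date

def make_slk(family_name: str, given_name: str, dob: date, sex_code: int) -> str:
    """Simplified SLK-581-style key: selected name letters + DDMMYYYY + sex (1=male, 2=female).

    Real-world standards also specify padding for short names and handling of
    missing values; those rules are omitted from this sketch.
    """
    fam = family_name.upper().replace(" ", "").replace("-", "")
    giv = given_name.upper().replace(" ", "").replace("-", "")
    name_part = fam[1] + fam[2] + fam[4] + giv[1] + giv[2]  # 2nd, 3rd, 5th letters of surname; 2nd, 3rd of first name
    return f"{name_part}{dob.strftime('%d%m%Y')}{sex_code}"

print(make_slk("Phoenix",    "Beyonce", date(2000, 11, 12), 2))  # HONEY121120002
print(make_slk("Phoenetics", "Fey",     date(2000, 11, 12), 2))  # same key: a false match waiting to happen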

And you will see the limitations of each method.  For example, if there is another girl with the same date of birth as Beyonce in the dataset whose name is Fey Phoenetics, she will have the same SLK, and so their records could be linked together erroneously.  As will Teyla Chomney’s and Leyla Thorn’s.  (Can you tell I had fun coming up with those names?  But I digress…. )  The protections offered by ‘hashing’ some data elements can be undermined by attackers using ‘rainbow tables’, but can be strengthened if instead you first ‘salt’ the data.
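
To put the hashing and salting point into code: an unsalted hash of an SLK is the same every time, so an attacker armed with a pre-computed ‘rainbow table’ of hashes of every plausible SLK can reverse it; mixing in a secret salt defeats that pre-computation.  A minimal Python sketch (the salt below is obviously just a placeholder):

```python
import hashlib

slk = "HONEY121120002"

# Unsalted hash: deterministic, so a pre-computed 'rainbow table' of hashes of
# all plausible SLKs would reveal the original value.
unsalted = hashlib.sha256(slk.encode()).hexdigest()

# Salted hash: the same SLK now hashes to something an attacker cannot
# pre-compute without also knowing the secret salt.
SECRET_SALT = b"replace-me-with-a-long-random-secret"  # placeholder only
salted = hashlib.sha256(SECRET_SALT + slk.encode()).hexdigest()

print(unsalted)
print(salted)
```

(In practice a keyed HMAC is the more robust way to apply a secret, but the idea is the same.)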

We’ve even covered ‘differential privacy’ and the technique of ‘adding noise’ to data, which is now a hot topic thanks to Apple.  (Who would have thought that solving the great privacy challenge of our time would be given a boost by the need to figure out people’s favourite emojis?)
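
And ‘adding noise’ can be shown in a couple of lines too: a differentially-private release perturbs a query answer (say, a count) with random noise scaled to the query’s sensitivity and a privacy budget, epsilon.  The parameter values in this Python sketch are illustrative only:

```python
import numpy as np

def noisy_count(true_count: int, epsilon: float, sensitivity: float = 1.0) -> float:
    """Return the true count plus Laplace noise scaled to sensitivity/epsilon.

    Smaller epsilon means more noise: stronger privacy, less accurate answers.
    """
    noise = np.random.laplace(loc=0.0, scale=sensitivity / epsilon)
    return true_count + noise

# e.g. "how many students failed the Spanish exam?" released with noise added
print(noisy_count(true_count=7, epsilon=0.5))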

Our guide ends with a checklist of factors to consider for any given de-identification proposal.

We don’t profess to be experts in statistical techniques; far from it.  There are excellent, detailed, lengthy guides available from regulators around the world, to guide academic and clinical researchers, data scientists and statisticians in how to de-identify data for their particular purposes.

But if you’re a privacy professional who just wants to understand how de-identification fits into privacy or data protection law, a simple illustration of how each different technique works, and a plain language overview of the strengths and weaknesses you need to factor into your risk assessment considerations, then this guide is for you.

 

Demystifying de-identification: An introductory guide for privacy officers, lawyers, risk managers and anyone else who feels a bit bewildered is now available as an eBook from the Salinger Privacy online store.

 

Photograph (c) Shutterstock

Just because you can disclose, doesn’t mean you should

Let’s talk about discretion and trust.  And perhaps also the public interest.

These are not the usual words I would use when introducing a discussion of the Disclosure principles in privacy law, but right now they seem apt.  Because right now I am hopping mad about the disclosure by our government of one woman’s personal information to the media.

The matter I am talking about involves a single mother, but at a deeper level it involves all of us.  We are all citizens, we are all ‘clients’ of government agencies at various times throughout our lives, and we all entrust our personal information to those government agencies.  We expect that our privacy will be respected in return.  This is the story of what happens when it isn’t.  This is the story of Andie Fox, but it could just as easily be the story of you or me.

So the story is this: About a month ago, single mum Andie Fox wrote an opinion piece about her experiences dealing with Centrelink, which was published in Fairfax newspapers.  A few weeks later, a journalist with the Canberra Times, Paul Malone, wrote an article about Centrelink, also published in Fairfax newspapers.  That article included details about Ms Fox’s criticisms of Centrelink, but then noted that “there are at least two sides to every story”, and in particular that “Centrelink has a different story”.  Mr Malone’s article went on to reveal details about Ms Fox’s financial and personal affairs, as well as quotes from Centrelink general manager Hank Jongen about Centrelink’s dealings with Ms Fox.

(Just who gave Ms Fox’s information to the journalist is unclear.  The article attributes comments to Mr Jorgen, but officials claimed the information was collated by DHS officials and approved for release by the Minister’s office.  Later it was revealed that two responses were given to the journalist, one from the department and the other from the Minister’s office.)

The personal information about Ms Fox disclosed to the journalist, and revealed by the journalist to the world, included:

“The agency says Ms Fox’s debt is a Family Tax Benefit (FTB) debt for the 2011-12 financial year which arose after she received more FTB than she was entitled to because she under-estimated her family income for that year.

The original debt was raised because she and her ex-partner did not lodge a tax return or confirm their income information for 2011-12.

Centrelink says that after Ms Fox notified the department that she had separated from her partner, the debt due to her partner’s non-lodgement was cancelled.”

and

“Centrelink made numerous attempts to get in touch with Ms Fox via phone and letter but many of these attempts were left unanswered. Between November 16 and January 17 Centrelink made four phone calls and sent six letters to Ms Fox.

Centrelink says it was not until 2015 that she informed them that she had separated from her partner in 2013.

Mr Jongen said the experience described by Ms Fox could have been avoided if she had informed the department she had separated from her partner in a timely way, and if she had lodged her tax returns in a timely way.”

Wow.  So much for privacy.

How exactly does a government agency get away with disclosing this kind of deeply intimate information about a person’s relationship history, tax affairs and social security benefits?

Let’s break it down.

Australian Privacy Principle (APP) 6 governs the disclosure of personal information by federal government agencies like Centrelink and the Tax Office.  There are various grounds under which personal information can be disclosed, but let’s skip straight to the grounds that might possibly be relevant in this case.  (BTW we have ‘untangled’ the Disclosure rules for you under NSW privacy legislation, but haven’t yet tackled the APPs.)

  1. Consent (APP 6.1(a))

Clearly not.  Ms Fox wrote a follow-up blog detailing the “disturbing experience” of having her personal information distributed to the media, and asked “Is this what happens when you criticise government?”  I think we can safely say that Ms Fox did not authorise the release herself.

  2. Individual should reasonably expect the disclosure for a secondary purpose which is related to the primary purpose for which it was collected (APP 6.2(a))

OK, this one is trickier.  Let’s say that the primary purpose for which Ms Fox’s personal information was collected was to administer her social security payments.  Is providing that information to a journalist a purpose that is somehow related to the administration of her payments?  Debatable.  Even if it is related, is the disclosure to the journalist something Ms Fox should have reasonably expected?

The guidelines from the OAIC on APP 6.2(a) actually have this to say on the topic:

“Examples of where an individual may reasonably expect their personal information to be used or disclosed for a secondary purpose include where …

the individual makes adverse comments in the media about the way an APP entity has treated them. In these circumstances, it may be reasonable to expect that the entity may respond publicly to these comments in a way that reveals personal information specifically relevant to the issues that the individual has raised”.

And in 2010 the OAIC handled a privacy complaint from someone in a similar position to Ms Fox, and found that the agency had met this test (albeit under an earlier version of the privacy principles).  The Privacy Commissioner in that case noted that:

“The information provided by the agency was confined to responding to the issues raised publicly by the complainant. The Commissioner considered that the complainant was reasonably likely to have been aware that the agency may respond, in the way it did, to the issues raised.”

First, I would query whether in this case, the information provided to the journalist was “confined to responding to the issues raised publicly by the complainant”.  Most of Ms Fox’s original piece was about the bureaucratic nightmare of dealing with Centrelink processes: queues, being on hold on the phone, being pushed to use an online system which didn’t cater for her circumstances.  These experiences were not refuted by Centrelink.

Ms Fox had also written about the phenomenon known as sexually transmitted debt in the context of our tax and social security system, in which a legitimate payment of the Family Tax Benefit to one parent can later be described as an over-payment and thus a ‘debt’ because the other parent simply has not yet lodged their own tax return for the relevant financial year – something over which you might have little control at the best of times, but which can become impossible if the relationship has since broken down.  Her original piece was about the traumatic experience of having to prove to the government that her relationship with the other parent had ended, before she could demonstrate that the ‘debt’ should be cancelled.  Again, Ms Fox’s description of the way in which our tax and social security system operates (in particular, to the detriment of newly-single parents) was not refuted.

Instead, we got finger-wagging editorialising about how Ms Fox should have updated her records in a more timely way, and how often Centrelink had tried to contact her.  The inferences to be drawn from those comments – perhaps, that Ms Fox is disorganised or disengaged and thus has herself to blame for the ‘debt’ being raised – are in turn disputed by Ms Fox in her follow-up blog.  And in any case, they are hardly examples of correcting ‘false statements’, as the Minister later suggested had been made by Ms Fox.

But even if the information provided to the journalist had been a more direct correcting-an-error-of-fact, should Ms Fox have ‘reasonably expected’ Centrelink to brief a journalist in response to her opinion piece?  Judging from the outcry on social media and across politics, it would seem that plenty of people did not expect a Centrelink customer’s personal information to be splashed about in the way experienced by Ms Fox.  (Apart from anything else: don’t they have anything better to do?)

Despite the OAIC’s guidelines on interpreting this exemption, I think Centrelink would be drawing an extremely long bow to argue that their disclosure was either a related purpose or within reasonable expectations, let alone both.

  3. Authorised by another law (APP 6.2(b))

Now here is where it gets interesting – this is what Centrelink and the Minister are publicly using to justify the disclosure.  Though which law has been harder to pin down.

On 28 February, Minister Alan Tudge told Parliament that “We are able under the Social Services Act (sic) to release information about the person for the purposes of, as I quote, ‘correcting a mistake of fact, a misleading perception or impression or a misleading statement in relation to a welfare recipient’.”  However the Minister was quoting not from the Act itself, but from cl.11 of statutory guidelines which constrain the power of the Secretary of the Department of Human Services, of which Centrelink is a part, to disclose personal information under section 208 of the Social Security (Administration) Act 1999.  In such a case, a public interest certificate must first be issued by the Secretary.  The Department later confirmed that no such public interest certificate had been issued in relation to Ms Fox’s personal information.

Instead, the Department claimed that the disclosure was actually made under section 202 of the same Act, which governs the routine collection, use and disclosure of personal information.  Because it is about routine matters necessary “for the purposes of the social security law”, disclosures made under s.202 do not require the Secretary’s authorisation.  This is a standard, operational provision, about the normal functioning of Centrelink, and what the 35,000 staff employed by the Department can and can’t do with our personal information as they go about their work.

So the Department has effectively claimed that its disclosure of Ms Fox’s details to a journalist was lawful on the basis that the disclosure was made “for the purposes of the social security law”.  What purpose of social security law was being served by the disclosure to the journalist?  A Departmental spokesman is quoted as saying:  “Unfounded allegations unnecessarily undermine confidence and takes staff effort away from dealing with other claims”.

The Department doubled down on this rationale a few days later, with the Secretary of the Department, Kathryn Campbell, telling an Estimates committee in Parliament that the disclosure of personal information about clients to the media does not even need a public interest certificate from the Secretary under s.208, if it is released under s.202 “for the purposes of maintaining the integrity of the system”.

Ms Campbell is also quoted as saying:  “That’s why we felt that it was appropriate to release the information, so that people knew it was important to file their tax returns and tell us about changes in their circumstances.”

Just let that sink in for a moment….  so the Secretary of the Department is saying that Ms Fox was made an example of, to remind the rest of us to lodge our tax returns on time?

One journalist summarised the problem thus: “Campbell … described an interpretation of social security law so broad that it effectively adds up to a license for the Department to disclose information against any citizen criticising government policy”.

In fact, if you interpret s.202 that broadly, there is very little limit to what federal public servants could start doing with your or my personal information, regardless of whether we have publicly criticised Centrelink.

Next time it might not be the PR unit releasing the personal information; it might be a limelight-seeking junior Centrelink staffer who decides to tweet about named ‘welfare cheats’ – for the purposes of maintaining the integrity of the system, of course.  Or a staffer might decide to tell the media about a celebrity who was late filing their tax returns – as a way of reminding the public about the importance of filing their tax returns on time, clearly.  Or perhaps a staffer could get away with telling a mate who pays child support that his ex-wife has a higher income than his mate suspects – for the purposes of maintaining the integrity of the system, obviously.

However this interpretation of s.202 is being questioned.  Legal academic Darren O’Donovan has questioned whether the Department has read its ‘discretion’ too broadly, as has Legal Aid Victoria.  In particular, since s.208 creates a specific mechanism for disclosures of personal information to ‘correct the record’, but which requires a public interest certificate to be issued by the Secretary in compliance with statutory guidelines, can s.202 really be read as also allowing an alternative pathway to disclosure, one which is predicated on broader, vague purposes and which does not require the Secretary’s authorisation at all?

(And even if you believe s.202 is that broad, surely it cannot authorise the disclosure of personal information that was released by the Minister’s office in error?)

So if the Department’s interpretation of the breadth of s.202 is wrong, what then?  Well then, a disclosure of information that was not authorised or required by or under the social security law is a crime, punishable by up to two years’ imprisonment for the individual who made the disclosure.

Also, Centrelink would not be able to claim the ‘any other law’ exemption under APP 6.2(b), and therefore could be looking at a possible breach of the APPs.  Labor has asked federal police to investigate, and the OAIC is looking into the matter.  The OAIC can apply to court for a civil penalty order up to $1.7M, and Ms Fox could seek a remedy for herself, if it is found that there has been a breach of APP 6.

Of course, it is not just legal concerns which have been raised about the department’s decision to publicly respond to Ms Fox’s opinion piece by releasing her personal information.  There are plenty who have questioned the ethics of the decision, even if it is found to be lawful.  Some have raised the potential chilling effect on free speech and political discourse, while others have noted the power imbalance between a single parent blogger and the might of the government.  Where was the concern for Ms Fox’s well-being?  Where was the discretion?  Did no-one think this might be a bad idea, to go pick a fight with a single mum?  Did no-one say: just because we (think we) can disclose, doesn’t mean we should.

I spoke with ABC Radio’s Jon Faine about this case, and described Centrelink’s actions as legally arguable, but morally reprehensible.  Paul Shetler, former head of Australia’s Digital Transformation Office, described Centrelink’s actions as “pretty shocking”.

And that was before it was revealed that the Minister had asked for extra information about Ms Fox … or that the Minister’s office had sent ‘For Official Use Only’ material to the Canberra Times journalist … or that the Minister’s office is regularly receiving updates on Centrelink clients who have made public complaints on social media.

This case just compounds the effect of #censusfail and #notmydebt on a cynical and weary public.  We are so often compelled, either by law or by financial need, to hand over details about our private life to government.  In return, we expect government agencies to actually mean it when they say “we take your privacy seriously”.  Otherwise, that phrase becomes a joke, up there with “your cheque is in the mail”, and “your call is important to us”.

The way the bureaucracy has dealt with Ms Fox has shown to be hollow the privacy promises made by Centrelink.  Worse, it also undermines the privacy promises made by other agencies which share personal information with Centrelink, such as the Tax Office.  The ATO has confirmed that once tax information about an individual is provided to Centrelink, that data becomes subject to Centrelink’s secrecy laws, rather than the rules found under the taxation legislation.  And it is Centrelink’s interpretation of its own ‘secrecy’ provisions which has led us here today.

This case is a stupid and petty own-goal for the government.  If Centrelink or the Minister’s office were trying to disprove the accusations of “unprofessionalism and callousness in the way it has tried to crack down on welfare overpayments”, they have spectacularly failed.  Maybe they wanted to challenge Ms Fox’s description of feeling ‘terrorised’ by her dealings with the bureaucracy, but instead they simply proved her point.  If the purpose of the disclosure was to maintain confidence in the welfare system, they instead caused confidence to plummet.  If the idea was to paint Ms Fox as a ‘welfare cheat’, they instead earned her the sympathy of every other working parent who has ever tried to navigate their way through Centrelink to claim FTB or the child-care rebate.

I believe this will rebound not just on Centrelink, but throughout the federal public sector.  The long-term impact will be to set back the government’s bigger picture digital transformation agenda, including e-health, digital identity and electronic voting projects, because public trust in how federal government institutions treat citizens’ personal information will simply continue to sink, unless trust is restored.

The repercussions have already included Labor re-thinking its support for veterans’ affairs legislation before Parliament, that would insert a similar provision to s.208, to allow for the disclosure of a veteran’s records, including medical records, at the discretion of the Secretary.  The Veterans Affairs Minister has since had to order a new, independent Privacy Impact Assessment be conducted before the Bill proceeds to debate in the Senate.  Meanwhile, evidence before a Senate Inquiry has heard that the Tax Office has raised concerns about the impact on the integrity of the ATO, when tax data is used by Centrelink.  Just imagine the fight in Parliament next time privacy-invasive laws are proposed.

The UK Information Commissioner’s office has noted that citizen and customer trust is essential for the efficacy of public policy and services: “trust and public engagement is a prerequisite for government systems to work”.  The Harvard Business Review has described customer trust as “the key that will unlock” access to data, so critical in the type of forward-thinking information economy our Prime Minister likes to promote.

So when government says “trust us with your personal information”, they have to mean it.  Because we are all Andie Fox.

 

Photograph (c) Shutterstock

GDPR & PbD: what Aussies need to know about new privacy laws

Unless you’ve been living under a rock recently, you have probably at least heard about this new big thing in the privacy world called ‘GDPR’ … and maybe you have even wondered whether it matters to you.  But once you realised it is a new European privacy law, did you mentally switch off?  Well folks it’s time to switch back on, sit up straight and pay attention, because EU privacy law is going to impact on Australian organisations, whether we like it or not.  Some of us will be directly regulated, others only indirectly affected, but there will be an impact nonetheless.

So first, the headline facts.  GDPR stands for General Data Protection Regulation.  It is a new privacy law which will apply from May 2018 across all 28 EU member states – including the UK for now, and likely even post-Brexit too.  The GDPR will replace the current set of differing national privacy statutes with one piece of legislation, and will offer a one-stop-shop approach when dealing with the privacy regulators across those 28 countries.  So the GDPR is about harmonising privacy law across the EU, and streamlining its application.  That’s the fairly impressive carrot.

The stick is impressive too: fines for failing to comply with the GDPR will reach up to €20M, or 4% of a company’s annual global turnover, whichever is the greater.  Oh yeah, these new penalties are aimed squarely at the Facebooks and Ubers and Googles – behemoths who could previously afford to shake off smaller fines as the price of doing business.

While those potential penalties are startling enough, the other kicker is the new, expanded reach of GDPR, well beyond European land borders.  The privacy rules in the GDPR apply to any organisation which offers goods or services (including free services) to, or monitors the behaviour of, “data subjects in the Union”.  That is EU-legalese for “anyone inside the EU” – not just citizens.

Your organisation does not need to have any physical or legal presence in the EU to be directly regulated.  If you offer your goods or services to people in the EU, you will be required to comply with the GDPR.  So if you are a retailer selling Aussie cossies to Greta of Germany, you will need to comply.  If you are a travel agent booking tours to Uluru for Bertrand from Belgium, ditto.

Even for those of us not directly regulated by the GDPR, there will be indirect impacts.  Europe has raised the bar in terms of expectations about privacy protection, and the rest of the world is likely to follow.

Take for example the Accountability principle, which requires organisations to be proactive.  This means that if you don’t have an effective privacy compliance program, you can be found in breach of your data protection obligations even if you don’t suffer a data breach.

Although by no means a European invention – our APP 1 has the same objective – the financial penalties attached to the GDPR are intended to kick-start proper privacy governance in even the most heel-dragging organisations.  No surprise then that Elizabeth Denham, the UK Information Commissioner, has described the Accountability principle as a “game changer”:

“The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.”

To help achieve this, the GDPR embeds a requirement to do ‘data protection by design’, or as we tend to know it, Privacy by Design (PbD).  In our view, the GDPR will be the stimulus for plenty of talk about PbD – but it needs to be more than just a hollow set of catchy promises.

Turning PbD into a reality poses significant challenges for any organisation.  There is a cultural divide between the lawyers who are comfortable with principles-based fuzzy law and concepts like ‘within reasonable expectations’, and the system engineers who need to code for decision-making in a binary fashion.  Even the central tenets of PbD are fuzzy: what is a solution architect actually supposed to do if she is told to ‘embed privacy into the design’?

(Well, actually, here at Salinger Privacy we have developed eight Privacy Design Strategies, which offer clearer guidance for system designers.  And now, just in time for you to get ready for Privacy Awareness Week, we have launched new online training modules on this topic: how to identify privacy risks in projects, and how to resolve those risks.  Our objective is to turn abstract privacy principles into concrete design strategies, so that privacy officers and system designers can work together to deliver on the promise of PbD.)

The GDPR also has a strong focus on getting reactive strategies right.  Although data breach notification (DBN) requirements have been around in the United States for some years now, and Australia has just passed its own DBN laws, the GDPR ramps up the pressure further, by setting a default 72-hour timeframe on notifying the relevant regulator.  However the GDPR also offers escape clauses for organisations that have “appropriate technical and organizational measures” in place to protect data.  We predict the result will be bigger infosec spends on data loss prevention technologies.

There are other ways in which I am already seeing the influence of the GDPR in Australia, such as new thinking about the right of consumers to data portability from the Productivity Commission.  And last month on behalf of iappANZ I was one of four panellists discussing the impact of the recent Privacy Commissioner v Telstra case, when discussion inevitably turned to comparisons with the GDPR.  The GDPR skips straight past the is-this-data-‘about’-an-individual dilemma in Australian privacy jurisprudence, by defining ‘personal data’ more simply as “any information relating to an identified or identifiable natural person”.

Finally, the GDPR was carefully drafted to reject the old binary “either it’s personal information or it’s not” approach to de-identification, in favour of recognising that de-identification is a risk management tool, not a perfect end-state.  Further, the GDPR explicitly refers to “taking into consideration the available technology” when testing for (re)identifiability, meaning that considering a dataset in isolation is not enough.  This more nuanced and pragmatic approach is influencing contemporary thinking on the topic, including our own introductory guide to de-identification techniques.

So whether your organisation will be directly regulated by GDPR or not, I predict that privacy professionals across Australia will be feeling its positive influence for years to come.

Vive l’Europe!

P.S. If you would like more information about the scope of the GDPR requirements and its impact on information security programs, see the GDPR White Paper from janusNET.  For an overview of the GDPR from a legal perspective you can download a guide from Hunton & Williams.  Or for the official guidance from the EU privacy regulators, see the guidelines being progressively released by the Article 29 Working Party, as advisors to the European Commission.

 

Image (c) Shutterstock

The privacy paradox: We want to have our data and eat it too

Much of the work we do here at Salinger Privacy involves Privacy Impact Assessment of new projects.  One of the things I love about PIAs is that they’re not just about ticking off legal compliance – they need to consider community or stakeholder expectations about the project as well.  But how do you test for community expectations?  Most PIAs don’t have the time or budget to commission specific research.

So it is that every few years, I await with bated breath the results of the OAIC’s latest Community Attitudes Survey.  It’s like a little goldmine of stats, that anyone can use.  For instance in this year’s results, released earlier this month, I found this nugget: while 86% of people see secondary use of their personal information as ‘misuse’, that number falls if the purpose of the secondary use is for research or policy-making purposes, in which case only 40% continue to be uncomfortable with the idea.  (A quick digression: actually, 40% of nay-sayers seems quite high, don’t you think?  This sizeable minority could pose a problem if your project is all about Big Data or data analytics for government policy-making.)

There are also insights into the extent to which Australians trust different service providers to handle their personal information.  Health service providers are at the top of the tree, and the social media industry is at the bottom.  And in news that should surprise no-one, trust declines with age, with older people more likely to question why they should hand over their personal information at all.  In other words, middle-aged crankiness is a thing.  (Yeah!  Sing it with me, fellow Gen-Xers, we’re not gonna take it!)

But can we trust these stats about, well, trust?  How accurate are they?  How well do they reflect community attitudes towards privacy issues, when privacy is such a personal value?

Former UN statistician and data journalist Mona Chalabi has said that using opinion polling to predict how people will behave is “about as accurate as using the moon to predict hospital admissions”.  She notes that society is very diverse, and so it is hard to get a representative sample of the population for survey-based statistics; people are reluctant to answer their phone to pollsters; and of course, some people lie.

(In fact, lying is one of the topics surveyed.  The 2013 OAIC survey results suggested that around 30% of people lie or give misinformation in order to protect their privacy when using websites or smartphone apps, up from 25% when the question was asked in 2007.  In 2017, the figure looks like 26% if you count people who said they provide false personal details ‘always, often or sometimes’; but 46% if you add in ‘rarely’.  Meanwhile, the Productivity Commission says that ACMA says the figure is 47%.  So who – or which figure – to believe?)

Some demographic factors appear to influence an individual's attitude towards privacy, including age, gender, ethnicity and socio-economic status.  But wouldn't you expect that, when averaged out across populations, Australian and New Zealand attitudes towards privacy risks would be roughly the same?  Compare these stats about what apparently bothers people the most in our two countries, and think about how surveys can give the wrong impression if not analysed carefully.

A survey by the New Zealand Privacy Commissioner in 2016 asked what people found most 'sensitive'.  It found that a large majority of respondents (80%) were sensitive about the content of personal phone conversations or email messages, and a smaller majority of New Zealanders were sensitive about personal earnings (66%), health information (65%), physical location (63%) and websites visited (54%).  Respondents were less sensitive about purchasing habits (42%), birth date (39%), political views (38%) and religious views (31%).

So you might conclude that Kiwis are most concerned about protecting the privacy of what they write or say, but also quite concerned about the privacy of their location and what they do online.  Yet none of these topics feature in the latest Australian OAIC survey results at all.

Should we conclude that Aussies are happy to be spied on, and have both our physical movements and our online habits tracked?  Now that we have mandatory data retention with warrantless law enforcement access to our metadata, have Aussies concluded that everything is tickety-boo, because privacy doesn’t matter anymore?  No of course not.  The explanation comes not from some deep exploration of cultural differences between Australia and New Zealand, but in the way the survey questions are framed.

Rather than asking about the sensitivity of particular issues, the OAIC 2017 Australian survey asked people to nominate the types of information they are reluctant to provide to businesses and government.  Phrased this way, it is not surprising that issues related to surveillance, monitoring or profiling don't rate at all.  Instead, we see financial status, contact information, date of birth, identity documents and health information being nominated most often.

Either way, when you consider either the New Zealand or the Australian surveys, what the law treats as ‘sensitive information’ and thus worthy of additional legal protection is not necessarily reflective of what the public see as most harmful.  For example, geolocation data and web browsing history are not categories protected to the higher standard by law, but more people are concerned about those types of information being collected or used about them, than they are about their ethnicity, sexuality or religion.

Australian Privacy Commissioner Timothy Pilgrim, in his speech launching the 2017 survey results during Privacy Awareness Week, noted that community expectations about how the law works often don’t reflect reality.  As an example, the majority of respondents believed that the Australian Privacy Act regulates various types of entities that in fact are exempt, such as media organisations (69% thought they were regulated), political parties (64%), and small businesses (66%).  Noting that we need to ‘close the gap’ between the law and the community’s expectations of how the law works, he posed the question: in which direction should we move?  In other words, should we make the law reflect community expectations about how our privacy should be protected, or just educate people better about the gaps in the law?

So, we have a gap between community expectations and the law.  But how about people’s expectations and their own behaviour: surely this at least is consistent? Ah, no.

Known as the privacy paradox, this is the disconnect between how worried people say they are about their online privacy, and the steps they actually take to protect themselves online.  There are psychological reasons for this paradox, which it shares with other forms of disconnected decision-making (exhibit A: smoking), but they tend to be ignored in favour of a conclusion that actually, privacy doesn't really matter.

In other words, the privacy paradox is used to justify myriad privacy-invasive practices on the basis of a claim that usually goes along the lines of ‘oh no-one really cares about privacy, they all put everything on Facebook these days anyway’.  Not only is this sloppy analysis, but it allows for the social media giants (who, let’s remember, are at the bottom of the trust scale) to promote their profit-making philosophy that privacy is dead, get over it.

I find this type of thinking has unfortunately coloured the latest Productivity Commission inquiry into data availability and use.

Across both the draft report and the final report, the Productivity Commission has extolled the virtues of greater use of existing datasets to further research and resolve public policy problems.  I did notice a slight shift in tone from draft to final.  While the draft had an undercurrent suggesting that nobody but the Privacy Commissioner and a few privacy advocates care about privacy, and that most Australians were quite willing to share their data if only they could, the final report readily acknowledges that lack of trust, rather than privacy laws per se, is what holds back many data-use projects; and that privacy risks "should not be downplayed or trivialised".

In the final report, finding 3.1 says:  “Individuals are likely to be more willing to allow data about themselves to be used by private and public organisations, provided they understand why and how the data is being used, can see tangible benefits, and have control over who the data is shared with”.

Now just pause for a moment to think about what this is actually saying.  These three elements are actually quite hard to achieve.  There is a really high bar set here, that a project or an organisation needs to clear, if it is going to engender the kind of public trust necessary to allow data-sharing to occur.  In other words, the Productivity Commission has formulated Australian community attitudes towards data-sharing as extraordinarily privacy-protective.

The Productivity Commission also found that “community trust and acceptance will be vital for the implementation of any reforms to Australia’s data infrastructure”.  There is much talk of engendering the kind of social licence necessary for public acceptance of data-sharing.  But how to get this social licence?

The Productivity Commission has explicitly rejected the option of better enabling privacy rights, whether through minor law reform (such as by fleshing out the access right in APP 12 to include the right to receive one’s personal information in machine-readable form, aka data portability), or through building decision-assistance tools to guide organisations to make better and faster decisions on releasing data under existing privacy rules, as I suggested when I appeared before the Commission.

Instead, the Productivity Commission has recommended the creation of a new set of legal consumer-based access-to-data rights, along with a complex and bureaucratic system of industry-developed data-specification agreements, overseen by the ACCC.

As others have noted, these recommendations might aim to make our “complex data landscape simpler”, but “the desire to simplify in practice only makes the data landscape more complicated”.

And none of these proposed consumer rights actually offer “control over who the data is shared with”.  In fact, people having control over who their personal information is shared with runs directly counter to the other recommendations made by the Productivity Commission, which suggests that a new piece of legislation should sweep away all existing privacy and secrecy barriers – even those in State and Territory laws – to promote the sharing of data in the national interest.  (To be overseen by a National Data Custodian, helped along by Accredited Release Authorities, who can decide what data gets released to whom.)

I don’t believe that social licence for greater data-sharing – and let’s face it, we are talking here about data-sharing for unrelated secondary purposes, without the subject’s consent, not already authorised under a research exemption – can be built by sweeping away existing privacy and secrecy protections.  Even the proposed new National Data Custodian will need to make some kind of case-by-case assessment, based on a mix of legal and ethical review, common sense, knowing the customer base, avoiding the creepy, and maybe a bit of intuition as well.  The same goes for your projects too.

Because even if you comply with the law, a backlash from your customers or the wider public can bring your project undone faster than you can say ‘Australia Card’.  As the Productivity Commission warns: “It can be difficult for a data holder to know if they have community support for use of data; but they will almost certainly know if they do not”.

 

Photograph (c) Shutterstock

Balancing the ledger: accounting for the year in privacy


This Friday it will be the end-of-financial-year here in Australia, which means it’s time for a stock-take: see where we are at, count the positives and negatives, and determine our net position.  Are we in the red or the black?

So today, rather than reconcile the Salinger Privacy petty cash receipts, I thought I would do a stock-take of the year in privacy, reviewing both positives and negatives.

Herewith I present to you the Privacy Ledger for the Australian Government, FY 2016-17.

First, the privacy-positive side of the ledger:

But then there’s also the privacy-negative side of the ledger:

It’s not exactly a well-balanced ledger, is it?

This litany of privacy disasters, solely from the Australian Government and just in the past 12 months, simply doesn’t square with the rhetoric about government having or obtaining the social licence necessary for more data-sharing and data analytics.

We already see considerable scepticism from the Australian public about the re-use of their personal information by government for research or policy-making purposes, with the latest survey from the OAIC suggesting that 40% of Australians are uncomfortable with the idea.

I believe that the privacy ledger is so out of balance that we are now witnessing a profound loss of trust in government.  This doesn’t just affect the Andie Foxes or the welfare recipients or the people whose metadata is collected by the police; it affects all of us.  Because if the public loses faith in the government’s ability to handle personal information properly, then big-ticket, transformational policies and programs will stall, and public benefits will not be realised.  When people don’t trust electronic health records, some will avoid medical treatment, thus impacting on public health outcomes.  When people don’t trust what the ABS is going to do with their data, some won’t respond to the Census anymore, thus impacting on the quality and public value of the data.

Privacy Commissioner Timothy Pilgrim hinted at this, when he wrote to the Secretary of PM&C recently that, given the “several high profile privacy incidents in recent times”, there is an “urgent need” for action by the Australian Public Service to ensure compliance with privacy law, and “broader cultural change” to improve privacy protections, so as to “facilitate the success of the Australian Government’s broader data, cyber and innovation agendas”.

Pilgrim said that more work is needed by government to "build a social licence for its uses of data", particularly in relation to proposed new uses and increasingly 'open' data.  He suggested that social licence can only be built through transparency about intended uses of personal information, and effective privacy governance – the current deficiencies in which were the trigger for his letter.  However he also noted that to gain social licence, "the broader community must believe that the uses of data which are permitted are valuable and reasonable".

That letter was written in March, before the latest privacy-invading budget proposals were known.  I can only imagine this situation will worsen, as people contemplate proposals like the creation of shared e-health records for everyone by default, or the targeted-yet-random drug-testing Ministerial thought bubble.

(Did the giant minds at Data61 ever imagine that they and their computing power would be tasked with such a crappy job as sifting through sewage analysis to pin-point drug-taking areas so that welfare recipients in those areas can then be chosen at ‘random’ for drug-testing?  There I was complaining about the NSW Government seeking to use our water and electricity consumption data to identify slum landlords, but really, this latest proposal to use Big Data on effluent just boggles the mind.  As Denham Sadler said in InnovationAus, “The plan has the potential to damage the “public good” reputation of the CSIRO and its data unit Data61 as its research smarts are press-ganged into a politically charged program.”)

Way to go, AusGov!  How to ruin public faith in government data analytics: use it not to find a cure for cancer or to tackle wicked policy problems like child abuse or climate change, but to hunt down and punish vulnerable welfare recipients.

As Fairfax economics editor Peter Martin warns, when analysing the impact of the Centrelink ‘robodebt’ program, the failed promises and the targeting of dissenters: “Eventually we will become so sceptical that we will become impossible to win over, no matter how good the budget.”

Post-budget polling indicated precisely that: people simply no longer believe anything they hear from politicians, or they have stopped listening entirely.  Only 26% of respondents thought the government could be trusted, “the lowest level since the poll began this measure in 1969.”

This loss of trust is not just about privacy, but has profound implications for the future of our democratic system of government.  It’s time the government did its own stock-take, and realised the need to balance up the privacy ledger, before it is too late.

 

Photograph (c) Shutterstock

What technology designers need to know to understand privacy


Privacy is contentious today.  Some say the information age has brought real changes to privacy norms.  With so much private data leaking through breaches, accidents and digital business practices, it’s often said that ‘the genie is out of the bottle’.  Many think privacy has become hopeless.  Yet in Europe and many jurisdictions, privacy rights have been strongly and freshly enforced, and for the very latest digital processes.

For technology designers and security pros coming to grips with privacy, the place to start is the concept of ‘personal information’ – also known as ‘personal data’ in the EU, or PII in the US.  The threshold for data counting as personal information is low: any data about a person whose identity is readily apparent constitutes personal information in most places, regardless of where it came from, or who might be said to ‘own’ it. This is not obvious to engineers without legal training, who may form a more casual understanding of what ‘private’ means.  So it seems paradoxical to them that the words ‘public’ and ‘private’ don’t even figure at all in laws like Australia’s Privacy Act!

There is a cynical myth that ‘Technology outpaces the Law’. In practice, it is the law that challenges technology, not the other way around!  The grandiose claim that the ‘law cannot keep up with technology’ is often a rhetorical device used to embolden developers and entrepreneurs.  New technologies can make it easier to break old laws, but the legal principles in most cases still stand.  If privacy is the fundamental right to be let alone, then there is nothing intrinsic to technology that supersedes that right.  It turns out that technology neutral privacy laws framed over 30 years ago are powerful against very modern trespasses, like wi-fi snooping by Google, over-zealous use of biometrics by Facebook, and intrusive search results extracted from our deep dark pasts by the all-seeing Google. So technology really only outpaces policing.

One of the leading efforts to inculcate privacy into engineering practice has been the ‘Privacy by Design’ movement (PbD), started in the 1990s by Ontario privacy commissioner Dr Ann Cavoukian.  PbD seeks to embed privacy ‘into the design specifications of technologies, business practices, and physical infrastructures’. As such it is basically the same good idea as building in security, or building in quality, because to retrofit these things too late leads to higher costs and disappointing outcomes.

In my view, the problem with the Privacy by Design manifesto is its idealism.  Privacy is actually full of contradictions and competing interests, and we need to be more mature about this.

Just look at the cornerstone privacy principles.  Collection Limitation for example can contradict the security instinct to retain as much data as possible, in case it proves useful one day.  Disclosure Limitation can conflict with usability, because it means PII may be siloed and less freely available to other applications.  And above all, Use Limitation can restrict revenue opportunities in all the raw material digital systems can gather.  Businesses today accumulate masses of personal information (sometimes inadvertently, sometimes by design) as a by-product of online transactions; real privacy means resisting the temptation to exploit it (as Apple promises to). Privacy at its heart is about restraint. Privacy is less about what you do with personal information than what you don’t do with it.

PbD naively asserts that privacy can be maximised along with security and other system objectives, as a “positive sum” game.  But it is better that engineers be aware of the trade-offs that privacy can entail, and that they be equipped to deal with real world compromises entailed by privacy just as they do with other design requirements.  Privacy can take its place in engineering along with all the other real world considerations that need to be carefully weighed, including cost, usability, efficiency, profitability, and security.

 

This is an edited extract from a chapter Stephen contributed to Darek Kloza and Dan Svantesson’s new book Trans-Atlantic Data Privacy Relations as a Challenge for Democracy?

Previously published on the Constellation Research blog.  Minor revisions made for a primarily Australian audience.

Photograph (c) Shutterstock

Why the marriage equality poll is a privacy issue


What is it about August 9th?  Last year it was that evening of national beating-your-head-against-your-laptop as the Census website went down, and stayed down.  This year, the government decided to mark the anniversary of #censusfail by handing the architects of that omnishambles, the ABS, the hospital pass of 2017: responsibility for a national same-sex marriage poll.  (Me, I marked the date by baking the ABS this special anniversary cake.  No, there's none left, sorry.)

So, here we are, facing a ridiculous, waste-of-$122M, hurtful, divisive vote-that’s-not-even-a-proper-vote, just because some politicians are too lily-livered to do the job that we elected them to do, and want them to do, which is to make and amend laws for our nation.

Marriage equality is squarely a human rights issue, but an ABS survey about marriage equality raises some additional and important privacy issues.

First, there’s the obvious privacy argument in relation to sexuality, which is that what happens between the sheets between consenting people over the age of consent is none of anybody else’s business.

But privacy is not just about protecting what is private.  It is about allowing people the freedom to choose when, and to whom, they wish to disclose things about themselves.  So when two people want to publicly declare their love for each other, and to publicly make a commitment to each other, and they want our laws to recognise that commitment and offer protections and benefits arising from that commitment on the same basis as anyone else, that is a privacy issue.  Marriage equality is about the same values which privacy aims to protect: self-determination and autonomy, freedom of speech, and freedom of association.

If the freedom to say ‘I do’ is not freedom of speech, I don’t know what is.

The next privacy issue is whether the ABS even has the power – or should be allowed – to run a national survey about marriage equality.  My questions here, some of which may get a run in the High Court challenge next month:

  • Is opinion on same-sex marriage ‘statistical information’?

The ABS says that they are under direction “to request statistical information from all Australians on the Commonwealth Electoral Roll, as to their views on whether or not the law should be changed to allow same sex couples to marry”.

This phrase ‘statistical information’ is critical, because the ABS’s ability to be directed by the government, and its power to collect data, is limited under the Census & Statistics Act to ‘statistical information’.  The meaning of that phrase is not defined, but for surveys other than the Census, the ABS can only collect statistical information on a list of topics prescribed in the regulations, which include “births, deaths, marriages and divorces”.

But some legal experts have questioned whether opinions can ever be ‘statistical information’, in the way that facts are.  Constitutional lawyer Anne Twomey for example has described ‘statistical information’ as “numerical data concerning facts”.  So it would be one thing for the ABS to collect data about the numbers of people who are in same-sex relationships, or the number of married versus unmarried couples – but another thing entirely to ask about people’s opinions about marriage.

A similar concern was raised last year in relation to the Census.  In response to the ABS's plans to begin using our names and addresses to create linkages between our Census responses and other data supplied to the ABS from government agencies, some commentators queried whether the ABS's powers to direct people to complete the Census form (the defiance of which is a criminal offence) actually extend to the name and address part of the form.  Part of the argument was that names are not 'statistical information'; for example, the ABS does not produce statistics about how many people in Australia have the name Jane Citizen.  However since the ABS has apparently not sought to prosecute anybody who either left off their names, or did not complete the Census at all, there has been no criminal case brought through which we could test out that theory before the courts.

So the issue that needs testing is whether or not asking for people’s opinions on marriage equality is ‘statistical information’ about marriage.  If it is not, then there are some fatal problems.  Senior law lecturer at UNSW Paul Kildea has pointed out that the Australian Electoral Commission could not disclose the electoral roll to the ABS; and the ABS could not collect the opinion data under the Census & Statistics Act.  So end of story.

  • Can it still be described as ‘statistical information’ if the survey is not conducted using proper statistical techniques?

But even if the High Court is persuaded that opinions on marriage equality are 'statistical information' about marriage, will the conditions under which those opinions are to be collected render the resulting data so unscientific that it could not honestly be described as 'statistical' anyway?

Articles in recent days have featured various pollsters pointing out that a national postal poll is such a poor methodology that it will be next to useless.  The main criticism here is that to be ‘statistical’, a poll needs to be weighted to ensure accurate representation of people across different demographic groups, whereas a voluntary postal poll is likely to be skewed in favour of older Australians.

Numerous commentators have mentioned the difficulties of postal voting for various groups, including the young who move home often, the homeless, rural indigenous populations, people who are overseas including serving members of the defence forces, etc; but there’s another group facing an inability to vote (sorry – be surveyed) too: silent electors.

There are something like 113,000 or so of us: people who are 'silent' on the electoral roll because for some safety-related reason, we do not want our home address publicly knowable.  (In my case, it is because on a few occasions I have been subject to death threats, just because I have spoken publicly in favour of protecting the privacy rights of individuals against the government.  The irony that the people who have threatened me chose to remain anonymous is not lost on me.)

But being a silent elector does not mean I want to be silenced.  I want my privacy, and my right to be heard.

We’re in a catch-22 here.  If the AEC discloses silent electors’ details to the ABS, they would likely be in breach of the electoral law.  The whole point of being silent is that the AEC is not supposed to tell anyone.  (Not even the people who have those big paper books on election days know!  I have to go through a little extra paperwork each time I vote, and everyone else stares at me as I get pulled out of the queue to do the special silent-voter process, but for me, it’s worth it.)

But if they don’t disclose silent electors’ details to the ABS, will we silent electors be disenfranchised?  I would like to think there is a solution (like maybe: silent electors can rock up to their local AEC office to be ticked off and get a special ballot paper), but the fact that the government had not already thought this issue through is yet further evidence of the ridiculous decision-making-on-the-fly that ends in a shameful waste of taxpayers’ money on bad process design.

  • Will the ABS know who voted and who didn’t?

Another catch-22 here.  If the ABS issues voting papers with personal identifiers, then the concept of voter privacy flies out the window.  But if there is no way to link voters to votes, then ensuring the integrity of the voting process is extremely difficult.  This is an inherent flaw in postal voting systems; yeah, I know you can do the whole envelope-inside-an-envelope thing, but you still have to trust the person opening the envelopes.

Do we trust the ABS?  They don’t even seem to know what is going on.  The information on the ABS website about voter privacy changed quickly, as an early promise about ‘no identifiers’ was quietly withdrawn.

On August 10, the ABS website promised: “The ABS assures Australians that there will be no personal identifiers on the survey form and all materials will be destroyed by the ABS at the end of processing.”  By the next day, the statement had been amended to say only that “The ABS assures Australians that all materials will be destroyed by the ABS at the end of processing.”

Weaselling out of privacy promises after only one day – not a good look.

  • Could the survey data be combined with other data?

Broken privacy promises bring us to the next point.  What are the "materials" that will be destroyed by the ABS?  Does that include the resulting data, or just the ballot papers?

And what does “at the end of processing” mean?  Only once they’ve sucked up all the personal information they can?

In other words: will, or could, the ABS use the marriage equality poll data for other purposes?  Could they link it to other data that the ABS holds about us?

That might sound ridiculous, but consider this: if the High Court accepts that the marriage equality poll is a survey, and the data to be collected is ‘statistical information’, then that puts our ‘votes’ in the same bucket as our Census answers.  And as we all know, last year the ABS decided that it had the power to use our names and addresses to generate statistical linkage keys, to enable it to link our Census answers with other data about each of us, from datasets given to it by other arms of government.
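
(For those wondering how that linking works without agencies ever swapping spreadsheets of names, here is a minimal, purely illustrative sketch of a statistical linkage key.  It is loosely modelled on the SLK-581 style of key used in some Australian data collections; it is not the ABS's actual Census method, and every name, date and field below is invented.)

```python
# Purely illustrative sketch of a statistical linkage key, loosely in the
# style of SLK-581-type keys used in some Australian data collections.
# This is NOT the ABS's actual method; names, dates and fields are invented.
# The idea: derive the same key from a few personal attributes in two
# datasets, so records about one person can be joined without the datasets
# ever exchanging the names themselves.

def linkage_key(family_name: str, given_name: str, dob_ddmmyyyy: str, sex: str) -> str:
    """Build a crude linkage key from name fragments, date of birth and sex."""
    fam = family_name.upper().replace(" ", "") + "222"   # pad short names
    giv = given_name.upper().replace(" ", "") + "22"
    # Selected letters of each name (positions chosen for illustration only)
    name_part = fam[1] + fam[2] + fam[4] + giv[1] + giv[2]
    return name_part + dob_ddmmyyyy + sex

# The same key computed over two different datasets lets records be matched:
census_key = linkage_key("Citizen", "Jane", "01011980", "F")
other_key  = linkage_key("Citizen", "Jane", "01011980", "F")
assert census_key == other_key    # same person, same key, records linkable
print(census_key)                 # ITZAN01011980F
```

The point is that a dataset carrying such a key is 'de-identified' in only the narrowest sense: anyone who holds the same input attributes can reproduce the key and link the records.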

So if the ABS can link our Census answers, at an individual level, to our educational records, criminal records, tax records and whatever else it is hoovering up, why not also our opinions on marriage equality?  The ABS has released a statement saying that it won’t do that, but then again, they used to promise that about our Census data too.

By now hopefully you are starting to see the scope of the ultimate privacy issue at stake here.  If the High Court finds that a survey of people’s opinions about marriage equality is not ‘statistical information’, then the ABS has no power to conduct this poll, and hopefully the national stupidity will end there.

But if the High Court says that it is 'statistical information', then effectively the ABS will be seen to have the power to collect any data so long as they call it 'statistical information' with some tenuous link to one of the long list of prescribed topics, and the power to then use that data for data-matching at an individual level so long as they don't disclose it in identifiable form.  (Reminding us of their secrecy obligation not to disclose is the standard ABS line whenever anyone raises privacy concerns, ignoring whether they have the power or social licence to collect or use the data in the first place.)

In that scenario, there is nothing to stop the ABS compiling dossiers on every single one of us – and using their compulsion powers to do so.  They could do so off their own bat, or they could be directed to do so by the Government of the day.

Why stop with our views on same-sex marriage? Why not also ask where everyone stands on other topics conceivably within scope of the prescribed list of topics on which the ABS can conduct surveys, like abortion (births), euthanasia (deaths), or who should win The Bachelor (marriage)?

The ABS could just as easily ask how we feel about whether Barnaby Joyce should be sent home to New Zealand (migration), or whether peanut butter should be crunchy or smooth (food preparation and food consumption).

As long-time privacy advocate Graham Greenleaf has said, “If ABS can now collect opinions on anything, what limits its collection methods? One more step toward the Australian Bureau of Surveillance”.

I don’t want this wasteful, hurtful, unnecessary and unlawful survey to go ahead.  I desperately hope that the legal challenge in the High Court succeeds.  Affording equal legal rights and protections to a minority should not be subject to the opinions of the majority, and the powers of the ABS to collect and use our data need to be clarified and curtailed.

But if the legal challenge fails, what next?  Boycott “this irregular and unscientific polling”, as former High Court judge Michael Kirby first suggested?  Or do as the marriage equality advocates request, and Kirby himself then said he would also do, which is grudgingly accept this awful situation, and then rainbow glitter-bomb the electorate with messages of love, encouraging everyone you know to #voteYes?  (But FYI don’t put glitter on your actual survey form, it might render it unreadable by the ABS.)

Either way, I say bring it on.  By which I mean: bring on marriage equality.  Not this stupid poll.  We don’t need some ridiculous, divisive, non-binding, unscientific, undemocratic, wasteful excuse for a privacy invasion to get us there.

 

Photograph (c) Anna Johnston


Looking forward, looking back: privacy challenges past and future


I tend to focus on privacy disasters in this blog (link here to: oh, pretty much every other blog I’ve ever written), but sometimes it is nice to pause and reflect on the privacy successes too.  I’ve had particular reason to do so recently.

Firstly, as Privacy Commissioner Timothy Pilgrim reminded us at the iappANZ Summit last week, in just a few short months it will be 2018, and thus the 30th anniversary of the Australian Privacy Act 1988.  Secondly, a few weeks ago I helped to celebrate the 30th anniversary of the founding of the Australian Privacy Foundation.  Both these events – the creation of the APF as a civil society organisation that exists to this day, run as always entirely on volunteer effort, as well as the first national piece of privacy legislation – had their genesis in the Australia Card debates of 1985-87, when Australians were galvanised about their privacy rights in a way not seen before or since.

July also marked the 10th anniversary of the successful ‘NoID’ Access Card campaign, which was particularly close to my heart.  From 2006-2007 I co-ordinated the campaign on behalf of the APF, along with a number of other NGOs.  As I look back now, I realise what a very female experience it was: Robin Banks headed up the Public Interest Advocacy Centre which was our primary campaign partner, and the three most influential politicians we worked with to oppose the proposal were Senator Natasha Stott Despoja (Democrats), Senator Kerry Nettle (Greens), and the then Shadow Minister for Human Services, Tanya Plibersek (Labor).  Each worked tirelessly to hold the government of the day to account for Joe Hockey’s national ID card thought bubble.

Mind you, we never had the chance to celebrate our campaign victory, as within a few days of the Howard Government finally dropping the Access Card proposal I was on maternity leave (yes, the latter stages of the campaign had involved me waddling around Canberra in an increasingly pregnant state), while the others were shortly thrown into a federal election.  There was no victory party or bottles of champagne, let alone time to either reflect or pat each other on the back.  So Robin, Natasha, Kerry and Tanya: please consider this blog a very, very belated ‘thank you’.  Brava.

And yet, the battle to protect our privacy rights is never won.  At the party to mark the APF’s anniversary, I was asked to speak about the ways in which Australian law still doesn’t properly protect privacy.

I spoke briefly about the obvious, well-documented failings, like the exemptions in the federal Privacy Act for political parties, the media and employment records.  I noted the loopholes in State privacy laws, like the ‘rogue employee’ exemption in NSW, as well as the near-blanket exemption for NSW Police even when personal information is handled corruptly.  (And let’s not forget that SA and WA still don’t have privacy laws for state and local government agencies at all.)

I had my traditional whinge about governments of all stripes paying lip service to privacy, by leaving Privacy Commissioners under-funded, and ignoring consistent, well-reasoned, multi-partisan and multi-stakeholder recommendations to introduce a statutory tort of privacy.  And of course, I could not resist taking a swipe at recent shockers like the use of Census records for data-matching without specific legislative authority, and the unauthorised disclosure of a Centrelink client’s details by the Minister.

But since this was a party afterall, I also wanted to talk about the good news from the last 30 years, as well as what might be around the corner.

I reflected on the changes I’ve noticed since 2000, when I first started working in privacy law.  Though there is still a long way to go, I see greater awareness of the privacy risks of sharing personal information.  Technological evangelists are met with greater scepticism.  The US model of ‘notice and consent’ is dying a slow death, and while I’m not holding my breath for the US to catch up with the rest of the world and finally adopt omnibus privacy principles, the enthusiasm with which the big US tech companies are now talking about ethical frameworks for making decisions to limit – yes, limit – their collection or use of personal data is encouraging.

I am similarly heartened to see many of my clients thinking deeply about how they can best protect privacy, above and beyond what the legal minimum requirement asks of them.  They get it: they need community acceptance, or ‘social licence’, even more than they need legal compliance.  Privacy management as a profession is shifting from legal tick-box compliance to a more nuanced task of finding the appropriate point of intersection between law, technology and ethics.

And then we started talking about the future: what will the next 30 years bring for privacy?

Of course, I do not have a crystal ball.  And I’m not even sure that thinking about what are the hot topics right now can help predict what is just around the corner.  (When I first joined the NSW Privacy Commissioner’s Office, the three issues which exercised us were bag searches in supermarkets, speed cameras, and RFID tags, which were surely an indicator of the End of Days.  Oh, how naïve we were!  In quick succession, along came September 11 and all the related justifications for intrusions into civil liberties, and then the explosion of social media.  Yikes!)

But what we can predict is the massive disruption across multiple industries likely to result from new technologies, such as drones offering automated delivery of everything from food to weapons, as well as being an effective surveillance tool.

AI and machine learning will see the automation of everything: from self-driving vehicles to intelligent machines taking the place of not only blue collar jobs, but also white collar professionals, as increasingly decisions are made by algorithms instead of human judgment.

And we also know that the immediate privacy challenges include the coming of what UQ legal academic Dr Mark Burdon describes as the ‘sensor society’.  This is the effect of the collision of Big Data processing power with the Internet of Things, in which everything from your fridge to your car to a public rubbish bin is collecting data about you, and then somewhere, someone (or, more likely, an intelligent machine) is collating that data, and using it to draw inferences about you, and – finally – to make decisions about you.  The risks include profiling, discrimination, pricing inequality, and pre-destination.

If you had asked me in 2000, I would have said that genetic testing was going to be the driver of these types of privacy harms, but now we know that predictions and decisions can be made based on pieces of data collected from our digital breadcrumbs, instead of from drops of blood collected from our bodies.

Increasingly, the privacy challenge for individuals will be trying to beat the algorithm – trying to disprove the computer which says ‘there is no point you enrolling at Uni because you are likely to fail’, or ‘you should not be granted parole because you are likely to re-offend’.  The Centrelink ‘robodebt’ scandal has shown the human suffering that can be caused by poor algorithmic design, accompanied by human indifference to the outcomes.

(On a lighter note, my new favourite joke illustrates the risks perfectly:  Why did the computer cross the road?  Because it was programmed by a chicken.)

So those are the challenges we know are coming, sooner rather than later, because of current technological developments.  Which leads us to the perpetual challenge: ensuring the law keeps up with technology.

For the most part, I reject claims that privacy law does not keep up with technology.  Principles-based privacy laws are designed to be technology-neutral.  Let’s face it – they are based on common sense and good manners, like ‘only use personal information for the purpose for which it was collected, otherwise get consent’.  So those principles drafted by the OECD in 1980 still work today for Big Data – it’s just that they tend not to be followed.  Big Data is big business, and big business will push that envelope as far as it can.  This is why so many people think that the law is outdated. It’s not outdated. It’s just not applied widely or deeply enough.

But there is one area in which I think our privacy laws are sadly out-of-date, and that is their reliance on the identification of an individual as the trigger point for protecting that person’s privacy.  Our laws only protect ‘personal information’, and that definition relies on the individual being reasonably identifiable.  If you can claim that the person is not identifiable, then all bets are off.  But that doesn’t mean a person can’t suffer privacy harm.

In my view it is individuation, rather than identification, which can trigger privacy harms.

In other words, you can hurt someone without ever knowing who they are.

Individuation means you can disambiguate the person in the crowd.  This is the technique used in online behavioural advertising; advertisers don’t know who you are, but they know that the user of a certain device has a certain collection of attributes, and they can target or address their message to the user of that device accordingly.
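
To make the mechanics a little more concrete, here is a minimal sketch of how that kind of individuation can work (illustrative only, and not any particular ad platform's actual method): a handful of device and browser attributes are hashed into a stable pseudonymous identifier, and targeting segments accumulate against that identifier.  No name or email address is ever involved.

```python
import hashlib

# Minimal sketch of individuation via a device 'fingerprint'.  Illustrative
# only, not any particular advertiser's real method: no name or email is
# collected, but the device is disambiguated from the crowd and targeted.

def fingerprint(attributes: dict) -> str:
    """Hash a stable combination of device/browser attributes into an ID."""
    raw = "|".join(f"{key}={attributes[key]}" for key in sorted(attributes))
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

device = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "screen": "1920x1080",
    "timezone": "Australia/Sydney",
    "fonts": "Arial,Calibri,Times New Roman",
}

device_id = fingerprint(device)

# Targeting segments accumulate against the pseudonymous ID, never a name.
segments = {device_id: ["visited_travel_sites", "late_night_browsing"]}
print(device_id, segments[device_id])
```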

Once we move beyond straight-up advertising, the impact on individual autonomy becomes more acute.  Individuation can lead to price discrimination, like surge pricing based on Uber knowing how much phone battery life you have left.  Or market discrimination, like Woolworths only offering car insurance to customers it has decided are low risk, based on an assessment of the groceries they buy.  Geolocation data likewise offers high rates of individuation, even without identification.  For example, privacy harms could arise from using geolocation data to figure out the likely home address of people who have visited a strip club or an abortion clinic.  Individuals could be targeted for harm or harassment, without the perpetrator ever knowing their name.

All these activities hold the potential to impact on individuals’ autonomy, by narrowing or altering their market or life choices, regardless of whether the individual is identifiable.

So perhaps, if our objective is to protect people’s privacy, our laws need to grapple with a broader view of the types of practices which can harm privacy – regardless of whether ‘personal information’ is at stake.  I would argue that it is time to re-think the scope of our privacy laws, to encompass individuation and autonomy as well as identification.

So if it’s not too much to ask … I look forward to seeing the Australian Privacy Foundation achieve that goal!  Happy Anniversary APF, and here’s to the next 30 years.

PS: As a result of my talk at the APF anniversary function, I was invited by fellow panellist Antony Funnell to appear on his Radio National program, Future Tense, as was our third panellist, Dr Jake Goldenfein.  You can listen to the podcast here.

 

Photograph (c) Shutterstock

Preventing and responding to data breaches: are you ready for 2018?


“We take your privacy seriously.”

Not since the advent of electronic banking finally rendered obsolete the laughable phrase “your cheque is in the mail” has there been a phrase which is more likely to induce me to – depending on my mood – engage in exaggerated eye-rolling, mutter rude things under my breath, or simply shout “liar liar pants on fire!”

News this week that hackers stole information about 50 million Uber passengers (and 7 million drivers) from around the globe has put data breaches – and their repercussions – squarely on the front page.

What is particularly galling about the Uber example was not just the failure of information security, but the immoral corporate behaviour that followed.  Instead of telling their customers or drivers (or indeed privacy regulators), Uber hid the news for a year, and paid off the hackers $100,000 to keep quiet.  If you thought the job of the privacy and security team is to keep things quiet in order to protect the firm’s reputation, you would be wrong.  Uber has now sacked its chief security officer and one of his deputies, for failing to properly disclose news of the data breach.  Privacy regulators around the world are now asking questions.

How does this stuff happen?  I don’t mean ‘how did the hackers get the data?’  I mean: Why are incredibly wealthy and powerful companies getting away with treating our personal information so shabbily that we are exposed to risk in the first place?

As security researcher and blogger Troy Hunt argues, there has been minimal accountability for data breaches because there has not been enough of a financial disincentive for companies to truly care about privacy and security.  Until now.

The consequences of a data breach will get much, much more serious in 2018.  Here in Australia, our notifiable data breaches scheme kicks off in February, with maximum civil penalties of A$2.1M for a failure to properly follow the notification requirements.  Then in May the GDPR commences, with its seriously hefty fines of up to €20M, or 4% of a company’s annual global turnover, whichever is the greater.  Even though it is European data protection law, its reach can extend to Australian organisations.
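
To put the GDPR number in perspective: the cap for the most serious contraventions is simply the greater of the two amounts.  A quick, purely illustrative calculation (the turnover figure is hypothetical):

```python
# Illustrative only: for the most serious contraventions the GDPR cap is
# the greater of EUR 20 million or 4% of annual worldwide turnover.
def gdpr_fine_cap(annual_global_turnover_eur: float) -> float:
    return max(20_000_000, 0.04 * annual_global_turnover_eur)

# A hypothetical company turning over EUR 2 billion faces a cap of EUR 80 million.
print(gdpr_fine_cap(2_000_000_000))   # 80000000.0
```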

Things are ramping up in the US too.  A failure to notify the appropriate regulator and affected individuals within the specific timeframe landed an Illinois surgery in hot water earlier this year.  For delayed reporting on the loss of hard copy records about 836 patients, the US Department of Health and Human Services levied its first fine – of US$475,000 – for non-compliance with data breach notification requirements.

Of course, fines from privacy regulators are not the only cost incurred for a company dealing with the fallout from a data breach.  Following an incident earlier this year in which the personal information of more than 145 million people in the US and the UK was potentially exposed, the credit bureau Equifax lost $87.5m in the first quarter after the breach. That cost included legal and consulting fees, as well as costs related to the services offered to people whose data was compromised.  Its quarterly profits also dropped by 27%.  (And, importantly, in the wake of the Equifax breach, lawmakers in the US are finally talking seriously about the need for broad-based data protection legislation.  Hurrah!)

Meanwhile Target’s 2013 data breach, in which hackers were able to steal information about 40 million credit and debit cards used by customers in its stores, had cost it a staggering US$202M by May 2017 – with a consumer class action still outstanding.

So what might cause the kind of data breaches which, come 2018, will need to be notified?

Leaving aside examples of malicious hacking and deliberate misconduct by disgruntled employees, let’s review a few other scenarios, which are disturbingly common:

(And if those examples of insecure electronic health records from the US scare you, don’t imagine that things are magically any better here.  The Chief Information Security Officer of the Australian Digital Health Agency, the agency charged with implementing the My Health Record, said of GP clinics here: “they’re going to be sitting on a Windows XP machine that has vulnerabilities up the kazoo”.)

So, dear privacy and infosec professionals, I hope you are already mentally creating your list of ‘things I need to check that our organisation doesn’t do’.

But that’s not all of it.  Preventing data breaches is not just about the tech.  It’s about people.  All of your people.  It’s about the things that you do do.

Because just like US President Trump leaving the key in a classified lock-bag in the presence of non-security-cleared people, we all have our bad days.  (Hands up anyone who has ever accidentally emailed something to the wrong person.)  Research from both the UK and the US suggest that human frailties – ignorance, laziness, carelessness – are the root cause of more than half of all data breaches.

So here’s some more, sadly common, examples:

So what’s a privacy officer to do?

The privacy team should be working hand-in-hand with the information security team, to prevent data breaches.  The privacy messages to staff need to include: don’t collect more personal information than we need; only keep it for as long as we genuinely need it; and don’t use it for secondary purposes without permission.  The less personal information you hold, the less risk you need to manage for.

(And yes, sometimes that means saying to the CEO or venture capitalists: No, we should not be collecting intrusive location data about our customers – or, you know, littering the streets with dockless share bikes – just because we might find a way to monetise our customers’ personal information later on.)

You also need to embed a culture of good data security, at every level in the organisation.  Obviously you need good policies and procedures, and visible enforcement of those policies and procedures.  But it’s more than that: staff need training.  And reminders.  And more training.  And more reminders.  And then you can make sure that your tech is delivering on your security promises.  (For one example of data loss prevention tech, see the White Paper on data classification we wrote for our client janusNET.)

Oh, and don’t forget your contractors: third party involvement can be the weakest link in the security chain.  A study of data breaches by the Ponemon Institute and IBM found that third-party involvement was the top ranking factor that led to an increase in the cost of a data breach.  A recent example: customer data leaked from a supplier to Domino’s Pizza.  (Stop press: just this morning, news of another data breach, involving data about 8,500 current and former staff of the Department of Social Services, blamed on a third party contractor.)

Of course, while hoping for the best you still need to plan for the worst.  We all know that prevention is better than the cure … but it’s smart to have a first-aid kit, just in case.

That same study by the Ponemon Institute found that the best steps you can take to lessen the consequences of a data breach are the steps you take before the breach even occurs: staff training, and having a data breach response plan in place.

So – are you ready for 2018?

You should be doing your utmost to prevent data breaches anyway – but once the new Australian and European regimes of mandatory notification kick in, the consequences of failing to do so will become much more significant.

To help you get ready, we will shortly be launching some new privacy compliance tools, including a template Data Breach Response Plan you can download and easily customise for your organisation, as well as a template Privacy Risk Assessment Framework.  Look out for those on our website soon.

In the meantime, if you need privacy awareness staff training to help spread the message throughout your organisation, we have standard and customised eLearning options available.  Our training content has already been updated to incorporate the new data breach notification requirements.  And of course, we’ve also got our more specialised eLearning modules for privacy professionals, about identifying and mitigating privacy risks.  (Plus some more modules for privacy pros, coming soon.)

Time to get your skates on.  2018 will be here before you know it.

 

Photograph (c) Shutterstock

Better than Santa, your IoT device will know who’s naughty and nice


Best to peek carefully into your Christmas stocking this year, for Santa may have brought you more surveillance and security risks than you bargained for.

With the booming market for voice-controlled virtual personal assistant devices like Google’s Home and Amazon’s Echo, and warnings from the former head of MI5 about hackable smart toilets (which, frankly, doesn’t scare me quite as much as a hackable Boeing 757), the attention of regulators is finally turning to the impact of the Internet of Things (IoT) on our privacy and security.

When every little device can be connected to the internet, the questions include:

When stories like these abound, it is no wonder that consumers’ fears about privacy are suppressing demand for IoT devices.

Tech journo Stilgherrian has asked How many must be killed in the Internet of Deadly Things train wrecks?  Academics have called for an IoT Code of Ethics.  And security researcher Troy Hunt has argued that consumer-oriented IoT devices should come with warning labels.

Indeed, the Australian Government recently announced it would introduce a rating system for connected household devices backed with legislation if the industry did not self-regulate quickly enough.  (Hey, how cute is the idea of a cyber-kangaroo logo!)

And so just in time it seems, the IoT Alliance Australia has published its industry-led Good Data Practice guidelines.  Like the many examples we have cited above, the IoTAA guidelines focus on consumer-facing IoT devices, rather than bigger ticket ‘smart cities’ programs to manage lighting, parking, traffic, energy and waste in public spaces which, as the IoTAA recognises, raise their own privacy issues and thus need more specific guidance.

In addition to addressing the kinds of security vulnerabilities illustrated above, the IoTAA guidelines delve deeper into privacy concerns.  Indeed, some of their Good Data Practice principles will sound pretty familiar to anyone who already works in privacy, like: one, follow privacy law; two, build in privacy by default and use privacy by design; and three, be accountable.  These are sound principles which should apply in any sector.

But there are also some privacy challenges which are comparatively novel in this world of IoT, and the IoTAA guidelines call these out.  For example, IoT devices in the home may be used by people other than the consumer who purchased them; and indeed those other individuals may have no awareness that the devices exist, let alone are already monitoring them.

(Which reminds me of the time last year when I popped over to a friend’s place and we chatted for a while before he suddenly said ‘Hey Alexa turn down the music’ and after I realised that there wasn’t actually some other person hiding around the corner called Alexa, it completely freaked me out to think that the device on the kitchen bench I had thought was some trendy new Scandi pepper grinder was actually listening to everything I said.  Luckily all we had been talking about was the cost of kitchen renovations because, well, apparently I am a Sydney-dwelling cliché.)

The guidelines also note that “Many B2C IoT services reach into homes and other domestic, sometimes intimate environments, and enable observations and inferences as to private behaviour that otherwise are not possible”.  So, like, for all those times when conversations and activities in the home are a little more spicy than discussions about what type of splashback to choose.

The proposed responses are eminently sensible too, with the guidelines stating that device designers and manufacturers need to design on the basis that the device must be safe for a child to use, and that communications to consumers must be understandable by someone with a “reasonable but below average” level of literacy.  It criticises attempts by manufacturers to shift data security risks onto consumers, noting that consumers cannot be expected to constantly monitor the use of their devices and be knowledgeable or skilled enough to install updates and patches.

The guidelines also deliberately take a broader view of the data that needs to be considered in a device’s design, beyond information about individuals who are identifiable (i.e. what privacy law protects now as ‘personal information’) to also include what they describe as ‘private’ because it is “domestic or confidential in nature” even if no individual is identifiable from the data.  Bravo, IoTAA, for recognising that privacy harms can arise through what I describe as individuation, as well as identification.  And hooray, the guidelines also stress data minimisation.  In other words, let the consumer be just a consumer, not a secondary product.

I believe these new guidelines are a really positive step, to help designers and manufacturers figure out how to build us the Internet of Safe And Useful Things, instead of an Internet of Stupid Dangerous Invasive Things.  Hopefully they will give manufacturers pause for thought before they continue down the road of just sticking a chip in everything.

From smart clothes pegs telling you when your clothes are dry, to a smart umbrella telling you it’s raining, to hair brushes telling you, um, something about how to brush your hair, to smart toilet rolls that can identify you (why??), there is mirth to be found poking fun at all the dumb things allegedly turned ‘smart’.  Because really, does anyone genuinely need their dental floss dispenser to be connected to the rest of the world?  I would suggest that our obsession with building connectivity into every little thing is getting out of hand, and it is time for a sensible re-think.

As technologist Vikram Kumar told a Technology & Privacy forum in New Zealand last year, sometimes, “the best interface to control your lights is a light switch”.

Photograph (c) Shutterstock

Yet another broken anonymity promise


In 2016, the Australian government released, for research purposes, an extract of public health insurance data, comprising the 30-year billing history of ten percent of the population, with medical providers and patients purportedly de-identified. University of Melbourne researcher Dr Vanessa Teague and her colleagues famously found quite quickly that many of the providers were readily re-identified.  The dataset was withdrawn, though not before many hundreds of copies were downloaded from the government website.

The government’s responses to the re-identification work were emphatic but sadly not positive.  For one thing, legislation was written to criminalise the re-identification of ostensibly ‘anonymised’ data, which would frustrate work such as Teague’s regardless of its probative value to ongoing privacy engineering (the bill has yet to be passed). For another, the Department of Health insisted that no patient information had been compromised.  That was then.

It seems less ironic than inevitable that the patients’ anonymity could not, in fact, be taken as read.  In follow-up work released earlier this week, Teague, together with Dr Chris Culnane and Dr Ben Rubinstein, has shown how patients in that data release may indeed be re-identified.
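To see why unit-record data is so fragile, consider a toy linkage attack sketched below in Python.  Everything in it is invented for illustration – the field names, the records and the “background knowledge” are hypothetical, it is not the real MBS/PBS schema, and it is not the method Culnane, Rubinstein and Teague actually used – but it shows the basic mechanics: a handful of facts an adversary already knows about someone (a rough birth year, the dates of a couple of publicly reported medical events) will often match exactly one record, and everything else in that record is then exposed.

    # Toy illustration of a linkage (re-identification) attack on unit-record data.
    # Records, field names and "background knowledge" are all hypothetical.

    records = [
        # (pseudonymous_id, year_of_birth, gender, service_dates)
        ("a91f", 1972, "F", {"2014-03-02", "2015-07-19", "2016-01-11"}),
        ("b27c", 1972, "F", {"2014-03-02", "2014-09-30"}),
        ("c55d", 1980, "M", {"2015-07-19", "2016-01-11"}),
    ]

    # Facts an adversary might glean from news reports or social media:
    # the target was born in 1972 and had procedures on two known dates.
    known_birth_year = 1972
    known_dates = {"2014-03-02", "2015-07-19"}

    matches = [r for r in records
               if r[1] == known_birth_year and known_dates <= r[3]]

    if len(matches) == 1:
        # A unique match: the entire billing history in that record is now
        # linked to a named person, even though no name appears in the data.
        print("Re-identified record:", matches[0])
    else:
        print(len(matches), "candidates; more background facts needed.")

The work is done by uniqueness, not by any cryptographic cleverness: the more columns a unit record carries, the fewer innocuous facts it takes to single one person out of millions.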

The ability to re-identify patients from this sort of Open Data release is frankly catastrophic.  The release of imperfectly de-identified healthcare data poses real dangers to patients with socially difficult conditions.  This is surely well understood.  What we now need to contend with is the question of whether Open Data practices like this deliver benefits that justify the privacy risks. That’s going to be a tricky debate, for the belief in data science is bordering on religious.

It beggars belief that any government official would promise “anonymity” any more. These promises just cannot be kept.

Re-identification has become a professional sport.  Researchers are constantly finding artful new ways to triangulate individuals’ identities, drawing on diverse public information, ranging from genealogical databases to photos from celebrity gossip sites.  But it seems that no matter how many times privacy advocates warn against these dangers, the Open Data juggernaut just rolls on.  Concerns are often dismissed as academic, or being trivial compared with the supposed fruits of research conducted on census data, Medicare records and the like.

In “Health Data in an Open World (PDF)” Teague et al warn (not for the first time) that “there is a misconception that [protecting the privacy of individuals in these datasets] is either a solved problem, or an easy problem to solve” (p2). They go on to stress “there is no good solution for publishing sensitive unit-record level data that protects privacy without substantially degrading the usefulness of the data” (p3).

What is the cost-benefit of the research done on these data releases? Statisticians and data scientists say their work informs government policy, but is that really true? Let’s face it: “evidence-based policy” has become quite a joke in Western democracies. There are umpteen really big public interest issues where science and evidence are not influencing policy settings at all.  So I am afraid statisticians need to be more modest about the practical importance of their findings when they mount bland “balance” arguments that the benefits outweigh the risks to privacy.

If there is a balance to be struck, then the standard way to make the calculation is a Privacy Impact Assessment (PIA). This can formally assess the risk of “de-identified” data being re-identified. And if it can be, a PIA can recommend additional, layered safeguards to protect privacy.

So where are all the PIAs?

Open Data is almost a religion. Where is the evidence that evidence-based policy making really works?

I was a scientist and I remain a whole-hearted supporter of publicly funded research. But science must be done with honest appraisal of the risks. It is high time for government officials to revisit their pat assertions of privacy and security. If the public loses confidence in the health system’s privacy protection, then some people with socially problematic conditions might simply withdraw from treatment, or hold back vital details when they engage with healthcare providers. In turn, that would clearly damage the purported value of the data being collected and shared.

Big Data-driven research on massive public data sets just seems a little too easy to me.  We need to discuss alternatives to Open Data bulk releases.  One option is to confine extracted research data to secure virtual data rooms, and grant access only to specially authorised researchers. These people would be closely monitored and audited; they would comprise a small set of researchers; their access would be subject to legally enforceable terms & conditions.
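To sketch what “closely monitored and audited” might mean in practice, here is a minimal, entirely hypothetical example in Python – the function and variable names are invented, and real secure research environments will differ – in which every query from an authorised researcher is checked, logged, and limited to aggregate results.

    # Minimal sketch of an audited query gateway for a virtual data room.
    # All names are hypothetical; this is not a description of any real system.

    import datetime

    AUTHORISED_RESEARCHERS = {"r.smith", "j.lee"}   # bound by enforceable T&Cs
    MIN_CELL_SIZE = 10                              # suppress small aggregates
    AUDIT_LOG = []

    def run_query(researcher, sql, execute):
        """Run an aggregate query on behalf of an authorised researcher."""
        if researcher not in AUTHORISED_RESEARCHERS:
            raise PermissionError("not an authorised researcher")

        # Every request is recorded for later audit, successful or not.
        AUDIT_LOG.append({"who": researcher, "what": sql,
                          "when": datetime.datetime.utcnow().isoformat()})

        rows = execute(sql)  # the data room's own query engine

        # Only aggregate cells above a minimum size ever leave the room.
        return [row for row in rows if row.get("count", 0) >= MIN_CELL_SIZE]

The point is not the particular thresholds, but the shift in posture: the data stays inside the room, and the people looking at it are known, accountable and watched.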

There are compromises we all need to make in research on human beings.  Let’s be scientific about science-based policy.  Let’s rigorously test our faith in Open Data, and let’s please stop taking “de-identification” for granted.  It’s really something of a magic spell.

Photograph (c) Shutterstock

Too much cyber, not enough privacy 101


Just as we are preparing for mandatory data breach notification to commence here in Australia, some interesting pieces of news have revealed that perhaps both corporations and government agencies have taken their eye off the ball when it comes to protecting personal information.  A lot of energy and budget is spent on cyber-strategy this and digital-first that and open-data whatever, when perhaps governments and businesses need to get the basics right first.

A NSW auditor-general’s report found that two-thirds of NSW government agencies are failing to properly safeguard their data, by not monitoring the activities or accounts of those with privileged access to data, and one-third are not even limiting access to personal information to only staff with a ‘need to know’.

Leaving aside the question of why the NSW Privacy Commissioner is not resourced adequately to undertake these audits instead of needing the auditor-general to look into data protection, this report highlights a disturbing lack of compliance with the Data Security principle, which is neither new (NSW privacy legislation turns 20 this year) nor rocket science.

Ignoring the privacy risks posed by staff misusing data is naïve; when I think of the more than 300 privacy cases against NSW public sector agencies over the past two decades, I cannot think of one that has involved a complaint arising from a disclosure to hackers, but countless have involved staff misusing the personal information to which they were given access.

But this systemic failure pales in comparison with the more recent revelation that the Department of Prime Minister & Cabinet managed to lose classified Cabinet documents by selling a filing cabinet full of them.  Seriously?  SERIOUSLY??

This is the government which later this year will create a national shared electronic health record for all Australians unless we opt out, and introduce an opt-in national digital ID, and a national face-recognition system … but they can’t manage to secure paper records?

Of course privacy risks don’t only come from rogue employees who misuse data, or from misplaced documents.  Privacy risks can also come from data that has been deliberately released to the public.

Do you remember back to 2016, when the MBS/PBS dataset, containing health information about 10% of the entire Australian population, was released as ‘de-identified’ open data, but it then turned out it wasn’t really de-identified, because the data about health service providers could be decrypted (in other words, doctors were identifiable)?  And do you remember that, nonetheless, the Health Minister said that no patients’ information was at risk?

So, um, apparently that was not true.  It turns out that the researchers from the University of Melbourne who first re-identified doctors were indeed able to also re-identify patients, including MPs and a high-profile footballer.

And just in the past few days, the Strava data debacle has illustrated a number of other problems with open data initiatives.

(If you missed it: Strava is a social network of people who like to not only use devices like Fitbits to track their movements, heart-rate, calories burned etc, but to then share and compare that data with fellow fitness fanatics.  In November 2017 Strava released a data visualisation ‘heat map’ of one billion ‘activities’ by people using its app.  In late January 2018 an Australian university student pointed out on Twitter that the heat map could be used to locate sensitive military sites.  Uh-oh.)

First, the sheer power of geolocation data is incredible.  It can show patterns of behaviour of both individuals and groups, and reveal sensitive locations.  Not understanding the risks involved in your data before releasing it publicly is negligent.

Second, geolocation data can be used to find out more about identifiable or already-known individuals; removing identifiers from the data does not make it anonymous (there is a toy sketch after this list showing why).

Third, privacy harms (including physical harm) can be done to individuals even if they are not personally identifiable.  (I have previously argued that our privacy laws currently fail to recognise this risk, by protecting only what is ‘identifiable’ data.)

Fourth, when individuals comprise a group, say personnel at an army base or worshippers at a mosque or clients of an abortion clinic, the risk posed by or to one becomes a risk for all.

Fifth, when data is combined from different sources, or taken out of context, or when information is inferred about you from your digital exhaust, the privacy issues move well beyond whether or not this particular app, or device, or type of data, poses a risk to the individual.  The risks become almost impossible to foresee, let alone quantify.

Finally, and of importance well beyond geolocation data: the utter failure of the US model of privacy protection, which relies on ‘notice and consent’ instead of broader privacy principles placing limitations on collection, use or disclosure.  Many commentators have been quick to judge the users of the Strava app, saying that military personnel for example should have never allowed themselves to be tracked.  And sure, it is easy to judge.  But first, look at how the app works.  Privacy by Default it ain’t.
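To make the first two points concrete, here is a toy sketch in Python – the coordinates, the trace format and the thresholds are all invented, and this is neither Strava’s data structure nor the analysis anyone performed on the heat map – showing how an ‘anonymous’ activity trace, with every name and user ID stripped out, still points straight at a likely home address.

    # Toy sketch: inferring a likely home location from a de-identified GPS trace.
    # The trace, its format and the coordinates are made up for illustration.

    from collections import Counter

    # One person's activity points: (hour_of_day, latitude, longitude).
    trace = [
        (6,  -33.8915, 151.2767),   # early runs keep starting near one spot...
        (7,  -33.8568, 151.2153),
        (22, -33.8914, 151.2768),   # ...and evening activity keeps ending there
        (6,  -33.8916, 151.2766),
        (23, -33.8915, 151.2767),
    ]

    def likely_home(points, night_hours=range(21, 24)):
        """Return the most visited night-time cell, rounded to roughly 100 m."""
        night = [(round(lat, 3), round(lon, 3))
                 for hour, lat, lon in points
                 if hour in night_hours]
        return Counter(night).most_common(1)[0] if night else None

    print(likely_home(trace))   # the most frequent late-night cell: probably home

Run the same logic over many traces and the repeated cells mark not just homes but barracks, clinics and places of worship, which is why aggregated activity data could outline military sites on the heat map.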

The Future of Privacy Forum’s review found that Strava’s request for access to location data – that little box that pops up on your phone when you first install the app, asking you to ‘Allow’ or ‘Don’t Allow’ – did not mention public sharing.  Instead, it says “Allow Strava to access your location while using the app so you can track your activities” (emphasis added).

A Strava user herself has explained how she discovered that her workout routes were accessible to (and commented on by) strangers, even when she thought she had used the privacy settings in the app to prevent public sharing of her data.  A Princeton professor (who happens to be an expert in re-identification) noted that if he couldn’t understand whether or not Strava’s privacy settings actually worked to obscure the user’s home address, or whether the use of a fake name would be enough to prevent cross-linking with other data, how is a more typical app user supposed to determine where their own level of comfort sits, and how to achieve it?

So before blaming the users, perhaps instead we should be asking why the company did not follow Privacy by Default design rules, why the privacy control settings are so complex, and why the initial permission request to users about their location data was so misleading.

This is not just a problem with Strava.  The 2017 OAIC Community Attitudes Survey found that 32% of people ‘rarely or never’ read privacy policies and notifications before providing personal information.  (And let’s face it: the other 68% of people probably lied.)  Burying detail in complex privacy policies is a lawyer’s art form.  Is it really reasonable to expect consumers to have read and understood them before they click ‘I accept’?

Then there are apps which track your location (or copy your address book, or turn on your microphone) without you being told at all: 16% of Android apps in one survey were found to give no notice about the data they were collecting from users.  Add in the revelation that Google was tracking the location of users of Android phones, even when they switched off all their location settings, and you can see that consumer-blaming is utterly misplaced.

But even if Strava had done a better job of informing its users about how their data would be shared (with the company, with other users, and ultimately with the public), there remains a problem with the ‘notice and consent’ model of privacy protection.  As academic Zeynep Tufekci has noted, ‘informed consent’ is a myth: “Given the complexity (of data privacy risks), companies cannot fully inform us, and thus we cannot fully consent.”

Putting the emphasis for privacy protection onto the consumer is unfair and absurd.  As Tufekci argues in a concise and thoughtful piece for the New York Times:

“Data privacy is not like a consumer good, where you click ‘I accept’ and all is well. Data privacy is more like air quality or safe drinking water, a public good that cannot be effectively regulated by trusting in the wisdom of millions of individual choices. A more collective response is needed.”

The data is de-identified so there is nothing to worry about.

If you don’t like it, opt out.

If you’ve done nothing wrong, you’ve got nothing to hide.

It’s time to put those fallacies to rest.  The US model of ‘notice and consent’ has failed.  Privacy protection should not be up to the actions of the individual citizen or consumer.  It’s the organisations which hold our data – governments and corporations – which must bear responsibility for doing us no harm.

They could start by minimising the collection of personal information, storing data securely, and limiting its use and disclosure to only directly related secondary purposes within the subject’s reasonable expectations.

It’s not sexy start-up-agile-cyber-digital-first whatever, but nor is it rocket science.  It’s common sense and good manners.  It’s Privacy 101.

 

Photograph (c) Anna Johnston
