18 May 2018

Reidentification

Protecting unit-record level personal information: The limitations of de-identification and the implications for the Privacy and Data Protection Act by Vanessa Teague, Chris Culnane and Benjamin Rubinstein for the Office of the Victorian Information Commissioner (OVIC) offers cautions about de-identification in Victoria's public and private sectors.

The report states
De-identification is a subject that has received much attention in recent years from privacy regulators around the globe. Once touted as a silver bullet for protecting the privacy of personal information, the reality is that when it involves the release of data to the public, the process of de-identification is much more complex. 
As improvements in technology increase the type and rate at which data is generated, the possibility of re-identification of publicly released data is greater than ever. Auxiliary information – or secondary information – can be used to connect an individual to seemingly de-identified data, enabling an individual’s identity to be ascertained. Auxiliary information can come from anywhere, including other publicly available sources online. 
In recent examples of successful re-identification that we have seen in Australia, it is clear that those releasing de-identified data did not appreciate the auxiliary information that would be available for re-identification – in that they did not expect re-identification would be possible. Individual data elements may be non-distinct and recognisable in many people, but a combination of them will often be unique, making them attributable to a specific individual. This is why de-identification poses a problem for unit-record level data.
OVIC comments
This report is one of a number of publications on de-identification produced by, or for, the Victorian public sector. Notably, in early 2018 Victoria’s Chief Data Officer issued a de-identification guideline to point to what ‘reasonable steps’ for de-identification looks like in the context of data analytics and information sharing under the Victorian Data Sharing Act 2017 (VDS Act). This paper is not aimed at the work conducted by the Victorian Centre for Data Insights (VCDI), where information sharing occurs within government with appropriate controls, and it is not intended to inhibit that work. Rather, it speaks to the use of de-identification more broadly, in circumstances where so-called ‘de-identified’ data is made freely available through public or other less inhibited release of data sets, which occurs in so-called “open data” programs. This report should be interpreted in that context. ...
This report has been produced to demonstrate the complexities of de-identification and serve as a reminder that even if direct identifiers have been removed from a data set, it may still constitute ‘personal information’. The intention is not to dissuade the use of de-identification techniques to enhance privacy, but to ensure that those relying on and sharing de-identified information to drive policy design and service delivery, understand the challenges involved where the husbandry of that data is not managed. ... Public release of de-identified information may not always be a safe option, depending on the techniques used to treat the data and the auxiliary information that the public may have access to. Wherever unit level data – containing data related to individuals – is used for analysis, OVIC’s view is that this is most appropriately performed in a controlled environment by data scientists. Releasing the data publicly in the hope that ‘de-identification’ provides protection from a privacy breach is, as this paper demonstrates, a risky enterprise.
The authors go on to state
A detailed record about an individual that has been de-identified, but is released publicly, is likely to be reidentifiable, and there is unlikely to be any feasible treatment that retains most of the value of the record for research, and also securely de-identifies it. A person might take reasonable steps to attempt to deidentify such data and be unaware that individuals can still be reasonably identified.
The word ‘de-identify’ is, unfortunately, highly ambiguous. It might mean removing obvious identifiers (which is easy) or it might mean achieving the state in which individuals cannot be ‘reasonably identified’ by an adversary (which is hard). It is very important not to confuse these two definitions. Confusion causes an apparent controversy over whether de-identification “works”, but much of this controversy can be resolved by thinking carefully about what it means to be secure. When many different data points about a particular individual are connected, we recommend focusing instead on restricting access and hence the opportunity for misuse of that data. Secure research environments and traditional access control mechanisms are appropriate.
Aggregated statistics, such as overall totals of certain items (even within certain groups of individuals) could possibly be safely released publicly. Differential privacy offers a rigorous and strong definition of privacy protection, but the strength of the privacy parameters must be traded off against the precision and quantity of the published data.
This paper discusses de-identification of a data set in the context of release to the public, for example via the internet, where it may be combined with other data. That context includes the concept of “open data”, in which governments make data available for any researchers to analyse in the hope they can identify issues or patterns of public benefit.
Therefore, it’s important to emphasise that this document should not be read as a general warning against data sharing within government, or in a controlled research environment where the combination of the data set with other data can be managed. It is not intended to have a chilling effect on sharing of data in those controlled environments.
In reference to statutory responsibilities the report comments
In taking ‘reasonable steps’, a data custodian must have regard to not only the mathematical methods of de-identifying the information, but also “the technical and administrative safeguards and protections implemented in the data analytics environment to protect the privacy of individuals”.
Therefore, there is a possibility that in some circumstances, a dataset in which ‘reasonable steps’ have been taken for de-identification under the VDS Act may not be de-identified according to the PDP Act, because individuals may still be ‘reasonably identified’ if the records are released publicly outside the kinds of research environments described in the VDS Act.
In this report, we describe the main techniques that are used for de-identifying personal information. There are two main ways of protecting the privacy of data intended for sharing or release: removing information, and restricting access. We explain when de-identification does (or does not) work, using datasets from health and transport as examples. We also explain why these techniques might fail when the de-identified data is linked with other data, so as to produce information in which an individual is identifiable.
Does de-identification work? In one sense, the answer is obviously yes: de-identification can protect privacy by deleting all the useful information in a data set. Conversely, it could produce a valuable data set by removing names but leaving in other personal information. The question is whether there is any middle ground; are there techniques for de-identification that “work” because they protect the privacy of unit-record level data while preserving most of its scientific or business value?
Controversy also exists in arguments about the definitions of ‘de-identification’ and ‘work’. De-identification might mean:
• following a process such as removing names, widening the ranges of ages or dates, and removing unusual records; or 
• achieving the state in which individuals cannot be ‘reasonably identified’.
These two meanings should not be confused, though they often are. A well-intentioned official might carefully follow a de-identification process, but some individuals might still be ‘reasonably identifiable’. Compliance with de-identification protocols and guidelines does not necessarily imply proper mathematical protections of privacy. This misunderstanding has potential implications for privacy law, where information that is assumed to be de-identified is treated as non-identifiable information and subsequently shared or released publicly.
De-identification would work if an adversary who was trying to re-identify records could not do so successfully. Success depends on ‘auxiliary information’ – extra information about the person that can be used to identify their record in the dataset. Auxiliary information could include age, place of work, medical history etc. If an adversary trying to re-identify individuals does not know much about them, re-identification is unlikely to succeed. However, if they have a vast dataset (with names) that closely mirrors enough information in the de-identified records, re-identification of unique records will be possible.
4. Can the risk of re-identification be assessed?
For a particular collection of auxiliary information, we can ask a well-defined mathematical question: can someone be identified uniquely based on just that auxiliary information?
There are no probabilities or risks here – we are simply asking what can be inferred from a particular combination of data sets and auxiliary information. This is generally not controversial. The controversy arises from asking what auxiliary information somebody is likely to have.
For example, in the Australian Department of Health's public release of MBS/PBS billing data, those who prepared the dataset carefully removed all demographic data except the patient’s gender and year of birth, therefore ensuring that demographic information was not enough on its own to identify individuals. However, we were able to demonstrate that with an individual's year of birth and some information about the date of a surgery or other medical event, the individual could be re-identified. There was clearly a mismatch between the release authority's assumptions and the reality about what auxiliary information could be available for re-identification.
5. How re-identification works
Re-identification works by identifying a ‘digital fingerprint’ in the data, meaning a combination of features that uniquely identify a person. If two datasets have related records, one person's digital fingerprint should be the same in both. This allows linking of a person's data from the two datasets – if one dataset has names then the other dataset can be re-identified.
Computer scientists have used linkage to re-identify de-identified data from various sources including telephone metadata, social network connections, health data and online ratings, and found high rates of uniqueness in mobility data and credit card transactions. Simply linking with online information can work.
Most published re-identifications are performed by journalists or academics. Is this because they are the only people who are doing re-identification, or because they are the kind of people who tend to publish what they learn? Although by definition we won’t hear about the unpublished re-identifications, there are certainly many organisations with vast stores of auxiliary information. The database of a bank, health insurer or employer could contain significant auxiliary information that could be of great value in re-identifying a health data set, for example, and those organisations would have significant financial incentive to do so. The auxiliary information available to law-abiding researchers today is the absolute minimum that might be available to a determined attacker, now or in the future.
This potential for linkage of one data set with other data sets is why the federal Australian Government's draft bill to criminalise re-identification is likely to be ineffective, and even counterproductive. If re-identification is not possible then it doesn't need to be prohibited; if re-identification is straightforward then governments (and the people whose data was published) need to find out.
The rest of this report examines what de-identification is, whether it works, and what alternative approaches may better protect personal information. After assessing whether de-identification is a myth, we outline constructive directions for where to go from here. Our technical suggestions focus on differential privacy and aggregation. We also discuss access control via secure research environments.
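The report's two technical points, the "well-defined mathematical question" of section 4 (is a record unique given a particular set of auxiliary fields?) and the suggested alternative of releasing differentially private aggregates instead of unit records, can both be made concrete with a small pre-release audit. The following is an added worked example and is not code from the OVIC report or from this post. The records, field names, generalisation rules and the Laplace mechanism are assumptions chosen for illustration; the data set is constructed, not drawn from any real release.

```python
"""Pre-release checks for a unit-record data set.

1. Uniqueness audit: for a chosen set of quasi-identifier fields (the auxiliary
   information an adversary is assumed to hold), how many records are unique?
2. Aggregation with differential privacy: release a noisy count rather than the
   records themselves, with noise calibrated to the privacy parameter epsilon.

Everything here is constructed for illustration (assumption), not real data.
"""
from collections import Counter
import math
import random

# Constructed sample (hypothetical): direct identifiers already removed, leaving
# gender, year of birth and the date of a medical event, as in the MBS/PBS example.
RECORDS = [
    {"id": 1, "gender": "F", "yob": 1975, "event_date": "2016-03-02"},
    {"id": 2, "gender": "F", "yob": 1975, "event_date": "2016-07-19"},
    {"id": 3, "gender": "F", "yob": 1975, "event_date": "2017-01-05"},
    {"id": 4, "gender": "M", "yob": 1975, "event_date": "2016-03-02"},
    {"id": 5, "gender": "M", "yob": 1982, "event_date": "2016-11-23"},
    {"id": 6, "gender": "M", "yob": 1982, "event_date": "2017-05-30"},
    {"id": 7, "gender": "F", "yob": 1982, "event_date": "2017-05-30"},
    {"id": 8, "gender": "M", "yob": 1990, "event_date": "2016-02-14"},
    {"id": 9, "gender": "F", "yob": 1990, "event_date": "2016-09-09"},
    {"id": 10, "gender": "M", "yob": 1990, "event_date": "2017-12-01"},
]

DEMOGRAPHICS = ("gender", "yob")
DEMOGRAPHICS_PLUS_EVENT = ("gender", "yob", "event_date")


def fingerprint(record, fields):
    """The combination of field values that acts as a record's 'digital fingerprint'."""
    return tuple(record[f] for f in fields)


def equivalence_classes(records, fields):
    """How many records share each fingerprint (the 'k' of k-anonymity)."""
    return Counter(fingerprint(r, fields) for r in records)


def unique_record_ids(records, fields):
    """Records whose fingerprint occurs once: anyone holding these fields can single them out."""
    classes = equivalence_classes(records, fields)
    return [r["id"] for r in records if classes[fingerprint(r, fields)] == 1]


def uniqueness_rate(records, fields):
    """Fraction of records that are unique on the given fields."""
    return len(unique_record_ids(records, fields)) / len(records)


def smallest_class(records, fields):
    """Minimum k over the data set; a release is k-anonymous only for this k."""
    return min(equivalence_classes(records, fields).values())


def generalise(record):
    """Widen year of birth to a decade band and the event date to a year (assumed treatment)."""
    out = dict(record)
    out["yob"] = f"{record['yob'] // 10 * 10}s"
    out["event_date"] = record["event_date"][:4]
    return out


def laplace_from_uniform(u, scale):
    """Inverse-CDF sample of Laplace(0, scale) from a uniform u in (0, 1)."""
    u = min(max(u, 1e-12), 1.0 - 1e-12)  # keep the log argument strictly positive
    v = u - 0.5
    return -scale * math.copysign(1.0, v) * math.log(1.0 - 2.0 * abs(v))


def noise_scale(epsilon, sensitivity=1.0):
    """Laplace scale for a query whose answer changes by at most `sensitivity` per record."""
    return sensitivity / epsilon


def dp_count(records, predicate, epsilon, seed=0):
    """Count matching records and add Laplace noise; a count has sensitivity 1."""
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_from_uniform(rng.random(), noise_scale(epsilon))


if __name__ == "__main__":
    for fields in (DEMOGRAPHICS, DEMOGRAPHICS_PLUS_EVENT):
        print(fields, "unique:", uniqueness_rate(RECORDS, fields), "min k:", smallest_class(RECORDS, fields))
    generalised = [generalise(r) for r in RECORDS]
    print("after generalisation, unique:", uniqueness_rate(generalised, DEMOGRAPHICS_PLUS_EVENT))
    women_1975 = lambda r: r["gender"] == "F" and r["yob"] == 1975
    for eps in (0.1, 1.0, 10.0):
        print(f"epsilon={eps}: noisy count {dp_count(RECORDS, women_1975, eps):.2f}, scale {noise_scale(eps)}")
```

On the constructed records, gender and year of birth alone already single out three of the ten people, adding the event date singles out all ten, and widening year of birth to a decade and the event date to a year still leaves eight of ten unique, which is the point the report makes about treatments that retain research value. The noisy count shows the other trade-off: the Laplace scale is 1/epsilon, so a stronger privacy parameter (smaller epsilon) means a less precise published figure.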

15 May 2018

Should Robots Have Privacy?

'Schrödinger's Robot: Privacy in Uncertain States' by Ian E Kerr in (2019) 20 Theoretical Inquiries in Law asks
Can robots or AIs operating independent of human intervention or oversight diminish our privacy? There are two equal and opposite reactions to this issue. On the robot side, machines are starting to outperform human experts in an increasing array of narrow tasks, including driving, surgery, and medical diagnostics. This is fueling a growing optimism that robots and AIs will exceed humans more generally and spectacularly; some think, to the point where we will have to consider their moral and legal status. On the privacy side, one sees the very opposite: robots and AIs are, in a legal sense, nothing. Judge Posner, for example, has famously opined that they do not invade privacy because they are not sentient beings. Indeed, the received view is that since robots and AIs are neither sentient nor capable of human-level cognition, they are of no consequence to privacy law. 
This article argues that robots and AI operating independently of human intervention can and, in some cases, already do diminish our privacy. Rejecting the all-or-nothing account of robots and privacy described above, I seek to identify the conditions that give rise to diminished privacy in order to see whether robots and AI can meet those conditions. To do so, I borrow from epistemic privacy — a theory that understands a subject’s state of privacy as a function of another’s state of cognizance regarding the subject’s personal facts. Epistemic privacy offers a useful analytic framework for understanding the kind of cognizance that gives rise to diminished privacy. 
I demonstrate that current robots and AIs are capable of developing truth-promoting beliefs and observational knowledge about people without any human intervention, oversight, knowledge, or awareness. Because machines can actuate on the basis of the beliefs they form in ways that affect people’s life chances and opportunities, I argue that they demonstrate the kind of cognizance that definitively implicates privacy. Consequently, I conclude that legal theory and doctrine will have to expand their understanding of privacy relationships to include robots and AIs that meet these epistemic conditions. An increasing number of machines possess epistemic qualities that force us to rethink our understanding of privacy relationships with robots and AIs.

Searches

The Age reports that Australian Federal Police 'will be given sweeping new powers to demand identification from travellers under new laws to boost counter-terrorism efforts at Australia's airports' on the basis of what Prime Minister Turnbull characterises as 'dangerous times'.

Under the measure announced in the 2018 Budget, the AFP will be able to ask anyone at an airport for ID and eject them from the airport. Under existing laws, police can only demand ID if they have reasonable grounds to suspect someone is involved in criminal activity.

Home Affairs Minister Peter Dutton commented 
There's certain conditions that need to be met at the moment before police can ask for that identification. Which is an absurdity and it’s an issue that the police have raised with us. So we're addressing an anomaly and a deficiency in the law at the moment. 
The new rules will not require domestic travellers to carry ID.

We can presumably expect calls for similar checking by state/territory police at other transport nodes, such as major rail stations, and public/private entertainment or retail facilities.

14 May 2018

Information Economics

'Information Wants to Be Expensive, Not Free! And this is Bad for Justice, Democracy, the Economy' by Dieter Zinnbauer (Transparency International) comments
This essay is rather speculative. I argue that there is a very much overlooked characteristic of information goods, particularly digital information goods – that leads to a substantive, yet rarely discussed market failure with far-reaching consequences for important classes of information related to our education and research system, the judiciary, markets and democracy at large. 
This overlooked feature is the positionality of many information goods. Positionality means that the utility of a specific information item for user x depends on the level of consumption of the same item by other users. Specific types of information are more valuable (or at times only valuable), when they are very exclusively available only to a small band of users. Or more intuitively, the fewer other people have a specific piece of information at a given point in time, the more valuable it may be to me.
Surprisingly, this simple characteristic is rarely discussed in the information literature or perhaps seems just too obvious to merit deeper analysis. Yet, as I will try to show, the positionality of information has far-reaching implications for the functioning of information markets and for the actual incentive systems of different players that all too often seem to be mis-construed as overly pro-social. And putting a focus on positionality also highlights the relevance and urgency for revisiting related regulatory policies, in order to ponder possible corrective interventions to tackle the ensuing informational imbalances and exclusive practices that positionality-oriented pricing structures for such information will generate.
The argument is developed as follows: The introductory chapter presents a number of quotes that are indicative of different perspectives on information dynamics and lays out the rationale for this essay. Chapter 2 briefly discusses the conventional view and analysis of market failures in information that serve as backdrop against which the argument developed here is set. Chapter 3 introduces the concept of positionality and argues for its applicability to many information markets. Chapter 4 traces the implications of informational positionality that primarily works through pricing for exclusivity across key societal institutions: research and education; the judicial system, markets and investment and finally politics and democratic decision-making.
The concept of information as positional goods offers a fresh perspective with regard to market failures and informational problems in all these areas. In addition, such a prism suggests to revisit the incentives involved and thus the overall political economy dynamics of how different stakeholders define and act upon their interests in these situations. As it turns out, commitment to openness and fair and inclusive information access may run less deep than is usually assumed. The analysis also suggests that many open government initiatives have only a limited remedial effect on these market failures. Chapter 5 develops a set of speculative conjectures about how information positionality might shape information markets in the near future – or may have already begun to do without much public notice. Finally, chapter 6 flags some ideas for possible entry points for remedies and regulatory approaches. As mentioned at the outset the line of reasoning is rather exploratory and seeks to flag specific issues and ideas for discussion and further investigation rather than exploring them in detail.

Cashless Economy

Goodbye privacy? Matthew Lesh of the IPA in today's The Age - 'Measures to tackle black economy are suspiciously totalitarian' - comments
The Turnbull government’s proposed ban on cash payments above $10,000 is a disturbing breach of our right to privacy, an attack on the basic liberty of free exchange, and will worsen Australia’s red tape crisis. ... In practice, the ban will be ineffective and unenforceable. A transaction limit will not make criminals suddenly law-abiding citizens – they will flout the rules by using multiple smaller transactions and illegal bank accounts with stolen identities. 
The ban will, however, prevent the many genuine uses of cash, including keeping transactions private from prying eyes, avoiding credit card transaction fees, and the preference for physical cash over non-material digital currency. 
In 1984, George Orwell explored how Big Brother uses surveillance to control citizens. "Always the eyes watching you and the voice enveloping you. Asleep or awake, working or eating, indoors or out of doors, in the bath or in bed – no escape," Orwell wrote. 
The intention of the cash ban is to create an accessible digital record of transactions that government can monitor. This establishes a creepy precedent, foreshadowing a future in which you are only allowed to make purchases that Big Brother can watch. If the government should be able to track our transactions why stop at $10,000? Why not $5000? Why not, as some commentators have proposed, $0? 
In the long-run, a cashless society would immensely empower the state, which could use our spending habits to reward and punish certain behaviour, or introduce taxes on savings. Imagine a future in which because you spend "too much" on unhealthy food, the government charges you higher taxes; or because you don't have a gym membership you have to pay a higher Medicare surcharge. 
Cash is not only an important protection from state power, it also provides privacy from partners and families, and financial institutions and businesses.
The Treasurer's Budget Speech referred to measures that
include outlawing large cash payments of greater than $10,000 in the Australian economy. 
This will be bad news for criminal gangs, terrorists and those who are just trying to cheat on their tax or get a discount for letting someone else cheat on their tax. 
It's not clever. It's not OK. It's a crime.
More detail is provided in the statement that
The Government will combat the harm the black economy is doing to honest individuals, businesses and the Australian community. The black economy is a complex, costly and growing economic and social problem covering a range of issues which detract from the integrity of Australia’s tax system. 
In response to the Black Economy Taskforce Final Report, the Government is announcing a comprehensive approach to stamping out the black economy, levelling the playing field for all businesses, and changing perceptions that black economy behaviour is acceptable. 
New measures include
  • increasing the ability of enforcement agencies to detect and disrupt black economy participants. 
  • removing the unfair advantage black economy participation gives businesses by removing deductions for non‑compliant payments and changing the Government’s procurement procedures to incentivise tax compliance in supply chains. 
  • consulting on reforms to the Australian Business Number (ABN) system to improve the confidence the community has in identifying who they are dealing with, including development of rigorous new identification systems for company directors (DINs). 
  • introducing an economy‑wide cash payment limit for large cash transactions of $10,000 to reduce the ability of black economy operators to use cash to avoid their tax and reporting obligations and launder the proceeds of crime.  
  • providing additional funding to the Tax Practitioners Board to take action against tax agents that facilitate activity in the black economy. 
  • expanding the taxable payments reporting system to contractors in industries with higher identified risks of not reporting their income.
The Government is also creating an Illicit Tobacco Taskforce which will investigate, prosecute and dismantle organised crime groups operating in illicit tobacco. The taxing point of tobacco will also be moved to when it enters Australia to help starve the illegal tobacco market.

Nonhuman Animals

'Exonerating the Innocent: Habeas for Nonhuman Animals - Wrongful Convictions and the DNA Revolution: Twenty-Five Years of Freeing the Innocent' (University of Denver Legal Studies Research Paper No. 18-16) by Justin F. Marceau and Steve Wise comments
It is hard to conceive of a greater blemish on our justice system than the punishment of innocent persons. The idea of imprisoning or executing an innocent person almost defies the human capacity for empathy; it is nearly impossible to imagine oneself in such circumstances. Advances in science and the work of non-profits like the Innocence Project have made the exoneration of more than 300 people possible. And while the struggle to liberate unjustly incarcerated persons must continue, and should be accelerated, the cruelty of punishing innocents is not limited to the incarceration of human animals. It is time to consider the need to liberate at least some nonhuman animals from the most horrible confinement. These nonhuman animals are unquestionably innocent, their conditions of confinement, at least in some cases, are uniquely depraved; and their cognitive functioning, much less their ability to suffer, rivals that of humans. It is time to seriously consider habeas type remedies for nonhuman beings. 
We are cognizant that the call for nonhuman habeas may cause some to construe this project as one that dishonors or diminishes the efforts that have led to exonerations and the work that remains to be done in the context of human innocence. Nothing could be further from our purpose. One of us has been involved in death penalty defense and litigating claims of wrongful incarceration since graduating from law school, and the commitment to those issues remains unflappable. Indeed, we hope the salience of the cause of liberating humans will be reinforced by our efforts to cross the species barrier. It does no disservice to the cause of innocent humans to suggest that we pay closer attention to the suffering of nonhuman animals. Just as we look back in disgust at our forefathers who were less careful in their protection of human innocents, we predict that our grandchildren will judge us for the way we collectively treat nonhuman animals.
This Chapter proceeds in three parts. First, it analyzes the question of whether exoneration or innocence in the context of nonhuman confinements is illogical. Second, assuming it is a proper question at all, it examines why we would consider exonerating nonhuman animals, that is to say, what are the scientific and social reasons for contemplating relief for humans? Finally, the Chapter considers the practical viability of nonhuman habeas at least for a limited class of nonhuman animals subject to particularly harsh conditions. In so doing, the Chapter discusses the cutting-edge cases filed in recent years by the Nonhuman Rights Project (“NhRP”) seeking habeas review for chimpanzees.
'Meaning in the lives of humans and other animals' by Duncan Purves and Nicolas Delon in (2018) 175(2) Philosophical Studies 317–338 argues that
contemporary philosophical literature on meaning in life has important implications for the debate about our obligations to non-human animals. If animal lives can be meaningful, then practices including factory farming and animal research might be morally worse than ethicists have thought. We argue for two theses about meaning in life: (1) that the best account of meaningful lives must take intentional action to be necessary for meaning—an individual’s life has meaning if and only if the individual acts intentionally in ways that contribute to finally valuable states of affairs; and (2) that this first thesis does not entail that only human lives are meaningful. Because non-human animals can be intentional agents of a certain sort, our account yields the verdict that many animals’ lives can be meaningful. We conclude by considering the moral implications of these theses for common practices involving animals.
The authors ask
Can animals have meaningful lives? This question has been largely omitted from discussions of meaning in contemporary analytic philosophy. It has also been largely ignored by the animal ethics literature. Perhaps the omission is a result of philosophers thinking that the question is misplaced or that it involves a category mistake. Yet, we will argue, the omission is important, because assessing the possibility of meaning in animal life is vital for understanding the full scope and content of our ethical obligations to animals. If meaning is a constituent of a good life, and some of our practices deprive animals’ lives of meaning, then this may be an overlooked way in which our practices harm them. 
In this paper we argue for two theses about the meaningfulness of animal life: (1) that the best account of meaningful lives requires acting intentionally in ways that contribute to final value; and (2) that this does not entail that the lives of animals are necessarily meaningless. A life can count as ‘meaningless’ either because it possesses zero meaning or because attributing meaning to a life of that sort would be a category mistake. To illustrate the difference, the number 2 is heatless, not because it is cold, but because it is not the sort of thing to which the concept HEAT applies. Analogously, a virus’s life is meaningless, not because it possesses zero meaning, but because the concept MEANING simply doesn’t apply. Our second thesis can be understood as a rejection of the claim that the lives of animals are meaningless in either of these senses. To the contrary, to the extent that animals can be intentional agents, our account of meaning yields nuanced verdicts concerning which animal lives are meaningful. It also accounts for the intuitively right range of cases involving humans. Section 2 discusses some prominent theories of meaning in the recent philosophical literature and their associated problems. In Sect. 2 we also propose and defend our intentional theory of meaning. In Sect. 3 we consider the implications of this theory for the possibility of meaning in the lives of animals. In Sect. 4 we discuss the ethical importance of the possibility of meaning in animal life.
In the US the Ninth Circuit in Naruto, a Crested Macaque, by and through his Next Friends, People for the Ethical Treatment of Animals, Inc., v. David John Slater; Blurb, Inc., a Delaware corporation; Wildlife Personalities, Ltd., a United Kingdom private limited company (No. 16-15469, D.C. No. 3:15-cv-04324-WHO) has affirmed the dismissal by the US Northern District of California court in the 'Monkey Selfie Case'.

The Court media statement indicates
the panel held that the animal had constitutional standing but lacked statutory standing to claim copyright infringement of photographs known as the “Monkey Selfies.” The panel held that the complaint included facts sufficient to establish Article III standing because it alleged that the monkey was the author and owner of the photographs and had suffered concrete and particularized economic harms. The panel concluded that the monkey’s Article III standing was not dependent on the sufficiency of People for the Ethical Treatment of Animals, Inc., as a guardian or “next friend.” 
The panel held that the monkey lacked statutory standing because the Copyright Act does not expressly authorize animals to file copyright infringement suits. The panel granted appellees’ request for an award of attorneys’ fees on appeal. 
Concurring in part, Judge N.R. Smith wrote that the appeal should be dismissed and the district court’s judgment on the merits should be vacated because the federal courts lacked jurisdiction to hear the case. Disagreeing with the majority’s conclusion that next-friend standing is nonjurisdictional, Judge Smith wrote that PETA’s failure to meet the requirements for next-friend standing removed jurisdiction of the court.

AGSVA

The Australian National Audit Office (ANAO) report Mitigating Insider Threats through Personnel Security, consistent with past ANAO and Parliamentary Committee reports, identifies concerns regarding the national security vetting regime.

The audit's objective was to assess 'the effectiveness of the Australian Government’s personnel security arrangements for mitigating insider threats'.

ANAO states
The Protective Security Policy Framework (PSPF) outlines a suite of requirements and recommendations to assist Australian Government entities to protect their people, information and assets. Personnel security, a component of the PSPF, aims to provide a level of assurance as to the eligibility and suitability of individuals accessing government resources, through measures such as conducting employment screening and security vetting, managing the ongoing suitability of personnel and taking appropriate actions when personnel leave. In 2014, the Attorney-General announced reforms to the PSPF to mitigate insider threats by requiring more active management of personnel risks and greater information sharing between entities. At the time of the audit, further PSPF reforms were being considered by the Government. 
The Australian Government Security Vetting Agency (AGSVA) was established within the Department of Defence (Defence) from October 2010 to centrally administer security vetting on behalf of most government entities (with the exception of five exempt intelligence and law enforcement entities). Centralised vetting was expected to result in: a single security clearance for each employee or contractor, recognised across government entities; a more efficient and cost-effective vetting service; and cost savings of $5.3 million per year. ANAO Audit Report No.45 of 2014–15 Central Administration of Security Vetting concluded that the performance of centralised vetting had been mixed and expectations of improved efficiency and cost-effectiveness had not been realised. ... 
The effectiveness of the Australian Government’s personnel security arrangements for mitigating insider threats is reduced by: AGSVA not implementing the Government’s policy direction to share information with client entities on identified personnel security risks; and all audited entities, including AGSVA, not complying with certain mandatory PSPF controls. 
AGSVA’s security vetting services do not effectively mitigate the Government’s exposure to insider threats. AGSVA collects and analyses information regarding personnel security risks, but does not communicate risk information to entities outside the Department of Defence or use clearance maintenance requirements to minimise risk. Since the previous ANAO audit, AGSVA’s average timeframe for completing Positive Vetting (PV) clearances has increased significantly. AGSVA has a program in place to remediate its PV timeframes, and it has established a comprehensive internal quality framework. AGSVA plans to realise many process improvements through procuring a new information and communications technology (ICT) system, which is expected to be fully operational in 2023. 
Selected entities’ compliance with PSPF personnel security requirements was mixed. While most entities had policies and procedures in place for personnel security, some entities were only partially compliant with the PSPF requirements to ensure personnel have appropriate clearances. None of the entities had fully implemented the PSPF requirements introduced in 2014 relating to managing ongoing suitability. In addition, entities did not always notify AGSVA when clearance holders leave the entity.
It goes on to note that
AGSVA’s clearances do not provide sufficient assurance to entities about personnel security risks. A significant proportion of vetting assessments in 2015–16 and 2016–17 resulted in potential security concerns being identified, but the majority (99.88 per cent) of vetting decisions were to grant a clearance without additional risk mitigation. On rare occasions AGSVA minimised risk by denying the requested clearance level and granting a lower level, or avoided risk by denying a clearance. In some cases identified concerns, which were accepted by AGSVA on behalf of sponsoring entities, should have been communicated to entities or managed through clearance maintenance requirements. 
AGSVA does not provide information about identified security concerns to sponsoring entities outside Defence due to a concern that disclosure would breach the Privacy Act 1988. The PSPF was revised in 2014 to require AGSVA to update its informed consent form to allow such disclosure to occur. Defence and AGD gave a commitment to Government in October 2016 that AGSVA would start sharing risk information in 2017–18. AGSVA updated its consent form in February 2017, but its revised form does not explicitly obtain informed consent to share information with entities. Consequently, AGSVA has not met the intent of the Government’s 2014 policy reform. 
AGSVA’s information systems do not meet its business needs, which has resulted in inefficient processes and data quality and integrity issues. Defence is in the scoping and approval stages of a project to develop a replacement ICT system, which is expected to be fully operational in 2023. The audit included additional work on information security, which is the subject of a report prepared under section 37(5) of the Auditor-General Act 1997.

13 May 2018

Australian Data Breach Regime and Equifax

The incisive 'The introduction of data breach notification legislation in Australia: A comparative view' by Angela Daly in (2018) 34(3) Computer Law and Security Review states
This article argues that Australia's recently-passed data breach notification legislation, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), and its coming into force in 2018, makes an internationally important, yet imperfect, contribution to data breach notification law. Against the backdrop of data breach legislation in the United States and European Union, a comparative analysis is undertaken between these jurisdictions and the Australian scheme to elucidate this argument. Firstly, some context to data breach notification provisions is offered, which are designed to address some of the problems data breaches cause for data privacy and information security. There have been various prominent data breaches affecting Australians over the last few years, which have led to discussion of what can be done to deal with their negative effects. The international context of data breach notification legislation will be discussed, with a focus on the United States and European Union jurisdictions, which have already adopted similar laws. The background to the adoption of the Australian legislation will be examined, including the general context of data privacy and security protection in Australia. The reform itself will then be considered, along with the extent to which this law is fit for purpose and some outstanding concerns about its application. While data breach notification requirements are likely to be a positive step for data security, further reform is probably necessary to ensure strong cybersecurity. However, such reform should be cognisant of the international trends towards the adoption of data security measures including data breach notification, but lack of alignment in standards, which may be burdensome for entities operating in the transnational data economy.
A perspective is provided in Breach of Trust: CFPB’s Complaint Database Shows Consumers Need Help After Equifax Breach from US Senators Elizabeth Warren, Brian Schatz and Robert Menendez regarding the September 2017 data breach at the global giant whose Australian arm absorbed the controversial Veda credit referencing business.

The report states
On September 7th, 2017, Equifax announced that it had allowed hackers to access the sensitive information of more than 143 million Americans in one of the largest security breaches of consumer data in history. In the wake of that breach, Equifax promised to make things right. Almost immediately, consumers used the Consumer Financial Protection Bureau’s (CFPB) consumer complaint hotline to register problems and concerns with the breach and Equifax’s response to it. This analysis contains the first comprehensive review of consumer complaints in the wake of the Equifax breach. It finds that, in the six months following the breach’s announcement, the CFPB received more than 20,000 complaints from consumers about the impact of the breach, problems with the Equifax response, or other issues with the company – nearly double the amount of complaints received regarding Equifax in the six months prior to the announcement. 
The number and nature of these complaints is particularly important because of public reports that cast doubt upon the CFPB’s investigation of Equifax and the agency’s commitment to assist consumers and address the fallout of the breach. In early February, reports indicated that the CFPB, under the new leadership of Office of Management and Budget (OMB) Director Mick Mulvaney, had declined to collaborate with other regulators in investigating Equifax and may have abandoned its own investigation. While the CFPB has confirmed that an inquiry is still open, reports suggest that the agency has slowed down or stalled the investigation into the Equifax breach and its impact on consumers. 
This report concludes that, based on the thousands of complaints received by the agency, the CFPB should act quickly and aggressively to hold Equifax accountable. Specific findings include:
• In six months between September 7, 2017, when Equifax announced the breach of sensitive consumer information, and March 7, 2018, consumers have filed more than 20,000 complaints regarding Equifax 
• The CFPB received more than 7,000 complaints of improper use of a credit report after the breach, the risks of which jumped after Equifax exposed credit card numbers, birth dates, social security numbers, and other personal information belonging to millions of Americans 
• The CFPB received more than 7,000 complaints of incorrect information on a credit report, a problem made significantly more prevalent by the increased risk of identity theft in the aftermath of the Equifax breach 
• The CFPB received more than 3,000 complaints about Equifax’s inadequate assistance in resolving problems after the breach, highlighting Equifax’s inability or unwillingness to assist consumers with their concerns 
• The CFPB received more than 1,500 complaints regarding Equifax’s credit monitoring services, fraud alerts, security freezes, and other identity theft protection products, demonstrating the company’s inadequate consumer support services in the wake of the breach
Consumers are facing myriad problems even six months after the breach, and continue to seek assistance from the CFPB. Specific complaints reported by consumers included:
• A consumer who had their “opportunity for employment...denied because of [their] Equifax credit report,” and despite apparently proving that fraud had led to the false accounts being placed on their file, was unable to get help after Equifax “re inserted” both accounts onto their report. 
• A consumer who, in the wake of the breach “was redirected to call 6 different phone numbers,” and when they were unable to get additional assistance from Equifax, their finances were “frozen for over a month,” causing them “extreme hardship.” 
• Consumers who were materially injured by Equifax’s negligent cybersecurity and reckless response to the breach. One consumer faced problems with their Equifax credit report that were “damaging [their] credit rating” when they were “in the process of buying a house.” 
• Another consumer who, after learning that their “information was part of the Equifax breach,” was unable to get Equifax to remove fraudulent accounts and inquiries from their report despite trying “multiple times,” even filing a police report over the false accounts listed on their report. 
• Another consumer who complained that Equifax had not contacted them to provide assistance with similar problems, specifically adding that “I have been a victim of identity theft and I have suffered from the credit breach.” 
Equifax continued to keep important information from the public, leaving consumers to fend for themselves. This report provides strong evidence that the CFPB must hold the company accountable and act decisively to protect the millions of consumers harmed by this breach. 
Introduction 
On September 7, 2017, Equifax announced that it had allowed hackers to access the sensitive information of more than 143 million Americans in one of the largest security breaches of consumer data in history. After failing to adopt strict cybersecurity measures to protect valuable consumer data, Equifax then mishandled the aftermath of the breach, failing to properly assist consumers, and in some cases, making the situation even worse. The company waited 40 days to alert consumers and regulators; initially asked that consumers waive their rights to file lawsuits just to receive free credit monitoring services; increased their profits through their partnership with LifeLock because of the ensuing rush for credit protection; and set up frustrating and ineffective call centers and other consumer support measures. 
Five months after the breach, reports indicated that Equifax was continuing to withhold information from the public about the extent of the breach. We still do not fully understand the scope of the harm to consumers or what measures Equifax is taking to avoid such catastrophic failures of cybersecurity and consumer support in the future. 
The Consumer Financial Protection Bureau was established by the Dodd-Frank Wall Street Reform and Consumer Protection Act in order to enforce federal consumer protection laws. The CFPB is responsible for protecting consumers from “unfair, deceptive, or abusive acts and practices.” The CFPB also has clear supervisory authority over large consumer reporting agencies, including Equifax. 
In his response to Senator Warren’s September 2017 letter to the CFPB, former Director Richard Cordray outlined the bureau’s authority over Equifax and efforts to investigate the breach and assist consumers. He described the CFPB’s “authority...to review the data security practices of financial institutions... to determine whether such practices violate Federal consumer financial laws...which include prohibitions on unfair, deceptive, or abusive acts and practices.” He added that the CFPB “is the only Federal agency that has any supervisory authority over the larger consumer reporting companies.” 
Director Cordray also noted that the “recent breach at Equifax poses an enormous threat to consumers,” and given that risk, informed Senator Warren that the bureau was “currently looking into the data breach and Equifax’s response.” More specifically, he claimed that the bureau was “working with our Federal and state partners to respond to the problems at Equifax,” including through efforts with other banking regulatory agencies. Director Cordray committed that the CFPB would “continue to examine and investigate consumer reporting companies,” adding that “a breach of this magnitude calls for a coordinated response.” 
Despite the severe threat to consumers and the authority and responsibility of the CFPB to investigate and respond to such threats, recent reports indicate that under the control of Office of Management and Budget Director Mick Mulvaney, the agency may have slowed down or stalled its investigation into the Equifax breach. The investigation has reportedly “sputtered since” Mr. Mulvaney took over at the CFPB, because he has “not ordered subpoenas against Equifax or sought sworn testimony from executives,” both of which are “routine steps when launching a full-scale probe.” Furthermore, reports suggest that the CFPB “rebuffed bank regulators...when they offered to help with on-site exams of credit bureaus,” despite former Director Cordray making it clear that this cooperation was both necessary and welcome. 
In response to our inquiry, Mr. Mulvaney stated that “it is a matter of public record that the Bureau is looking into Equifax’s data breach and response,” and that any claims that there is no such investigation “are incorrect.” But Mr. Mulvaney did not specify whether the reporting about the sluggishness of his investigation is correct. Mr. Mulvaney also did not comment on whether the CFPB had stopped examining credit bureaus, or whether it had rejected offers of assistance from other bank regulators. 
Mr. Mulvaney has stated that the bureau “will be focusing on quantifiable and unavoidable harm to the consumer,” and that “quantitative analysis” would drive the work, stating, “there’s a lot more math in our future.” Mr. Mulvaney also told his employees that “we will be prioritizing[,]” – and specifically cited – the number of complaints received on certain issues as a factor that would determine investigative priorities. The CFPB’s consumer complaint database collects complaints from consumers around the country on a variety of issues, offering a quantitative look at the problems plaguing consumers. As Mr. Mulvaney noted, the database should serve as a guide for the bureau. 
This report does the math. It analyzes data and individual complaints from the CFPB’s consumer complaint database in order to determine the extent of the impact of the Equifax breach on consumers, the effectiveness of the CFPB response, and whether this data justified a CFPB investigation. Staff reviewed complaints that mention “Equifax” between September 7, 2017, the day the breach was announced, and March 7, 2018. Staff also read through individual complaints to understand the issues facing consumers. 
Findings 
The results of this staff review of CFPB complaints about Equifax reveal that consumers filed 21,921 complaints in the six months after Equifax announced the massive breach of consumer data – nearly double the amount of complaints related to Equifax in the six months preceding the announcement – and more complaints arrive every day. And while complaints regarding Equifax nearly doubled, consumer complaints filed regarding the company’s competitors, TransUnion and Experian, remained roughly the same or increased only slightly during the same period. 
From September 7, 2017 through March 7, 2018 – the six months after Equifax announced the breach – consumers filed 21,921 complaints regarding Equifax. In the six months prior to the announcement, consumers filed only 11,973 complaints.

ASIO Questioning and Detention Powers

The report by the Parliamentary Joint Committee on Intelligence and Security on its review of the operation, effectiveness and implications of Division 3 of Part III (the questioning and detention powers) of the Australian Security Intelligence Organisation Act 1979 (Cth) considers
whether there is a need for an ASIO questioning power in the current security context, and the interaction of ASIO’s questioning and detention powers with other counter-terrorism powers that have more recently been introduced.
Those powers were discussed in ‘The Extraordinary Questioning and Detention Powers of the Australian Security Intelligence Organisation’ by Lisa Burton, Nicola McGarrity and George Williams in (2012) 36(2) Melbourne University Law Review noted here

The report explains
Division 3 of Part III of the Act allows ASIO, upon obtaining a warrant, to question a person under compulsion in order to obtain intelligence that is important in relation to a terrorism offence. With the Attorney-General’s consent, ASIO may request either a questioning warrant (QW) or a questioning and detention warrant (QDW) from an issuing authority (a judge acting in a personal capacity). Both warrant types require the person to appear before a prescribed authority for questioning in relation to the relevant terrorism offence/s. Under a QDW police officers take the person into custody and detain that person; under a QW the person is not initially apprehended or detained, instead appearing for questioning at a specified time. QDWs may be obtained where there are reasonable grounds for believing that, if the person is not immediately detained, the person may alert someone involved in a terrorism offence, may not appear for questioning, or may destroy or damage relevant records or things; and that relying on other methods of collecting that intelligence would be ineffective. 
The prescribed authority controls the questioning and detention process and may make a range of directions, including to detain the person or defer (or extend) questioning. Questioning may occur for up to eight hours, but this can be extended on request up to a maximum of 24 hours (or 48 hours if using an interpreter). Under a QDW, the person is detained until either the questioning has ceased, the above maximum questioning period is reached, or 168 hours (7 days) has passed from the time the person was brought before the prescribed authority, whichever is the earliest. 
During questioning, the person must provide any information, records or things requested. There is no privilege against self-incrimination—the person must answer the questions or produce the requested things even though it may incriminate them; however, any information provided cannot be used against the person in a criminal proceeding.
The report notes
A range of safeguards apply. The Inspector-General of Intelligence and Security (IGIS) must be provided with a copy of any warrant requests, issued warrants, recordings made of questioning, and details of actions undertaken pursuant to a warrant. The IGIS may be present when a person is taken into custody under a QDW and during questioning under either warrant type. The IGIS may raise concerns about any impropriety or illegality under the warrant and the prescribed authority must consider those concerns and may suspend questioning and other processes until the concerns are addressed. If the person wishes to make a complaint to the IGIS or the Ombudsman, then the person must be given facilities to enable them to make the complaint. 
The person may contact a lawyer. However, the person may be prevented from contacting a particular lawyer if the person is in detention and the prescribed authority is satisfied, on the basis of circumstances relating to that lawyer, that contacting that lawyer would mean:
a. a person involved in a terrorism offence may be alerted that the offence is being investigated; or 
b. a record or thing that the person may be requested to produce in accordance with the warrant may be destroyed, damaged or altered. 
A person’s contact with their lawyer can be monitored by ASIO. Reasonable opportunities must be provided for the lawyer to advise the person, and the lawyer may request permission to address the prescribed authority during breaks in questioning. The lawyer may not, however, intervene in the questioning or address the prescribed authority during questioning, except to clarify an ambiguous question. If the lawyer fails to comply with these restrictions, and is considered by the prescribed authority to be unduly disruptive of the questioning, the lawyer may be removed. If removed, the prescribed authority must permit the person to contact another lawyer. 
A range of criminal offences apply for non-compliance with the warrant, including for when the person fails to appear for questioning, makes a false statement, or fails to answer a question. Persons who commit these offences face a five year term of imprisonment. 
Secrecy offences also apply. During the life of a warrant, the person and their lawyer must not, on a strict liability basis, disclose the existence of the warrant, the fact of the questioning or detention or any operational information. In the two years following the expiry of the warrant, the person and lawyer also must not, on a strict liability basis, disclose any operational information obtained as a result of the questioning. The penalty for either offence is five years imprisonment.
The Committee makes four recommendations:
R1 that the Australian Security Intelligence Organisation retains a compulsory questioning power under the Act. 
R2 that ASIO’s current detention powers, as set out in Division 3 of Part III of the Act, be repealed. 
R3 that the Government develop legislation for a reformed ASIO compulsory questioning framework, and refer this legislation to the Committee for inquiry and report. The Committee further recommends that proposed legislation be introduced by the end of 2018 and that the Committee be asked to report to the Parliament no sooner than three months following introduction. The Committee considers any proposed legislation should include an appropriate sunset clause. 
R4 that the Act be amended to extend the sunset date of 7 September 2018 by 12 months to allow sufficient time for legislation to be developed and reviewed.