Technology and online rights

IBM says a hack of our census is “inevitable”

The ABS has a history of being hacked, and now The Australian is reporting that IBM says a hack of our census is “inevitable” ($):

An IBM Worldwide Security Solution Architect has waded into the census privacy debacle, declaring Australia’s sensitive census data will be “inevitably” hacked.

Philip Nye, a global security expert based on the Gold Coast, addressed Prime Minister Malcolm Turnbull and Trade Minister Steve Ciobo on Twitter, calling for mandatory breach laws to be implemented.

… “Data leaks continue to occur despite the best efforts of governments and organisations,” the organisation said in a statement.

“The safest way to avoid risk is to destroy the names and addresses immediately.

“In previous censuses, respondents were allowed to opt-in to having personally identifiable information retained, and it is the position of EFA that respondents to the 2016 Census should have the same privacy protections afforded to respondents of previous censuses, in line with community expectations.”

As The Australian reported earlier, Malcolm Turnbull today moved to reassure Australians about their privacy.

“The Australian Bureau of Statistics in undertaking the census, always protects the people’s privacy and the security of their personal details is absolute. And that is protected by law and by practice, so that is a given,” the Prime Minister told reporters in Canberra.

Continue reading here ($)


Metadata mission creep? Who would have thought?


The latest proposal from Victoria Police to monitor mobile phone use highlights the danger of mission creep under mandatory metadata retention laws:

The so-called textalysers… are able to analyse metadata to determine whether someone was using their mobile phone at a specific time – while driving, for example.

… The model proposed by New York authorities involves the analysis of a mobile device’s metadata after a road incident to determine whether the device had been used in the lead up to the event.
… Privacy laws are slowing progress of the proposed new legislation, although Israeli company Cellebrite, which produces the technology, claims that the textalyser system doesn’t have the ability to read the content of text messages and social media updates, but rather to determine whether the device was used at a certain time to send text messages.

However, Australia’s new metadata retention laws, which allow for the time and basic surface details of every message sent to be stored and made available to law enforcement agencies, could speed the technology’s introduction here.

While the government justified the introduction of metadata laws largely to fight terrorism, the inherent danger with gathering mountains of personal data (beyond privacy and data security issues) is that once it exists other entities will inevitably demand access (see that list here).

In fact, the IPA’s Simon Breheny predicted this as early as 2012, and the IPA’s Chris Berg warned about the likelihood of the compulsorily acquired metadata being used for purposes other than national security at the time of its introduction in 2014:

A lot of opponents of data retention have pointed out that this creates a very real risk of unauthorised access. It’s hard to keep data secure.

Yet just as concerning is authorised access. Once these databases have been created they will be one subpoena away from access in any and every private lawsuit.


The many, many government agencies requesting warrantless data access

On FreedomWatch last year, Chris Berg said this:

Under the data retention bill passed earlier this year, the number of agencies with access had been strictly limited to criminal law enforcement agencies. As the IPA argued at the time, this was almost certain not to last – regulators across the country have been chomping at the bit for years to get a hold of our internet records, and it would be trivially easy for this or future governments to quietly reinstate these agencies into the data retention scheme.

And those regulators have wasted no time in requesting to be given this access. According to information released under freedom of information laws, an extraordinary 61 agencies have already sought authorisation to access telecommunications data held under the federal government’s 2015 mandatory data retention laws.

You can see the full list here.

We are seeing now how this legislation highlights the expansive nature of the modern government. You might be aware that the state and federal governments have created a plethora of bodies with dubious public benefit. For example, the various state government bodies specifically dedicated to regulating greyhound and harness racing, or the Commonwealth’s National Measurement Institute, which exists to maintain “Australia’s units and standards of measurement”. What you might not have known is that these bodies (and even non-government entities, such as the RSPCA) have decided that they need warrantless data access to carry out their work.

For many of these agencies, that can hardly be the case. Can you imagine what laws the NMI enforces that would require data access at all?

If these agencies need access to data, they should be told to get a warrant.


Government agencies requesting data access without a warrant


The ease with which the government would resort to undermining the privacy of its citizens just to make regulatory enforcement slightly easier is deeply concerning.

Since as early as 2012, the IPA has warned mandatory data retention would not be used solely for national security purposes.

Now, it is being reported that Primary Industries and Regions SA is seeking to become the next agency which can access retained data without requiring a warrant.

They can join this list of government agencies that should be told that if they want data access, they should get a warrant:


What role does the government have in dealing with cyber-bullying?


Parents, teachers, schools, and communities have a role to play in helping kids deal with cyber-bullying. But what role does the government have?

I have a short peer-reviewed comment paper, published this month, proposing a different way of thinking about the cyberbullying problem. We need to make sure that governments, in their zeal to tackle bullying, do not limit the social learning that is crucial to child development.

First, cyberbullying is not a new form of social activity but rather one new form of bullying. Second, how we conceptualise cyberbullying in relation to traditional bullying will affect our policy approach. Such a subordinate categorisation helps us to direct the possible policy and social responses away from technological or legal responses, which focus on the characteristics of new technologies, and towards the relationships of children in as much as out of school. It also helps to avoid a false sense that by targeting specific forms of expression the bully problem is being tackled. Finally, this approach has the advantage of clarifying the costs of anti-cyberbullying policies, and underlines the importance of respecting the rights of children both to be protected from bullying as well as to develop their identities.

You can read the whole paper here.


Is this the next step, following mandatory data retention?

Draft national security legislation revealed last Friday would add little value to Australia’s efforts to combat terrorism, and will be a significant regulatory burden on the telecommunications sector.

According to the exposure draft, the Telecommunications and Other Legislation Amendment Bill 2015 would, if passed, compel carriage service providers to “do their best” to

protect telecommunications networks and facilities from unauthorised interference, or unauthorised access, for the purposes of security. Carriers and carriage service providers must notify changes to telecommunications services or telecommunications systems that are likely to have a material adverse effect on their capacity to comply with this duty 

Since such service providers would naturally “do their best” to see that their networks are uncompromised, it is unclear what is added by the bill. It is fuzzy law at best, and it would be remarkably difficult for a person to know whether they are meeting their legal obligations.

While the national security benefits are unclear, the proposed regulatory burdens are not. For instance, section 314A(3) of the bill requires carriage service providers to notify the government (the “Communications Access Co-ordinator”) of their intention to implement a change to telecommunications services. Sections 315A and 315B could potentially see the Attorney-General issue directions to carriage service providers to “cease using or supplying… carriage services” or “to do, or to refrain from doing, a specified act or thing within the period specified in the direction.”

From mandatory data retention, to online piracy legislation, 2015 has seen a suite of burdensome but ineffectual laws passed at the intersection of technology, telecommunications and national security. If passed, these new proposals would add to that list.


Victorian taxi industry waves the white flag


After a year-long campaign of misinformation, the Victorian Taxi Association (VTA) has finally raised the white flag. The Guardian reports:

Victoria’s Taxi Association has abandoned industrial action and campaigning as a response to Uber, admitting the industry has not responded well to customer criticism.

On Monday the association’s chief executive, David Samuel, announced an initiative calling for honest feedback from taxi customers so that the industry could adapt and respond.

To say they haven’t responded well to customer criticism is putting it mildly. As customers unhappy with the level of service, availability, and convenience of traditional taxis have gradually abandoned them for new competitors like Uber, the VTA has responded with fear-mongering and calls for government crackdowns.

Their favourite claim was that Uber is unregulated, and therefore unsafe.

On the first point, Uber drivers are not “unregulated”. They are regulated by the same road rules and laws that cover all drivers. They are also subject to a variety of safety measures, which include third party criminal background checks.

Perhaps most importantly, there are quality control and feedback measures embedded in the Uber app, which are intrinsic to their business model. As I argued in the Herald Sun in May, this not only makes Uber (and competitors like Lyft) more convenient than traditional taxis, it also makes them safer.

At the very least, the Victorian Taxi Association seems to have finally realized that this strategy will not work.

The industry’s only chance of survival is to adapt, innovate, and compete with Uber — and future competitors — in the marketplace. Something which, so far, they have failed to do.

But to be fair, this isn’t entirely the taxi industry’s fault. Decades of government protection insulated the industry from competition, lowering the quality of service, and making them less responsive to customer demands. The industry benefited from this protection for decades; time will tell if it will be the cause of their downfall.

The Victorian Taxi Association’s olive branch is a step towards positive legislative reform. Perhaps if they had spent less time attacking their critics — like yours truly — we might have got to this point sooner.


For more on the sharing economy, check out the IPA’s paper by Chris Berg and Darcy Allen: The sharing economy: How over-regulation could destroy an economic revolution.


Racing integrity commissioner to have access to retained data?


Sal Parna, Victoria’s Racing Integrity Commissioner


Politics, like comedy, is about timing. This week Melbourne has been under its usual racing-induced fever. So Victoria’s Attorney-General Martin Pakula took the opportunity on Monday to publicly appeal to the federal government that the Victorian Racing Integrity Commissioner be reinstated as one of the authorised agencies for warrantless access to telecommunications data under the data retention scheme.

Under the data retention bill passed earlier this year, the number of agencies with access had been strictly limited to criminal law enforcement agencies. As the IPA argued at the time, this was almost certain not to last – regulators across the country have been chomping at the bit for years to get a hold of our internet records, and it would be trivially easy for this or future governments to quietly reinstate these agencies into the data retention scheme.

Mandatory data retention is a rolling violation of our privacy. Is such a violation justified in order to protect the “public confidence” in the racing industry?  There are more fundamental issues of public confidence here – the public’s confidence that the government is not routinely harming the privacy of its citizens just to make regulatory enforcement slightly less bureaucratically onerous. If the Victorian Racing Integrity Commissioner needs to access data, they ought to get a warrant.


Mandatory internet data retention comes into operation today

Simon Breheny and I have been arguing the case against data retention since it was first mooted by the Gillard government – it violates the privacy of every Australian just in case they are later accused of criminality, it will be used for more than just anti-terror policies, and there are alternative policies and approaches which better respect individual liberty. You can read the IPA’s submission to the parliament’s data retention inquiry here.

But all the critiques aside, data retention is shaping up to be a case study in poor policy implementation.

Internet service providers have long argued that retaining that amount of data would be prohibitively complex. In fact, one of the most striking things about the whole debate has been the gap between how easy the government has suggested implementing data retention would be and how hard ISPs have said it would be.

No surprise then that Fairfax is reporting that 80 per cent of ISPs are not actually going ‘live’ with data retention compliance today, but have applied for extensions of 18 months. There is widespread confusion about how much data is to be retained, and no transparency on how the ISPs will be compensated for storing masses of information on their customers’ activity.

Implementation was always going to be a problem with data retention. But it is hard not to conclude that the implementation problems ISPs are now experiencing are the direct result of the government’s lack of conceptual and technical clarity about how data retention relates to current ISP practices.


Survey shows Uber offers better service than taxis

Consumer advocate group Choice has published findings of an investigation comparing taxis and ride-sharing services in Australia. As reported in The Guardian today:

Choice found little evidence to support the claim by the New South Wales Taxi Council – printed on billboards around Sydney – that ride-sharing services such as UberX were “no safer than hitchhiking”.

The UberX feature, which connects passengers with registered private vehicles, has triggered protests around the world by the taxi industry, including earlier this month in Melbourne, Sydney and Canberra.

But ride-sharing has taken off in Australia, and was used more than 1m times in the year to May, Uber says.

Investigators from Choice compared 28 taxi rides to the same number of trips using UberX. They found that taxis were more expensive nine times out of 10, and by an average of 40%.

Only with surge pricing – which boosts the cost of a UberX trip when demand is high – did taxis become cheaper, by about 6% in most instances.

Twice, the booked taxis failed to show up, which Choice’s spokesman, Tom Godfrey, put down to drivers finding longer, more expensive fares.

“Part of the problem may be that taxi drivers are told the passenger’s destination, which may make short trips less attractive. Uber drivers, on the other hand, aren’t given your destination until they turn up,” Godfrey said.

In about 62% of cases, a car booked through UberX arrived more quickly than a taxi.

Choice’s full findings can be found here.
