The Capability on SBS Greek Radio

Your face is becoming the latest weapon in the world of digital surveillance, and the humble driver's licence looms as a game-changer in tracking individuals through both the real and virtual world.

In Mandarin:

According to the ABC, once driver's licences are fed into the biometric database, the government and some private-sector bodies will be able to obtain detailed information such as people's photographs, ages and addresses.

Experts warn that both governments and some organised criminal groups may have reasons to obtain personalised metadata, and that people face the risk of losing control over their own biometric characteristics.

Industry views:

Professor Katina Michael, an expert in technology and law, said that roughly 50% of people already have visual biometric features stored in a nationally accessible database, and that adding driver's licences would lift that proportion to 80% at a stroke.

She said that one of the biggest risks of collecting biometric data is the vulnerability of biometric matching methods themselves.

Professor Michael said: "When police query an individual's information in the system using a photograph, it is not a one-to-one search match; you put in a person's face and you may get search results containing dozens of candidates."

She said that although the names of the people searched may be purged after a period of time, their data may remain in databases linked to criminal investigations, whereas genuine repeat offenders or terrorists often do not apply for passports or driver's licences precisely in order to evade the system's reach.

Stephen Wilson runs a consulting firm that researches and tracks biometric technology trends across the corporate and government sectors.

He said that at present even very secure biometric systems need a considerable amount of time to process images accurately.

And when consumers are keen on convenience, such as being able to unlock a phone or access a bank account with a quick scan of a face or fingerprint, security is neglected, and that is what invites problems.

Wilson said: "The more exposed we are in electronic databases, the greater the likelihood that we will be matched by our biometric characteristics. Also, for someone trying to commit a crime who wants to forge a driver's licence, the system offers a long list of photographs of people who look like them to choose from."

The annual industry survey of the Biometrics Institute (Industry Trend Tracker) shows that facial recognition is the biometric trend most likely to grow over the next few years.

Respondents regard personal privacy and data protection issues as the biggest constraints on this market.

Mandatory Data Breach Notification (2017 Amendment to Privacy Act)

Today I had the pleasure of speaking to Meredith Griffiths, a reporter for the ABC, on the newly enacted Mandatory Data Breach Notification (MDBN) that takes effect on February 28, 2018.

Some of the main points I made in the interview with the help of my colleagues at the Australian Privacy Foundation (primarily David Vaile) were:

MDBN doesn't go far enough because:

  1. small businesses (under $3m annual turnover) are exempt from MDBN
  2. self-assessment of "serious harm" is ambiguous (on what test do companies come forward? and only if the Privacy Commissioner agrees it is serious? what if it is slightly serious on one view and very serious on another: do companies take the easy way out and not disclose?)
  3. companies are given 30 days to make a data breach notification to the Privacy Commissioner (too long for customers to be kept in the dark, and thereafter how long might it take the Privacy Commissioner to determine 'seriousness' and/or publicly respond with an unenforceable determination?)
  4. what about data breaches offshore (how do Australians respond to the loss of their personal information abroad)?
  5. what about 'open data' re-identification through AI/machine learning?
  6. the OAIC is overloaded and slow, and its determinations are also unenforceable and very rare.

So where does this really leave us? We have a law that neither prevents breaches of personal information nor compensates individuals for privacy breaches. What we need to do is consider the recommendations of the ALRC from 2008, which stipulated that we need a tort of serious invasion of privacy so that individuals CAN sue other individuals (like hackers), companies (like Google) or government agencies for breaches of their privacy (whether accidental, deliberate or through some form of negligence).

The lack of auditability in the new law means that current practices that rely on de-identification to safeguard people's personal information, say in the case of OPENGOV data initiatives, may not be enough down the track as the threat grows from machine learning algorithms that can look at patterns of information and single out individuals like finding a needle in a haystack. The consequences of going down this path are grave, including the potential for re-identification by bringing several disparate treasure troves together, such as social media data, government data and personal records, to be analysed as one.

Links to MDBN include:

https://www.oaic.gov.au/media-and-speeches/statements/mandatory-data-breach-notification

https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

https://www.oaic.gov.au/media-and-speeches/news/retailers-check-out-mandatory-data-breach-reporting-obligations-and-prepare-for-2018

Having a statutory tort of serious invasion of privacy (as in the UK and US) or a common law tort (as in New Zealand) allows individuals to sue other entities depending on the severity of the privacy breach. Why is Australia lagging so far behind other advanced digital nations? When will this legislation be amended?

Already, we are seeing large ICT companies set up "shop-fronts" in Australia with NO enforceable penalties for international misdemeanours when it comes to amassing treasure troves of data and data breaches offshore. How do we hold these companies accountable when they are taking in a lot of business from Australian consumers and yet seem to be let out into the "wild" to do as they please, storing data in the cloud either in the USA or Ireland? Bruce Schneier called this "data as a toxic asset". As the toxicity rises, we can expect major pollution spills.

For now, at least we can say that the MDBN is a step in the right direction, even though it falls short through exemptions and loopholes. It can have some reputational impact, via their subscriber base, on "data addicts" that don't do the right thing, but little more. Sadly, large corporations can absorb this reputational damage within their "risk appetites". The fines are also "measly" when it comes to government or regulatory action, and so corporate and government entities in particular are left to their own devices here in Australia. While well-meaning, it seems to be nothing more than a theatrical show: data hosts are still not responsible for improving their security practices or for urgently responding to and fixing a breach.

Data is a bit like mental illness. You can't see it. It is not tangible. You cannot put a price on mental health, and you cannot put a price on your personal data. While we can manage damage to property very well, because we can see a scratch on a car, or the loss of inventory, we cannot see data as we see a broken arm.

We already have very weak privacy legislation. Australia needs to get serious, as Europe has (through the General Data Protection Regulation, considered the gold standard), about the value of personally identifiable information (PII). Both Liberal and Labor governments need to listen to the commissioned reports of the Australian Law Reform Commission and act on the implementation of a statutory tort for intrusions of privacy. There is no reason why this has not happened yet.

Agencies may access IDs

Government agencies could get approved access to part of the Commonwealth's newly proposed facial recognition program.

The Facial Verification Service, part of the federal government's new "Capability" program, would be accessible by departments such as the Department of Human Services or the Australian Taxation Office.

The system would be used to provide a one-for-one match from a person's existing photo with any other government-issued identities they may hold, rather than returning multiple potential matches.

The Attorney-General's Department said government agencies and private businesses would have to complete a privacy impact statement before being given access.

"Organisations using the service would need to demonstrate their lawful basis to do so under the Privacy Act, and could only use the FVS where they gain a person's consent to use their images," a spokesman said.

Surveillance expert Professor Katina Michael of the University of Wollongong said access should only be granted on a case-by-case basis, and was concerned that Capability could be linked to a person's metadata or even tax file number.

"What I can't understand is it's open at all times indefinitely," Professor Michael said. "That is not professional. It's warrantless searching."

She also raised concerns about the private sector having access to the system.

"It's going to be bidirectional. This is a lovely symbiosis between government and industry. This is the only way that government can crawl their way into the data sets of Facebook and Google."

When originally launched in November, the FVS used photos captured by the Australian Border Force from passports or citizenship photos, and was only available to the Department of Foreign Affairs and Trade or the Australian Federal Police.

Earlier this month, the federal government announced it would establish the national facial recognition system drawing on issued identification from all Australian jurisdictions allowing FVS users to access state or territory databases.

The Capability now comprises three parts, the Document Verification Service, the FVS and the Facial Identification Service.

The FIS allows law enforcement to scan photos of unknown persons and match them with multiple government records.

"For example, it can be used to identify a suspected paedophile from child exploitation material, or to identify an armed offender from a still image taken from CCTV footage," a spokesman said. There were no current plans to expand access to the FIS.

But Professor Michael was concerned the FIS would eventually be opened up to other agencies and the private sector.

Finbar O'Mallon, October 15, 2017, "Agencies may access IDs", Canberra Times, p. 8.

Personal Information Entrusted to Government Leaked to the Public

Podcast available here

Centrelink and Veterans Leak Sources:

Summary

https://theconversation.com/how-the-law-allows-governments-to-publish-your-private-information-74304

Robo-Debt

http://www.abc.net.au/news/2017-03-21/how-centrelink-can-win-back-trust-after-the-robo-debt-debacle/8372788

http://www.canberratimes.com.au/national/public-service/centrelink-robodebt-government-pledges-fairer-deal-after-backlash-20170214-gucz6t.html

http://www.smh.com.au/federal-politics/political-news/centrelinks-robodebt-creating-a-climate-of-fear-20170307-gut1z7.html

http://www.smh.com.au/federal-politics/political-news/not-good-enough-labor-slams-centrelink-robodebt-changes-20170215-guda4r.html

Centrelink Leak

http://www.abc.net.au/news/2017-02-28/watchdog-inquiries-after-centrelink-leaked-personal-information/8310034

http://www.abc.net.au/news/2017-03-03/centrelink-debt:-senate-concerned-about-impact-of-dhs-releases/8321478

http://www.abc.net.au/news/2017-03-01/centrelink-clients-advised-personal-information-no-longer-safe/8313924

http://www.abc.net.au/news/2017-01-17/labor-calls-for-suspension-of-centrelink-debt-recovery-program/8187934

https://www.businessinsider.com.au/centrelinks-crude-new-data-matching-system-falsely-claims-people-owe-large-amounts-of-money-2017-1

Veterans Leak

http://www.theaustralian.com.au/news/latest-news/labor-backs-law-on-veteran-information/news-story/3b639743bd77dc5cb83337e075e30fd8

http://www.abc.net.au/news/2017-03-02/government-wants-new-power-to-release-veterans-personal-info/8320268

http://www.news.com.au/national/politics/personal-medical-and-financial-documents-leaked-by-vets-affairs/news-story/bcdd3410b497f4175bb02faa77f9616e

http://www.illawarramercury.com.au/story/4519232/veterans-anger-over-personal-information-laws-prompt-privacy-review/?cs=12

Laws

Privacy Act 1998 Overview https://www.oaic.gov.au/privacy-law/privacy-act/

Privacy Act 1998 Quick Ref. https://www.oaic.gov.au/agencies-and-organisations/guides/app-quick-reference-tool#toc

Social Security Act 1991 http://www.austlii.edu.au/au/legis/cth/consol_act/ssa1991186/

Veterans' Affairs Legislation Amendment (Digital Readiness and Other Measures) Bill 2017 http://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r5771

Data matching program: https://www.humanservices.gov.au/sites/default/files/documents/co050-200710-1105en.pdf

Australian Privacy Principles include:

APP 1 — Open and transparent management of personal information

APP 2 — Anonymity and pseudonymity

APP 3 — Collection of solicited personal information

APP 4 — Dealing with unsolicited personal information

APP 5 — Notification of the collection of personal information

APP 6 — Use or disclosure of personal information

APP 7 — Direct marketing

APP 8 — Cross-border disclosure of personal information

APP 9 — Adoption, use or disclosure of government related identifiers

APP 10 — Quality of personal information

APP 11 — Security of personal information

APP 12 — Access to personal information

APP 13 — Correction of personal information


Citation: Katina Michael speaks with Trevor Chappell "The release of personal files from Centrelink and Veterans Affairs to journalists recently and some of the ramifications of this", ABC Radio - Overnights http://www.abc.net.au/radio/programs/overnights/. Producer Michael Pavlich. 4.20am-5am, 22 March 2017.