Data Expert Warns Encryption Laws could have Catastrophic Outcomes


A University of Wollongong data expert has labeled the government's proposed encryption laws delusional and warns they could have catastrophic consequences.

The changes would force technology companies to help police access encrypted messages.

Professor Katina Michael, from the School of Computing and Information Technology, says the powers are unprecedented and have no oversight.

She is speaking to ABC reporter Kelly Fuller.

Citation: Katina Michael with Kelly Fuller, “Rushed Encryption Laws Herald a Watering Down in National Security”, ABC Illawarra: Radio, 6 December 2018, https://soundcloud.com/kelfuller/data-expert-warns-encryption-laws-could-have-catastrophic-outcomes

Mandatory Data Breach Notification (2017 Amendment to Privacy Act)

Today I had the pleasure to speak to Meredith Griffiths, reporter of the ABC, on the newly enacted Mandatory Data Breach Notification (MDBN) that takes effect on February 28, 2018.

Some of the main points I made in the interview with the help of my colleagues at the Australian Privacy Foundation (primarily David Vaile) were:

MDBN doesn't go far enough because:

  1. small businesses with <$3m annual turnover are exempt from MDBN
  2. self-assessment of "serious harm" is ambiguous (on what test do companies come forward? and only if PC agrees it is serious? what if slightly serious on one view, and very serious on another - do companies take the easy way out and not disclose?)
  3. companies are given 30 days to make a data breach notification to the privacy commissioner (too long for customers to be kept in the dark, and thereafter how long might it take the Privacy Commissioner to determine 'seriousness' and/or publicly respond with an unenforceable determination)
  4. what about data breaches offshore (how do Aussies respond to loss of their PI abroad)?
  5. what about 'open data' re-identification through AI/machine learning?
  6. OAIC is overloaded, slow, determinations are also unenforceable and very rare.

So where does this really leave us? We have a law that neither prevents breaches of personal information nor compensates individuals for privacy breaches. What we need to do is consider the outcomes of the ALRC from 2008 that stipulated we need a tort on the serious invasion of privacy so that individuals CAN sue other individuals (like hackers), or companies (like Google) or government agencies for breaches in their privacy (whether accidental or deliberate or through some form of negligence).

The lack of auditability of the new law means that current practices that rely on de-identification to safeguard people's personal information, say in the case of OPENGOV data initiatives, may not be enough down the track as the threat from machine learning algorithms increases; these can look at patterns of information and highlight individuals, like finding a needle in a haystack. The issues of going down this path are grave, including the potential for re-identification and for bringing several disparate treasure troves, like social media data, government data, and personal records, together to be analysed.

Links to MDBN include:

https://www.oaic.gov.au/media-and-speeches/statements/mandatory-data-breach-notification

https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

https://www.oaic.gov.au/media-and-speeches/news/retailers-check-out-mandatory-data-breach-reporting-obligations-and-prepare-for-2018

Having a statutory tort of serious invasion of privacy (like in the UK and US) or a common law tort (like in New Zealand) allows individuals to sue other entities depending on the severity of the privacy breach. Why is Australia lagging so far behind other advanced digital nations? When will this legislation be amended?

Already, we are seeing large ICT companies set up "shop-fronts" in Australia with NO enforceable penalties for international misdemeanours when it comes to amassing treasure troves of data, and data breaches offshore. How do we hold these companies accountable when they are taking in a lot of business from Australian consumers and yet seem to be let out in the "wild" to do as they please, storing data on the Cloud either in the USA or Ireland? Bruce Schneier called this "data as a toxic asset". As the toxicity rises, we can expect major pollution spills.

For now, at least we can say that the MDBN is a step in the right direction, even though it falls short through exemptions and loopholes. It can have some reputational impact on "data addicts" that don't do the right thing via their subscriber base, but little more. Sadly, large corporations can handle this reputational damage in their "risk appetites". The fines are also "measly" when it comes to government or regulatory action, and so corporate and government entities in particular are left to their own devices here in Australia. While well-meaning, it seems that it is nothing more than a theatrical show: data hosts are still not responsible for bettering their security practices or urgently responding and fixing a breach.

Data is a bit like mental illness. You can't see it. It is not tangible. You cannot put a price on mental health, and you cannot put a price on your personal data. While we can manage damage to property very well, because we can see a scratch on a car, or the loss of inventory, we cannot see data as we see a broken arm.

We already have very weak privacy legislation. Australia needs to get as serious about the value of personally identifiable information (PII) as Europe has (through the General Data Protection Regulation, considered the gold standard). Both the Liberal and Labor governments need to listen to the commissioned reports by the Australian Law Reform Commission, and act on the implementation of statutory tort legislation with respect to intrusions of privacy. There is no reason why this has not happened yet.

Is RFID safe and secure?

Elizabeth Latham, Radio Comms journalist

We've heard a lot about RFID - it's used in supermarkets, implanted in pets and even by blood banks - but is it actually secure? Is the information we put on these chips safe from hackers? RFID is a very useful technology, especially in production because it is usually non-line-of-sight (nLOS). This means that cartons or pallets do not require a particular orientation or scanning, unlike bar codes. This aids in the automation of many tasks throughout the supply chain that have typically been labour intensive, such as checking and scanning incoming inventory.

Organisations also have an accurate picture of stock levels, which in turn means lower inventory costs and fewer out-of-stock occurrences. 

Can you trust the RFID to hold your information? 

Dr Katina Michael, senior lecturer in the School of Information Systems and Technology, Faculty of Informatics, University of Wollongong, believes it's all a matter of context, but would not advise the use of RFID for access control types of applications.

"Security has to be identified as the number one disadvantage of RFID. Although it should be stated that researchers are working hard to overcome this hurdle, offering a variety of partial solutions," Michael said. 

While standards are beginning to emerge like EPCglobal, there is a great number of proprietary specific RFID standards on the market. The standard denotes how a message is stored, the length of a message (for example 128-bit) and a sequence of bits that tell a reader when to start and stop reading, as well as additional error-checking bits. 

How does information get tampered with?

"It is as simple as acquiring the relevant reader and working out what each bit in the message means, and interpreting that information correctly. Bits can be encoded using a particular scheme, but once the scheme is identified, the information can be read," Michael said.

"Given RFID is wireless, you need to be in the proximity of 90 centimetres (dependent on the range requirements of the tag) to intercept the radio signal. So once you have read the chip you can simply play back the signal you picked up and pretend to be someone you are not."

This has major implications for active tags because it means the hacker can not only read information but also write to the tag, and even change variables.

"When a new technology enters the market, hackers are presented with a new challenge. And so the race begins for who can 'crack the code' so to speak," Michael said.

How can you protect yourself from hackers?

There are many options to choose from when trying to protect data. For example, it is possible to kill off the RFID tag after a certain time and datestamp on the chip. The information on the chip can also be encrypted and passwords placed on the tags.

Two main approaches have been adopted by researchers: either a separate piece of hardware is required (hard solution), or a software-based solution is adopted (soft solution). Blocker tags (such as ancillary RFID tags) can also help solve the problem of hacking by preventing unauthorised scanning of items.

It is also possible to use antennae energy analysis to gauge the distance of a reader from a tag, or to store a biometric onboard the RFID chip. "All the RFID security-privacy solutions being proposed are only partial solutions and each has its benefits and limitations. At the crux of the matter is the unique ID of the actual RFID tag, how this information is stored and whether or not passwords have a role to play and how anonymity is ensured," Michael said.
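The playback weakness described above, set beside a keyed challenge-response check, as an added example that is not from the article or from any RFID standard. The challenge-response design goes beyond the encryption and password options the article names; the class and function names, key sizes and tag values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

ID_LEN = 16  # 128-bit tag ID, the message length the article gives as an example


class FixedReply:
    """A static-ID tag or a recorded signal: the same bytes whatever is asked."""
    def __init__(self, data):
        self.data = data

    def respond(self, challenge):
        return self.data


class KeyedTag:
    """Hypothetical tag holding a per-tag secret; it MACs the reader's challenge."""
    def __init__(self, tag_id, key):
        self.tag_id, self.key = tag_id, key

    def respond(self, challenge):
        return self.tag_id + hmac.new(self.key, challenge, hashlib.sha256).digest()


def static_reader_accepts(tag, allowed_ids):
    # The reader only checks that the ID bits are on its list.
    return tag.respond(b"") in allowed_ids


def keyed_reader_accepts(tag, keys):
    challenge = secrets.token_bytes(16)  # fresh random value for every read
    reply = tag.respond(challenge)
    tag_id, mac = reply[:ID_LEN], reply[ID_LEN:]
    key = keys.get(tag_id)
    if key is None:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def demo():
    tag_id, key = secrets.token_bytes(ID_LEN), secrets.token_bytes(32)  # constructed
    static, keyed = FixedReply(tag_id), KeyedTag(tag_id, key)
    old_static = FixedReply(static.respond(b""))                    # recorded earlier
    old_keyed = FixedReply(keyed.respond(secrets.token_bytes(16)))  # recorded earlier
    return {
        "static_genuine": static_reader_accepts(static, {tag_id}),
        "static_playback": static_reader_accepts(old_static, {tag_id}),
        "keyed_genuine": keyed_reader_accepts(keyed, {tag_id: key}),
        "keyed_playback": keyed_reader_accepts(old_keyed, {tag_id: key}),
    }
```

The keyed tag still sends its ID in the clear, so this check stops a recorded reply from being accepted but does nothing for the anonymity question raised in the quote above.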

More recently, developments for human-centric applications have seen RFID go into the subdermal layer of the skin in the form of a transponder. "The argument for this latest development to 'protect' information is simple - if it's beneath the skin the ID chip cannot be stolen, is with you everywhere you go, is lightweight, it cannot be duplicated, a perpetrator does not know you have something implanted, and the RFID chip can be accessed at crucial times with your prior consent," Michael said.

Michael warns that the benefits of the above method of protection are misleading. Chips can still be read by persons in close proximity to an implantee, or even by unobtrusive readers that can trigger the device to emit a signal.

So, you decide. Is the risk worth it? What information is on the RFID chip and do you want someone to have access to it?

Citation: Elizabeth Latham, 2006, "Is RFID Safe and Secure?", Radio Comms, February 12, 2007: http://www.radiocomms.com.au/radiocomms/feature_article/item_022007a.asp