Mandatory Data Breach Notification (2017 Amendment to Privacy Act)

Today I had the pleasure to speak to Meredith Griffiths, reporter of the ABC, on the newly enacted Mandatory Data Breach Notification (MDBN) that takes effect on February 28, 2018.

Some of the main points I made in the interview with the help of my colleagues at the Australian Privacy Foundation (primarily David Vaile) were:

MDBN doesn't go far enough because:

  1. small businesses (<$3m annual turnover) are exempt from MDBN
  2. self-assessment of "serious harm" is ambiguous (on what test do companies come forward? and only if PC agrees it is serious? what if slightly serious on one view, and very serious on another: do companies take the easy way out and not disclose?)
  3. companies are given 30 days to make a data breach notification to the privacy commissioner (too long for customers to be kept in the dark and thereafter how long might it take the Privacy Commissioner to determine 'seriousness' and/or publicly respond with an unenforceable determination)
  4. what about data breaches offshore (how do Aussies respond to loss of their PI abroad)?
  5. what about 'open data' re-identification through AI/machine learning?
  6. OAIC is overloaded, slow, determinations are also unenforceable and very rare.

So where does this really leave us? We have a law that neither prevents breaches of personal information nor compensates individuals for privacy breaches. What we need to do is consider the outcomes of the ALRC from 2008 that stipulated we need a tort on the serious invasion of privacy so that individuals CAN sue other individuals (like hackers), or companies (like Google) or government agencies for breaches of their privacy (whether accidental or deliberate or through some form of negligence).

The lack of auditability of the new law means that current practices that rely on de-identification to safeguard people's personal information, say in the case of OPENGOV data initiatives, may not be enough down the track as the threat increases from machine learning algorithms that can look at patterns of information and highlight individuals, like finding a needle in a haystack. The issues of going down this path are grave, including the potential for re-identification and for bringing several disparate treasure troves, like social media data, government data and personal records, together to be analysed.

Links to MDBN include:

https://www.oaic.gov.au/media-and-speeches/statements/mandatory-data-breach-notification

https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

https://www.oaic.gov.au/media-and-speeches/news/retailers-check-out-mandatory-data-breach-reporting-obligations-and-prepare-for-2018

Having a statutory tort of serious invasion of privacy (like in the UK and US) or a common law tort (like in New Zealand) allows individuals to sue other entities depending on the severity of the privacy breach. Why is Australia lagging so far behind other advanced digital nations? When will this legislation be amended?

Already, we are seeing large ICT companies set up "shop-fronts" in Australia with NO enforceable penalties for international misdemeanours when it comes to amassing treasure troves of data, and data breaches offshore. How do we hold these companies accountable when they are taking in a lot of business from Australian consumers and yet seem to be let out in the "wild" to do as they please, storing data on the Cloud either in the USA or Ireland? Bruce Schneier called this "data as a toxic asset". As the toxicity rises, we can expect major pollution spills.

For now, at least we can say that the MDBN is a step in the right direction even though it falls short through exemptions and loopholes. It can have some reputational impact on "data addicts" that don't do the right thing via their subscriber base, but little more. Sadly, large corporations can handle this reputational damage in their "risk appetites". The fines are also "measly" when it comes to government or regulatory action, and so corporate and government entities in particular are left to their own devices here in Australia. While well-meaning, it seems that it is nothing more than a theatrical show: data hosts are still not responsible for bettering their security practices or urgently responding to and fixing a breach.

Data is a bit like mental illness. You can't see it. It is not tangible. You cannot put a price on mental health, and you cannot put a price on your personal data. While we can manage damage to property very well, because we can see a scratch on a car, or the loss of inventory, we cannot see data as we see a broken arm.

We already have very weak Privacy Legislation. Australia needs to get serious, as Europe has (through the General Data Protection Regulation, considered the gold standard), on the value of personally identifiable information (PII). Both the Liberal and Labor governments need to listen to the commissioned reports by the Australian Law Reform Commission, and act on the implementation of statutory tort legislation with respect to intrusions of privacy. There is no reason why this has not happened yet.

Human Microchips: Employers Going Too Far

Human microchip implants have been around for a while, used by home automation enthusiasts and biohacking movements. But Swedish company Epicenter is taking the technology to a whole new context as a workplace monitoring tool.

The microchips have been implanted into 150 employees and will enable them to open doors, use photocopiers and make purchases from the company cafe. However, privacy is a concern for many people.

Professor Katina Michael joined Nic to discuss the importance of personal choice in using implantables and the problems that may arise when companies and governments use the technology for potentially nefarious purposes.

Citation: Katina Michael with Nick Healy, "Human Microchips: Employees Go Far", 2SERFM Breakfast, May 5, 2017, 6.45-6.50am, http://2ser.com/human-microchips-employers-going-far/, Producers: Jennifer Luu.

ANALYSIS: Human Microchipping Poses Dangers to Health, Privacy

WASHINGTON, April 30 (RIA Novosti), Lyudmila Chernova – Although hardly a novel idea, microchipping humans arouses justified concerns about risks to health and privacy, experts told RIA Novosti Wednesday.

“Along with the potential risks to health, there is a real risk to freedom and privacy, one of the key purposes of RFID is the tracking technology. Besides, numbering people is very dehumanizing. It turns you into a barcode on the package of meat that gets tracked like inventory,” said Dr. Katherine Albrecht, an RFID microchip and consumer privacy expert.

Katina Michael, an associate professor at the University of Wollongong, echoed the opinion, stating that implanting automatic identification technology for non-medical purposes could entail the total loss of the right to privacy.

“There is a grave danger in it, as someone who gets an implant does not have control over bodily privacy. They cannot remove the implant on their own accord. They do not know when someone is attempting to hack into their device, no matter how proprietary the code that is stored on the device, and no matter whether the implant has built-in encryption,” Michael told RIA Novosti.

In 2007 Albrecht and Associated Press Reporter Todd Lewan revealed to the public studies that showed microchips cause cancer when they are implanted into laboratory animals. The finding led to the suspension of the VeriChip company’s work.

“In our research we found that between one and ten percent of laboratory animals implanted with radio frequency microchips developed cancer adjacent to and even surrounding the microchips,” Albrecht said.

“Pacemakers can also cause cancer, but in a case of a pacemaker where the alternative is literally dying, it is worth the risk. However, in a case of something like an identification microchip or dosages of drugs being delivered to the body, that does not make any sense. Most people would prefer to simply take those drugs themselves than run the risk of an implant,” she added.

Dr. Michael also explained that implanting microchips is not new in the health industry, as society has already adopted implantables for a variety of uses. However, implantables for medical applications or for the identification of animals have a number of documented health side effects in line with Dr. Albrecht’s opinion.

“People with microstimulators have described … varying levels of neurological response that were not as prescribed, … or health implications such as infection, or even ongoing stress,” said Michael, adding that there are a whole gamut of health issues that no one is really studying properly.

The expert claimed that these kinds of technologies are being tested already, but have not yet been approved by the FDA for use as medical devices.

However, Albrecht said that the FDA appears to have never looked at the studies pointing to the dangers.

“One of the things I learned is that the FDA relies on the company that’s looking for the approval to provide the evidence of the safety and of the danger of the product. They don’t do independent research, and I think there is a very serious potential to having the companies be the ones that determine the safety of their own product,” she said.

The VeriChip Corporation implanted identification microchips into diabetic and Alzheimer's patients as a trial with Blue Cross Blue Shield in 2007. The trial was stopped due to cancer risks.

In recent years, advocates of the technology have promised neural implants that could stimulate the brain to help people with depression, implants that would deliver certain amounts of medication which may be remote controllable. The technologies involved are not new, and neither is the argument on their appropriateness.

Lyudmila Chernova, April 30, 2014, "ANALYSIS: Human Microchipping Poses Dangers to Health, Privacy", Ria Novosti [РИА Новости], http://en.ria.ru/business/20140430/189481760/ANALYSIS-Human-Microchipping-Poses-Dangers-to-Health-Privacy.html

TEDxUWollongong: The Social Implications of Microchipping People

A/Professor Katina Michael from the University of Wollongong speaks at the 2012 TEDxUWollongong on the moral and ethical dilemmas of emerging technologies. The 3 scenarios she performs raise very interesting social implications for our humanity. http://www.tedxuwollongong.com

Humans 'will be implanted with microchips'

All Australians could be implanted with microchips for tracking and identification within the next two or three generations, a prominent academic says. 

This VeriChip microchip contains identity and health information and is embedded under the skin. (AAP)

Michael G Michael, from the University of Wollongong's School of Information Systems and Technology, has coined the term "uberveillance" to describe the emerging trend of all-encompassing surveillance.

"Uberveillance is not on the outside looking down, but on the inside looking out through a microchip that is embedded in our bodies," Dr Michael told ninemsn. 

Microchips are commonly implanted into animals to reveal identification details when scanned and similar devices have been used with Alzheimer's patients. US company VeriChip is already using implantable microchips, which store a 16-digit unique identification number, on humans for medical purposes.

"Our focus is on high-risk patients, and our product's ability to identify them and their medical records in an emergency," spokesperson Allison Tomek said. "We do not know when or if someone will develop an implantable microchip with GPS technology, but it is not an application we are pursuing."

Another form of uberveillance is the use of bracelets worn by dangerous prisoners which use global positioning systems to pinpoint their movements. But Dr Michael said the technology behind uberveillance would eventually lead to a black box small enough to fit on a tiny microchip and implanted in our bodies. 

This could also allow someone to be located in an emergency or for the identification of corpses after a large scale disaster or terrorist attack. "This black box will then be a witness to our actual movements, words — perhaps even our thoughts — and play a similar role to the black box placed in an aircraft," he said.

He also predicted that microchip implants and their infrastructure could eliminate the need for e-passports, etags, and secure ID cards. "Microchipping I think will eventually become compulsory in the context of identification within the frame of national security," he said.

Although uberveillance was only in its early phases, Dr Michael's wife, Katina Michael — a senior lecturer from UOW's School of Information Systems and Technology — said the ability to track and identify any individual was already possible.

"Anyone with a mobile phone can be tracked to 15m now," she said, pointing out that most mobile phone handsets now contained GPS receivers and radio frequency identification (RFID) readers. "The worst scenario is the absolute loss of human rights," she said. 

Wisconsin, North Dakota and four other states in the US have already outlawed the use of enforced microchipping. "Australia hasn't got specific regulations addressing these applications," she said. "We need to address the potential for misuse by amending privacy laws to ensure personal data protection."

Uberveillance has been nominated for Macquarie Dictionary's Word of the Year 2008.

Citation: Josephine Asher, "Humans 'will be implanted with microchips'", ninemsn.com, January 30, 2009.

Addendum: The following comment was provided but was not included in the final production of the article for reasons of space and readability. I provide it here regardless.

  • "Technology is not foolproof. That’s one of the paradoxes of these surveillance systems," Katina Michael said. "Our ethical and legislative discourse lags far behind the diffusion and application of location based services. There needs to be some public discourse and debate."

  • Dr Katina Michael recently received a grant from the Australian Research Council to research and propose new regulations to address these new technologies. "Implants is only one small component of the research - the main things we’re investigating relate to consumer mobile location records and data protection, socio-ethical dilemmas related to social networking applications based on the tracking of other human beings and privacy."

  • "Where do we stop and where do we begin? We have to be very careful at this early point as the new capabilities and their effects on society are relatively untested," Katina said.