Family Planning NSW Data Breach

Katina Michael with Ally Crew, "Family Planning NSW Data Breach Financially Motivated", ABC Radio National Australia. May 14, 2018.

https://www.fpnsw.org.au/ on May 14, 2018

Thanks to executive producer Eleni Psaltis.

Consumer Digital Touchpoints Online: It's messy

I asked everyone from Facebook to data brokers to Stan for my information. It got messy

It is almost impossible to understand your full Facebook data footprint. (Credit: ABC) 

28 April 2018

By technology reporter Ariel Bogle

Brands I've never heard of have my details.

Deciphering your Facebook data can be like leafing through a corporate-owned teen diary.

In 2007, one of my first comments was telling a friend she had a "fashionable mullet", but my online data footprint has exploded since then.

I downloaded my data from Facebook in an effort to understand how brands target me with personalised advertising — an activity that accounted for 98 per cent of the social giant's 2017 revenue.

Your name, age and location are the least of it. Every like, link and interaction can add to your profile, whether it's an inferred political preference — are you liberal or conservative? — or an interest in board games.

But as Wired has detailed, Facebook's data download provides an incomplete picture.

To fix that, I asked for my personal data (you can too, thanks to the Privacy Act) from everyone from data brokers to advertisers.

What did I find? That understanding who knows what about you online is a Sisyphean undertaking. One that takes dozens of emails and almost one month.

What do data brokers know?

Ever heard of a data broker? If you haven't, that's no mistake.

"They rarely have a public presence," said Sacha Molitorisz, a digital privacy researcher at the University of Technology Sydney.

"My guess is there is an intuition somewhere there, that what they're doing might not be palatable to customers."

Data brokers are companies that may gather online and offline information — census data, surveys and purchase histories, for example — to create consumer profiles that they serve to advertisers.

In the market for a new car? An expectant mother? These are the types of insights they look for.

If advertisers want to reach these people, they can source special audience information from data brokers and target ads to them on Facebook.

This is allowed under Facebook's Partner Categories program, but after the Cambridge Analytica scandal, the company said it would be winding the option down.

A Facebook spokesperson said ad campaigns run this way would end by October 1, 2018.

For now, though, Facebook works with three providers in Australia: Quantium, Acxiom and Experian.

I contacted all three and asked for my personal data. All three said they had nothing — but that's not the whole story.

How am I targeted?

Earlier this year I was served a Facebook ad for 100% Pure New Zealand. Facebook told me it was based on a dataset provided by the data analytics firm Quantium.

But if Quantium doesn't have my personal details, how does it target me?

The tourism ad was sent to two consumer segments — "outdoor enthusiasts" and "travellers" — a Quantium spokesperson said.

The company received de-identified purchase data, likely from Woolworths Rewards program, which was then used to create anonymous groups likely to purchase something based on their past shopping behaviour.

My de-identified data was probably in there. Then, apparently, Quantium matched it up with my de-identified data from Facebook.

"Publishers like Facebook de-identify their users' personal data utilising the same encryption algorithm used by Quantium," the Quantium spokesperson said.

"The de-identified data from both parties is passed into a secured anonymisation zone for matching purposes. This allows the two datasets to be matched without using any personal information."

In some cases, it gets more mysterious.

In Settings, Facebook lists the advertisers it says are running ads, using contact lists they uploaded to the platform.

Experian said it had no personal information about me, but Experian Data Quality is listed as having uploaded my contact information to Facebook.

A company spokesperson said it could not confirm why I was connected to Experian Data Quality.

"Based on the information you provided to us, we again confirm that Experian's Data Quality and Targeting (Marketing Services) in A/NZ does not hold any personal information on you," she wrote in an email.

Who else has your email?

Brands are only meant to upload contact lists to Facebook for advertising if they have permission to do so.

In the case of the video streaming service Stan, seeing its ad on Facebook made sense — I'm a subscriber, and apparently, I've watched the TV show Billions.

A Stan spokesperson said the ad I saw was intended to remind people "who may be fans of the show" that a new season was available.

It does this to highlight content the company thinks subscribers are interested in, using its internal analytics.

"We matched your encrypted email to data held by Facebook to facilitate the surfacing of that content," she added.

(I also asked for all my personal data from Stan, and the hours of television I've watched makes for a terrifying spreadsheet, by the way.)

The contact list mystery

But Stan is not the only brand that has my information.

As I write this article, there are more than 300 brands that Facebook lists as having my contact information — the majority of which I've never heard of.

There's a sushi restaurant in Perth, for example, called Tao Café. I've never visited.

I got in touch, and Tao Café office manager Annette Sparks was equally baffled about its appearance on my list.

But she said that the food delivery company Deliveroo ran ads on behalf of the company, and suggested that's how my contact details may have been bound up with the sushi venue.

So, onto Deliveroo.

While they couldn't discuss my personal situation, a spokesperson said Deliveroo does provide "marketing support" to its restaurant partners — essentially, it runs ads promoting them as part of the delivery service.

Did Deliveroo then share my email with cafes from Perth to Singapore? The company said no.

"Under no circumstances does Deliveroo share any customer details with restaurants or other third parties as part of these marketing campaigns," the spokesperson said.

I'm left none the wiser about why Tao Café was on the list — and there are other mysteries too.

According to Facebook's list, various American political candidates have my contact information.

As does the official Facebook page of the actress Kate Hudson.

What can I do?

Mark Zuckerberg has said Facebook users own their data, but it's an unusual kind of ownership.

Ownership feels largely meaningless when your data is scattered around the internet.

There is no one company to blame. The architecture of online advertising is set up this way.

"The issue is that in the digital space … personal data is very much sought after, and there are all [kinds of] different players who stand to benefit from access to that data," Mr Molitorisz said.

"There needs to be greater transparency with how our data is used."

This is the reality of surveillance capitalism, according to Professor Katina Michael, a privacy expert at the University of Wollongong.

Our data is a valuable commodity, and time is not on our side when it comes to understanding who wants it and where it's going.

"We don't measure it, we don't write it down like we do calorie-controlled diets," Professor Michael said. 

"We don't realise how much we're giving away."

Ariel Bogle, April 28, 2018, "I asked everyone from Facebook to data brokers to Stan for my information. It got messy", ABC Radio National. http://www.radioaustralia.net.au/international/2018-04-28/i-asked-everyone-from-facebook-to-data-brokers-to-stan-for-my-information-it-got-messy/1752610
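
The Quantium and Stan statements quoted in the article above describe matching on identifiers that both sides transform with the same algorithm. The sketch below is an added example, not code from the article or from any company named in it: it assumes the transformation is an unkeyed SHA-256 of the normalised email address (the article says only "encryption algorithm"), uses constructed addresses, and contrasts that with an HMAC whose key is a hypothetical secret held only inside the matching environment.

```python
import hashlib
import hmac


def normalise(email: str) -> str:
    """Trim and lowercase so both parties hash the same string."""
    return email.strip().lower()


def plain_token(email: str) -> str:
    """Unkeyed SHA-256 of the address (assumed scheme, not confirmed by the article)."""
    return hashlib.sha256(normalise(email).encode("utf-8")).hexdigest()


def keyed_token(email: str, key: bytes) -> str:
    """HMAC-SHA-256: only holders of the key can compute or test a token."""
    return hmac.new(key, normalise(email).encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed sample data: a retailer's segment list and a platform's user list.
RETAILER = {"Alice@Example.com ": "outdoor enthusiasts", "bob@example.com": "travellers"}
PLATFORM = ["alice@example.com", "carol@example.com"]


def segments_for_platform_users(tokenise):
    """Join the two datasets on tokens only; no raw address crosses the boundary."""
    retailer_tokens = {tokenise(e): seg for e, seg in RETAILER.items()}
    platform_tokens = {tokenise(e) for e in PLATFORM}
    return {t: seg for t, seg in retailer_tokens.items() if t in platform_tokens}


def third_party_can_link(email: str, released_tokens) -> bool:
    """Recompute the unkeyed token for a known address and test for membership.

    If this returns True, the token behaved as a stable pseudonym for that
    person rather than as anonymous data.
    """
    return plain_token(email) in set(released_tokens)


if __name__ == "__main__":
    plain = segments_for_platform_users(plain_token)
    print("matched records (unkeyed):", len(plain))
    print("linkable by someone who knows the address:",
          third_party_can_link("alice@example.com", plain))

    key = b"constructed-demo-key"  # hypothetical secret, never leaves the matching zone
    keyed = segments_for_platform_users(lambda e: keyed_token(e, key))
    print("matched records (keyed):", len(keyed))
    print("linkable without the key:",
          third_party_can_link("alice@example.com", keyed))
```

Both schemes produce the same match, but only the keyed tokens resist confirmation by a party outside the matching environment, so protecting and rotating that key is the control that matters.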

Now that Facebook have acknowledged "mistakes", what's next?

Citation: Katina Michael with Joe O'Brien, "Now that Facebook have acknowledged "mistakes", what's next?" ABC 24 hrs: Mornings with Joe O'Brien, channel 24, 11am-11.12am.

Joe O'Brien is the host of ABC News 24's morning news program and was previously co-host on ABC News Breakfast. Joe has more than 20 years' experience in journalism and has been with the ABC since 1995. He presented the 7pm ABC News programs in both Queensland and New South Wales, and regularly presented the national Midday Report on ABC TV. Joe's extensive reporting experience covers everything from drought and floods to sport and politics. He was first based for the ABC in Rockhampton, and then in Brisbane as a reporter and presenter.

The Capability on SBS Greek Radio

Your face is becoming the latest weapon in the world of digital surveillance, and the humble driver's licence looms as a game-changer in tracking individuals through both the real and virtual world.

In Mandarin:

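According to the ABC, once driver's licences are added to the biometric database, the government and some private-sector bodies will be able to obtain details such as people's photos, ages and addresses.

Experts warn that both governments and organised crime groups may seek to obtain personalised metadata for their own purposes, and that people face the risk of losing control over their own biometric characteristics.

Industry views:

Professor Katina Michael, an expert in technology and law, said that about 50 per cent of people already have visual biometrics stored in nationally accessible databases, and that the addition of driver's licences will lift that proportion to 80 per cent in one step.

She said one of the biggest risks of collecting biometric data is the vulnerability of the way biometric technology works.

Professor Michael said: "When police look up a person's details in the system using a photo, it is not a one-to-one match; you put a person's face in there and you may get back dozens of candidates as search results."

She said that although the names of the individuals returned by a search may be purged after a time, their data may remain in databases connected to criminal investigations, while real repeat offenders or terrorists often do not apply for passports or driver's licences, so as to stay outside the system.

Stephen Wilson runs a consultancy that researches and tracks biometric technology trends in the business and government sectors.

He said that at present even very secure biometric systems need a considerable amount of time to process images accurately.

And when consumers are keen on convenience, such as being able to unlock a phone or access a bank account with a quick scan of the face or a fingerprint, they overlook security, and that invites problems.

Wilson said: "The more exposure we have in electronic databases, the greater the chance that we will be matched by our biometric characteristics. In addition, for someone intent on committing a crime who wants to forge a driver's licence, the system offers a long list of photos of people who look like them to choose from."

The annual industry survey of the Biometrics Institute (Industry Trend Tracker) shows that facial recognition is the biometric trend most likely to increase over the next few years.

Respondents considered personal privacy and data protection to be the biggest constraints on this market.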

Mandatory Data Breach Notification (2017 Amendment to Privacy Act)

Today I had the pleasure to speak to Meredith Griffiths, reporter of the ABC, on the newly enacted Mandatory Data Breach Notification (MDBN) that takes effect on February 28, 2018.

Some of the main points I made in the interview with the help of my colleagues at the Australian Privacy Foundation (primarily David Vaile) were:

MDBN doesn't go far enough because:

  1. small businesses (<$3m annual turnover) are exempt from MDBN
  2. self-assessment of "serious harm" is ambiguous (on what test do companies come forward? and only if PC agrees it is serious? what if slightly serious on one view, and very serious on another, do companies take the easy way out and not disclose?)
  3. companies are given 30 days to make a data breach notification to the privacy commissioner (too long for customers to be kept in the dark and thereafter how long might it take the Privacy Commissioner to determine 'seriousness' and/or publicly respond with an unenforceable determination)
  4. what about data breaches offshore (how do Aussies respond to loss of their PI abroad)?
  5. what about 'open data' re-identification through AI/machine learning?
  6. OAIC is overloaded, slow, determinations are also unenforceable and very rare.

So where does this really leave us? We have a law that neither prevents breaches of personal information nor compensates individuals for privacy breaches. What we need to do is consider the outcomes of the ALRC from 2008 that stipulated we need a tort on the serious invasion of privacy so that individuals CAN sue other individuals (like hackers), or companies (like Google) or government agencies for breaches in their privacy (whether accidental or deliberate or through some form of negligence).

The lack of auditability of the new law means that current practices that rely on de-identification to safeguard people's personal information, say in the case of OPENGOV data initiatives, may not be enough down the track as the threat increases from machine learning algorithms that can look at patterns of information and highlight individuals like finding a needle in a haystack. The issues of going down this path are grave, including the potential for re-identification and bringing several disparate treasure troves like social media data, government data and personal records together to be analysed.

Links to MDBN include:

https://www.oaic.gov.au/media-and-speeches/statements/mandatory-data-breach-notification

https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

https://www.oaic.gov.au/media-and-speeches/news/retailers-check-out-mandatory-data-breach-reporting-obligations-and-prepare-for-2018

Having a statutory tort of serious invasion of privacy (like in the UK and US) or a common law tort (like in New Zealand), allows individuals to sue other entities depending on the severity of the privacy breach. Why is Australia lagging so far behind other advanced digital nations? When will this legislation be amended?

Already, we are seeing large ICT companies set up "shop-fronts" in Australia with NO enforceable penalties to international misdemeanours when it comes to amassing treasure troves of data, and data breaches offshore. How do we hold these companies accountable when they are taking in a lot of business from Australian consumers and yet seem to be let out in the "wild" to do as they please, storing data on the Cloud either in the USA or Ireland? Bruce Schneier called this "data as a toxic asset". As the toxicity rises, we can expect major pollution spills.

For now, at least we can say that the MDBN is a step in the right direction despite the fact that it falls short through exemptions and loopholes. It can have some reputational impact on "data addicts" that don't do the right thing via their subscriber base, but little more. Sadly, large corporations can handle this reputational damage in their "risk appetites". The fines are also "measly" when it comes to government or regulatory action, and so corporate and government entities in particular are left to their own devices here in Australia. While well-meaning, it seems that it is nothing more than a theatrical show: data hosts are still not responsible for bettering their security practices or urgently responding and fixing a breach.

Data is a bit like mental illness. You can't see it. It is not tangible. You cannot put a price on mental health, and you cannot put a price on your personal data. While we can manage damage to property very well, because we can see a scratch on a car, or the loss of inventory, we cannot see data as we see a broken arm.

We already have very weak Privacy Legislation. Australia needs to get serious like Europe (through the General Data Protection Regulation, considered the gold standard) has on the value of personally identifiable information (PII). Both the Liberal and Labor governments need to listen to the commissioned reports by the Australian Law Reform Commission, and act on the implementation of statutory tort legislation with respect to intrusions of privacy. There is no reason why this has not happened yet.

US ESTA VISA Form Now Requesting Social Media Data

Social media profiles are currently on request by US Customs and Border Protection, so at the moment this is optional, but for those wanting temporary visas, it looks like the US will be requiring a social media profile as a condition of entry. Roderick spoke with Professor Katina Michael - Associate Dean at International Faculty of Engineering and Information Sciences at University of Wollongong, who says that this has far-reaching implications for privacy and human rights.

Full Citation: Katina Michael and Roderick Chambers, "Social media profiles needed for US temporary visas", The Daily-2SERFM, 30 December 2016, 10.47-10.58am. Available: http://www.2ser.com/component/k2/item/26676-social-media-profiles-needed-for-us-temporary-visas

Online Privacy and the 2016 Census

Tomorrow night Australians will fill out their 2016 census form. Last year the Australian Bureau of Statistics (ABS) announced that it will be keeping personal information from this year’s census returns for four years as an additional source of data to help improve community support services. But there are concerns about the security of identifiable information such as names and addresses, place of birth and household details. Should we be concerned? We were joined by Associate Professor Katina Michael in the School of Information Technology and Computer Science at the University of Wollongong to find out more.

Citation: Produced by Laura Chung, Katina Michael with Nik Healey, August 15, 2016, "Online Privacy and the 2016 Census", 2SERFM Breakfast. https://2ser.com/online-privacy-2016-census/

The Apple Watch and Wearable Downsides

We are witnessing an explosion of wearable devices. People are now seen wearing a watch, a FITBIT and carrying their mobile phone. What next? Do away with all these externals and just go for an implantable that can do all of this for the price of one and is invisible? Not only are these wearables a status symbol but people truly believe they can gain many benefits from reminders to do with getting up and walking when they've been sitting all day behind a computer at work. No one can discount the potential benefits but there are also downsides. What if we lived in a future where our health insurance providers could dictate our premium based on the number of steps we took each day? What if our future employer could make a decision on whether we'd be a good employee based on our data, sold on from App companies to third parties? Don't think we will ever live in such a future? Think again, it's already here! We just seem to be too busy to realise because we're looking for the latest gadget that will make us more hip and ultimately chew up more of our scarce time. We're too busy interacting and messaging to notice what is going on right before our very eyes. Jack and Candice explore the issues at hand in this interview.

Citation: Powerfm and Katina Michael, May 25, 2015, "The Apple Watch and Wearable Downsides" 94.9 Powerfm: 8.50am-8.56am.

Highly sort places for Aussies to live

What does your address say about you?

Quite a bit, according to those behind a website that profiles people and estimates the household income.

But privacy advocates have expressed concerns after the Roy Morgan Research classification tool Helix Personas began allowing users to obtain profiles by entering a street address.

The site, which introduced the feature in recent weeks after opening for business last year, is marketed as being able to categorise every Aussie into one of 56 personas.

You can find out, free-of-charge, whether your persona is of a “Fit and Fab Metrotech”, a “Penny Wise Battler” or a “Done Good Aussie Achiever”.

Residents of households in inner suburban streets are likely to find themselves profiled as well-educated and career-focused renters with a “Big Future” bringing in $96,000.

Meanwhile those in a growing urban-fringe area may be categorised as “Getting By” on a household income of $79,000.

The site has been touted as potentially useful to retailers trying to determine where to locate future outlets.

However, Australian Privacy Foundation vice-chair Katina Michael said companies applying profiles could get it dramatically wrong or right.

Michael said that consumers had a choice to make in light of the “big data” trend, which often mischaracterised people.

“We can continue to believe the rhetoric that says ‘We are doing no harm to individuals, it is hardly tracking when profiling small neighbourhoods’ ... or we can begin to demand an end to the on-selling of personal information,” she said.

Citation: Lachlan Hastings, May 23, 2014 "Highly sort places for Aussies to live", MX (Brisbane), p. 4.