Author - Liz Bodey

1
Critical Vulnerability: Vulnerability in Widely Used Open Source Software is Discovered
2
Mask Off: Social Media Giants to Unmask Trolls or Risk Themselves Becoming Liable for Defamation Payouts
3
Privacy Pandemic: Australians Losing Trust in Institutions’ Use of Their Data
4
An even ‘hacking’ field – Government Surveillance Bill passed by Parliament
5
Russia got hacked – ironic right?
6
Even the Best Fall Down Sometimes: Nine Network suffers large-scale cyber attack
7
A Home Affair: Department of Home Affairs ordered to compensate Asylum Seekers following inadvertent disclosure
8
Less than two weeks to go: New Zealand Privacy Act commences 1 December 2020
9
Leaky Port: City of Port Phillip Inadvertently Discloses Personal Information on Federal Government Website
10
Australian Privacy Act Under Review

Critical Vulnerability: Vulnerability in Widely Used Open Source Software is Discovered

By Cameron Abbott, Rob Pulham, Max Evans and Ella Krygier

A critical security vulnerability has been discovered in Apache Log4j, an open-source logging library used by many popular Java applications to provide logging functionality for troubleshooting purposes, according to the Australian Cyber Security Centre (ACSC).

The software’s vulnerability, known as Log4Shell, allows for remote code execution, which, if left unfixed, could allow cybercriminals to take control of IT systems, steal personal data, passwords and files, and install backdoors for future access, simply by adding an additional line of arbitrary code. According to the ACSC, malicious cyber actors have used this vulnerability to target and compromise IT systems globally and in Australia, which led the ACSC to publish advice on mitigation and detection recommendations.

Read More

Mask Off: Social Media Giants to Unmask Trolls or Risk Themselves Becoming Liable for Defamation Payouts

By Cameron Abbott, Rob Pulham, Warwick Andersen, Max Evans and James Gray

In a significant development in online regulatory oversight, the Australian government announced over the weekend that it will introduce new laws handing Australian courts the power to order social media companies to reveal the identities of anonymous trolls or risk themselves being liable for defamation payouts.

The so called “social media anti-trolling legislation” which the government has said will be introduced into parliament this week proposes to require social media companies stand up a functional and easy-to-use complaints and takedown process for users, who upon suspecting they are being defamed, bullied or attacked may file a complaint with the social media platform requesting that the relevant content be removed.

If that request is denied, the complainant can ask the social media company to provide the details of the “troll” so as to enable the complainant to commence an action. If this request is further denied, or if the social media platform is “unable to do this”, complainants may apply to obtain a court order requiring the social media company to release the identification details of the anonymous user so that a defamation action may be pursued. Failure to comply with such a court order will render the social media company themselves liable for the defamation claim.

Significantly, the reports indicate that these new laws will push legal responsibility for defamatory content from the author or page manager to the social media company which runs the platform. This represents a key move away from social media platforms being distributors of content but rather, in the eyes of online safety, being deemed publishers themselves. We will keep you posted as these proposed laws progress.

Privacy Pandemic: Australians Losing Trust in Institutions’ Use of Their Data

By Cameron Abbott, Rob Pulham, Max Evans and James Gray

In the age of QR code check-ins and vaccination certificates, as Australia edges towards a post-pandemic (or mid-pandemic, it increasingly seems) “normal”, new research from the Australian National University (ANU) has revealed that Australians have become less trusting of institutions with regards to data privacy.

The ANU researchers said that the decrease in public trust between May 2020 and August 2021 was small but “statistically significant”. A key reason for this decrease, according to the researchers, was concern around “how their private data from check-in apps might be used by major institutions” as lockdowns and the use of apps for contact tracing intensified.

The institutions which experienced the greatest loss of trust were social media companies (10.1% decline), telecommunications companies, and federal, state and territory governments. This echoes sentiment from the OAIC following its recent ‘community attitudes to privacy’ survey that Australians trust social media companies the least when it comes to handling personal information, followed by the government.

While it remains to be seen whether this loss of trust becomes a permanent trend, one way to make Australians more comfortable with an organisation’s data practices – as reinforced by the OAIC – is to ensure the purpose of the collection and use of personal information is clearly understood. The OAIC has found that Australians are increasingly questioning data practices where the purpose for collecting personal information is unclear.

With increased penalties for privacy non-compliance looming, there’s never been a better time to revisit your privacy policies and collection statements to make sure that these are clear, so your organisation can stand out against this trend and build consumer trust.

An even ‘hacking’ field – Government Surveillance Bill passed by Parliament

By Cameron Abbott and Ella Richards

The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 (Identify and Disrupt Bill) passed both houses of federal parliament on 25 August 2021. The new legislation extends the power of law enforcement agencies to identify and disrupt suspected online criminal activity through the provision of three new warrants.

The new warrants provide the Australian Federal Police and the Australian Criminal Intelligence Commission with the power to:

  1. Modify or delete the data of suspected offenders (data disruption warrants);
  2. Collect intelligence on criminal networks (network activity warrants), and
  3. Take control of a suspected offenders’ online account (account takeover warrants).

Anyone required to assist with government hacking is protected from civil liability. However, anyone who refuses to comply can face up to 10 years’ imprisonment.

Online criminal networks are evolving rapidly with the use of anonymising technology – making the detection of serious online crime near impossible. Encrypted applications such as Discord have stated that approximately 536 verified dealers sold $100,000+ of illegal substances/stolen goods in one week, despite Discord’s “zero-tolerance” approach to illegal activity.

On the other hand, the Office of the Australian Information Commissioner (OAIC) previously warned that the new warrant powers could adversely impact the privacy of a large number of individuals – including those with no suspected involvement in criminal activity.

The complexity of online crime makes it increasingly necessary for law enforcement agencies to level the playing field, identify suspected criminal activity and intercept that activity before it is actioned. However, proportionate consideration of individual privacy rights has created a lively debate in the passage of the legislation thus far.

The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021 is now awaiting Royal Assent. Keep an eye on our Cyber Law Watch blog further updates.

Russia got hacked – ironic right?

By Cameron AbbottRob Pulham and Jacqueline Patishman

In mid-May, the Russian government (quietly) published a report revealing that foreign hackers had successfully compromised the Russian Government’s cyber systems. The report suggests that sophisticated hackers were pursuing the interests of a foreign state or that they were backed by a particular state but makes no statement as to who may have been behind it.

Read More

Even the Best Fall Down Sometimes: Nine Network suffers large-scale cyber attack

By Cameron Abbott, Warwick Andersen, Rob Pulham and Max Evans

Channel Nine has suffered the largest cyber attack on a media company in Australia’s history, according to reports from IT News, the AFR and Nine News.

The cyber attack, reported by Channel Nine as a variation of a ransomware attack, struck early Sunday morning, resulting in television and digital production systems being offline for more than 24 hours. The attack impaired Channel Nine’s ability to broadcast from its Sydney studios, forcing the media outlet to shift operations to its Melbourne studios.

Read More

A Home Affair: Department of Home Affairs ordered to compensate Asylum Seekers following inadvertent disclosure

By Cameron Abbott, Warwick Andersen, Michelle Aggromito and Max Evans

As a result of a recent class action, the Department of Home Affairs has been ordered by the Australian Information Commissioner, Angelene Falk, to pay compensation to asylum seekers after the Department was found to have interfered with the privacy of 9,251 detainees.

According to a media release from the Office of the Australian Information Commissioner (OAIC) , the relevant breach stemmed from February 2014, where the Department published on its website a “Detention Report”, which had embedded within it a Microsoft Excel spreadsheet containing the personal information (including full names, date of birth and period of immigration detention) of 9,258 individuals who were in immigration detention at that time.

Read More

Less than two weeks to go: New Zealand Privacy Act commences 1 December 2020

By Cameron Abbott and Keely O’Dowd

On 1 December 2020, the New Zealand Privacy Act 2020 will come into operation and repeal and replace the Privacy Act 1993.

The Privacy Act 2020 modernises New Zealand’s privacy laws and seeks to keep pace with international standards and technology. While New Zealand’s new privacy legislation is not as onerous as other international privacy laws, such as the GDPR, it still introduces significant changes including:

  • mandatory data breach notification;
  • new investigative and regulatory powers for the New Zealand Privacy Commissioner; and
  • new criminal offences and penalties, including fines of up to $10,000.
Read More

Leaky Port: City of Port Phillip Inadvertently Discloses Personal Information on Federal Government Website

By Cameron Abbott, Warwick Andersen and Max Evans

The City of Port Phillip Council has accidentally published to data.gov.au personal information of an unknown number of residents who had reported graffiti, according to an article from ITNews supported by a statement released by the council.

According to the statement, during work to automate the generation of a graffiti dataset, an incorrect version was selected which led to the unapproved publication of personal information such as names, phone numbers and/or email addresses of the persons who reported graffiti to the council. As the article notes, of the approximately 764 email addresses and 859 phone numbers that were published, 53% of the email addresses belonged to businesses and 28% of the phone numbers were for landlines and 1300 numbers.

Read More

Australian Privacy Act Under Review

By Cameron Abbott, Rob Pulham and Keely O’Dowd

In December 2019, the Australian Government announced it would conduct a review of the Privacy Act 1988 (Cth).

A year has almost passed and finally the Australian Government has publicly released details about the review. On 30 October 2020, the Australian Government released the Terms of Reference of the review. In particular, the review will cover:

  • The scope and application of the Privacy Act
  • Whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices
  • Whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act
  • Whether a statutory tort for serious invasions of privacy should be introduced into Australian law
  • The impact of the notifiable data breach scheme and its effectiveness in meeting its objectives
  • The effectiveness of enforcement powers and mechanisms under the Privacy Act and how they interact with other Commonwealth regulatory frameworks
  • The desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.
Read More

Copyright © 2019, K&L Gates LLP. All Rights Reserved.