Privacy, Data Protection & Information Management – Page 30

Hold the phone…is “metadata” personal information? Who knows?

Feb 12 2016

By Cameron Abbott, Simon McDonald and Meg Aitken

The ongoing debate surrounding what “metadata” actually is, and how it should be characterised under privacy laws has once again resurfaced. This time, the Federal Court will have a chance to decide on the issue, following a decision by the Privacy Commissioner to appeal a finding that denied a journalist access to metadata on the basis that it was not personal information.

Way back in 2013, a then technology journalist for Fairfax, Ben Grubb, asked Telstra to provide him with metadata and other information held by it in relation to his mobile phone on the basis that it constituted ‘personal information’ under the Privacy Act 1988 (Cth) (Privacy Act) and he was therefore entitled to it.

Telstra did provide some information to Mr Grubb (including his outgoing call records, bills and the customer details they had stored for him), however it submitted that the “metadata” produced from his mobile phone use on Telstra’s network was not personal information, as it was not linked to him in a way that made his identity apparent or reasonably ascertainable.

Unsatisfied with this answer, Mr Grubb lodged a complaint with the Privacy Commissioner. In May 2015, the Commissioner held that Telstra ‘cross-matched’ data across its mobile network in such a way that it was possible to determine a customer’s identity and that Telstra was therefore in breach on NPP 6.1 (as it then was) by refusing to provide Mr Grubb with access to his personal information.

Telstra appealed to the Administrative Appeals Tribunal of Australia (AATA). Taking a strangely narrow approach to the issue, Deputy President Forgie ruled that the mobile network data was not personal information for the purpose of the Privacy Act. Instead, she said that the metadata was actually information about the service provided by Telstra and the delivery of that service, rather than about Mr Grubb and his mobile phone use. On that basis, Telstra was not obliged to provide Mr Grubb with access to the information, despite it being generated directly from his use of Telstra’s services.

Seem contrary to the deliberately broad concept of personal information that is designed to protect individuals? We agree, and so does the Privacy Commissioner. ‘Stay on the line’ to see how the Federal Court approaches the issue.

Access the determination and reasons for determination of Privacy Commissioner Timothy Pilgrim in Ben Grubb and Telstra Corporation Limited [2015] AICmr 35 (1 May 2015) here.

Access the AATA decision of Deputy President S A Forgie in Telstra Corporation Limited and Privacy Commissioner [2015] AATA 991 (18 December 2015) here.

Access the Office of the Australian Information Commissioner’s Press Release here.

Privacy concerns over Westfield’s ticketless parking system

Feb 05 2016

By Cameron Abbott, Meg Aitken and Shirley Chen

Westfield has sidelined the SMS feature of its ticketless parking system this week due to concerns it breached Australian privacy laws.

Westfield’s newfangled ticketless parking system attempted to make parking quicker and easier for shoppers by scanning car number plates on entry and exit of their carparks, and sending an SMS notification to registered parkers recording their entry time and an alert message when their free parking time was nearly up. To register for the service, users were merely required to provide a name, license plate number and phone number (with no verification).

Privacy experts raised the alarm that any person could register false details and track another person’s physical location via the SMS notifications. This was a particular worry for those in domestic violence situations and could also potentially enable stalking or thieves to determine when homeowners had left their houses. The feature’s Terms and Conditions failed to address any of these issues.

The SMS service is currently suspended as internal investigations are conducted, though the rest of the ticketless parking system and app continue to operate.

Learn more about the ticketless parking system here.

Read the ITNews report on the issue here.

‘EU-US Privacy Shield’ agreed for trans-Atlantic data flow

By Cameron Abbott and Meg Aitken

A new trans-Atlantic data transfer framework has been agreed between the European Commission and the United States this week. Known as the ‘EU-US Privacy Shield’, the new arrangement is intended to offer greater legal certainty for businesses and afford EU citizens increased protection when their data is transferred across the Atlantic to the US.

The new regulations will replace the US-EU Safe Harbor framework, which was invalidated by the European Court of Justice last October on the basis that the generalised access that public authorities had to the data and content of electronic communications violated fundamental privacy rights. Read our earlier blog post on the Safe Harbour decision here.

The key features of the new EU-US Privacy Shield are:

Stronger obligations on US companies to protect the personal data of EU citizens
More robust enforcement powers granted to both EU and US regulators, including greater monitoring and prosecution by the US Department of Commence and Federal Trade Commission (FTC)
Clearer conditions, limitations, redress avenues and safeguards for data transferred across the Atlantic
Expanded obligations for US companies to prove compliance
Several new avenues for EU citizens to lodge complaints about data misuse, including the establishment of a new independent privacy Ombudsman

The new Privacy Shield is still awaiting final approval from the College of Commissioners and will be subject to further review by the Article 29 Working Party before it is introduced. Much of the detail has not been released, so while the principles have been articulated, the impact on the obligations of affected companies is still far from clear.

Read the European Commission press release here for further details.

Our US and EU colleagues have drafted a more detail description which can be accessed here for further information.

Scary statistics reveal 39,000 reported cybercrime incidents in 2015

Feb 01 2016

By Cameron Abbott and Meg Aitken

Following its launch in November 2014, the Australian Cyber Online Reporting Network (ACORN) has revealed it fielded 39,000 reports of cybercrime from individuals and organisations in 2015. Fraud was the most commonly reported cybercrime, with 19,232 reports being made to ACORN last year.

Prominent data analytics group and credit bureau, Veda revealed similarly worrying statistics in the Veda 2015 Cybercrime and Fraud Report, noting that in 2015, 1 in 4 Australians reported being a victim of identity theft at some stage, up 7% from 2014. The report also suggests that Australians are becoming increasingly concerned about the risk of cybercrime and identity theft.

Veda has projected that 2016 will see even greater numbers of cybercrime attacks on individuals, firms and government agencies as the ‘Internet of Things’ further develops, reliance on social media grows and a profound amount of personal information and data continues to be collected.

Read the ACORN quarterly statistics reports here.

Malware attacks a Melbourne hospital’s outdated IT system

Jan 29 2016

By Cameron Abbott and Meg Aitken

Don’t say we (and Microsoft) didn’t warn you, a prominent Melbourne hospital’s IT system that runs on an outdated and unsupported Windows operating system, Microsoft XP, was hacked last week.

Microsoft recently activated the end-of-life phase for Windows 8, 9 and 10 and encouraged users to transition to the company’s supported operating systems in order to prevent security incidents. The same process was undertaken for Microsoft XP in 2014; however the hospital continued to use the platform in some departments.

The pathology department was the primary victim of the attack and staff were reportedly forced to manually process blood tissue and urine samples while the electronic system was compromised. Fortunately, highly sensitive patient information is not believed to have been accessed by the hackers.

It has been reported that the hospital is now expediting plans to upgrade its IT systems.

Access the media release here.

Microsoft cuts support for Internet Explorer 8, 9 and 10

Jan 13 2016

By Cameron Abbott and Meg Aitken

Today, Microsoft will initiate the ‘end-of-life’ phase for the company’s older Web browsers, Internet Explorer 8, 9, and 10. Customers using the outdated browsers will be sent an ‘end-of-life upgrade notification’ as technical support and security updates have now ceased.

Microsoft has encouraged the several hundred million users who currently operate the outdated browsers to upgrade to Internet Explorer 11 or Microsoft Edge, which they suggest offers better-quality security and improved performance.

While users currently running Internet Explorer 8, 9 and 10 will still be able to use their browsers, Microsoft has warned there is a significant security risk of continuing to run the outdated versions. Without the periodic security updates and routine technical support, the outdated browsers will be vulnerable to cyber-attacks, malware and other security threats.

Australian Corporations have an obligation to keep materials secure under the Privacy Act 1988 (Cth) and should therefore consider the risk that using the unsupported browsers may not be sufficient to meet this requirement.

Access the Microsoft release here.

Complex ModPOS Malware Infects Point-of-Sale Terminals in Lead up to Christmas Spend Frenzy

Nov 30 2015

By Cameron Abbott and Meg Aitken

While the festive season approaches and retailers prepare for their busiest time of the year, a sophisticated form of point-of-sale malware, known as ‘ModPOS’, has reared its ugly head and is targeting payment terminals in the U.S.

It is estimated that the first ModPOS data hacks occurred in 2013 and that millions of credit and debit cards used at a broad variety of U.S. retailers have since been compromised. The unique complexity of the code, which experts say has never been seen before in malware, made it tricky to decipher.

Cyber security experts have warned that ModPOS has the ability to not only “scrape” credit and debit card numbers from the memory of point-of-sale terminals, but that the multifaceted code also records keystrokes of computer operators and transmits stolen data. If that isn’t enough, the malware is particularly difficult to detect and is reportedly capable of infiltrating despite security software and data controls.

More details about ModPOS malware can be found here.

Hotel Industry Payment Systems Under Attack

Nov 26 2015

By Cameron Abbott and Meg Aitken

Stayed at one of Hilton Worldwide Holdings’ (Hilton) hotels between 18 November – 5 December 2014 or 21 April – 27 July 2015? Check your bank statement.

Within the same week, both the Hilton and Starwood Hotels & Resorts Worldwide Inc. (Starwood) have discovered the point-of-sale terminals at a number of hotels across the globe have been infected with malware.

The malicious malware has enabled hackers to pinch the credit and debit card information of Starwood and Hilton customers, however there is apparently no evidence that personal contact information provided as part of the hotels’ guest-reservation system or loyalty rewards program was stolen.

While the attack on Starwood was confined to 54 of its hotels in North America, the Hilton attack affected the chain’s hotels globally, including Australian establishments. The number of cards compromised has not been revealed by either hotel.

Starwood and Hilton hotels are not the only luxury hotel chains to be affected by data hacks in 2015. The Mandarin Oriental and Trump International have also reported data security breaches involving intrusive malware this year. In the case of Starwood the hack occurred over eight months without detection showing how sophisticated some of these attacks are.

Starwood’s media release can be found here. Hilton’s media release can be accessed here.

Victorian Racing Integrity Commissioner Seeks Access to Metadata

Nov 05 2015

By Cameron Abbott and Melanie Long

Riding on the coverage and continued success of the Spring Racing Carnival, Victoria’s Attorney General and Racing Minister, Martin Pakula, has revealed that the Office of the Racing Integrity Commissioner is seeking access to metadata retained under the data retention scheme, which came into operation on 13 October 2015. In a letter to the Attorney General, Martin Pakula said that access to the data was critical for the effective conduct of the Office of the Racing Integrity Commissioners’ functions and ensures that the racing industry is ‘free from corruption.’ Internet Australia has opposed the application stating that ‘access to what amounts to people’s very personal and private communications information should be restricted to regular law enforcement agencies and not granted to quasi investigatory bodies.’ The revelation comes after a spokesperson from the Attorney General’s Department disclosed that it was ‘considering applications from a number of organisations for access to metadata.’

Martin Pakula’s tweet attaching an image of his letter to the Attorney General can be found here.

Internet Australia’s media release can be found here.

Computerworld Australia’s article reporting on the application of organisations for access to metadata under the data retention scheme can be found here.

European Court of Justice Declares EU/US Safe Harbour Decision Invalid

Oct 07 2015

By Cameron Abbott and Melanie Long

The European Court of Justice has declared a decision by the European Commission on the legitimacy of the EU/US safe harbour scheme (safe harbour decision), invalid. In the wake of the Snowden scandal, Austrian citizen, Maximilian Schrems, lodged a complaint against Facebook with the Data Protection Commissioner in Ireland (the location of Facebook’s European headquarters). The Irish supervisory authority rejected Mr Schrems’ complaint on the basis of the safe harbour decision. In invalidating the safe harbour decision, the European Court of Justice declared that “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” Further, that the safe harbour scheme, by not providing for an individual to pursue legal remedies in order to have access to personal data relating to them, or to obtain the rectification or erasure of such data, compromised, “the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.”

The consequence of this decision is that the EU/US safe harbour scheme is contrary to the Data Protection Directive, which provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data.

The European Court of Justice’s press release can be found here.

To read the full judgment of the European Court of Justice click here.

Catagory:Privacy, Data Protection & Information Management