Showing posts with label privacy. Show all posts

Sunday, 16 April 2023

Services Australia can no longer off its own bat crack welfare recipients' PC, mobile, email & social media passwords in order to spy - since 13 October 2015 it's been obliged to use the Australian Federal Police, an even more indiscreet Commonwealth agency.

 

On 17 July 2015 Deputy Secretary of the Dept. of Human Services (now Services Australia) Malisa Golightly, of ‘Robodebt’ notoriety, wrote to the Deputy Secretary of the National Security and Criminal Justice Group in the Attorney-General’s Department, seeking the department's continued inclusion as an enforcement agency under the Commonwealth Telecommunications (Interception and Access) Act 1979.


At that time the Dept. of Human Services employed 295 investigators and 89 intelligence analysts who typically conducted 3,000 criminal investigations per year – using the full range of powers available to an “enforcement agency” in the 1 July 2015 version of the Telecommunications (Interception and Access) Act.


Here is a potted history of what happened after that.


ITNews, 4 April 2022:


Services Australia is using telecommunications metadata and password-bypassing software to investigate welfare recipients suspected of claiming single payments while in relationships.


The Centrelink administrator told the Attorney General’s Department (AGD) that metadata is used to detect “people who receive payments as a single person while in a marriage-like relationship,” according to documents obtained by iTnews.


Submissions to AGD in 2015 and again in 2022 [pdf], obtained through a freedom of information request, list types of fraud the agency uses welfare recipients’ telecommunications metadata to detect.


A Services Australia spokesperson told iTnews that both telecommunications metadata and password-bypassing technology from Israeli vendor Cellebrite are only used when fraudulent claims trigger criminal investigations.


This contrasts with the more common non-compliance investigations, which prevent and recover debts resulting from over-payments, such as the notorious robodebt scheme.


However, the spokesperson would not say how much money a person needs to be suspected of being overpaid before a non-compliance investigation is tipped into a criminal investigation, making it hard to estimate the extent to which the technologies are used to determine relationship-status.


Moreover, welfare recipients told iTnews, while Services Australia has said that Cellebrite is only used for criminal investigations, data may be extracted from their devices before charges have been laid; and Services Australia may continue to pursue the debt as a non-compliance investigation even if the suspect is not prosecuted…...


Metadata and relationship-status


It is not clear what types of metadata are used to glean if welfare recipients are single, however criteria listed on Services Australia’s website for “how we assess if you’re a couple” includes: “financial aspects of your relationship, the nature of your household, social aspects of your relationship, [and] if you have a sexual relationship.”


The Services Australia spokesperson told iTnews that "the key metadata we request enables us to identify records linked to telephone numbers or IP addresses to support criminal investigations.”


The spokesperson did not answer whether it includes geolocation data on a device’s connection to the internet or the sender-recipient records of a user's communications.


Services Australia was cut off from directly asking telcos for metadata in late 2015, after having had the power since 2009.


It now makes requests for metadata, "where required", through the Australian Federal Police.


Services Australia has asked the government at least twice to have its powers back.


According to the FoI, Services Australia requested AGD declare it an 'enforcement agency' under Section 176A of the Telecommunications (Interception and Access) Act (TIA) in 2015 and made the same request seven years later during a current review of electronic surveillance laws…...


In response to its 2015 application, AGD suggested “joint investigations arrangements with a criminal law-enforcement agency” as an “alternative means of accessing historical telecommunications data.” The welfare provider took the advice.


Since Services Australia started accessing telecommunications metadata indirectly through the AFP, it is unclear how many investigations involved fraud claims based on relationship-status.


According to its most recent annual reports, in 2021–22 Services Australia conducted 709 criminal investigations, 988 administrative investigations and made 203 referrals to the CDPP.


A quick look at the Commonwealth Ombudsman's views on the often erratic response of the Australian Federal Police to its requirement to comply with telecommunication data law:

https://www.ombudsman.gov.au/__data/assets/pdf_file/0021/112476/Report-into-the-AFPs-use-and-administration-of-telecommunications-data-powers.pdf


There were several important factors that informed my decision to commence an investigation, including:

  • the covert and intrusive nature of this power

  • the duration and potential scale of non-compliance with the TIA Act as a result of ACT Policing accessing telecommunications data outside the AFP’s approved process

  • the omission of the affected records from our Office’s regular compliance inspections

  • previous recommendations our Office has made to the AFP about non-compliance with the TIA Act.


Like law enforcement, Services Australia is not eager to advertise the shortcomings of its own errant staff, but the character of this bureaucracy which uses covert surveillance on welfare recipients is not above interrogation.


Services Australia is a federal government department which includes Centrelink.


A brief Internet search reveals for the most part sparsely worded information. The following is a compilation from government and media sources.


In a two-year period covering 2005 to September 2006 Centrelink investigated 790 APS Code of Conduct complaints, with 766 referred for investigation and 585 staff found to have accessed the private information of welfare recipients or entered into a conflict of interest situation in breach of the code. Sanctions for these breaches reportedly included 19 dismissals, 92 resignations and more than 300 salary reductions or fines. Another estimated 134 staff were demoted, reprimanded and warned. Five cases were referred to the AFP or Director of Public Prosecutions.


In 2006–07 Centrelink staff breached the information privacy principle in 367 instances, including 108 unauthorised access, 4 unauthorised disclosure and 10 unauthorised use. Another 17 new cases were opened with the Office of the Privacy Commissioner, bringing the total to 20 cases for the year. Centrelink finalised six cases with the office and as at 30 June 2007, 14 cases were still open.


By the next financial year 2007-08, Centrelink recorded 355 privacy breaches of which 100 were unauthorised access, 13 unauthorised disclosure and 1 unauthorised use. The remainder of breaches were said to be primarily mailing errors.


In 2008-09 Centrelink found 368 proven privacy incidents of which 85 were unauthorised access of information, 14 were unauthorised disclosure and 1 was unauthorised use.


Financial year 2009-10 saw Centrelink admit to 465 proven privacy incidents and it appears to have undertaken 286 staff code of conduct complaints investigations in which 187 staff members were found to have breached the code of conduct.


The following financial year 2010-11, Centrelink undertook 197 staff code of conduct complaints investigations, including 25 investigations of improper use of internet or email, and 67 investigations of ‘improper access to personal information’. The latter occurred when employees accessed records either without a business reason, or despite being directed not to do so, for example if the records belonged to themselves, family or friends. A total of 128 Centrelink staff members were found to have breached the code of conduct.


In 2011 Centrelink & Medicare were integrated into the Dept. of Human Services.


In 2011-12 the Dept. of Human Services finalised 205 staff breaches of the APS Code of Conduct, including:

  • 68 instances of improper access to personal information;

  • 5 unauthorised disclosure of information;

  • 10 conflict of interest;

  • 48 inappropriate behaviour other than bullying or harassment;

  • 17 harassment and/or bullying;

  • 8 fraud other than theft;

  • 1 theft;

  • 8 improper use of resources other than email;

  • 25 improper use of internet or email;

  • 8 inappropriate use of government vehicles;

  • 7 improper use of position or status;

  • 4 behaviour of the employee outside of work;

  • 2 misuse of drugs and/or alcohol, and

  • 2 other.


The next year 2012-13 the Dept. of Human Services finalised 165 matters involving 214 breaches of the code of conduct - across the gamut of human behaviour displayed in the workplace including 82 instances of improper access to personal information, 5 unauthorised disclosure of information and 26 conflict of interest.


In 2013-14 the Department of Human Services reported there were 472 matters involving staff breaches of code of conduct of which 234 were finalised, including 118 improper access to personal information, 4 unauthorised disclosure, 181 conflict of interest and 66 fraud. 


The next financial year 2014-15 saw reports of 1,939 substantiated privacy incidents from which there were officially 268 findings of staff breaches of the code of conduct.


In 2015-16 there were 368 findings of a breach of the code of conduct.


Note: From 21.9.2015 to 18.2.2016 Stuart Robert was the Minister for Human Services.


In 2016-17 there were a reported 304 staff breaches of the code of conduct.



In 2017-18 a total of 235 staff code of conduct investigations were completed and 224 findings of a breach were made.


In 2018-19 the Department of Human Services reported a total of 249 staff code of conduct investigations were completed, with 241 findings of a breach of the code.


NOTE: From 29.5.2019 to 30.3.2021 Stuart Robert was Minister for Government Services, which included the Dept. of Human Services in his portfolio.

In May 2019 the Dept. of Human Services had a name change, becoming Services Australia.


From July 2017 to end June 2019 almost half of the breaches arose from unauthorised access to information, where staff had inappropriately accessed customer records. Almost a quarter of all breaches allegedly related to incorrect reporting of income by staff who were also in receipt of Centrelink benefits.


The Commonwealth Ombudsman's Report of 2019-20 mentions that: We received more complaints about Services Australia than any other agency (11,222), although this was a decrease of 3.7 per cent compared to last year.


In one case: A complainant’s disability support pension (DSP) was cancelled as a result of a staff error and while seeking a review of this error they received an inheritance.

A trustee acting on behalf of the complainant contacted Services Australia however was unable to have the DSP payments reinstated, despite payments not being made in excess of 12 months.

As a result of the Office’s engagement with Services Australia during an investigation, the complainant’s circumstances were reviewed and they were back-paid over $45,000 for the entire period since their DSP was cancelled. Additionally, Services Australia provided feedback to the officer who made the initial error to improve future service.


In his following 2020-21 annual report the Commonwealth Ombudsman placed Services Australia in: the number of disclosures assessed meeting the criteria under s 26 of the Public Interest Disclosure Act 2013 and alleged kinds of disclosable conduct to which the disclosures relate.


This involves 8 instances of:

  • Contravention of a law of the Commonwealth, state or territory (5)

  • Maladministration (2)

  • Abuse of public trust (2)

  • Wastage of public money (2)

  • Conduct that results in, or that increases, the risk of danger to the health or safety of one or more persons (3)

  • Abuse of public office (3)

  • Conduct that may result in disciplinary action (6)


In 2021-22 the Commonwealth Ombudsman reported that 52% of complaints it received from the public involved Services Australia-Centrelink.


Sunday, 4 July 2021

Queensland, West Australian and Victorian state police services have admitted trying to access logs of contact tracing services created since the start of the COVID-19 pandemic – the other five state & territory police services denying having done so thus far

 

Crikey, 1 June 2021:


Police across the country are attempting to access personal data from mandatory COVID-19 check-in apps for reasons other than contact tracing, despite promises that the data would only be used for public health reasons.


Police in Queensland, Western Australia and Victoria have all owned up to trying to access logs of data created by Australians using check-in applications as part of their investigations, and enquiries by Crikey suggest that police in other states could also access this data using a warrant.


Privacy advocates have slammed state governments for lying to Australians about what the data would be used for.


“We were told this data would only be used for contact tracing. Police made that a lie,” Electronic Frontiers Australia’s Justin Warren told Crikey. “People will remember that next time governments want us to give them data about ourselves.”


One of the major tools in fighting the spread of COVID-19 and managing outbreaks has been contact tracing, which has been aided by various tech solutions.


When the federal government first proposed the contact tracing app COVIDSafe (which used Bluetooth to log close contacts), it responded to fears of a mass surveillance state by announcing the data would not be used by police.


But adoption of a QR code check-in system — the widely used, low-tech alternative now mandatory in many places around the country — was left to states to implement. As it turns out, these states did not assume the same protections for their citizens, meaning that data volunteered in the name of public health has been accessed for other reasons…..




Monday, 21 December 2020

Australian Competition & Consumer Commission takes Facebook Inc to Federal Court over allegedly misleading and deceptive conduct, December 2020

 

Australian Competition & Consumer Commission, media release, 16 December 2020:


ACCC alleges Facebook misled consumers when promoting app to 'protect' users' data


The ACCC has instituted proceedings in the Federal Court against Facebook, Inc. and two of its subsidiaries for false, misleading or deceptive conduct when promoting Facebook’s Onavo Protect mobile app to Australian consumers.


Onavo Protect was a free downloadable software application providing a virtual private network (VPN) service.


The ACCC alleges that, between 1 February 2016 to October 2017, Facebook and its subsidiaries Facebook Israel Ltd and Onavo, Inc. misled Australian consumers by representing that the Onavo Protect app would keep users’ personal activity data private, protected and secret, and that the data would not be used for any purpose other than providing Onavo Protect’s products.


In fact, the ACCC alleges, Onavo Protect collected, aggregated and used significant amounts of users’ personal activity data for Facebook’s commercial benefit. This included details about Onavo Protect users’ internet and app activity, such as records of every app they accessed and the number of seconds each day they spent using those apps.


This data was used to support Facebook’s market research activities, including identifying potential future acquisition targets.


“Through Onavo Protect, Facebook was collecting and using the very detailed and valuable personal activity data of thousands of Australian consumers for its own commercial purposes, which we believe is completely contrary to the promise of protection, secrecy and privacy that was central to Facebook’s promotion of this app,” ACCC Chair Rod Sims said.


“Consumers often use VPN services because they care about their online privacy, and that is what this Facebook product claimed to offer. In fact, Onavo Protect channelled significant volumes of their personal activity data straight back to Facebook.”


“We believe that the conduct deprived Australian consumers of the opportunity to make an informed choice about the collection and use of their personal activity data by Facebook and Onavo,” Mr Sims said.


The Onavo Protect website stated that the app would “save, measure and protect” users’ mobile data, while advertisements on Facebook’s website and app included statements such as “Keep it secret. Keep it safe… Onavo Protect, from Facebook”.


The ACCC is seeking declarations and pecuniary penalties.




Background 


US-based Facebook, Inc. owns global social media and private messaging platforms including Facebook, Instagram and WhatsApp. 


US-based Onavo, Inc. and Onavo Mobile Ltd, based in Israel, were mobile analytics companies that were acquired by Facebook in October 2013. After the acquisition Onavo Mobile became Facebook Israel Ltd. 


Apple removed Onavo Protect from its App store in 2018 for non-compliance with its developer terms such as, among other things, collecting information about other apps installed on a user’s device for the purposes of analytics. It was later also removed from the Google Play store and was discontinued in 2019. 


The ACCC’s Digital platforms inquiry final report examined a range of issues involving digital platforms and consumers, including concerns about Onavo Protect and how its users’ data was being collected and used. 


In December 2020, in an unrelated action, the US Federal Trade Commission (US FTC) brought proceedings against Facebook, alleging that the company is illegally maintaining its personal social networking monopoly through a years-long course of anticompetitive conduct. The US FTC alleges that Facebook engaged in a systematic strategy including its 2012 acquisition of Instagram and 2014 acquisition of WhatsApp, and the imposition of anticompetitive conditions on software developers to eliminate threats to its monopoly. The court documents filed by the US FTC refer to Facebook’s use of Onavo Protect data to identify future acquisitions as part of the allegation that Facebook is illegally maintaining a monopoly.


Wednesday, 20 May 2020

Australian Minister for Home Affairs Peter Dutton makes a grab for even more surveillance powers



Crikey, 15 May 2020:

The government’s proposed scheme to enable foreign intelligence services to spy on Australians will enable Australia’s intelligence agencies to circumvent measures designed to protect journalists from unfettered pursuit of their sources.

Labor’s Mark Dreyfus yesterday exposed the loophole, with Home Affairs officials left unable and unwilling to explain why their minister Peter Dutton was proposing a runaround on existing procedures designed to protect journalists’ sources.

The Telecommunications Legislation Amendment (International Production Orders) Bill 2020 will pave the way for agreements between Australia and the United States, and other “like-minded countries”, for the direct accessing of surveillance information, including real-time wiretapping, by intelligence agencies from both counterpart countries. In Australia, such requests would be signed off by members of the Security Division of the Administrative Appeals Tribunal (AAT), which is heavily stacked with former Coalition MPs and staffers.

In hearings before the intelligence and security committee yesterday, shadow attorney-general Dreyfus asked Dutton’s bureaucrats why existing protections around accessing the metadata of journalists were not part of the proposed process.

When the Abbott government introduced mass surveillance laws in 2015, the mainstream media belatedly realised that journalists’ phone and IT records would be easily accessed by intelligence and law enforcement agencies under “data retention” laws. In response, a “Journalist Information Warrant” (JIW) process was hastily put together that would require agencies to apply for a special warrant, with more stringent thresholds and procedural safeguards, like a Public Interest Advocate, if agencies wanted to obtain data relating to a journalist’s sources.

No such safeguard exists under the International Production Orders (IPO) process, meaning that if a journalist’s data was held by a US company — such as Google, Apple, Facebook or Microsoft — it could be obtained by ASIO or the Australian Federal Police (AFP) from those companies through an IPO without a Journalist Information Warrant, unlike information held by a local company such as Telstra.

“Are you able to tell us why an Australian journalist whose telecoms data is held by a US carrier should have fewer protections than an Australian journalist whose telecoms data is held in Australia?” Dreyfus asked Home Affairs bureaucrats…..

Dreyfus pressed further. The Journalist Information Warrant process was not replicated in this bill, was it, he asked.

“It is not replicated,” Warnes had to admit, before insisting an AAT authorisation was enough protection.

Dreyfus went further. “The Journalist Information Warrant process has a public interests monitor provided. There is no such public interest monitor provided in the authorisation process that is provided under this bill is there?”

“That’s correct,” the bureaucrat admitted.

“So it’s not the same level of protection for journalists whose data is held by a US carrier. It’s a lesser level of protection isn’t it?” said Dreyfus.

“Different considerations at play, yes,” Warnes, humiliated, had to admit.

Dreyfus also pointed out that the Journalist Information Warrant process had additional criteria that had to be considered in granting warrants. They weren’t in the IPO scheme, were they?

“That’s correct,” Warnes said.

“So why should an Australian journalist whose telecoms data is held by a US carrier have fewer protections than an Australian journalist whose telecoms data is held in Australia?”

“I don’t have anything further to add,” Warnes said.

Dreyfus told him to come back to the committee with a better explanation for why the loophole was being pursued by the government…..

Friday, 15 May 2020

Law Council of Australia is very concerned with some aspects of Minister for Home Affairs Peter Dutton's proposed amendments to the Australian Security and Intelligence Act 1975 (Cth) (ASIO Act)


"The Australian Security Intelligence Organisation Amendment Bill 2020 will modernise ASIO's powers and, in doing so, improve ASIO's capacity to respond to these threats [by]....lowering the minimum age of a questioning subject in relation to a terrorism matter from 16 to 14...empowering the Attorney-General to issue warrants, including orally....allow non-intrusive tracking devices, such as a device placed on a vehicle, or in a person's bag, to be authorised internally...." [Minister for Home Affairs & Liberal MP for Dickson Peter Dutton in House of Representatives Hansard, 13 May 2020]

Law Council of Australia, media release, 13 May 2020:

Statement on proposed amendments to the ASIO Act by Law Council President, Pauline Wright


The Law Council of Australia is very concerned with some aspects of the proposed amendments to the Australian Security and Intelligence Act 1975 (Cth) (ASIO Act) released today in parliament.
If adopted, the amendments would redesign the Australian Security and Intelligence Organisation’s (ASIO’s) compulsory questioning warrant regime and repeal its specific detention powers.
It would also make some significant changes to ASIO’s surveillance powers, including permitting warrantless (that is, internally authorised) surveillance in relation to the use of certain tracking devices.
The Law Council welcomes the repeal of the ASIO detention regime in relation to the investigation of terrorism, which is consistent with its longstanding policy position. However, the amendments propose a re-design of the use of questioning warrants and we are concerned that there may be very limited time to scrutinise the proposed laws, which are lengthy, complex and highly intrusive on individual rights.
The proposal to reduce the age of minors who may be subject to questioning from 16 to 14 years and the conferral of powers on police to apprehend and detain persons for the purpose of bringing them in for compulsory questioning also requires detailed scrutiny by the Law Council, amongst the many other amendments.
The Law Council is concerned that the government is now rushing the Bill, despite having had over two years to develop the re-designed questioning legislation since the PJCIS tabled its report in May 2018.
Now there is a sense of urgency given that ASIO’s current questioning powers are due to sunset on 7 September, and the amendments are set to commence by or before that date.
This is not a Bill to be hurried through.
The Law Council will need to carefully scrutinise the Bill and we look forward to providing a comprehensive submission to the inquiry. 

The Sydney Morning Herald, 14 May 2020:

With Federal Parliament flat out dealing with the social and economic fallout of the COVID-19 pandemic, now is hardly the right time for a government to introduce legislation giving ASIO the power to question 14-year-old children, interfere with the rights of legal advisers, and enable the tracking of individuals without the need for a warrant..... 

Dutton's law would allow ASIO to seek a warrant so it can question young people aged 14 to 18 if they are a target of an ASIO investigation into politically motivated violence: broad criteria to say the least. 

Then there is a serious attack on the fundamental right of a person, whether they be 14 or 40, to choose their own lawyer when they are subject to investigation by ASIO. The bill allows for a prescribed authority, which is a judge or Administrative Appeals member selected by the government, to stop a person ASIO is seeking to question from contacting their lawyer if "satisfied, based on circumstances relating to the lawyer, that, if the subject is permitted to contact the lawyer, a person involved in activity prejudicial to security may be alerted that the activity is being investigated, or that a record or other thing the subject may be requested to produce might be destroyed, damaged or altered". 

This power is sweeping and allows for hearsay "evidence" to be used. All ASIO would have to do is tell the judge or AAT member that it has heard from "sources" that the lawyer requested by the detainee is a security risk. 

But even if the lawyer passes muster and sits with his or her client, the ASIO officers doing the questioning can have the lawyer removed. The explanatory memorandum of the bill says that can happen, "if the lawyer's conduct is unduly disrupting questioning. This may be the case where, for example, a lawyer repeatedly interrupts questioning (other than to make reasonable requests for clarification or a break to provide advice), in a way that prevents or hinders questions being asked or answered." So if the ASIO officers are badgering or harassing a frightened 14-year-old, or asking questions that are completely irrelevant, they have carte blanche. 

As a lawyer, one hears and reads stories about colleagues in authoritarian states where such powers are given to and used by security agencies, but one never expected it in democratic Australia....

Friday, 24 April 2020

The fact that Minister for Home Affairs & Liberal MP for Dickson Peter Dutton is always lurking in the shadows during national crises continues to be a worry


"I’m going to keep going until I get the numbers. I’m not stopping" [Minister for Home Affairs & Liberal MP for Dickson Peter Dutton on the subject of his desire to be Australian prime minister, quoted in "The Bigger Picture", April 2020]

It has become notable that since September-August 2018 when Peter Dutton's bid to topple then prime minister Malcolm Turnbull succeeded but his bid to become Australian prime minister failed - primarily because he and Turnbull were both outfoxed by a duplicitous Scott Morrison - Dutton disappears into the shadows during the worst phases of national crises or major political scandal.

One suspects he does so as he doesn't want voters to negatively associate him with either crises or scandal, because he hasn't given up his ambition to be prime minister after the next federal election.

As Dutton's worldview is as much a threat to democratic processes as is the worldview of current prime minister Scott Morrison, voters would do well to keep in mind what Dutton would like to impose on Australian society.

Sydney Criminal Lawyers, 20 April 2020:

Peter Dutton Proposes Prison for Refusing to Provide Passwords

Home Affairs Minister Peter Dutton has been absent from the media spotlight in recent times, ever since he contracted coronavirus.

And many are asking where the man at the helm of curtailing civil liberties on a federal level has been in the midst of the current pandemic.

The man at the helm of the surveillance state

Mr Dutton has been credited with proposing a wide range of laws designed to increase the power of authorities at the expense of individual liberties.

Perhaps most recently, Mr Dutton proposed laws which would result in prison time for those who fail or refuse to hand over their passwords or PINs when requested to do so by authorities.

Peter Dutton has said the laws are needed to help police catch criminals who are hiding behind encryption technology – a line we have heard many times before as the country’s law makers put in place draconian measures to grant police and other authorities surveillance powers that encroach upon our privacy.

Under the proposals, which are currently on hold, people who are not even suspected of a crime could face a fine of up to $50,000 and up to five years’ imprisonment for declining to provide a password to their smartphone, computer or other electronic devices.

Furthermore, anyone (an IT professional, for example) who refuses to help the authorities crack a computer system when ordered will face up to five years in prison. If the crime being investigated is terrorism-related then the penalty for non-compliance increases to 10 years in prison and/or a $126,000 fine.

Tech companies who refuse to assist authorities to crack encryption when asked to do so, will face up to $10 million in fines. What’s more, if any employee of the company tells anyone else they have been told to do this, they will face up to five years in gaol.

Under the legislation, foreign countries can also ask Australia’s Attorney General for police to access data in your computer to help them investigate law-breaking overseas.

Australia’s hyper-legislative response to September 11

Since the September 11, 2001, terrorist attacks in the United States, the Australian parliament has responded to the threat of terrorism here and overseas by enacting more than 80 new laws and amending existing laws – many of them with wide-reaching consequences, such as the terrorism laws used to conduct raids on journalist Annika Smethurst’s home and the ABC’s head offices, as well as charge former military lawyer and whistleblower David McBride with offences that could see him spending the rest of his life in gaol.

Controversial metadata laws too, introduced in 2015, seriously impact our personal privacy, requiring telecommunications companies to retain metadata including information on who you call or text, where you make calls from, and who you send emails to.

The problem is that once these kinds of extraordinarily heavy-handed powers are legislated, they are very seldom retracted or rescinded. In many cases, over time, they are expanded. Australia’s oversight body the Australian Law Reform Commission can review laws that are already in place, but it has limited powers which only enable the commission to make recommendations for change, not to actually change the laws themselves.

Police already have the power to seize a phone or laptop if you have been arrested.

Border Force has even more extensive seize and search powers.

The extensive powers of Border Force

In 2018, Border Force made headlines after intercepting a British-Australian citizen travelling through Sydney airport and seizing his devices.

Nathan Hague, a software developer, was not told what would be done with his devices, why they were being inspected or whether his digital data was being copied and stored. He believes his laptop password was cracked.

Australian Border Force has extensive powers to search people’s baggage at Australian airports. These are contained in section 186 of the Customs Act 1901 (Cth). These include opening baggage, reading documents, and using an X-ray or detection dog to search baggage.

The Customs Act allows officers to retain an electronic device for up to 14 days if there is no content on the device which renders it subject to seizure. And if it is subject to seizure, the device may be withheld for a longer period.

ABF officers have the power to copy a document if they’re satisfied it may contain information relevant to prohibited goods, to certain security matters or an offence against the Customs Act. A document includes information on phones, SIM cards, laptops, recording devices and computers.

Tuesday, 10 March 2020

Australia finally gathers its courage and takes Facebook Inc to court over Cambridge Analytica privacy breaches


Office of the Australian Privacy Commissioner, media release, 9 March 2020:

The Australian Information Commissioner has lodged proceedings against Facebook in the Federal Court, alleging the social media platform has committed serious and/or repeated interferences with privacy in contravention of Australian privacy law. 

The Commissioner alleges that the personal information of Australian Facebook users was disclosed to the This is Your Digital Life app for a purpose other than the purpose for which the information was collected, in breach of the Privacy Act 1988. The information was exposed to the risk of being disclosed to Cambridge Analytica and used for political profiling purposes, and to other third parties. 

“All entities operating in Australia must be transparent and accountable in the way they handle personal information, in accordance with their obligations under Australian privacy law,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said. 

“We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed. 

“Facebook’s default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy. 

“We claim these actions left the personal data of around 311,127 Australian Facebook users exposed to be sold and used for purposes including political profiling, well outside users’ expectations.” 

The statement of claim lodged in the Federal Court today alleges that, from March 2014 to May 2015, Facebook disclosed the personal information of Australian Facebook users to This Is Your Digital Life, in breach of Australian Privacy Principle 6. Most of those users did not install the app themselves, and their personal information was disclosed via their friends’ use of the app. 

The statement of claim also alleges that Facebook did not take reasonable steps during this period to protect its users’ personal information from unauthorised disclosure, in breach of Australian Privacy Principle 11. 

Commissioner Falk considers that these were systemic failures to comply with Australian privacy laws by one of the world’s largest technology companies. 

Background 

The documents filed by the Office of the Australian Information Commissioner (OAIC) in the Federal Court are: 
  • Originating application

The OAIC is an independent statutory agency established to promote and uphold privacy and information access rights. It has a range of regulatory responsibilities and powers under the Privacy Act 1988, Freedom of Information Act 1982 and Australian Information Commissioner Act 2010. 

The Privacy Act includes 13 legally binding Australian Privacy Principles (APPs) which apply to agencies and organisations covered by the Privacy Act (APP entities). 

APP 6 provides that ‘if an APP entity holds personal information about an individual that was collected for a particular purpose, the entity must not use or disclose the information for another purpose (the secondary purpose), unless the individual has consented to the use or disclosure’ (or another exception applies). 

APP 11 provides that ‘if an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances, to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure.’ 

The Commissioner may apply to the Federal Court for a civil penalty order alleging that an APP entity has engaged in serious and/or repeated interferences with privacy in contravention of s 13G of the Privacy Act. 

The Federal Court can impose a civil penalty of up to $1,700,000 for each serious and/or repeated interference with privacy (as per the penalty rate applicable in 2014–15).

Wednesday, 28 August 2019

Do you know exactly who Medicare, your GP, specialist doctor or local area health service are sharing your personal medical information with?


Electronic Frontiers Australia, media release, 26 August 2019: 

Australia, Melbourne — Monday 26 August 2019 — EFA, Future Wise, Digital Rights Watch and APF today call again for a comprehensive review of privacy provisions for healthcare data. 

Following the HealthEngine scandal in 2018, and the recent use of Pharmaceutical Benefits Scheme (PBS) data to assist recruitment into research on Bipolar disorder, a Twitter user on Friday 23 August shared an SMS message attempting to recruit him into a clinical trial. 

This appears to have occurred through the use of Precedence Healthcare’s InCa (Integrated Care) health platform. Research by members of digital rights organisations today revealed that sensitive patient details—including contact details, demographics and complete medical histories—can be shared with a wide range of partners, including, it appears, private health insurers. 

Dr Trent Yarwood, health spokesperson for Future Wise and a medical specialist, said “Secondary uses like this are a very ethically murky area. People don’t generally expect to have personal details from their healthcare providers made available to anyone, even if well intentioned.” 

The terms and conditions of the application include access to data from myHealthRecord. “While the My Health Records Act includes privacy provisions, once this data is accessed by an external system, these provisions no longer apply,” continued Dr Yarwood. “I’m very concerned that practices making use of this system are not aware of just how widely this data can be shared—and that they are expected to fully inform patients of the nature of the data use,” he concluded. 

“This kind of barely-controlled data sharing is only possible because of how little privacy protection is provided by the current legislation,” said Justin Warren, Electronic Frontiers Australia board member. 

“People have made it clear time and time again that information about their health is extremely personal, private, and they expect it to be kept secure, not shared with all and sundry,” he said. “What people think is happening is quite different to what actually is, and these companies are risking catastrophic damage to patient trust with their lust for data.” 

“If you found out your doctor was sharing your full medical history with private health insurers, or the police, would you keep seeing them?” he added. 

Robust privacy protections are needed for all Australians, such as by finally giving us the right to sue for breach of privacy, requiring explicit consent for each disclosure of medical or health data to a third party, and proper auditing of record-access that is visible to the patient. It is imperative that the risks of health data sharing receive greater attention. [my yellow highlighting]

Australian Health Information Technology, 25 August 2019: 

This Seems To Be A System Of Sharing Personal Health Information That Is Rather Out Of Control. 

I noticed this last week: How does Inca collect and share health information? 

Updated 1 month ago 

Precedence Health Care’s Integrated Care Platform (Inca) is a cloud-based network of digital health and wellness services, including MediTracker mobile application services. 

It is important that all users of Inca services understand how the network collects and shares health information (“personal information”) and are aware of their responsibilities for gaining informed consent from patients. 

To the extent applicable (if at all), the Health Privacy Principles (or equivalent), which operate in some jurisdictions, should guide your actions. In the absence of applicable Health Privacy Principles, you should refer to relevant Commonwealth, State or Territory privacy legislation, and assistance can also be derived by referring to the website of the Office of the Australian Information Commissioner. You should make sure you are familiar with the applicable principles or other relevant guidance, and also with Precedence Health Care’s Privacy Policy. 

Inca collects and shares personal information about patients and other persons under care (also called “consumers”) who consent to this information being stored and shared in the network. This information may come from a variety of sources, including the clinical software systems used by GPs (e.g., Medical Director, Best Practice); other members of the patient’s care team (e.g., allied health professionals, medical specialists); the patient themselves; participating health services and pathology services; and the Commonwealth’s My Health Record. 

Inca uses this information to provide a range of health care and wellness services to the patient and their care team. 

Prior to contributing a patient’s personal information to be stored in or used by Inca, users must obtain informed consent from patients for the collection and sharing of this information. Ensuring that patients are informed about what will happen with the information that is being shared is a fundamental component of best practice in privacy, so it is important that all Inca users and patients know what information is available on Inca and who has access to that information. 

When a patient’s GP or other person authorised by the GP uses Inca to collect personal information from their general practice clinical system, Inca will extract and share the following information: 

· Patient demographics 
· Alcohol consumption and smoking status 
· Allergies and adverse reactions 
· Family and social history 
· Observations and results 
· Current medications 
· Immunisation history 
· Current and past problems 

If the patient or the GP does not wish to share some of this information, the GP’s clinical system should provide a means for declaring such data “confidential” and thereby preventing it being sent to Inca. 

GPs who do not know how to do this should contact the provider of their clinical software. Inca may also collect and share information obtained from other sources. 

These include: 

· Information that the GP or any member of the care team or the patient themselves adds to the patient record or to any notes concerning the patient’s care using Inca services, web sites or mobile devices. This information may include contact information, measurements, care plans, assessments, referrals, progress notes, appointments, and other related personal and health information. 

· Information from participating Health Services, including discharge summaries and emergency department attendance. 

· Information obtained from My Health Record. This information may include some or all of the data stored in the patient’s My Health Record. 

It is the responsibility of the provider of information stored in or used by Inca, or the person who grants access to such information, to inform the patient of the type of personal information that is so provided or made accessible. 

Inca will provide access to a patient’s personal information with the patient’s GP and care team, the patient (or their carer as authorised by the patient), participating Health Services, and some others as necessary to provide the services of Inca. Precedence Health Care may share de-identified data (that is, data from which it is impossible to ascertain who you are) to persons or organisations who are engaged in research, trials and analyses relating to improvements in health and the management of health services. The way Inca shares and protects this information is described in the Precedence Health Care Privacy Policy. 

It is important that patients understand what information is being shared, who it is being shared with, and for what purpose. It is the responsibility of the persons providing this information to ensure that each patient is aware that their personal and health information is being stored on a computer system hosted on a secure site in Australia, as described in the Precedence Health Care Privacy Policy. 

It is also important for all users of Inca to be aware that this information may not be complete, up to date, or accurate. 

In seeking informed consent to participate, patients should be advised that any measurements or notes that they enter into Inca are not continuously monitored and will be available to members of the patient’s care team only when the provider next logs in to Inca. 

Patients who are concerned about any condition should contact their GP or other health care provider using their normal means (e.g., phone) and should not use Inca for this purpose. 

Please contact Precedence Health Care’s Privacy Officer on (03) 9023 0800 or email privacy@precedencehealthcare.com if you have any questions or concerns about our Privacy Policy, or if you wish to suggest improvements. You may also contact your State’s Privacy Commissioner or Ombudsman to get advice about privacy or make a complaint. 

Here is the link: https://phc.zendesk.com/hc/en-us/articles/360021090952-How-does-cdmNet-collect-and-share-health-information- 

For background Precedence Health run a shared patient data base which is accessible to GPs, Specialists and Allied Health Staff for the purpose of care planning and co-ordinating care. Using their system allows GPs to claim a Medicare Item No for this service. They also provide patient access to the data and have services such as reminders etc in an app. 

All that said this system, on its own statements, just sucks information from everywhere (GP systems, health services and the myHR) and pops it into one database. One user, who is now switching it off, revoking consent and getting out has described to me a collection of erroneous and mis-sorted data on their record. 

More, they seem to be happy to hand out the data to others claiming it is de-identified – and we all know how ineffective that can be! 

The rather loose way consent rules for disclosure appear to be enforced is also a worry. 

They even have the legendary myHR disclaimer that “It is also important for all users of Inca to be aware that this information may not be complete, up to date, or accurate.” Doh! 

You can see the Privacy Policy here if you wish! https://phc.zendesk.com/hc/en-us/articles/360021091012-Privacy-Policy- 

Don’t know about you but none of my information would go anywhere near this if I could help it! It looks like a serious unthought through shambles to me. 

What do you think? 

David.  [my yellow highlighting]