Privacy Safe Harbour and Australia

Privacy ‘safe-harbour’ and Australia

 – not safe enough?

The decision by the European Court of Justice to declare the Safe Harbour arrangements between the US and EU invalid will have interesting repercussions not only for European citizens and companies such as Facebook and Google, but also for countries that increasingly rely on selling services overseas like Australia and New Zealand.

The decision was made as result of a case brought by Austrian citizen Maximillian Schrems on the use of his data by Facebook and in particular the practices of the US government as revealed by Edward Snowden.

This judgment has the consequence that the Irish supervisory authority* is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data. http://curia.europa.eu press release 6 October
*Facebook European HQ is in Ireland

Safe Harbour, is an agreement that had been in place since 2000. It was supposed to give the protections to private data collected by multinational companies on EU citizens wherever it was stored. This allowed Facebook to store EU citizens’ data in the US or wherever it was most efficient, but required them to treat it to the EU’s standards, rather than the more relaxed US standards.

The judgement is an indication of the deep unhappiness in Europe with the US’s cavalier approach to non-US citizen’s data. The US’s binary approach to citizen rights makes many non-US citizens bristle. It is like the Pax Romana of the Roman Empire 2000 years ago.

This decision will not ‘destroy cloud’ in Europe or elsewhere. However, it will require some reorganisation. In this, it will hurt second and third tier players more than Facebook, Amazon and Google.

Moreover, the decision will not seriously curb mass surveillance. The dirty little (not so) secret is that all countries spy on their citizens for mostly good reasons, including the Europeans. It’s just that the US is better at it than most others.

When the big players jostle, smaller countries feel the waves.

For Australian organisations, not only those who hold EU citizens’ data, this decision should cause them pause for thought. Organisations that do not take privacy seriously, or only respect the privacy of a subset of their stakeholders, need to rethink their approach, if only in terms of the reputational damage of a breech in markets like the EU.

The Internet becomes less than one – Time for an International Law of Cyberspace

The Internet has never been one network for all, As much as some might wish, it is a motley collection of many nets with a very minimal governance. The main effect of this decision is to further balkanise the Internet in a similar way to content geo-blocking and country firewalls.

Smaller countries like Australia and New Zealand should be concerned. We need to be able to trade on an even playing field in services. And that means having an Internet that is common to us and our competitors, both in terms of technology and policy. We need common laws governing cyberspace as much as we need trade barriers on physical goods like rice to be reduced.

This is the time that Australia, New Zealand and similar countries should be pushing hard diplomatically for an international ‘Law of Cyberspace’ which achieves the equivalent that the conventions on the Law of the Sea  achieved for maritime commerce. It took 300 years for the Law of the Sea to come to pass and it’s still being updated – let’s hope that the law of cyberspace takes much, much less time.

 

 

 

The trusted insider

The trusted insider.

Helping organisations protect themselves against trusted insiders

I attended the Security in Government (SIG) conference in Canberra earlier this month. I am somewhat biased, but I think that SIG is probably the best annual security related gathering in Australia.

If you compare it to a lot of international gatherings SIG certainly holds its own. Although, the US and German conferences in particular have glitz and size, the quality of the discussion and the more intimate nature is refreshing. SIG, as you may have guessed is primarily targeted at government, but there are good lessons for all organisations to be had there. Ok, enough of the fanboy …

The 2014 SIG theme was the ‘trusted insider’. Whilst the discussions were often very good, I wondered whether there are additional approaches to reducing the problem of the trusted insider. These approaches focus more on the relationship between employees and their organisations.

http://pixabay.com/

Who are the trusted insiders?

A trusted insider is somebody who uses their privileged access to cause harm to their employer or their interests. I’ll be a bit controversial here and note that, whether these people are traitors, spies or whistle-blowers depends somewhat on perspective. In any case these people evoke strong almost visceral emotions in many people.

Why are organisations so concerned about the trusted insider?

Despite fears about rogue hackers attacking organisations from the outside, the trusted insider is still considered the biggest threat to an organisation. In Australia and overseas, trusted insiders ‘going rogue’ have caused the significant damage to national security, government agencies and private organisations. The harm done can be from loss of secrets, money or even life.

Secrets: The most glaring examples in the information security space have probably come out of the USA in recent times. People like Edward Snowden and Chelsea (Bradley) Manning spring to mind in the national security sphere. However, some Swiss banks have also been stung by Bradley Birkenfield whom some in those establishments might call a trusted insider and the US tax agency would call a whistle-blower!

http://pixabay.com/

Money: Fraud is probably the most significant threat to private organisations from trusted insiders, particularly those in the finance and insurance industry. Sometimes the size of an event can be enormous, such as when $2billion was lost in 2011 through ‘unauthorised transactions’ in a Swiss bank.

http://pixabay.com/

Life and property: Whilst we often focus on loss of information confidentiality, trusted insiders were also responsible for assassinating the Indian Prime Minister Indira Gandhi in the 1980s and shooting fellow soldiers in the USA and Afghanistan in the last decade. There have also been a number of cases of ‘issue motivated’ insiders harming organisations by damaging plant and equipment.

http://pixabay.com/

What motivates the trusted insider?  C.R.I.M.E.S.

The motivations of trusted insiders are varied, however they broadly fit under the standard drivers of criminal behaviour as described by the mnemonic ‘crimes’.

Coercion – being forced, blackmailed or intimated

Revenge – for a real or perceived wrong, it could be about disaffection and or a grudge

Ideology – radicalisation or advancement of an ideology /religious objective

Money – for cash, profit, dosh, moolah – whatever you call it, and/or

Exhilaration or Ego– for the excitement or because they think that they are in someway cleverer than their compatriots –  Christopher Cook seemed driven by the excitement..
The USA’s “worst intelligence disaster” was Robert Hanssen, who might be described as an egomaniac.

Sex and personal relationships. The combination of sex and coercion is a lethal one.

Of course, some are also mentally fragile and may not have a motivation that is exactly clear to others.

End of part 1

In the coming part, we talk about some approaches to the trusted insider problem.

Privacy and social login

Is it possible to enhance privacy with social login?

The likelihood that any Australian Government is going to create an online identity credential now seems distant with the National Trusted Identities Framework (NTIF) almost forgotten. How quickly the Internet forgets, but maybe that’s a good thing if you’re Mario Costeja González.

But the need that the NTIF sought to fill has not gone away. Governments are trying to work out how to service their citizen/customer/users at lower cost. The Internet offers one possibility, but in taking their services online, government agencies expose themselves and us to different threats and potentially higher risk. However, it seems inevitable that government agencies will follow financial institutions in offering higher value transactions online. In the end, the economic argument is likely to drive government agency migration online with more high trust services. Recent federal and state/territory budget announcements are only likely to spur this movement.

There are a number of threats that need to be mitigated before a government agency could potentially provide its services online. Probably the key issue is for the agency to be sure that a user requesting access to a site is who they say they are. Currently issuing the customer with a username and password mostly does this, but the model is beginning to fail. The problem is that most people don’t interact with government agencies on a regular basis and yet information sensitivity and computer capabilities require users to adopt increasingly complex and non-sensical passwords.

It's all getting a bit hard
It’s all getting a bit hard

This in turn makes the passwords more difficult to remember even as they are harder to crack. It also means that password resets are much demanded. Yet at the same time, customers are expected to change their passwords regularly, not to write them down or repeat them for other online services.

It seems clear that these password requirements largely force customers to break their user agreements and either, write their passwords down, or worse re-use them for other services/websites.

It also puts government agencies in a bind. They want to provide online access to their services because it could be cheaper to operate than bricks and mortar outlets (if they didn’t have to reset too many passwords), but they also do not want to be embarrassed by privacy and security breaches.

Social Login providers

One option is the use of a social login to help secure online authentication. This could enhance user information security and minimise privacy breaches. Social login, also known as social sign-in, is a form of simple sign-on (to web resources) using existing membership of a social networking service such as Facebook, Yahoo, Twitter or Google+ to sign into a third party website in lieu of creating a new login account specifically for that website or service. Social login is designed to simplify logins for end users as well as provide more and more reliable demographic information to website owners. Social login can be used as a mechanism for both identity authentication and user authorisation.

Google website authentication

Social login is being adopted by private sector organisations for a number of reasons including: Rapid registration; Verified email contacts; and Customer stickiness. However social login also offers three major benefits for government agencies.

–       Currency of contact data. Contact data such as email tend to be kept up to date by the user.

–       Passwords are less easily forgotten because they are regularly used. At the same time, the social login passwords are not transmitted from the user to the agency website.

–       Security. Agencies can leverage security technologies implemented by the social networks that they might never be able to replicate themselves. Because of their resources, social networks such as Google and Facebook are able to detect and patch zero day exploits quickly.

So what are the privacy risks?

A user, when accepting the convenience of a social login, can share a significant amount of their information between a third party website (such as a government agency) and the social network. The social site is informed of every social login performed by the user. Often, it is worth considering whether users understand exactly what they are sharing and whether they are giving informed consent to share. However this risk can be mitigated with the creation of clear and detailed login screens, which explain what the users are sharing.

As an example, the following information is returned when a Facebook user agrees to share their ‘Basic Profile’. Other than the email, the information is not verified and may not be present. However, several organisations claim that the quality of the data returned is in general very good because social network users feel social pressure from their friends to be accurate.

Address Birthday Verified Email
Display Name Family Name Formatted Name
Gender Given Name Homepage
Preferred Username Profile Photo Time Zone

At the same time, it is not necessary for the third party website to collect all the information if it is not required.

Another issue surrounds current sensitivities with the USA NSA’s indiscriminate hoovering of online data. It is important to note that because all the large social networking sites are based in the USA, they are subject to USA’s laws and customs related to security and privacy. Under that regime, Australians are given significantly fewer protections than USA citizens or residents. Effectively, the social networking site itself provides the main protection for reputational reasons. However, readers may be aware that there have been recent moves in the USA to change this approach for what the US charmingly calls ‘aliens’ like Australians and give the same protections for all users irrespective of citizenship.

Can we get the benefits of social login and have citizen privacy as well?

With careful design it seems possible that social login could enhance privacy for users at the same time as providing benefits to government agencies. Considering the social login as an adjunct to agency authentication rather than the whole process could be an answer. If customers nominate their social login at the same time as they were enrolled into a government service, they could later use their social login as the first stage of an authentication process. This would provide an outer layer of defence against hacking. The user could then login to the agency itself using a separate authentication process.

The advantages of this model, beyond defence in depth, are that the user logs into the agency with their authenticated social login username, but does not gain access to sensitive information without providing an agency specific authentication. The social network also does not receive any sensitive information beyond the fact that a user logged in at a website. The use of government portals can be used to obfuscate which agency a user is accessing. At the same time, with consent, contact information from the social login site could be compared with that held by the agency and presented to users so that they can choose to update the information held on them by the agency.

At both the state and federal level, government agencies are starting to actively consider social login. Provided that governments are also prepared to carefully design the user interaction so that the social networks don’t get any more personal information than the user/citizen is prepared to share – by turning off analytics and sharing social network authentication gateways across groups of government agencies, it can provide benefit to users and government alike.

In the longer term, government will be able to verify citizens online when they wish to enrol themselves for services. The possibility arises to use the Document Verification Service (DVS) combined with social history to connect an entity to an identity, but that may be a discussion for another time.

I’d love to hear what you think.

Alex

This article originally appeared under the title “Can social login be privacy enhancing” in the May 2014 edition of Privacy Unbound, the journal of the International association of privacy professionals (IAPP) Australia New Zealand chapter and can be found here at this link iappANZ_MayJournal

Direct link to the IAPP:  https://www.privacyassociation.org/

IAPP ANZ http://www.iappanz.org/

 

Privacy changes in Australia

Privacy strengthened in Australia

The Australian Privacy Principles come into force on 12 March. The APPs extend coverage of privacy laws to most business with turnover of $3 million or more.

Fines of $1.7 million are possible for breaches.

Privacy - Sony executives bow in apology post Playstation breach in 2011
Execs bow post Playstation breach in 2011

Australian Privacy Principles

The Privacy Act now includes a set of 13 new harmonised privacy principles. The APPs regulate personal information handling by the federal government. In addition, the law significantly expands the number of private sector organisations covered.

The new Australian Privacy Principles (APPs) replace both the Information Privacy Principles (IPPs) that applied to Australian Government agencies and the National Privacy Principles (NPPs) that applied to some private sector organisations. The changes do not generally replace existing state of territory privacy legislation (eg Victoria & ACT) which will probably cause some confusion at the edges

A number of the APPs are quite different from the existing principles, including

  • APP 7  -on the use and disclosure of personal information for the purpose of direct marketing, and
  • APP 8 – on cross-border disclosure of personal information.

The OAIC gets teeth

The Privacy Act now includes greater powers for the OAIC which include:

  • conducting assessments of privacy compliance for both Australian Government agencies and some private sector organisations.
  • accepting enforceable undertakings
  • seeking civil penalties in the case of serious or repeated breaches of privacy

In some ways Australia is just catching up with Europe, Canada and USA, but its worth noting that breaches can mean organisations get fines of up to $1.7 million. It is probably an understatement to say that this could  have a serious impact on company finances as well as reputations.

One thing that is very good about these changes is that there is better alignment with good information security practice. We hope that these changes may help some organisations improve the state of their information security as they become privacy compliant.

For more information on the APPs and the OAIC’s APP guidelines, visit this link –  Australian Privacy Principles.

Credit Reporting is changing too

The Privacy Act now includes new credit reporting provisions including:

  • introduction of more comprehensive credit reporting, a simplified and enhanced correction and complaints process
  • introduction of civil penalties for breaches of certain credit reporting provisions
  • requiring credit providers to have an external dispute resolution scheme if they want to participate in the credit reporting scheme. The scheme must be recognised under the Privacy Act.

For a more detailed explanation of the credit changes see: Privacy business resource 3: Credit reporting — what has changed

A new mandatory credit reporting privacy code (CR code), created by the Australian Retail Credit Association ( OAIC’s Codes Register ) also starts on 12 March 2014.

We can help

We are helping government agencies and businesses assess the privacy impact of their activities in light of these legal changes. In particular, we have recently worked with the health and finance sectors in Queensland, the ACT and Victoria.
Please  contact us at Resilience Outcomes for assistance.

cyber identity security

Cyber Identity theft service sold personal information on US citizens by compromising multinational consumer and business data aggregators

An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of US residents has allegedly infiltrated computers at some of America’s largest consumer and business data aggregators, including Dun & Bradstreet according to Krebs on Security. 

If you’re Australian or a resident of other countries where these guys operate, you had better hope that these companies didn’t leak information between their subsidiaries and the main office – because you know that would never ever (cross fingers) happen !!

This looks like a solid investigation by the guys/gals at Krebs. The hackers at the back of this identity theft service didn’t exfiltrate data from their targets wholesale, they just compromised the targets and allowed their customers to directly query information and charged them between 50c and $2.50 US for personal records and up to $15 for credit checks – via Bitcoin or Webmoney of course!

Compromised systems accessed through the criminal service seem to include

Importantly, the compromise was probably targeted as much on gaining information about companies to take out fraudulent loans  on them according to a Gartner analyst. If a criminal can masquerade as a large company, they can take out a much larger loan on their behalf than they could on all but the richest people.

This may take a little while to play out, but it is likely to have an impact on legislative requirements for information security by data aggregator firms. By their very nature, they hold aggregated data from millions of customers. Each piece of data requires protections, together the data becomes far more valuable and therefore a greater target for cyber criminals and foreign espionage. How we deal with aggregation remains one of the keys to the risk based handling of big data.

Information Security for health practitioners

Is it possible for health practitioners to  achieve information security?  Maybe a better question is  “How can health professionals balance privacy, information security and accessibility in an online world?” Or even, should the medical profession be bothered with keeping private and sensitive information secure?

Over the last few months, I’ve been working with a number of health practitioners to help them improve their information security. Much of this has been done with a view to the introduction of electronic health records.

I sympathise with hospital administrators, doctors and nurses. They don’t have a lot of time to think about security and privacy. However, the fact is that they have to do better.

monash university - surgery clinic 2012

Criminals follow the money

According to the Australian Institute of Health and Welfare, the health system costs just under 10% of Australia’s GDP (AUD121.4 billion in 2009/10 according to the AIHW) . In the US, it is around 18% (USD2.6 trillion in 2010 according to the CDC).  With this much money involved in the health system, it is a fat series of targets for cyber attack and fraud.

Terrorist vector? Probably not.

The Department of Homeland Security has even gone so far as to suggest that the health system could be targeted by terrorists and activists in the USA. I am not convinced by this or similar suggestions as the no1 aim of terrorists remains to create terror. Terrorists understand this and seek targets and methods along those lines. It matters less how few people a terrorist kills. It is more important for the terrorists that they have an audience that can clearly see a hard link between cause (terrorist attack) and effect (death, destruction etc). The  murder of a single UK soldier in May 2013 by allegedly Al-Qaeda inspired terrorists with machetes has created significant community angst, not only in the UK where it occurred  but in Australia, Canada and the USA. Yet, it is likely that more people died on that same day on the roads in London. My point is this, that if terrorists discovered some way of causing significant death or maiming from medical equipment, I do not doubt that they would use it. However, it is likely that the effect on the collective public consciousness would not be as great as the machete attack mentioned above.

However, we must accept that it is possible, if not altogether probable. One identified flaw is the chronic inability of many health systems to patch their software and applications.

One high consequence scenario involves hackers attacking defibrillators and insulin delivery systems remotely. I think this comes into the unlikely but possible category. Shodan, was used by a hacker to access the controls of a blood glucose monitor connected to the Internet by WiFi.

Whilst we can probably discount to some extent the terrorist threat, I can imagine the attraction of such attacks as assassination vectors or for the installation of ‘ransomware‘. Thus the high consequence threat from foreign governments and organised crime can’t be as easily discounted.

Beyond the extreme, privacy compromise and fraud

Beyond these extreme events, there is the possibility that patient or staff privacy can be compromised by weak information security. Dr Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University, talking about the US health system has been quoted . “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”…. Unfortunately, it is not possible to hide one’s health under the mattress!

I experienced this personally about a week ago when my daughter’s optometrist sent through the results of her recent eye test, only it wasn’t. The attachment data was for somebody I had never met.

We have a tendency to compare the worst case scenario of e-health privacy with the best case scenario of the current system. We all know that it isn’t the case as my example above shows.

Good information security will also help protect healthcare organisations from fraud. Fraud is estimated to be a USD60 Billion impost on US hospitals. Methods that are being used by fraudsters include

  • Diversion of fee revenue
  • Diversion of controlled items (eg drugs)
  • Collusion with suppliers; and
  • Diversion of accounts receivable.

The same methods are being used in medical practices, albeit on a smaller scale.

What to do

A holistic approach is needed. We have worked with a number of medical practices to implement the key elements of the information security standard ISO 27000. This ensures that the practice has a risk based approach which mitigates threats based on real world experience of consequence and likelihood. Working with practice owners and stakeholders, we determine tolerance to information risk and work with them to implement controls which make sense and meet any regulatory requirements.

If you think this is something your organisation needs, please contact us at [email protected]