Showing posts with label privacy. Show all posts

Wednesday, March 12, 2014

Australia's new Privacy Principles - things to consider

Effective today (12th March 2014), Australia's Information Privacy Principles and National Privacy Principles will be replaced by 13 Australian Privacy Principles (APPs). Here are the important points to note:

  • Applies to all organisations that turn over more than $3 million per year and collect personal data.
  • Fines up to $1.7 million for breaches.
  • Organisations must be transparent about how they collect, use and store personal data.
  • Organisations cannot collect data “just in case they need it”.
  • If personal data is disclosed to a 3rd party, the organisation disclosing the data is responsible for ensuring the 3rd party understands their obligation and that the consumer knows about the disclosure.
This effectively gives the Office of the Australian Information Commissioner (OAIC) teeth as the fines are now significant when compared to previous legislation. For example, Australian Telecommunications giant Telstra has only been fined a measly $10,200 AUD for their recent violation.

Mindful collection and sharing

The days of "we'll ask for the information in case we need it" are gone. Organisations need to think about what they really need to achieve the task at hand and collect only what they need. As consumers, we should be able to sign up for online services in a shorter amount of time instead of frustratingly getting stuck on a submission form which constantly complains we haven't filled in certain fields.

Marketing programs and processes need to be reviewed to ensure personal data is not being inappropriately shared with 3rd parties. Many companies have little visibility into, or understanding of, how personal information flows out of their systems, sometimes through no fault of their own. The number of technology integration points involved makes this challenging, but as privacy is now tied to financial penalties, this is a huge risk to businesses and should be addressed urgently through the involvement of IT departments and potentially external assistance.

If information is justifiably shared outside of the organisation, the organisation will need the ability to determine whether an overseas 3rd party it is disclosing personal information to also complies with the privacy act. This is a function many organisations do not have today and it will need to be included as part of their risk management program.

Personal information

In all things privacy-related, things tend to be up for debate, none more so than the term "personal information". The safest way for organisations to tackle this ambiguity is to assume data can be tied together from various sources, even when not immediately obvious as to how, to form context that can be tied to an individual. For example, an IP address is a potential identifier of an individual when combined with information from the relevant Internet service provider.

Personal data can also be stored in unexpected locations that organisations may be unaware of, the most obvious being application logs. IT departments need to perform an internal audit of the information applications use and ensure they are not subject to inadvertent personal data leakage through logs as a result of log file settings.
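One way to run the log audit described above, as an added illustration that is not part of the original post: scan log lines for the kinds of personal data that commonly leak (email addresses, client IP addresses, mobile numbers), count the findings, and redact matches with a category tag so the line stays useful for debugging. The patterns and the sample log lines are constructed for this example and should be tuned to your own data.

```python
import re
from typing import Dict, List

# Patterns for personal data that commonly ends up in application logs.
# Deliberately conservative and illustrative; extend for your own data types.
PII_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Australian-style mobile numbers: 04xx xxx xxx or +614xx xxx xxx
    "phone": re.compile(r"\b(?:\+61|0)4\d{2}[ -]?\d{3}[ -]?\d{3}\b"),
}


def audit_line(line: str) -> List[str]:
    """Return the PII categories found in a single log line."""
    return [name for name, pat in PII_PATTERNS.items() if pat.search(line)]


def audit_log(lines) -> Dict[str, int]:
    """Count lines containing each PII category; any non-zero count is a finding."""
    counts = {name: 0 for name in PII_PATTERNS}
    for line in lines:
        for name in audit_line(line):
            counts[name] += 1
    return counts


def redact_line(line: str) -> str:
    """Replace each match with a category tag so the line remains useful for debugging."""
    for name, pat in PII_PATTERNS.items():
        line = pat.sub(f"<{name}-redacted>", line)
    return line


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "2014-03-12 09:14:02 INFO  login ok user=jane.citizen@example.com from=203.0.113.45",
    "2014-03-12 09:14:05 DEBUG profile payload: {'name': 'Jane Citizen', 'mobile': '0412 345 678'}",
    "2014-03-12 09:15:10 WARN  cache miss for key=product:8831",
]

if __name__ == "__main__":
    print(audit_log(SAMPLE_LOG))
    for entry in SAMPLE_LOG:
        print(redact_line(entry))
```

In practice the redaction belongs in the logging pipeline (a formatter or filter) rather than in a post-hoc scrub, and the audit counts are the evidence you hand to the people who own the log file settings.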

There is also additional administrative overhead in dealing with personal information and its access. The right technologies and a properly implemented reliance on external information providers can help. For example, power can be given to individuals to have complete control over the information stored about them through self-service portals. In addition, there may not be a need to store certain pieces of information. Standards exist (e.g. pick your favourite federated identity standard) that allow a relying party requiring information about an individual to ask for it from an identity (or attribute) provider and use it in flight without having to store the information on disk.

Beyond the more mature federated identity standards, there are emerging ones such as User Managed Access (UMA) that place more power in the hands of consumers (i.e. the rightful owners of the data). While not yet supported in many technology stacks, the concepts are sound and organisations would do well to adopt the thinking behind what UMA is attempting to achieve in the longer run.

Summary

Australian organisations need to treat personal data like they would financial information. For example, there is a raft of measures dictated by the PCI-DSS standard regarding the storage and usage of credit card numbers. While the number of credit card data breaches has proven PCI-DSS alone does not prevent breaches, existing data protection standards are a good start for organisations struggling to deal with the implications of the new privacy principles. Organisations would do well to adopt many of the same measures dictated by security standards in protecting personal data as a start. As they understand the requirements and data flows over time, more sophisticated security and access management measures can be implemented to round out an evolving security program.

Monday, November 18, 2013

Social identities are becoming our online driver’s licence

Note: This is a companion blog post to an article I wrote earlier this year for CSO Australia. The original essay was too long for an online publication, so I split it up into 2 related, but independent pieces.

For the generation that assumes a priori that the Internet is a tangible, more-essential-than-oxygen component of the air, social networks have become the digital manifestation of their identities as people. Most use each social network for a specific purpose. For example, Facebook content is typically personal and LinkedIn content is almost always professional. Where possible, we try to confine their use within our subconscious boundaries, but they invariably bleed into each other through porous walls. Nevertheless, each is a persona; a one-dimensional representation of our real selves.

While online, many of our significant actions require some form of identification: a licence that says enough about us as unique individuals. While we don’t need a driver’s licence to walk along a road, we do need one to drive along it. Similarly, to do anything of significance online, we need to prove who we are to varying degrees; we need a licence that says enough about ourselves to be allowed to perform certain activities.

A majority of our individual activities both online and off can be divided into two categories: transactions and interactions. We transact with retailers, financial institutions and governments. We interact with friends, family, colleagues, employers and government institutions. There are exceptions to these, but a majority of what we do conforms to this model.

The word “transact” in this sense is not always tied to financial activities. Anything that has a negative real-life impact when fraud is committed can be deemed transactional. In life, our identity matters when we transact and interact with retailers, financial institutions, governments and other people. There is, however, a distinct difference in the acceptable forms of identity when comparing transactional activities and interactions, and that difference is tied to risk. It is why certain organisations will accept your Facebook account as proof of identity, but others will not.

Appropriate use of social identities

The key to understanding appropriate use for social identities is context. In real life, activities that require proper identification such as a passport or driver’s licence are transactional.

If you analyse the scenarios you are familiar with in dealing with retailers, financial institutions and governments, you will quickly realise that for anything we classify as an interaction, using social identifiers for access is sufficient. For transactions, they are not.

In the Information Security world, this is known as using the appropriate Level of Assurance (LOA) for the appropriate context. A higher LOA is required for transactions than for interactions. The progression to a higher LOA is typically achieved using multi-factor authentication. If you’ve ever received a code on your mobile phone immediately after your username and password have been accepted, and been asked to enter it into a site before it allows you access, you have used multi-factor authentication. The SMS code sent to your mobile phone increases your LOA.

In situations where social identities play a part in the authentication process, they are best used as the first level of authentication. As a “lightweight” identity, this provides the personalisation we psychologically crave and the added usability organisations would like to provide. The fact that personalisation provides additional insight to organisations is a bonus for them. When the interactions verge on being transactional, the LOA needs to be raised using either a second factor or a stronger form of identification. In real life, this is best demonstrated by the fact that a driver’s licence is sufficient for entry to a bar but a passport is required to cross international borders.
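The step-up pattern described in this section, written out as an added example (not code from the original post or from any particular identity product): a social login creates a session at the lowest LOA and keeps only the attributes the site actually needs; interactions are allowed at that level, transactions require the LOA to be raised by verifying a one-time code delivered out of band. The LOA numbers, operation names and attribute list are illustrative assumptions; the SMS delivery itself is outside the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Illustrative assurance levels for this example (not a standard's numbering).
LOA_SOCIAL = 1          # identity asserted only by a social network login
LOA_SECOND_FACTOR = 2   # social login plus a verified one-time code

# Policy: interactions are fine at LOA 1, transactions need LOA 2.
REQUIRED_LOA: Dict[str, int] = {
    "view_feed": LOA_SOCIAL,
    "post_comment": LOA_SOCIAL,
    "change_address": LOA_SECOND_FACTOR,
    "make_payment": LOA_SECOND_FACTOR,
}

# Data minimisation: the only attributes this site retains from the provider.
RETAINED_ATTRIBUTES: Set[str] = {"email", "name"}


@dataclass
class Session:
    user_id: str
    profile: Dict[str, str]
    loa: int = LOA_SOCIAL
    pending_code_hash: Optional[str] = None
    pending_expiry: float = 0.0


def login_with_social_identity(subject: str, idp_profile: Dict[str, str]) -> Session:
    """Create an LOA-1 session, discarding every attribute the site does not need."""
    minimal = {k: v for k, v in idp_profile.items() if k in RETAINED_ATTRIBUTES}
    return Session(user_id=subject, profile=minimal)


def is_permitted(session: Session, operation: str) -> bool:
    """Allow the operation only if the session's LOA meets the policy for it."""
    return session.loa >= REQUIRED_LOA[operation]


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def issue_one_time_code(session: Session, ttl_seconds: int = 300,
                        rng: Callable[[int], int] = secrets.randbelow,
                        now: Callable[[], float] = time.time) -> str:
    """Generate a 6-digit code to send out of band; the session keeps only its hash and expiry."""
    code = f"{rng(10 ** 6):06d}"
    session.pending_code_hash = _digest(code)
    session.pending_expiry = now() + ttl_seconds
    return code


def verify_one_time_code(session: Session, submitted: str,
                         now: Callable[[], float] = time.time) -> bool:
    """Single-use, time-limited, constant-time check; success raises the session's LOA."""
    if session.pending_code_hash is None:
        return False
    expected = session.pending_code_hash
    session.pending_code_hash = None  # consumed on every attempt, right or wrong
    if now() > session.pending_expiry:
        return False
    ok = hmac.compare_digest(expected, _digest(submitted))
    if ok:
        session.loa = LOA_SECOND_FACTOR
    return ok


if __name__ == "__main__":
    # Constructed provider response containing more than the site needs.
    s = login_with_social_identity("social:12345", {
        "email": "jane@example.com", "name": "Jane", "birthday": "1990-01-01"})
    print(s.profile, is_permitted(s, "view_feed"), is_permitted(s, "make_payment"))
    code = issue_one_time_code(s)          # would be sent by SMS in a real deployment
    print(verify_one_time_code(s, code), is_permitted(s, "make_payment"))
```

A short numeric code is only safe because it is single use and short-lived; attempt limiting per session belongs in the surrounding application, and the code itself must never be written to a log (see the log audit point in the first post on this page).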

Excessive collection of personal information

A major concern regarding the use of social identities as a login mechanism relates to the amount of sensitive personal information stored within social networks. Using your Facebook account to log in to another site does not necessarily give it access to your Facebook account (e.g. to make updates). More commonly, the login process involves sharing an amount of information about yourself that the site requires.

The word “requires” is used loosely here. Far too often sites ask for more information than they actually need because they can. We have become so accustomed that we accept it as the norm. Bad data collection practices have trained us into accepting additional risk as a condition for using the Internet. In reality, most sites really only need a way to contact you (e.g. email) and perhaps your name. Put simply, a site should only ask for the information it needs for you to complete your tasks.

The breach the Australian Broadcasting Corporation’s website suffered earlier this year is a perfect recent example of data collection misuse. The information stolen included easily cracked hashed passwords and personal details about each person that the website did not need. When we give up our information to an organisation, we almost never have control over anything that happens to it after the fact.

This is something that the Kantara Initiative is attempting to address through its User Managed Access (UMA) work group and the associated UMA protocol. But until this or something like it is mandated across sites that store information about individuals, it is extremely difficult to address the lack of control we have over our personal details and their proliferation.

Note (not part of original blog post): I strongly suggest checking out Ian Glazer's "Big P Privacy in the Era of Small Things" video if you are interested in exploring and understanding this topic in more depth.

Potential benefit of social identities

Social networks have the potential to reduce the number of places that our information is stored. In addition, they can potentially become the gatekeepers to our information. Imagine if the interaction between a social network and another site included the obligation to delete our information upon request by the social network using a protocol like UMA? Better still, what if it required that the information used be transient and disappears when our session with the site in question ends? Nothing actually gets stored.

In fact, some social networks enforce this today, although this is used more as a defensive tactic to reduce the likelihood that a partner site becomes a competitor by replicating all their user data than a way to protect the information for the benefit of users. Sites that do not conform to the policy are unceremoniously prevented from being able to interact with the social network in any way.

There are benefits to be had for the sites accepting social identities as logins too. Studies have shown that user drop-off rates decrease because users no longer have to fill in forms to access the site. Data storage costs drop as a result and for organisations that do not want to be front page news for losing user data, this risk is no longer present.

A driver’s licence is not a passport

We began by referencing the generation of digital natives driving the assimilation of our digital and physical lives. They influence online innovation today through their demands and expectations. They are the demographic many businesses target. As a result, their behaviour shapes the evolution of the online world and by extension, the real world.

The rest of us have to begrudgingly adapt to a reality being built for them. Like it or not, social identities are becoming the Internet’s driver’s licence of choice. However, social identities are not our online passports. The world is not ready for that reality. And unless social networks start vetting people like banks do, that reality is unlikely to ever be achieved.

Tuesday, March 15, 2011

Does the average person care about personas?

Earlier this week, ReadWriteWeb wrote about Google's plans to launch a new service called Circles. They didn't quite get the launch date right, but it looks like it's a real product that Google will release pretty soon.

The article embeds a great presentation by ex-Googler, Paul Adams who now works for Facebook. I completely skimmed over the presentation (i.e. didn't even know it was there) while reading the original article, but came across it again thanks to Jonathan Sander's tweet.

It's quite a lengthy presentation but well worth the read. Essentially, it talks about how current social networking services (like Facebook) don't really reflect how we behave in real life where we have various personas (e.g. one for family, another for friends and yet another for colleagues) which we present based on the context of the interaction we're having.

This is not the case in most online interactions. On Facebook for example, everyone is a "friend". It's rather difficult to share things with subgroups. It's not impossible, but it's very fiddly and time-consuming. That said, there are things we simply cannot share ONLY with a subset of our connections. For example, I can be quite picky with who sees my photos but my status updates go out to all my "friends". Side note: I underlined the word "sees" in that last sentence because your photos on Facebook aren't actually private. They control visibility on your photos using a "security by obscurity" mechanism. For example, here is a photo of mine (Heston Blumenthal's famous Bacon and Eggs Ice Cream for those playing along) which is supposedly only viewable by my friends. But because I managed to figure out the actual link to the photo (it's not very difficult for the average web user), I can now link to it for the whole world to see.


But who actually cares? In reality, everyone cares...as long as we're talking about things that happen in our "real lives". The most common example is that most of us like to keep our work and personal lives separate. We don't mix the two if we can help it. I have a few friends who actually sound completely different when I call them while they are at work. They sound "more professional" when they are working. And when they aren't, they revert back to the drunk fool I know from real life :-)


When it comes to the online world however, this changes somewhat. People seem to care less about separating their personas. It's partly a generational thing: I find people over a certain age (I purposely left the exact number out because this will be different depending on your perspective on things) who are fairly web-savvy try to keep things separate as best they can.

Of course, a quick search on Facebook will probably bring up your "private persona" but if you bothered to hide all the private info and your public profile picture isn't too incriminating, this doesn't matter. However, if I ask to be your friend, you may feel obliged to accept which then gives me full access to all your updates and the photos you forgot to protect with privacy settings. This scenario demonstrates how the current social networking model is broken because even if you want to present a different persona of yourself to me within Facebook, it's extremely difficult (impossible in some cases).


But when it comes to the younger crowd, very few care about splitting their online personas (even though they still bother with the mental separation of personal vs. work in real life). They'll accept Facebook friend requests from anyone they've ever met which more or less gives everyone they've ever met full access to their unfiltered ramblings and photos of them passed out on a friend's carpet while drunk.


The presentation struck a chord with me because the essence (at least from an identity standpoint) behind what we're trying to do with ProfileStamp is to be able to present a persona of yourself based on the viewer. If you've got an account and played around with the settings, you'll notice that you can be very fine-grained about the information shown when someone visits your profile. In fact, beyond simply hiding information when someone isn't allowed to see something, you can have a different version of the information shown. So, instead of having a simple yes/no decision to make, we actually cycle through the various versions of an attribute and show the relevant one based on the viewer. Of course, if there is no suitable version to show, they see nothing.
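The viewer-dependent attribute resolution described above, as an added illustration written for this page (it is not ProfileStamp's code and makes no claim about its implementation): each profile attribute holds an ordered list of versions, each tagged with the viewer groups allowed to see it; rendering a profile for a viewer walks the versions in order and shows the first one whose audience includes the viewer, or nothing if no version fits. The group names, attribute names and sample profile are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class AttributeVersion:
    audiences: Set[str]   # viewer groups that may see this version
    value: str


@dataclass
class Profile:
    owner: str
    groups: Dict[str, Set[str]]                      # group name -> member viewer ids
    attributes: Dict[str, List[AttributeVersion]]    # most specific version listed first


def groups_for_viewer(profile: Profile, viewer: str) -> Set[str]:
    """All groups the viewer belongs to; everyone is 'public', the owner is also 'self'."""
    member = {name for name, ids in profile.groups.items() if viewer in ids}
    member.add("public")
    if viewer == profile.owner:
        member.add("self")
    return member


def resolve_attribute(profile: Profile, name: str, viewer: str) -> Optional[str]:
    """Cycle through the versions in order and return the first the viewer may see."""
    viewer_groups = groups_for_viewer(profile, viewer)
    for version in profile.attributes.get(name, []):
        if version.audiences & viewer_groups:
            return version.value
    return None   # no suitable version: the attribute is simply absent for this viewer


def render_profile(profile: Profile, viewer: str) -> Dict[str, str]:
    """Build the persona shown to this viewer, omitting attributes with no visible version."""
    persona = {}
    for name in profile.attributes:
        value = resolve_attribute(profile, name, viewer)
        if value is not None:
            persona[name] = value
    return persona


# Constructed sample profile: 'alice' shows a different version of each
# attribute to family, to colleagues, and to the public.
ALICE = Profile(
    owner="alice",
    groups={"family": {"bob"}, "colleagues": {"carol"}},
    attributes={
        "email": [
            AttributeVersion({"self", "family"}, "alice.home@example.com"),
            AttributeVersion({"colleagues"}, "a.smith@corp.example"),
            # no public version: strangers see no email at all
        ],
        "location": [
            AttributeVersion({"self", "family"}, "12 Example St, Sydney"),
            AttributeVersion({"colleagues"}, "Sydney office"),
            AttributeVersion({"public"}, "Australia"),
        ],
    },
)

if __name__ == "__main__":
    for viewer in ("alice", "bob", "carol", "dave"):
        print(viewer, render_profile(ALICE, viewer))
```

Version order is the policy: because the family version is listed before the colleagues version, a viewer who is both family and colleague sees the more personal one. Putting the least specific version last and leaving it out entirely for sensitive attributes is what gives the "nothing suitable, show nothing" behaviour.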

The mechanisms controlling the things you share about yourself online (data, photos, status updates etc.) need to move beyond the simple on/off switch model in place today. It looks like Google Circles plans to address this. I would assume Facebook is also looking at this given they have people like Paul Adams working for them.


The toughest challenge here is not the technology. It's not even usability (although this is more important than technology). It's actually user apathy. The average person (whether they are younger or older) doesn't understand privacy or access, let alone the controls one needs to work with to specify what other people can see. Most want the controls to be in place (or think they do), but they don't want to have to do any work to make it happen. That's something we've found with our set of private beta users. Most either leave the settings alone (which means their profiles don't present any information about them) or they ask for "a button that makes all my information public".

A secondary challenge is the lack of education about the damage that can be caused (to one's finances, credit rating, personal brand and so on) should the wrong things be made public. Our team had to actually advise a few of our users to restrict pieces of information to more select groups when they made them public. But until people start to realise this, they will remain apathetic and careless. Therein lies the challenge.

Thursday, February 01, 2007

What am I getting myself into?

The UK and London in particular is becoming a surveillance society according to various observers (here, here, here and here). I already knew this before I decided to move there so I'm not really surprised...at least not until today when I read this.

Essentially it talks about a proposal to install "body scanners" around the city to X-Ray people walking by to catch anyone with a weapon...or at least what looks like a weapon. I don't think I need to say very much for anyone to realise there are many many many things wrong with this proposal. First of all, I don't particularly want to potentially be subjected to X-Rays everywhere I go! Obvious health risks aside, what about our privacy rights? X-Rays are yet another form of an identifier. One could argue it's a rather high tech expensive way of presenting one's "credential". Given that fact, I sure as hell don't want it stored on some giant database somewhere for someone to look at later without my knowledge or my approval! I even have issues giving out my email address. Did you think I wouldn't have a problem with the British Government having my frigging X-Ray photos? Hell yeah!

There's already closed circuit TV around the streets of London so they can pretty much track where I'm going if they want. I was watching the news on TV the other night and it showed how they managed to track a terrorist who tried to detonate another bomb on the tube, but it didn't quite go off like he planned. They showed him exiting the train, leaving the station, walking through some train tracks, climbing a fence and through someone's house and then getting on a bus! Hey, it worked because they caught the guy this way...but that also means they could go figure out EXACTLY what everyone else is doing too!

Look, I can probably accept that they have cameras around London for "public safety", but X-Rays?! Talk about a blatant invasion of privacy! They take our pictures now. They're looking into facial recognition technology (UK police for identifying suspects and also as part of the ID card program). Now they want to take our X-Rays too? What's next? Urine and stool samples so they can see how healthy we are and what we've been eating? What about hair samples? Do they want that so they can do DNA screening to figure out who's going to be bleeding the public health system dry with health problems later in life and ship them off to another country before it's too late?

Perhaps the British Government have been spending too much time reading George Orwell's 1984 or the V for Vendetta comics.

Update: Apparently they can also track your car via number plate recognition and, likewise, monitor people's telephones and email.