It’s not just spies who want your data
23 Nov 2020

Australia’s domestic intelligence agency, the Australian Security Intelligence Organisation, released a rare public statement last week aimed at raising awareness about the use of social media and professional networking services for espionage purposes. ‘Think before you link’ focuses on foreign intelligence threats and rightly cautions Australians to be careful about revealing personal information on networking services. It is ASIO’s first public awareness campaign and marks a significant step in the right direction for Australian intelligence agencies as they seek to engage in more regular dialogue with the public, something they have long struggled to do.

But beyond foreign intelligence threats, there’s a broader issue that also deserves our attention. The problem is data—or, more specifically, the accumulation of stolen, scraped or traded personal information that affects everyone, not just government and defence employees. While it may not involve state secrets, personal data is a form of sensitive information and it needs to be protected.

In fact, many different groups—ranging from cyber criminals and marketers to banks and law enforcement agencies—derive value from personal information. So, even though ASIO’s warning focuses on Australians being recruited or duped by professional spies, online targeting and the creation of fake profiles and inauthentic networks are not just the realm of highly resourced state-sponsored cyber operatives. The tools and techniques used are cheap, simple and widely accessible. It’s not difficult, or expensive, to create an online presence with a unique artificial intelligence-generated profile picture. And it’s not just intelligence agencies manufacturing online personas.

Nor does engagement with these fake online personas always involve inducements such as generous gifts and trips overseas, particularly during a pandemic. It may not even be obvious to the victim that they are giving information away. In 2016, suspected Iranian threat actors stole data directly from their victims through a keylogger they hid in a CV-creation application that they required their victims to use as part of the job application process.

While people can limit their public disclosure of personal information on networking sites, they often still need to share personal data with online companies to accomplish common tasks like renting property and looking for a job. These companies should have robust privacy policies that state what information they collect, why they collect it and how they share, use and store it, but such policies are often ambiguous and written in legalese. Privacy policies are also often written to protect the company (the data taker) rather than the consumer (the source of the data).

More worryingly, it’s not always clear that these companies are capable of keeping people’s personal information secure. A significant number of unsecured databases are left open and accessible to the public, and organisations regularly suffer data breaches. The Office of the Australian Information Commissioner’s notifiable data breach report for the first half of 2020 shows that malicious or criminal attacks remain the leading cause of data breaches. Once a data breach occurs, control of the data is lost. If it’s biometric data, like face, fingerprint or iris geometry, the consequences are even more serious. Compared with a password, your biometric data is a lot harder to change.

Data itself can be difficult to monetise, but deep insights into individuals derived from data are highly valuable. Data broking is believed to be a US$200 billion industry. The industry has developed a business model that revolves around aggregating datasets (online and/or offline data, such as loyalty card shopping data) that have been bought or publicly scraped, analysed and then sold to buyers for different uses. In the US, there are examples of police purchasing hacked data and immigration authorities and the US military buying location data, and even Facebook is alleged to have bought back data.

In Australia, data brokers operate in the shadows. As users and consumers, we have no way of knowing exactly what happens to our data, which makes it difficult to truly protect our privacy or to provide informed consent as to how our data is used. To bring the industry out of the dark, the government should consider introducing a national registry of data brokers and implementing federal laws similar to those in California, which require data brokers to register with the state attorney-general.

Changes could also be made to the OAIC’s notifiable data breach scheme to better protect the privacy of personal data. Currently, the scheme requires regulated entities to report a data breach only if it is ‘likely to result in serious harm to any of the individuals to whom the information relates’. What constitutes ‘serious harm’ is ambiguous and this reporting requirement applies only to regulated entities, not all entities that could hold troves of personal data. And it is left to the entity that lost control of the data to decide what is considered ‘serious harm’.

The European Union’s General Data Protection Regulation better implements this protection by obligating all companies that are responsible for data to report a data breach to the supervisory authority within 72 hours after an assessment of risk to the data subjects’ rights and freedoms. The Australian scheme should be similarly broadened to better capture data breaches and clarify reporting requirements. Canada is proposing a Digital Charter Implementation Act that would impose fines on companies that breach the privacy of Canadians. Australia should explore the implementation of similar fines to encourage data holders to better secure people’s personal data and deter businesses from holding data they don’t need.

To lay the groundwork for a prosperous, data-driven economy that values privacy, more robust data protections and regulations should be implemented that give data subjects more control over their information.