Privacy Advocates Oppose Aussie Data Breach Laws

schliz writes "This week, Australia's Attorney-General released a discussion paper about introducing laws that would force companies to notify members of the public any time personal information about that customer falls into the wrong hands. California introduced similar mandatory data breach notification laws in 2003, but Australian privacy advocates are now opposing the move, saying it's a decade too late."

Too late?

[gmanterry]

It doesn't make the data more secure but perhaps the exposure will shame companies into better security.

Re:Too late?

[rtb61]

That exposure should also extend to law enforcement. Whilst it could be argued that to allow investigation to proceed that invasions of privacy by police and other agencies, there should be a time limit on it. Eventually the police and other investigatory agencies should be held accountable for all their invasions of privacy.

Where any invasion of privacy did not lead to a conviction or even a charge being made against the person whose privacy they invaded, the police and other investigatory agencies should be held accountable for the now obviously false grounds for that invasion of privacy. People have a right to know when their privacy has been invaded, when they are being treated as a criminal behind their back and, when they are being accused without their knowledge.

Citizens deserve the right to know, within a reasonable time period, say within 1 year of the invasion of privacy, that the breach of their rights has occurred, why it occurred, the basis of any accusations against and what corrective measures are being taken when the reason for the investigation proved false.

The idea that investigatory agencies have carte blanche to accuse people and invade their privacy without review by those people whom they have accused is appalling and those people have a right to challenge what has occurred and to seek correction of records and apologise for those false accusations.

wait, what? They should make up their minds...

[Tastecicles]

...data security is such an issue (or at least it should be) that breaches should be notified, not least to incentivise companies to make sure that data is secure. This is me, a privacy advocate saying; this is better late than never. Yes, they should have done it a decade ago, but this game of one-upmanship the so-called privacy advocates at large are playing saying "Fuck you, we're not listening to you any more because you should have done this long ago!" only serves to damage the campaign.

Privacy != Security

Since when has security and privacy even been the same things. The companies now, jizz data to anyone who'll pay for it. Even banks sell financial data these days, telecoms is a data selling field day. None of these things would be 'notified' as a data breach, since they're normal data selling business.

So not only is it a deflection, a way of heading off a decent privacy law, it would give people a false sense of privacy. They hadn't been notified their data had been lost because it hadn't been lost, it had been sold. It had been stripped of the name and sold in aggregate, it had been handed over to any random man in uniform on a random claim.

They've had a massive expansion of data requests, none of those would be notified, the only people who find out about those are if there is a trial and that data is used as evidence. Every bogus request is done in secret. What kind of notification law is that?

Re:Privacy != Security

[sumdumass]

Generally, in theory at least, authorized data transfers wouldn't be using it to commit identity theft or fraud or other damaging acts. However, notifying customers of a data breach by unauthorized entities, could allow those customers to take steps to monitor their credit and or make the company liable if something damaging happens from it.

Re:Privacy != Security

Yeah, imagine, getting a text "Your personal data, including SSN, address, phone number, and other collected data from your browser was sold by company X to company Y and Z". A few minutes later, you find out company Z made another deal with A through H and so on. And at the end of the day, you'd think, OMG these bastards made a fortune just from selling my data alone, and I still have to pay for their crappy services.

Re:Privacy != Security

[Bob9113]

authorized data transfers wouldn't be using it to commit ... other damaging acts.

That statement misses the point of the privacy advocates; that the authorized data transfers are, in fact, being used to commit other damaging acts. As both a student of economics and having spent several years doing behavioral targeted advertising, I am strongly convinced that it is damaging to our economy. It causes consumer behavior that is very different from rational self-inteterest, which is the bedrock upon which the efficiency of the free market must rest. It leads to wasted GDP, loss of consumer confidence, and ultimately reduces consumption (and hence production) in the long run.

I am guessing you know all that, at least in rough terms, but it is impotant to identify that point when commenting on things like authorized data transfers and their potential to cause harm. This is harming our society, right now, in real dollars and cents. A portion of our GDP is being turned into unearned income for amoral companies who have no other choice if they want to remain competitive with their amoral competition. I don't think we can (or even should) expect companies to be strongly moralistic at their shareholders' expense, so we need to cut off the cashflow that encourages them to do harmful things. Stopping that inefficient flow of our GDP would stimulate the economy and create jobs -- and isn't that what all our politicians claim they support?

That's not an argument

[Hentes]

I tought there are some real arguments against the law in TFA, but there's only whining how it's too late. Well it certainly won't help data exposures before the passing of the law, but I don't know of any event that made such a regulation obsolete. It is in fact still very common for corporations to lose loads of personal data because they are too lazy to protect it. A law like this may not be effective enough to change that, but definitely not because it's 'too late'. It's as actual as ever.

Re:That's not an argument

[myowntrueself]

I tought there are some real arguments against the law in TFA, but there's only whining how it's too late. Well it certainly won't help data exposures before the passing of the law, but I don't know of any event that made such a regulation obsolete. It is in fact still very common for corporations to lose loads of personal data because they are too lazy to protect it. A law like this may not be effective enough to change that, but definitely not because it's 'too late'. It's as actual as ever.

You know how children can be sometimes. They want something, mum and dad don't give it to them, they throw a temper tantrum and get all worked up. Finally mum and dad give it to them. Kids response; "don't want it now".

Re:That's not an argument

[gl4ss]

the only argument in there is that every organization is breached already.

it's just PR to bring up his name on the press really.

Re:Notification != punishment

[sumdumass]

I do not think that all or nothing is any better.

I don't really think law enforcement requests should be notified- if the investigation points to no wrong doing, the information is destroyed and not retained by law enforcement. On the other hand, cold cases can be solved because investigations have access to new technology later and notifying someone they were investigated may be enough to remove this future evidence. It's like that guy in Florida who killed people. He put a surgical tube full of someone else blood in his arm and assisted people wanting blood for DNA evidence in getting the blood out of it. He knew he was hit and took steps to get around it. But your imagination is as good as mine or anyone else in what we will be able to do forensically in the future.

For telecom data, sure. For automatic fines, maybe if there is signs of gross negligence or something, sure. There are plenty of 0 day flaws or exploits out there and we shouldn't really be neglecting due process.

All I know is doing nothing because you can't have it all is still nothing. at least if you know your personal information was disclosed by company X 2 months before your credit report shows a maxed out credit card with a 20k limit, you can go after company X for the trouble it causes.

Too little too late

[CuteSteveJobs]

Is this Attorney-General could be the most disliked Attorney-General in Australian History? Does she think throwing the public a morsel will distract them as she beats them to death with a stick? Good luck with that.

http://www.canberratimes.com.au/opinion/politics/roxons-calls-on-slippers-crudities-show-questionable-judgment-20121017-27rgz.html
http://www.crikey.com.au/2012/10/18/how-not-to-launch-a-public-debate-by-the-a-gs-department/
http://www.crikey.com.au/2011/10/20/asio-reels-in-a-g-line-on-illegal-fishing-hook-line-and-sinker/

And the reason is it's too late? No sense...

[eisonlyme]

So how late is too late?
I read the opinion piece and...well..it's stupid. He says it's a good thing, but it's too late and will take too long to implement so lets just not do it at all. Insert car analogy here is one so wants...
We should always strive to improve even if we're a bit late to do so. A better late then never approach I think is best most of the time...Yes I know, there is plenty of times too late is too late.
The mind boggles, maybe someone else here can shed light on why? Maybe there is a better alternative now?

Re:And the reason is it's too late? No sense...

[Elbereth]

The linked opinion piece seems a bit hastily and sloppily written. It spends far too much time grumbling about inconsequential crap.

I think the main point is that this: it's too little, too late, and stands in the way of truly progressive legislation. The argument is that people will became complacent and develop a false sense of security. This doesn't even attack a symptom; it's simply raises a red flag whenever the symptom flares up. In the early days, raising the alarm and educating the mainstream about privacy exploits was useful and informative, but now it's just a delaying tactic used by the powers-that-be to avoid taking any real, decisive action to attack the problem. The author is advocating serious regulation, which he feels is long overdue. He's not willing to compromise on this issue any more, though he might have done so ten years ago, when there seemed to be a fair chance that the regulation he was seeking would be in place by now.

Some people favor slow, incremental changes that are studied in-depth for years before they're implemented. Some people prefer sweeping changes to be implemented NOW. This guy is tired of in-depth studies, delays, and bureaucracy. He wants change to happen NOW, and he's getting pissed off at having to compromise. Maybe he wrote some really great, philosophical essays on his beliefs and why they're important ten years ago, but he's probably tired of repeating himself, and he's perhaps coming across as bitter and childish, to those who can't understand why he's so annoyed at being offered a compromise now that he might have grudgingly accepted ten years ago.

Sometimes it's best to best to let the young firebrands to handle the PR, rather than bring out the bitter old guard. The message is the same, but the delivery is radically different.

Naked In Public

[some+old+guy]

Those of us who were around as scientists, engineers, and programmers back in the 1980's and '90's committed a collective epic fail of foresight when we didn't insist on "privacy by design" standards from the outset. In our headlong rush to connectivity and interoperability, we built systems that were ripe for commercial, governmental, and criminal data mining, and did not effectively campaign for legal safeguards or adequately forewarn the general public. We were, in our heady world of fast-paced progress and self-congratulation, irresponsible. Yes, we had our heroes trying to sound a warning, but they were too few and went unheeded. The rest of us just let it happen.

The cow has long been out of the proverbial barn. The best we can hope for is to corral the cow to some extent, and warn people about wild cows.

We as professionals owe a duty to the public to scream from the hilltops at every opportunity that There is no privacy on the internet! of any real sort, and make it clear that it is both naive and utopian to expect any. The power of money and government, and the avarice of criminals, have made it so and there can be no going back.

The analogy I use is that of walking out one's front door. You are in clear sight. Do not open your wallet if you want no one to see what's in it. Do not speak publicly if you desire confidentiality. You are in public every time you access the internet as much as every time you step out to the pub. Act accordingly.

New laws are indeed too late. There is no legal time machine to roll back what has already been done.

Like CAN-SPAM, a weak law is an excuse to not have

[raymorris]

My understanding of their position, with which I don't agree, is that passing a weak law now would serve as an excuse to not pass a strong one. By way of comparison, CAN-SPAM is so weak it basically legalizes spam. If CAN-SPAM did not exist, there would be pressure to pass a (better) law. CAN-SPAM takes the pressure off and they feel the new privacy rule would do the same, reduce the motivation for having a good law. As I said, I don't necesarily agree, but I understand their reasoning.

Re:Notification != punishment

[fremean]

I support being told when someone has unauthorized access to my data... for example... the coles breach a couple of years ago (what you didn't hear about that? not surprised - they only just admitted to it after months of me hounding) and the pizza hut breach (they still won't admit to it)