Category: privacy

India’s technocracy

India’s Aadhaar national identity system is a huge and brave experiment to stamp out corruption and strengthen national security.

Buzzfeed today has an in depth look at India’s Aadhaar national identity system.

1.12 billion Indians are now enrolled in the system that’s rapidly becoming mandatory as everything from telephone companies to job interviewers demand an identification number.

Aadhar is far from without critics with warnings that the database has a rich potential for abuse and the risk of betraying Indians’ biometric data should the system be compromised.

The latter point is important as biometric data isn’t like passwords – once biometric data been compromised it can’t be changed which opens up massive possibilities for identity fraud.

Regardless of the risks, India’s state and Federal governments are pressing ahead with the system and making sure it is a fundamental part of national life. Coupled with the recent demonetisation of the economy, the nation’s governments now have a very good picture of most Indian’s lives.

For civil rights campaigners this is a worrying system while government officials and politicians claim it will stamp out fraud and strengthen national security.

India is leading the way in where many other nations are going in coming years, it would be worthwhile watching how Aadhaar develops.

The science of money and data mining

The use of data mining by private and government agencies is widespread and only going to become more so. Do we care about the consequences?

Last week I wrote a piece for Fairfax Metro – the Sydney Morning Herald and Melbourne Age – looking at how government agencies and private credit companies are mining data.

That story sparked a range of interest with my doing a twenty minute segment on ABC Brisbane today on the topic which morphed into a deeper discussion on surveillance, particularly with the Australian government’s ‘metadata’ laws.

I’ll also be talking on ABC Radio Perth on Monday, March 6 about this story at 6.15am local time (9.15am Sydney and Melbourne).

In the wake of the Australian government’s Centrelink scandala national disgrace that is only getting worse – it’s worthwhile discussing exactly what data is being gathered and how it is being used.

The answer is almost everything with commercial operators like Experian pulling in data from sources ranging from credit card applications to social media services although store loyalty cards remain the richest information source.

As the Australian Tax Office spokesperson pointed out, none of this is particularly new as they have been collecting bank deposit data since the Federal government introduced income taxes in the 1930s.

The arrival of computers in 1960s changed the scale and scope of tax offices’ abilities to track citizens’ finances and gave rise to the major commercial credit bureaus.

With the explosion of personal electronics and internet connected devices in recent years along with increased surveillance powers being granted to government and private agencies, that monitoring is only going to grow.

The best citizens can expect is to have their data protected and respected with financial providers only using what is ethical and relevant in determining our access to banking and insurance products.

Politically the only way to ensure that is to make it clear through the ballot box, the question is do we care enough?

When governments misuse data

The Australian government’s misuse of data in harassing welfare recipients is something that should worry all citizens

Last year the Australian Federal government had a smart idea. To fix its chronic budget deficit, it would use data matching to claw back an estimated three billion dollars in social security overspending.

Unfortunately for tens of thousands of Australians the reality has turned out to very different with the system mistakenly flagging thousands of former claimants as being debtors.

How the Australian government messed up its welfare debt recovery is a cautionary tale of misusing data.

Data mis-match

At its core, the problem is due to the bureaucrats mismatching information.

Australia’s social security system requires unemployment or sickness benefit claimants file a fortnightly income statement with Centrelink, the agency that administers the system, and their payments are adjusted accordingly.

Most of those on benefits only spend a short time on them. According to the Department of Social Services, two thirds of recipients are off welfare within twelve months of starting.

Flawed numbers

Despite knowing this, the bureaucrats decided to take annual tax returns, average the individual’s income across the year and match the result against the fortnightly payment.

That obviously flawed and dishonest method has meant hundreds of former welfare recipients have been falsely accused of receiving overpayments.

Compounding the problem, the system frequently mis-identifies income because it fails to recognise employers may use different legal names, leading to people having their wages double counted and being accused of not reporting work.

Shock and awe

Under pressure from their political masters, the aggressive tactics of Centrelink and its debt collectors have left many of those accused shocked and distressed.

I can barely breathe when I think about this. My time period to pay is up tomorrow. I asked them for proof before I pay and I have heard horror stories of debt collection agencies, people being asked to pay so much, people being told there will be a black mark on their credit. I am so terrified. It’s so stupid for me to be terrified but I can’t help it. I am a student, I can’t afford anything!

Reading the minister’s response to criticisms, it’s hard not to come to the conclusion that intimidation was a key objective.

The numbers of people involved are staggering. The department of Social Services reported 732,100 Australians received the Newstart unemployment allowance in 2015-16. Should 66% of those have moved off the benefit during the tax year then up to 488,000 people will receive ‘please explain’ notices.

Nearly half a million people being falsely accused of welfare fraud is bad enough, but that is only last year’s figures – due to a  law change by the previous Labor government, there is no limit to how far back Centrelink can go to recover alleged debts.

The System is working

Claiming the Centrelink debacle is a failure of Big Data and IT systems is wrong – the system is working as designed. The false positives are the result of a deliberate decision by agency bosses and their ministers to feed flawed data into the system.

How this will work out for the Australian government as tens of thousands more people receive unreasonable demands remains to be seen. Recent comments from the minister indicate they are hoping their ‘tough on welfare cheats’ line will resonate with the electorate.

Regardless of how well  it turns out for the Australian government, the misuse of data by its agencies is a worrying example of how governments can use the information they collect to harass citizens for short term political advantage.

Beyond welfare

While many Australians can dismiss the travails of Centrelink ‘clients’ as not concerning them, the same data matching techniques have long been used by other agencies – not least the Australian Taxation Office.

With the Federal Treasurer threatening a campaign against corporate tax dodging and the failure of the welfare crackdown to deliver the promised funds, it’s not hard to see small and medium businesses being caught in a similar campaign using inappropriate data.

More importantly, the Australian Public Service’s senior management’s incompetence, lack of ethics and proven inability to manage data systems is something that should deeply concern the nation’s taxpayers.

In a connected age, where masses of information is being collected on all of us, this is something every citizen should be objecting to.

Guessing ethnic affinity

Big data can create big risks, particularly when a service like Facebook starts racially profiling

What’s your ethnic affinity? Apparently Facebook thinks its algorithm can guess your race based upon the nature of your posts.

This application is an interesting, and dangerous, development although it shouldn’t be expected that it’s any more accurate than the plethora of ‘guess your age/nationality/star sign’ sites that trawl through Facebook pages.

Guessing your race is something clumsy and obvious but its clear that services like Google, LinkedIn and Facebook have a mass of data on each of their millions of users that enables them to crunch some big numbers and come up with all manner of conclusions.

Some of these will be useful to governments, marketers and businesses and in some cases it may lead to unforeseen consequences.

The truth may lie in the data but if we don’t understand the questions we’re asking, we risk creating a whole new range of problems.

Apple CEO Tim Cook on Privacy and Profits

Apple CEO Tim Cook discusses privacy, profits and cars with NPR’s All Things Considered

“Privacy is a fundamental human right”. A short, but sweet and fascinating, NPR interview with Apple CEO Tim Cook.

Cook goes onto to avoid discussing the likelihood of Apple Cars and expounds the advantages of repatriating corporate profits back to the US, something we can expect cash rich companies like Apple to start agitating for after the next Presidential election.

The interview, which is only eight minutes long, is well worth a listen as Apple positions itself against competing internet giants Google and Facebook over the topic of privacy.

 

The need for an IoT manifesto

As the internet of things rolls out, more care in the design of products and services will be needed

Last May at the ThingsCon conference in Berlin a group of European designers came together to form the IoT Manifesto.

Now vendors have the ability to put a chip into almost anything companies and designers are tempted to add connectivity simply for the sake of doing so.

In many cases this is opens up a range of security risks ranging from the screaming baby monitor to the hackable jeep.

Coupled with the security risks of your intimate devices being hacked there’s the related privacy risks as millions of devices collect data ranging from how hard you press your car’s brake pedal through to last time you burned your breakfast toast.

In an era where governments and businesses are seeking to amass even more information about us, there are genuine concerns about what that data is going to be used for and why it is being collected in the first place.

The IoT manifesto looks to manage these problems facing the sector through ten guiding design principles;

  1. Don’t believe the hype around the IoT
  2. Only design useful things
  3. Deliver benefits to all stakeholders
  4. Keep everything secure
  5. Promote a culture of privacy
  6. Gather only a minimal amount of data
  7. Be transparent about who that data will be shared with
  8. Give users control over their data
  9. Design durable products
  10. Use the IoT and its design to help people

All of the principles are laudable and it’s not hard to think that meeting the guidelines would make devices and services that aren’t just useful and safe but also simpler, cheaper and more effective.

There’s many ethical, business and safety issues facing the Internet of Things as connected devices rollout across almost every industry. The IoT Manifesto may well be a good framework in which to design them and the cloud services they’ll depend upon.

Social media types, IoT gadgets and the internet’s future –ABC Nightlife May 2015

Paul Wallbank regularly joins Tony Delroy on ABC Nightlife on to discuss how technology affects your business and life.

Along with covering the tech topics of the day listeners are welcome to call, text or message in with their thoughts and questions about technology, change and what it means to their families, work and communities.

If you missed the May program, it’s now available on our Soundcloud account.

For the May 2015 program Tony and Paul looked at some of the gadgets coming out of the Internet of Things, what your social media posts say about you and Mary Meeker’s big Internet Trends report.

Join us

Tune in on your local ABC radio station from 10pm Australian Eastern Summer time or listen online at www.abc.net.au/nightlife.

We’d love to hear your views so join the conversation with your on-air questions, ideas or comments; phone in on 1300 800 222 within Australia or +61 2 8333 1000 from outside Australia.

You can SMS Nightlife’s talkback on 19922702, or through twitter to @paulwallbank using the #abcnightlife hashtag or visit the Nightlife Facebook page.

Who owns a smartcar’s smarts?

The question of software ownership in a smartcar opens a range of difficult questions about the internet of things.

Automakers Say You Don’t Really Own Your Car states the Electronic Frontiers Foundation.

In their campaign to amend the US Digital Millenium Copyright Act to give vehicle owners the right to access and modify their automobiles’ software the EFF raises an important point.

Should the software licensing model be applied to these devices then purchasers don’t really own them but rather have a license to use them until the vendor deems overwise.

Cars, of course, are not the only devices where this problem arises. The core of the entire Internet of Things lies in the software running intelligent equipment, not the hardware. If that software is proprietary and closed then no purchaser of a smart device truly owns it.

Locking down the smarthome

This raises problems in smarthomes, offices and businesses where the devices people come to depend upon are ‘black boxes’ that they aren’t allowed to peer into. It’s not hard to see how in industrial or agricultural applications that arrangement will often be at best unworkable.

Four years ago tech industry leader Marc Andreessen pointed out how software is eating the world; that most of the value in an information rich economy lies in the computer programs that processes the data, not the hardware which collects and distributes it.

That shift was flagged decades ago when the initial fights over software patents occurred in the 1980s and 90s and today we’re facing the consequences of poorly thought out laws, court decisions and patent approvals that now challenge the concepts of ownership as we know it.

Is ownership outdated?

However it may well be that ‘ownership’ itself is an outdated concept. We could be entering a period where most of our possessions are leased rather than owned.

If we are in a period where ownership is an antiquated concept then does it matter that our cars, fitness bands, kettles, smoke alarms and phones are in effect owned by a corporation incorporated in Delaware that pays most of its tax in the Dutch Antilles?

Who owns the smartcar’s data?

The next question of course is if the software in our smart devices is secret and untouchable then who owns the data they generate?

Ownership of a smartcar’s data could well be the biggest issue of all in the internet of things and the collection of Big Data. That promises to be a substantial battle.

In the meantime, it may not be a good idea to tinker too much with your car’s software or the data it generates.

The risks of government surveillance – how Australia’s data retention laws hurt

The Australian government is about to pass data retention laws which will be expensive and won’t work

This morning I’m speaking on ABC Radio’s Overnights about the risks of the Australian government’s law to force telecommunications companies to retain users’ metadata for two years.

While the act, currently before the Senate having passed the House of Representatives last week after the poorly named ‘opposition’ Labor Party supported it, mandates that telcos and ISPs will have to retain the details of users’ connection times, places and type of device for two years and that government agencies will be able to access this data without a warrant.

The program was broadcast on 26 March 2015 at 4.15am Eastern Time with Trevor Chappell and is can be listened to on the ABC radio website.

Some resources on the data retention bill follow;

How the Internet of Things could overtake the law

The internet of things is going to present challenges for governments and regulators.

Last March the Australian internet industry celebrated twenty years of commercial operations with the Rewind/Fast Forward conference that looked at the evolution of the online economy down under and its future.

Naturally the Internet of Things was an important part of the discussion looking at the internet’s future and one of the panels examined the effects of the IoT on industry and society.

During the session chairman of the Communications Alliance industry association, John Stanton, raised an important point about how the IoT creates problems for existing laws and the regulators as a wave of connected devices are released onto the market place.

The risks are varied, and Stanton’s list isn’t exhaustive with a few other aspects such as liability not explored while some of the issues he raises are a problem for other internet based services like cloud computing and social media.

Roaming rules

Having fought many regulatory battles over roaming charges and access between networks, it’s not surprising Stanton and the Communications Alliance would raise this as an issue.

Dealing with roaming devices will probably be a big challenge for mobile Machine to Machine (M2M) technologies, particularly in the logistics, airline and travel industries. We can expect some bitter billing battles between clients and their providers before regulators start to step in.

Number schemes

Again this is more an issue for mobile M2M consumers. Currently every SIM card has its own phone number once the service is activated.  It may be that regulators have to revise their numbering schemes or allow providers to use alternative addressing methods to contact devices.

Data sovereignty

Where data lives is going to continue to be a vexed issue for cloud computing consumers, particularly given the varied laws between nations.

Short of an international treaty, it’s difficult to see how this problem is going to be resolved beyond companies learning to manage the risks.

Identity management

Data integrity is essential for the IoT and accurately determining the identity of individuals and devices is going to be a challenge for those designing systems.

Over time we can expect to see some elegant and clever solutions to identity management in the IoT however masquerading as a legitimate device will always be a way malicious actors will try to hack systems.

Privacy

For domestic users, the privacy of what remains in data stores is going to be a major concern as domestic devices and wearables gather greater amounts of personal information. We can expect laws to be tightened on the duties and obligations of those collecting the data.

Access Security

Who can do what with a networked device is another problem, should a malicious player or a defective component get onto the system, the damage they can do needs to be minimised. What constitutes unlawful access to a computer network and the penalties needs to be carefully thought out.

Spectrum allocation and cost

Governments around the world have been reaping the rewards of selling licenses to network operators. As the need for reliable but low data usage IoT networks grows, the economics of many of the existing licenses changes which could present challenges for both the operators and governments.

Access to low cost and low data access networks

Following on from the economics of M2M networks, the question of mandating slicing of scarce spectrum for IoT applications or reserving some frequencies becomes a question. How such licenses are granted will cause much friction and many headaches between regulators and operators.

Commercial value of information

How much data is worth will always be a problem in an economy where information is power and money. This though may turn out to be more subtle as information is only valuable in the eyes of the beholder.

Where information becomes particularly valuable is in financial markets and highly competitive sectors so we can see the IoT becoming part of insider trading and unfair competition actions. These will, by definition, be complex.

Like any new set of technologies the internet of things raises a whole new range of legal issues as society adapts to new ways of doing business and communicating. What we’re going to see is a period of experimentation with laws as we try to figure out how the IoT fits into society.

Clawing back our data – Telstra makes metadata available to customers

Australia’s Telstra responds to government data legislation by opening metadata to users

Today Australian incumbent telco announced a scheme to give customers access to their personal metadata being stored by the company.

In a post on the company’s Telstra Exchange blog the company’s Chief Risk Officer, Kate Hughes described how the service will work with a standard enquiry being free through the web portal with more complex queries attracting of fee of $25 or more.

The program is a response to the Australian Parliament’s controversial intention to introduce a mandatory data retention regime which will force telcos and ISPs to retain a record of customer’s connection information.

We believe that if the police can ask for information relating to you, you should be able to as well.

At present the scheme is quite labor intensive, a request for information involves a great deal of manual processing under the company’s current systems however Hughes is optimistic they will be able to deal with the workload.

“We haven’t yet built the system that will enable us to quickly get that data,” Hughes told this website in an interview after the announcement. “If you came to us today and asked for that dataset it wouldn’t be a simple request.”

The metadata opportunity

In some respects the metadata proposal is an opportunity for the company to comply with the requirement of the Australian Privacy Principles that were introduced last year where companies are obliged to disclose to their customers any personally identifiable information they hold.

For large organisations like Telstra this presents a problem as it’s difficult to know exactly what information every arm of the business has been collecting. Putting the data into a centralised web portal makes it easier to manage the requirements of various acts.

That Telstra is struggling with this task illustrates the problems the data retention proposals present to smaller companies with far fewer resources to gather, store and manage the information.

Unclear requirements

Another problem facing Hughes, Telstra and the entire Australian communications industry is no-one is quite clear exactly what data will be required under the act, the legislation proposed the minister can declare what information should be retained while the industry believes this should be hard coded into the act which will make it harder for governments to expand their powers.

What is clear is that regardless of what’s passed into law, technology is going to stay ahead of the legislators, “I do think though this will be very much a ‘point in time’ debate,” Hughes said. “Metadata will evolve more quickly than this legislation can probably keep pace with so I think we will find ourselves back here in two years.”

In many ways Australia’s metadata proposals illustrates the problems facing governments and businesses in managing data during an era where its growing exponentially, it may well turn out for telcos, consumers and government agencies that ultimately less is more.

Reducing big data risks by collecting less

Just because you can collect data doesn’t mean you should

“To my knowledge we have had no data breaches,” stated Tim Morris at the Tech Leaders conference in the Blue Mountains west of Sydney on Sunday.

Morris, the Australian Federal Police force’s Assistant Commissioner for High Tech Crime Operations, was explaining the controversial data retention bill currently before the nation’s Parliament which will require telecommunications companies to keep customers’  connection details – considered to be ‘metadata’ – for two years.

The bill is fiercely opposed by Australia’s tech community, including this writer, as it’s an expensive   and unnecessary invasion of privacy that will do little to protect the community but expose ordinary citizens to a wide range of risks.

One of those risks is that of the data stores being hacked, a threat that Morris downplayed with some qualifications.

As we’re seeing in the Snowden revelations, there are few organisations that are secure against determined criminals and the Australian Federal Police are no exception.

For all organisations, not just government agencies, the question about data should be ‘do we need this?’

In a time of ‘Big Data’ where it’s possible to collect and store massive amounts of information, it’s tempting to become a data hoarder which exposes managers to various risks, not the least that of it being stolen my hackers. It may well be that reducing those risks simply means collecting less data.

Certainly in Australia, the data retention act will only create more headaches and risks while doing little to help public safety agencies to do their job. Just because you can collect data doesn’t mean you should.