The recent data breach at Optus has shown that Australia’s privacy laws urgently need reform, writes Dr. Binoy Kampmark.
THINGS ARE NOT GETTING BETTER for Optus, a subsidiary of Singapore-based Singtel and Australia’s second largest telecommunications company.
The struggling company responsible for one of Australia’s biggest data breaches faces burning allegations and questions on multiple fronts. It’s also proving to be rather reticent about details about what was compromised in the leak.
Firstly for the claimed story which was vague in places. On September 22, the telecom company announced that data on up to 9.8 million customers had been stolen from its database. As of 2017, this includes names, dates of birth, phone numbers, email addresses, and in some cases addresses, passport numbers, or driver’s licenses.
Appropriately and perversely, a study by the Australian Institute of Criminology that same year found that one in four Australians had been the victim of identity crime or a general misuse of personal information. A less than comforting observation by the authors was that such rates were “comparable to the 27 per cent reported by respondents to the 2012 identity fraud survey conducted for the UK National Fraud Authority”.
In the case of Optus, the company claims the breach was caused by a “sophisticated cyberattack.” The view from outside of Optus is slightly different. The attack appears to have taken place when an application programming interface (API) was linked to an Optus customer database so that it was easily accessible. Basically, an API enables the transfer of data. Left naked and vulnerable, users can happily infiltrate systems they otherwise would not have access to.
Optus CEO Kelly Bayer Rosmarin’s near-tearful defense of the infraction was downright underwhelming, despite some rumors in the press ‘a bold and correct call to face the media in a video call that felt oddly intimate and completely candid’. During a mixed performance, she claimed so “We are not the villains” and suggested that the API was not made freely available.
Bayer Rosemary, however, is defending a crumbling front made almost absurdly strong by their seemingly minor responsibilities. Notable among them have been Australia’s recently retired tennis star Ash Barty as the company’s Chief Inspiration Officer and Australian Formula 1 driver Daniel Ricciardo as Optus’ Chief Optimism Officer.
Less ridiculous is the general reluctance to have data security overseen by a spectrum of Australian companies. As Tom Burton from the Australian Financial Report snide remarks, “intensive lobbying by financial, payment, telecommunications, media and marketing interests” belated reforms “a trusted, secure, reliable and efficient regulatory framework to govern the burgeoning digital economy and the data that powers it”.
As a feature of this reluctance, Australian banks grumbled and grumbled when asked to confirm bank account holder details linked to the account before making payments.
Those wounded and reeling over identity breaches had little opportunity to remedy. Australians, almost unique in the Anglo family of smug self-praise, have no separate right to sue civilly for invasion of privacy. Australian common law remains perversely obstinate in articulating a clear tort on the subject, and legislators have not been quick to legislate matters.
That Data Protection Act 1988 (Cth), given its numerous exceptions for small businesses, employee files, the media, and political parties, is just a poor, shoddy cover. It certainly falls far short of its much-distant European cousin, the General Data Protection Regulation (GDPR).
In a 2019 report published by the Department of Home Affairs (DHA) under Freedom of Information, David Lacey and Roger Wilkins, a former Attorney General’s Office Secretary, noted this ‘overall the reaction system [to data breaches] is either non-existent or bad from the citizen’s point of view.. the authors ‘Significant deficiencies identified in response standards, formal government reporting channels and meaningful consumer protections’.
The situation has been made tremendously worse by Australian legislation requiring customer data to be retained for up to two years, although there is no strict requirement not to retain such data after that period. The DHA states that such a policy ensures “Australia’s law enforcement and security agencies have lawful access to data, subject to strict controls.”.
That Telecommunications consumer protection codewhich is overseen by the Australian Communications and Media Authority (ACMA), also allows telecom companies to store personal data for billing purposes “up to six years before the date the information is requested”. However, this does not require the retention of passport details, driver’s licenses and Medicare numbers.
The implication of such provisions is unmistakable. They have encouraged companies to engage in behavior that has made security weak and breaches likely. They have become slovenly servants of government paranoia.
Companies like Optus simply cannot be relied upon to respond to such crises.
Digital rights attorney Lizzie O’Shea’s somber assessment is devastating:
“My third IT law is that whenever there’s a data breach, one of the first lines out of the speaker’s mouth is that they take security seriously — even if they’ve proven demonstrably that they aren’t.”
Though she accepts the obvious point that Optus is not directly responsible for the behavior, she strongly suggests so “You can’t complain that something has been stolen if you haven’t locked the front door.”
The political implications are enormous. Should such telcos be required to store data under the problematic data retention law that has been attacked in the EU? (In September, the European Court of Justice ruled that Germany’s general data retention law violated EU law.) Making such organizations owners of such information makes them rich targets.
Penalties have been suggested. In connection with the European Union and California, severe monetary sanctions apply, as Home Secretary Clare O’Neil has noted. Current fines in the range of $2.2 million for businesses and $440,000 for individuals are ridiculous.
There are promises from Optus to replace compromised documents. But when it comes to legal protections, Australian policymakers continue to look at privacy through a fractured and outdated lens.
dr Binoy Kampmark was a Cambridge Scholar and is a Lecturer at RMIT University. you can dr Follow Kampmark on Twitter @BKampmark.
Support independent journalism Subscribe to IA.