Oz gummint's de-anonymisation crime is as mind-bendingly stupid as we feared
Disclosure is a lesser crime than research; government agencies are exempt; and don't Google your own key
The text of the government's proposed bill outlawing data re-identification looks worse than researchers feared.
Apart from the legislation's maximum two-year stretch for anybody that cracks whatever key an agency applies to the data, there are two further problems: government agencies are exempted from the bill (giving them what looks like permission to discover identities from datasets), and there's no exemption for academic research.
The best researchers can hope for is that if they apply to the Attorney-General George Brandis, he might issue a determination that it's okay to carry out research; or that after being subjected to an investigation, the researcher might be cleared by the Privacy Commissioner.
In other words, academic research is within the personal gift of a ministerial determination, unless the researcher has a vast appetite for risk and uncertainty.
Oh, and if Vulture South reads this part correctly, the law reverses the usual burden of proof in criminal matters: “Note: In criminal proceedings, a defendant bears an evidential burden in relation to the matter in subsection (2) (see subsection 13.3(3) of the Criminal Code).”
Since agencies are allowed to re-identify data (as the ludicrous law says, the law doesn't apply if an agency really wants identities, that is, if “the act was done in connection with the performance of the agency’s functions or activities”, or there's a court order), the law lends the same exemptions to contractors to agencies.
As well as two years contemplating the prison cell wash-basin, the law provides for civil penalties of up to AU$144,000 (800 penalty units, which currently stand at $180 apiece).
A second offence under the law would be reasonable, if the rest of the law wasn't such a mess: if you re-identify data (unless you're doing so inside a government agency because why shouldn't the Tax Office strip away the anonymity of medical records?) you must not disclose the data to anybody but the originating agency.
Again, government agencies (and their contractors) are exempted from this clause – was this drafted by George Brandis' press secretary after the Parliamentary Midwinter Ball or something? – so not only can the Australian Taxation Office re-identify medical data, it seems to be allowed to publish that data.
The penalty for disclosing data is two years, but only $108,000 (600 penalty units) – that is, disclosure is less serious than researching the strength of the anonymisation.
As well as the Kafkaesque construction of the legislation, the bill suffers the same potential for abuse as laws that protect digital rights management schemes: it doesn't matter if the anonymisation applied is weak.
Let's take the standard Statistical Linkage Key 581 (described here), under which I am:
If an agency chooses, it now has license to use this very weak key as its “anonymisation” with the protection of the law. If I used Google to identify myself in a published data set, I've broken the law.
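To show how little the key hides, here is an added illustration that is not part of the original article. It assumes the published SLK-581 layout (letters 2, 3 and 5 of the family name, letters 2 and 3 of the given name, date of birth as DDMMYYYY, then a sex code), which the article links to rather than spells out. The people listed are constructed, not real.

```python
import re
from datetime import date

def _letters(name, positions, width):
    """Pick 1-based letter positions; '2' pads short names, '9's mark a missing name."""
    cleaned = re.sub(r"[^A-Za-z]", "", name or "").upper()
    if not cleaned:
        return "9" * width
    return "".join(cleaned[p - 1] if p <= len(cleaned) else "2" for p in positions)

def slk581(family, given, dob, sex_code):
    """Build the 14-character key: 3 surname letters, 2 given-name letters, DDMMYYYY, sex digit."""
    return (_letters(family, (2, 3, 5), 3)
            + _letters(given, (2, 3), 2)
            + dob.strftime("%d%m%Y")
            + str(sex_code))

def exposed_fields(key):
    """What any reader of a published key learns directly, with no 'cracking' involved."""
    return {
        "surname_letters_2_3_5": key[0:3],
        "given_letters_2_3": key[3:5],
        "date_of_birth": date(int(key[9:13]), int(key[7:9]), int(key[5:7])),
        "sex_code": key[13],
    }

def candidates(key, people):
    """People in a list whose details produce this key (one match means the key is unique)."""
    return [p for p in people if slk581(*p) == key]

# Constructed sample population; none of these are real people.
PEOPLE = [
    ("Citizen", "Alex", date(1970, 1, 31), 1),
    ("Citizen", "Alexandra", date(1982, 6, 5), 2),
    ("Ng", "Jo", date(1970, 1, 31), 2),
    ("O'Brien", "Sam", date(1995, 12, 24), 1),
]

if __name__ == "__main__":
    for person in PEOPLE:
        key = slk581(*person)
        print(key, exposed_fields(key)["date_of_birth"], len(candidates(key, PEOPLE)))
```

An agency assessing a dataset before release can run the same uniqueness count over its own records: every key that maps to a single person is a record the "anonymisation" does not protect.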
As my colleague Darren Pauli previously wrote:
The amendments, as they currently stand, are so mind-bendingly out-of-touch they make your correspondent cry.
There appears no benefit to outlawing decryption research. It directly undermines the security of the online economy, the internet more broadly, and the processes of open source research which produced the very tried-and-tested encryption tools Vulture South would hope the Government will use to protect citizen data.
Our hopes were misplaced. ®