Privacy Commissioner, infosec boffins, call for reform of anti-hack Bill

Australian Privacy Commissioner Timothy Pilgrim, together with noted security and privacy professionals, have called for amendments to a Federal Government Bill that would criminalise the identification of Government-issued anonymous data sets claiming it will impinge legitimate research.

Federal Attorney-General George Brandis proposed the Bill as a means to safeguard the anonymised records of people the Government posts online in an effort to assist private and public sector data analysis.

It would place anyone who manages to identify people within those anonymised datasets at risk of criminal and civil penalties. Journalists and government staff appear exempt.

The Senate Legal and Constitutional Affairs Legislation Committee is due to report on the Bill on February 7th, 2017 next year.

This has irked many in the technology community who regard the ability to experiment with public data and report vulnerabilities as critical to ensuring ongoing security.

Indeed, security testing underpins much of the technology world, and has lead to the construction of the world's most resilient systems and organisations.

Submissions to the inquiry into the Privacy Amendment (Re-identification Offence) Bill 2016 closed last week. At the time of wiring the consultations page lists five submissions with at least two more already sent to the Senate Committee but not yet posted.

Most of the well-considered submissions take issue with the implementation of the Bill, but not its intent to protect citizen data.

Commissioner Pilgrim urged the Committee to consider amendments that would consider a holistic approach to data security reform that would focus on shoring up privacy controls in government agencies.

"I note that as currently drafted, it is not clear how an Australian Government agency will establish that information 'was published on the basis that it was de-identified personal information'," Pilgrim says.

"I believe that the introduction of new criminal offences and civil penalties, in and of itself, is unlikely to eliminate the privacy risks associated with the publication of de-identified datasets.

"Effective de-identification requires a careful consideration of all relevant contextual factors, to help ensure that the risk of re-identification, as well as other threats to privacy, are minimised."

Pilgrim's office will release de-identification guidelines early next year, he says.

Andrew van der Stock, director of the respected Open Web Application Security Project (OWASP) says the Bill as it currently stands cannot meet its objectives.

Van der Stock is a security boffin with more than two decades' experience in the security sector. Writing in his personal capacity says the Bill is likely to stymie independent security research.

He says "a researcher who absolutely sets out to re-identify data to ensure that the data set is properly protected by the chosen algorithm will be at risk of going to jail, adding that "the Bill’s sole objective cannot be met by the legislation as written, as it seeks to criminalise and severely punish all re-identification, regardless of intent, and regardless if any sensitive records were re-identified, transmitted or stored in a way that publicly exposes these records any more than the original de-identification process.

"Weak algorithms and processes, not disclosure, is the root cause and is not addressed by this Bill."

Van der Stock points out that cryptographic algorithm are deemed safe and effective only after extensively analysis by external parties, and adds further that publication of re-identification efforts should be permitted once data has been re-issued, something deemed an offence under the Bill. ®