Australia wants to jail infosec researchers for pointing out dodgy data
New law will make criminals of boffins who probe badly-anonymised data
Australia's proposed laws outlawing research into data de-anonymisation look set to proceed after a Senate Committee report landed yesterday complete with just one recommendation: that the bill be passed.
The Privacy Amendment (Re-identification Offence) Bill 2016 was proposed after researchers Dr Vanessa Teague, Dr Chris Culnane and Dr Benjamin Rubenstein warned that a supposedly-anonymised release of health insurance information to Australia's open data portal, data.gov.au, required trivial effort to associate with the individuals it described.
Upon learning of the researchers' efforts, attorney-general George Brandis immediately announced the government's intent to ban such research, unless authorised by his department. The intent of the ban, outlined in the bill's explanatory memorandum, is to safeguard the policy benefits of government data releases while hopefully deterring those who would use the data for ill.
But the language used in the bill does not explicitly protect researchers, instead requiring them to seek permission before probing data - an unusual requirement.
The proposed law is retrospective to the date of Brandis' response – 29 September 2016.
The government members of the Senate Committee – Ian Macdonald, David Fawcett and Linda Reynolds – are comfortable with that retrospectivity, as well as the bill's reverse burden of proof. The bill's reach into university research did not trouble them.
The dissenting report, by members of Australia's opposition Labor Party and the Australian Greens (Louise Pratt and Murray Watt of the ALP, Nick McKim of the Greens), points out flaws in the bill identified by various submissions.
- The NSW Privacy Commissioner pointed out that the law doesn't demand that government agencies do an effective job of de-identifying data: “it places a disproportionately high onus on external recipients to be aware which released datasets are considered to have undergone a de-identification process”;
- The bill discourages research; and
- They don't see merit in the reversal of the onus of proof.
Vulture South asked Dr Teague for her response to the committee report. She replied by likening re-identification work to civil engineering: “If a bridge falls down, you wouldn't outlaw civil engineers inspecting other bridges, would you?” she asked.
“I think the government is confusing identifying a problem with exploiting a problem. Re-identification doesn't do harm, it indicates that there's a weakness that could be used to cause harm.”
Given the government's enthusiasm for data releases, she said everyone needs to understand “how to avoid publishing datasets with privacy weaknesses”, and if a data release exposes personal data, “how to deal with the harm that could be caused”.
“Cybersecurity problems are engineering problems. We can understand them if we think about maths. If there's a failure, we can respond to it, understand it, and try to avoid it.”
The bill will now be subject to horse-trading in Australia's Senate, where the government does not have a majority and therefore needs the support of independents and micro-parties who generally show little inclination to engage deeply with matters beyond their pet policies.
Thus we are governed. ®