Defrag This


Harvesting and Sharing Of Personal Data Closer To Dumb

Michael O'Dwyer | August 21, 2017


Should governments and their departments secure data better than their company counterparts? Do the same risks of cyber-attack apply to them?

Disclaimer: The opinions expressed in this piece are my own and those of the quoted sources. If you believe that unmonitored state-sponsored surveillance of citizens and companies, and the data gathering that goes with it, is perfectly okay “if you have nothing to hide”, you should be very interested in the conclusions reached. You won’t agree, but it’s a free country, isn’t it? Clue: Do we even care at this point?

I’d initially prepared a rant of epic proportions, but what’s the point in getting aggravated about issues I cannot control? When I attained legal status as an adult in Ireland in the late 80s, I wasn’t too concerned about the use of my personally identifiable information (PII), as all it involved was my social insurance number, date of birth and address, which were used for government functions such as tax payment, driving licences and passports. My medical info was paper-based and stored in a filing cabinet at the doctor’s office. Simpler times.


The Internet as we know it began in 1982 and was based on the TCP/IP protocols still in use today. Its precursor, ARPANET, was funded by the Advanced Research Projects Agency (ARPA) of the United States Department of Defense in the late 1960s, with the aim of building a network capable of surviving a major loss to the underlying infrastructure. With the Internet, this goal was admirably achieved as we all know that once something goes online, it’s virtually impossible to remove it, as it’s shared, copied and disseminated amongst millions of users in disparate locations.

We now live in the Information Age and information is everywhere. Unfortunately, the quality and sensitive nature of this information varies widely while the methods used to store, share and (most importantly) secure it do not. Data privacy regulations are in place in many countries that do little to stem the tide of PII that is hacked or carelessly left online.

While much of the media has focused on issues relating to privacy in the U.S. and EU (whether the GDPR or the Internet Privacy Bill), citizens of Australia are also concerned about privacy and how their personal information is managed.



A Dose of Reality

In any company or government agency, humans are a security risk. As a contracted employee, Mr. Edward Snowden managed to acquire quite a collection of documents from the National Security Agency (NSA). A malicious insider, granted, but other human risks are caused by lack of knowledge or carelessness.

“Let’s be frank: the bottom line is that people are the weakest link in security controls. Speak to any pen-tester and they’ll say that social engineering of people is what gets them the most information and the most access. This suggests that no one, and no organization, can be completely “secure”. If we start with this premise, any central database on the citizens of a town, state, or country has the very real chance of being hacked,” said David Rudduck, managing director of Insane Technologies, an Australia-based IT consultancy that focuses on cyber-security awareness training, managed IT & security services and disaster recovery solutions.

Is it fair to say that mismanagement of citizen data is much more likely in government than in companies?

“I don’t think government has done any worse or better than companies. I think they are just as susceptible to being breached, and the real problem here is that what they are trying to store is extremely sensitive information that, if it got into the wrong hands, could ruin people’s lives. At the same time, government departments' employees don’t have a terrific track record of running projects well. Irrespective of whomever they blame at the end (usually the vendor), THEY designed the scope of works, THEY wrote the tender, and THEY awarded the contract. THEY should be responsible for that decision. The Australian Census ordeal [where an online census crashed due to a DDoS attack from Singapore] is a prime example of that. Sure, IBM copped a flogging [a AU$30m penalty] for that, but what about the panel who awarded IBM the contract? Did they screw IBM down so much on price that IBM ended up hiring less experienced people and then wondered why the job got [let’s say screwed, despite the repetition] up?” said Rudduck, adding that responsible parties need to be punished.

Security Awareness Is A Big Problem in Australia

Rudduck is very concerned that Australian companies are unaware of security risks.

“A big challenge I face is that most business owners, managers and the like won’t accept that they could become a victim of a data security breach until someone they know, or someone in their own industry, gets hit. The problem here is, most of the stats we hear about come from the USA. And whilst we do live in a global society and the hackers don’t really see any difference between our businesses and businesses in other countries (we’re all targets!), the targets seem to have their heads buried so far in the sand that it takes something very close to home for them to do something,” said Rudduck.

He believes that a major breach must occur, perhaps with loss of life, before circumstances change.

“I wholeheartedly expect there to be some serious fallout from a data breach before most people take this seriously. It’s a horrible thing to suggest, but average Joe needs a wakeup call, and it’s going to take someone dying or committing suicide because of a data breach for everyone to wake up,” he said.

Opt-in, Opt-out, Shake It All About

In August 2012, Australia introduced the Personally Controlled Electronic Health Records (PCEHR) Act, designed to force the transition from paper-based record keeping to a national, shared and digitized system. It was originally an opt-in scheme for patients.

“PCEHR was a fail. Changing its name and reversing the policy to make it “Opt-Out” is going to upset many people, but most people will be too lazy to bother. And ultimately that’s what they’re hoping for. The concept behind PCEHR and My Health Record has merit. We have been working with a major health provider on linking outpatient data from local hospitals to General Practice, as there’s no easy way for this information to be shared at the moment. But the fundamental way in which the project we’ve worked on has been approached is firstly requiring the individual to “Opt-In” before their data leaves their GP and enters the hospital (and vice versa),” said Rudduck.

Citizens want a choice.

“Look at the Windows 10 Upgrade fiasco Microsoft went through. That should give a bloody good example of the PR backlash that shows forcing people into something does not work,” said Rudduck, adding that, “If they aren’t opting in, then maybe we need to go back and work out WHY, then address that and try again? Who is it that’s forcing this mass Opt-In? That’s what I’d like to know. It makes no sense.”

Privacy! You Cannot Have It. Sorry!

Online privacy is a myth, and users should exercise caution when posting online. However, as more and more governments share data to combat terrorism, your information is being shared without your knowledge and is subject to the same cybersecurity risks experienced by companies.

Would you personally agree to share your info with foreign governments?

“Of course not! But I bet it’s already happening without my consent!” said Rudduck.

Is it even possible to protect your data?

“I was sitting with a member of the US DoD at a recent cyber-security conference and we both lamented the fact that “privacy” is an illusion. Governments have been monitoring their citizens since as far back as you can think. Telecommunications networks were built with monitoring in mind. Governments (even ours!) are now pushing to have backdoors into encrypted communications, because they are LOSING their ability to monitor their sheep, and they don’t like it!” said Rudduck.

Once data is uploaded, it’s available to those with the means to get it.

“The reality is, once data is recorded on an individual, it is at risk, and we really need to weigh up the benefit of that data existing versus the risk of that data being exposed before we even start recording the data in the first place. There really are no secure systems, just challenging puzzles for someone to break into,” said Rudduck.

Regulation and Abuse

In February 2017, Australia passed the Data Breach Notification Bill, but it only applies to companies with more than AU$2.3m in annual revenue.

“The new mandatory breach notification laws are a good start, but they are vague and weak. I realize it’s a starting point, but until a few fines are dealt, not enough people will take this seriously. I’ve yet to see anyone fined for breaching the Australian Privacy Principles, yet we’ve had a few breaches that should have brought this into question already!” said Rudduck.

With any computer system, and especially those that store citizen data, abuse by authorized users is possible and a big concern, given the sensitivity of medical data in particular.

“I was sitting with a medical specialist the other day and he showed me how he could look up ANYONE’s X-rays just by knowing their name. I said, “I’m sure there’s some auditing involved”, but is there? These systems aren’t new, but for some reason they have very relaxed security protocols. We’ve [Australia] had numerous police officers getting busted for using the police database systems to stalk their exes and look up information on people that they had no reason to look up. If we bring in a system that allows government officials, or medical practitioners, to look up any record, you can bet your life someone is going to be curious and start looking up records for their own benefit. And someone is going to have a crappy password or security credential that someone else gets access to, and we’re going to see a world of pain,” said Rudduck.

Once databases holding citizen data are live, regardless of the country of origin or any intelligence-sharing arrangements, your data is no longer private.

“Once the cat is out of the bag, there’s no going back. If the Government proceeds and every Australian’s personal medical history is stored in a centralized database, all it’s going to take to cause a data breach is one individual with more access than they should have. Then, something very horrible is going to happen,” said Rudduck.

In conclusion, I take comfort in the fact that I only put data online that I want others to see, and even then I do my best to secure it, aware that any encryption or hardware used may have a backdoor or vulnerability that allows surveillance. Citizens of Australia and many other countries are already part of a giant surveillance program (including biometric data) that is often accelerated at a local level under the guise of city planning. If you think this is alarmist, then have a look at the long list of Australian government agencies that want your internet data from Australian ISPs.

Big Brother and his extended family are all watching. Be aware. Be very aware. Data on that medical condition you’re embarrassed about is already at risk if it is in electronic form. I’m not recommending anarchy, but surely if a government organization can fund the Internet, there is a way to develop another clandestine Internet (no, not the Dark Web) where citizen data can be managed in a way that prevents misuse. Sure, use our data, but protect it in the manner supposedly guaranteed under the law.

Topics: security


THIS POST WAS WRITTEN BY Michael O'Dwyer

An Irishman based in Hong Kong, Michael O’Dwyer is a business & technology journalist, independent consultant and writer who specializes in writing for enterprise, small business and IT audiences. With 20+ years of experience in everything from IT and electronic component-level failure analysis to process improvement and supply chains (and an in-depth knowledge of Klingon), Michael is a sought-after writer whose quality sources, deep research and quirky sense of humor ensure he’s welcome in high-profile publications such as The Street and Fortune 100 IT portals.
