We have to hand over documents that identify us all the time, whether we’re scanning our ID to get into a club, or sending our birth certificates to apply to rent a house, or linking our passports with an airline account to get rewards points. But as the recent Optus data breach shows, mishandling of this information can cause chaos.
So, where do we go from here?
It can be hard to tell what happens to your data once you hand it over, even if you take the time to read privacy policies. Australia Post’s policy for example just says it collects and stores the data. My real estate agency’s policy says it will take reasonable steps to de-identify and destroy the data when it doesn’t need it anymore.
But it’s not like I have any idea if or when that’s done.
The Optus hack showed how scary a breach of ID documents can be.Credit:Brook Mitchell
On the other hand, most businesses genuinely have no use for these documents after they’ve verified your identity, and hanging onto the data is a risky move with little upside; specifically because it could make them a target for hackers and scammers.
“People used to call data the new oil, or the new gold. And now people are starting to say, well actually, it’s the new asbestos or the new uranium,” said Kathryn Gledhill-Tucker, vice-chair of digital rights non-profit Electronic Frontiers Australia.
“Data is something that needs to be treated with respect, that could have serious repercussions for individuals and for organisations if there is a breach.”
Optus’ woes highlight the worst-case scenario; bundles of data with everything criminals would need to fraudulently pass a 100-point identity check as someone else, finding their way out of a business’ stronghold.
Whether they need it or not, organisations do hang on to consumer data, and any reform on that front needs to set the boundaries on when this is actually necessary, and when it should be discouraged or outlawed.
In Optus’ case, it was required to collect this information by Australian law, to make sure the people accessing telecommunications services are who they say they are. It was also required by law to keep the data for a certain time. Other companies, such as banks, are bound by similar rules that mandate they hang on to customer data.
Gledhill-Tucker said there’s also plenty of encouragement from the law enforcement agencies, which rely on companies like Optus keeping as much data as possible, and many companies have created business models that hinge on leveraging data, even if it’s dangerous to keep.
“At the moment there’s so little counterbalance to surveillance capitalism. This rampant data capture and storage, with very little respect to how that data is handled. There’s so little legislation to act as a counterbalance to the capitalistic benefit that organisations get from data,” she said.
“Australia at the moment is pretty behind the times when it comes to effectively regulating organisations to make sure that they do the right thing.”
Last week Attorney-General Mark Dreyfus said there was generally no reason for companies to hang on to data used for identification purposes, even though the Privacy Act could be interpreted as saying they must.
“We are all familiar with the 100-point identity check. If a company says ‘we need to see your driver’s licence’ or ‘we need to see your passport number’, that is for the purpose of establishing that you are who you say you are. But that should be the end, one might think, of the company keeping all that data,” he said.
“We will be having a look at whether or not companies should be permitted to go on keeping data when the purpose of collecting it in the first place might have been no more than establishing someone’s identity … We need to have them appreciate that Australians’ personal information belongs to Australians, it’s not to be misused, it absolutely has to be protected, and if the Privacy Act is not getting us those outcomes then we need to look at reforms to the Privacy Act.”
The 100-point identity check was instituted in 1988, long before anyone could have imagined a remote data breach of the kind seen at Optus.
On Thursday, the federal government announced changes to the Telecommunications Act that would allow companies mandated to store personal ID data to share it with financial institutions in the case of a data breach. This would mean, for example, a bank would get a list of exposed credentials helping it block any attempts to use the stolen information to take out credit or a loan.
While this could help mitigate the damage wreaked by a breach, the changes don’t address the core issue of companies needing to collect the data in the first place. And it doesn’t help ease the discomfort when one is compelled to prove their identity by allowing someone to photocopy their driver’s license.
Over time the 100-point check will be phased out and replaced by a digital system, in fact, such a system already exists. The Australian Digital Identity system already lets you prove your identity to a service provider, like MyGov or Australia Post, using your documents, and it can pass that verification onto other companies on demand using things like facial recognition and QR codes. That way the company knows you are who you say you are, without needing to see or take a copy of your original documents.
The system is still new and has some hurdles to overcome. Obviously, it needs to be taken up by every company that needs to see your ID, and it also needs mitigations in place for when service providers are inevitably targeted by criminals. But in the meantime, some version of the technology could at least help prevent some of the most severely dangerous breaches.
“At the very least an organisation like Optus should be able to receive your identity documents, verify that they’re accurate, and keep a log of that verification rather than a log of the documents themselves,” Gledhill-Tucker said.
“That, to me, would be a privacy preserving framework, rather than just keeping massive amounts of sensitive data on every customer you’ve ever had.”
Get news and reviews on technology, gadgets and gaming in our Technology newsletter every Friday. Sign up here.
Most Viewed in Technology
From our partners
Source: Read Full Article