In this digital age, a growing challenge to our privacy is the rising number and scale of internet hack attacks, government data matching, and online identity theft and fraud.
This represents a modern application of Wendell Phillips' saying "eternal vigilance is the price of liberty”, with new meaning being given to the notion of "price" and who should be required to pay that price.
An article by Hannah Francis in The Age discusses the vital role of passwords in protecting the privacy of users in their interactions with the internet. In the article, Francis points out that, today, we each have upwards of 100 accounts online — a figure which has quadrupled since 2007, with the number of accounts we have doubling every five years. While this means people often recycle the same six or so passwords across accounts, the risk, as Francis explains, is that if one account is compromised by hackers, the rest are too. The Australian Government also gives this advice in its booklet, Protecting Your Identity: What Everyone Needs to Know.
Of course, the combined use of access controls or usernames, generally email addresses, in conjunction with passwords provides a measure of security — especially when using a wireless network. However, email addresses can be hacked, too, which is why experts recommend changing your passwords regularly and making them difficult to crack, perhaps combined with answers to secret questions. Enter the business of password and access managers, including the use of password management software and apps sold by companies, such as Dashlane, OneLogin, Lastpass and Symantec.
However, using and changing hard-to-crack passwords securely are not the only things we can and should consider doing to stay safe in cyberspace. Other online privacy protections include employing encryption, Virtual Private Networks (VPNs) and two-factor authentication, using effective security software and visiting only secure websites, including those starting with "https" or with the "closed padlock" symbol displayed.
For particularly sensitive types of transactions, such as banking, as well as other interactions, encryption may involve using Secure Sockets Layer (SSL), Transport Layer Security (TLS) or bcrypt to encrypt data as it travels across the internet. Encryption is most effective if it is end-to-end. Companies such as Wickr supply encryption apps, while VPNs enable Australians to bypass the Government’s metadata retention scheme and piracy website blocking, as Adam Turner pointed out in an article in The Age.
Another article by Nicholas Tufnell titled '21 tips, tricks and shortcuts to help you stay anonymous online', which appeared in The Guardian on 6 March 2015, describes VPNs – which hide your IP address – as "one of the most effective ways to protect your privacy online".
Even so, in 2014, Yahoo believes a "state-sponsored actor" hacked and stole information related to at least 500 million user accounts from its network, described by SBS News as “the biggest cyber breach ever”. The article quotes Yahoo as reporting the theft as including names, email addresses, telephone numbers, dates of birth and encrypted passwords.
The Office of the Australian Information Commissioner (OAIC), in its Australian Privacy Principles (APP) Guidelines (the Guidelines) on the Privacy Act 1988, includes ICT security steps and strategies – such as the ones just mentioned – among its ‘’reasonable steps” required to be taken by an entity to which the Act applies. This is in order for the entity to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure — the equivalent of 'Information Privacy Principle 4' in the Victorian Privacy and Data Protection Act 2014, dealing with data security. "Unauthorised access" and "unauthorised modification" are most likely to apply to instances of hacking by an external third party.
What constitutes "taking reasonable steps” in any particular situation will depend on five types of circumstances outlined in the guidelines, including 'the practical implications of implementing the security measure', which covers the time and cost involved.
However, the guidelines go on to state:
'...an entity is not excused from taking steps to protect information by reason only that it would be inconvenient, time-consuming or impose some cost to do so.'
In other words, cost-shifting by an entity is not acceptable. Accordingly, where entities collect, use and store user data which effectively requires consumers to pay to acquire password management apps, rather than these entities investing in online security measures themselves, they arguably unreasonably shift the cost to those users.
In any event, the OAIC, where the allegation concerns a Commonwealth Government agency or private enterprise – or the Commissioner for Privacy and Data Protection, where it relates to a Victorian Government or local government body – are the bodies you can lodge a complaint with, in the event of a privacy breach, such as being the victim of online identity theft. However, you must first have tried to resolve matters with the agency, private entity or body concerned.
Gustav Lanyi is a lawyer specialising in public international law. You can read more from Gustav here.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia License
Monthly Donation
Single Donation
Be informed. Subscribe to IA for just $5.
