Oz gummint's de-anonymisation crime is as mind-bendingly stupid as we feared

Disclosure is a lesser crime than research; government agencies are exempt; and don't Google your own key

The text of the government's proposed bill outlawing data re-identification looks worse than researchers feared.

Apart from the legislation's maximum two-year stretch for anybody who cracks whatever key an agency applies to the data, there are also the points that government agencies are exempted from the bill (giving them what looks like permission to discover identities from datasets), and that there's no exemption for academic research.

The best researchers can hope for is that if they apply to the Attorney-General George Brandis, he might issue a determination that it's okay to carry out research; or that after being subjected to an investigation, the researcher might be cleared by the Privacy Commissioner.

In other words, academic research is within the personal gift of a ministerial determination, unless the researcher has a vast appetite for risk and uncertainty.

Oh, and if Vulture South reads this part correctly, the law reverses the usual burden of proof in criminal matters: “Note: In criminal proceedings, a defendant bears an evidential burden in relation to the matter in subsection (2) (see subsection 13.3(3) of the Criminal Code).”

Since agencies are allowed to re-identify data (as the ludicrous law says, the law doesn't apply if an agency really wants identities: “the act was done in connection with the performance of the agency’s functions or activities”, or there's a court order), the law lends the same exemptions to contractors to agencies.

As well as two years contemplating the prison cell wash-basin, the law provides for civil penalties of up to AU$144,000 (800 penalty units, which currently stand at $180 apiece).

A second offence under the law would be reasonable, if the rest of the law wasn't such a mess: if you re-identify data (unless you're doing so inside a government agency because why shouldn't the Tax Office strip away the anonymity of medical records?) you must not disclose the data to anybody but the originating agency.

Again, government agencies (and their contractors) are exempted from this clause – was this drafted by George Brandis' press secretary after the Parliamentary Midwinter Ball or something? – so not only can the Australian Taxation Office re-identify medical data, it seems to be allowed to publish that data.

The penalty for disclosing data is two years, but only $108,000 (600 penalty units) – that is, disclosure is less serious than researching the strength of the anonymisation.

As well as the Kafkaesque construction of the legislation, the bill suffers the same potential for abuse as laws that protect digital rights management schemes: it doesn't matter if the anonymisation applied is weak.

Let's take the standard Statistical Linkage Key 581 (described here), under which I am:


If an agency chooses, it now has license to use this very weak key as its “anonymisation” with the protection of the law. If I used Google to identify myself in a published data set, I've broken the law.
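Why the key is weak, as an added example that is not part of the original article: SLK-581 is an unkeyed, deterministic function of name, date of birth and sex, so a data custodian can check before release how many rows are linkable by anyone who already knows those facts. The layout in the comments follows the published SLK-581 definition (the article only links to it) and is an assumption here; all names and records are constructed.

```python
import re

# Assumed SLK-581 layout (14 characters), per the published definition:
#   letters 2, 3 and 5 of the family name
# + letters 2 and 3 of the given name
# + date of birth as DDMMYYYY
# + sex code (1 male, 2 female, 9 not stated)
# A letter position past the end of the name is filled with "2".


def _pick(name, positions):
    """Take the 1-based letter positions from a name, ignoring non-letters."""
    letters = re.sub(r"[^A-Z]", "", name.upper())
    return "".join(letters[p - 1] if p <= len(letters) else "2" for p in positions)


def slk581(family, given, dob_ddmmyyyy, sex_code):
    """Build the linkage key; no secret is involved at any step."""
    return _pick(family, (2, 3, 5)) + _pick(given, (2, 3)) + dob_ddmmyyyy + str(sex_code)


def linkable_rows(release, known_people):
    """Pre-release check: which rows of a keyed release match a person
    whose name, date of birth and sex are already known?"""
    index = {slk581(*person): person for person in known_people}
    return {row["slk"]: index[row["slk"]] for row in release if row["slk"] in index}


# Constructed people and a constructed "de-identified" release.
PEOPLE = [
    ("Citizen", "Jane", "01011980", 2),
    ("Nguyen", "Li", "15061975", 1),
    ("O'Brien", "Sam", "30111990", 1),
]
RELEASE = [
    {"slk": "ITZAN010119802", "item": "record A"},
    {"slk": "GUEI2150619751", "item": "record B"},
    {"slk": "ABCDE010120001", "item": "record C"},
]

if __name__ == "__main__":
    for key, person in linkable_rows(RELEASE, PEOPLE).items():
        print(key, "->", person[1], person[0])
```
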

As my colleague Darren Pauli previously wrote:

The amendments, as they currently stand, are so mind-bendingly out-of-touch they make your correspondent cry.

There appears no benefit to outlawing decryption research. It directly undermines the security of the online economy, the internet more broadly, and the processes of open source research which produced the very tried-and-tested encryption tools Vulture South would hope the Government will use to protect citizen data.

Our hopes were misplaced. ®
