
This article is more than 1 year old

Australia wants to jail infosec researchers for pointing out dodgy data

New law will make criminals of boffins who probe badly-anonymised data

Australia's proposed laws outlawing research into data de-anonymisation look set to proceed after a Senate Committee report landed yesterday complete with just one recommendation: that the bill be passed.

The Privacy Amendment (Re-identification Offence) Bill 2016 was proposed after researchers Dr Vanessa Teague, Dr Chris Culnane and Dr Benjamin Rubinstein warned that a supposedly-anonymised release of health insurance information to Australia's open data portal, data.gov.au, required trivial effort to associate with the individuals it described.

Upon learning of the researchers' efforts, attorney-general George Brandis immediately announced the government's intent to ban such research, unless authorised by his department. The intent of the ban, outlined in the bill's explanatory memorandum, is to safeguard the policy benefits of government data releases while hopefully deterring those who would use the data for ill.

But the language used in the bill does not explicitly protect researchers, instead requiring them to seek permission before probing data - an unusual requirement.

The proposed law is retrospective to the date of Brandis' response – 29 September 2016.

The government members of the Senate Committee – Ian Macdonald, David Fawcett and Linda Reynolds – are comfortable with that retrospectivity, as well as the bill's reverse burden of proof. The bill's reach into university research did not trouble them.

The dissenting report, by members of Australia's opposition Labor Party and the Australian Greens (Louise Pratt and Murray Watt of the ALP, Nick McKim of the Greens), points out flaws in the bill identified by various submissions.

These include:

  • The NSW Privacy Commissioner pointed out that the law doesn't demand that government agencies do an effective job of de-identifying data: “it places a disproportionately high onus on external recipients to be aware which released datasets are considered to have undergone a de-identification process”;
  • The bill discourages research; and
  • They don't see merit in the reversal of the onus of proof.

Vulture South asked Dr Teague for her response to the committee report. She replied by likening re-identification work to civil engineering: “If a bridge falls down, you wouldn't outlaw civil engineers inspecting other bridges, would you?” she asked.

“I think the government is confusing identifying a problem with exploiting a problem. Re-identification doesn't do harm, it indicates that there's a weakness that could be used to cause harm.”

Given the government's enthusiasm for data releases, she said everyone needs to understand “how to avoid publishing datasets with privacy weaknesses”, and if a data release exposes personal data, “how to deal with the harm that could be caused”.

“Cybersecurity problems are engineering problems. We can understand them if we think about maths. If there's a failure, we can respond to it, understand it, and try to avoid it.”

The bill will now be subject to horse-trading in Australia's Senate, where the government does not have a majority and therefore needs the support of independents and micro-parties who generally show little inclination to engage deeply with matters beyond their pet policies.

Thus we are governed. ®
