Showing posts with label privacy. Show all posts

Wednesday, 21 March 2018

The large-scale personal data release Facebook Inc didn't tell the world about

“Christopher Wylie, who worked for data firm Cambridge Analytica, reveals how personal information was taken without authorisation in early 2014 to build a system that could profile individual US voters in order to target them with personalised political advertisements. At the time the company was owned by the hedge fund billionaire Robert Mercer, and headed at the time by Donald Trump’s key adviser, Steve Bannon. Its CEO is Alexander Nix”  [The Guardian,18 March 2018]

Alexander James Ashburner Nix is listed by Companies House UK as the sole director and CEO of Cambridge Analytica (UK) Limited (formerly SCL USA Limited, incorporated 6 January 2015). The majority of shares in the company are controlled by SCL Elections Limited (incorporated 17 October 2012), whose sole director and shareholder appears to be Alexander Nix. Mr. Nix in his own name is also a shareholder in Cambridge Analytica (UK) Limited.

Companies House lists ten companies with which Mr. Nix is associated.

NOTE: In July 2014 an Alastair Carmichael Macwillson incorporated Cambridge Analytica Limited, a company which is still active. Macwillson styles himself as a management consultant and cyber security professional.

Nix's Cambridge Analytica was reportedly indirectly financed by leading Republican donor Robert Mercer during the 2015 primaries and 2016 US presidential campaign.

On 15 December 2017 The Wall Street Journal reported that:

Special Counsel Robert Mueller has requested that Cambridge Analytica, a data firm that worked for President Donald Trump’s campaign, turn over documents as part of its investigation into Russian interference in the 2016 U.S. election, according to people familiar with the matter.

Concerns about Cambridge Analytica and its relationship with Facebook Inc. resurfaced this month.

The Guardian, 18 March 2018:

The data analytics firm that worked with Donald Trump’s election team and the winning Brexit campaign harvested millions of Facebook profiles of US voters, in one of the tech giant’s biggest ever data breaches, and used them to build a powerful software program to predict and influence choices at the ballot box….

Documents seen by the Observer, and confirmed by a Facebook statement, show that by late 2015 the company had found out that information had been harvested on an unprecedented scale. However, at the time it failed to alert users and took only limited steps to recover and secure the private information of more than 50 million individuals.

Recode, 17 March 2018:

Facebook is in another awkward situation. The company claims that it wasn’t breached, and that while it has suspended Cambridge Analytica from its service, the social giant is not at fault. Facebook contends that its technology worked exactly how Facebook built it to work, but that bad actors, like Cambridge Analytica, violated the company’s terms of service.

On the other hand, Facebook has since changed those terms of service to cut down on information third parties can collect, essentially admitting that its prior terms weren’t very good.

So how did Cambridge Analytica get Facebook data on some 50 million people?

Facebook’s Chief Security Officer, Alex Stamos, tweeted a lengthy defense of the company, which also included a helpful explanation for how this came about…..

Facebook offers a number of technology tools for software developers, and one of the most popular is Facebook Login, which lets people simply log in to a website or app using their Facebook account instead of creating new credentials. People use it because it’s easy — usually one or two taps — and eliminates the need for people to remember a bunch of unique username and password combinations.

When people use Facebook Login, though, they grant the app’s developer a range of information from their Facebook profile — things like their name, location, email or friends list. This is what happened in 2015, when a Cambridge University professor named Dr. Aleksandr Kogan created an app called “thisisyourdigitallife” that utilized Facebook’s login feature. Some 270,000 people used Facebook Login to create accounts, and thus opted in to share personal profile data with Kogan.

Back in 2015, though, Facebook also allowed developers to collect some information on the friend networks of people who used Facebook Login. That means that while a single user may have agreed to hand over their data, developers could also access some data about their friends. This was not a secret — Facebook says it was documented in their terms of service — but it has since been updated so that this is no longer possible, at least not at the same level of detail.

Through those 270,000 people who opted in, Kogan was able to get access to data from some 50 million Facebook users, according to the Times. That data trove could have included information about people’s locations and interests, and more granular stuff like photos, status updates and check-ins.

The Times found that Cambridge Analytica’s data for “roughly 30 million [people] contained enough information, including places of residence, that the company could match users to other records and build psychographic profiles.”

This all happened just as Facebook intended for it to happen. All of this data collection followed the company’s rules and guidelines.

Things became problematic when Kogan shared this data with Cambridge Analytica. Facebook contends this is against the company’s terms of service. According to those rules, developers are not allowed to “transfer any data that you receive from us (including anonymous, aggregate, or derived data) to any ad network, data broker or other advertising or monetization-related service.”

As Stamos tweeted out Saturday (before later deleting the tweet): “Kogan did not break into any systems, bypass any technical controls, or use a flaw in our software to gather more data than allowed. He did, however, misuse that data after he gathered it, but that does not retroactively make it a ‘breach.’”….

The problem here is that Facebook gives a lot of trust to the developers who use its software features. The company’s terms of service are an agreement in the same way any user agrees to use Facebook: The rules represent a contract that Facebook can use to punish someone, but not until after that someone has already broken the rules.

CNN tech, 19 March 2018:

Kogan's company provided data on millions of Americans to Cambridge Analytica beginning in 2014. The data was gathered through a personality test Facebook application built by Kogan. When Facebook users took the test they gave Kogan access to their data, including demographic information about them like names, locations, ages and genders, as well as their page "likes," and some of their Facebook friends' data.

There is some evidence that Cambridge Analytica is a bad actor according to a report by 4News on 19 March 2018:

Senior executives at Cambridge Analytica – the data company that credits itself with Donald Trump’s presidential victory – have been secretly filmed saying they could entrap politicians in compromising situations with bribes and Ukrainian sex workers.

In an undercover investigation by Channel 4 News, the company’s chief executive Alexander Nix said the British firm secretly campaigns in elections across the world. This includes operating through a web of shadowy front companies, or by using sub-contractors.

In one exchange, when asked about digging up material on political opponents, Mr Nix said they could “send some girls around to the candidate’s house”, adding that Ukrainian girls “are very beautiful, I find that works very well”.

In another he said: “We’ll offer a large amount of money to the candidate, to finance his campaign in exchange for land for instance, we’ll have the whole thing recorded, we’ll blank out the face of our guy and we post it on the Internet.”

Offering bribes to public officials is an offence under both the UK Bribery Act and the US Foreign Corrupt Practices Act. Cambridge Analytica operates in the UK and is registered in the United States.

The admissions were filmed at a series of meetings at London hotels over four months, between November 2017 and January 2018. An undercover reporter for Channel 4 News posed as a fixer for a wealthy client hoping to get candidates elected in Sri Lanka.

Mr Nix told our reporter: “…we’re used to operating through different vehicles, in the shadows, and I look forward to building a very long-term and secretive relationship with you.”

Along with Mr Nix, the meetings also included Mark Turnbull, the managing director of CA Political Global, and the company’s chief data officer, Dr Alex Tayler.

Mr Turnbull described how, having obtained damaging material on opponents, Cambridge Analytica can discreetly push it onto social media and the internet.

He said: “… we just put information into the bloodstream of the internet, and then, and then watch it grow, give it a little push every now and again… like a remote control. It has to happen without anyone thinking, ‘that’s propaganda’, because the moment you think ‘that’s propaganda’, the next question is, ‘who’s put that out?’.”

It should be noted that Cambridge Analytica has set up shop in Australia and the person named in the filing documents as the only shareholder was Allan Lorraine. Cambridge Analytica is said to have met with representatives of the Federal Liberal Party in March 2017.

Despite denials to the contrary, it is possible that Cambridge Analytica has been consulted by state and federal Liberals since mid-2015 and, along with i360, was consulted by South Australian Liberals concerning targeted campaigning in relation to their 2018 election strategy.

Once the possibility of an Australian connection became known, the Australian Information and Privacy Commissioner made preliminary inquiries. 20 March 2018:

Facebook could be fined if Australians' personal information was given to controversial researchers Cambridge Analytica, the privacy watchdog says.

Australian Information and Privacy Commissioner Timothy Pilgrim says he is aware profile information was taken and used without authorisation.

"My office is making inquiries with Facebook to ascertain whether any personal information of Australians was involved," Mr Pilgrim said on Tuesday.

"I will consider Facebook's response and whether any further regulatory action is required."

Cambridge Analytica is facing claims it used data from 50 million Facebook users to develop controversial political campaigns for Donald Trump and others.

The Privacy Act allows the commissioner to apply to the courts for a civil penalty order if it finds serious breaches of the law......

UK Information Commissioner Elizabeth Denham is also investigating the breach, promising it will be "far reaching" and any criminal or civil enforcement actions arising from it would be "pursued vigorously".

The 'new' business model in politics

"It's no good fighting an election campaign on the facts because actually it's all about emotion."

Proof that a business model of election campaigning has come off the pages of a Hollywood screenplay and out onto the streets of everyday Australia (video at 5:54).

Wednesday, 7 March 2018

When it comes to human rights and civil liberties is it ever safe to trust the junkyard dog or its political masters?

On 18 July 2017, Prime Minister Malcolm Bligh Turnbull announced the establishment of a Home Affairs portfolio that would comprise immigration, border protection, domestic security and law enforcement agencies, as well as reforms to the Attorney-General’s oversight of Australia’s intelligence community and agencies in the Home Affairs portfolio.

On 7 December 2017, the Prime Minister introduced the Home Affairs and Integrity Agencies Legislation Amendment Bill 2017 into the House of Representatives.

This bill amends the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, the Independent National Security Legislation Monitor Act 2010, the Inspector-General of Intelligence and Security Act 1986 and the Intelligence Services Act 2001.

The bill was referred to Parliamentary Joint Committee on Intelligence and Security which tabled its report and recommendations on 26 February 2018.

This new government department on steroids will be headed by millionaire former Queensland Police detective and far-right Liberal MP for Dickson, Peter Craig Dutton.

His 'front man' selling this change is Abbott protégé, former Secretary of the Department of Immigration and Border Protection and current Secretary of the new Department of Home Affairs, Michael Pezzullo.

The question every Australian needs to ask themselves is: can this current federal government, the ministers responsible for and the department heads managing this extremely powerful department, be trusted not to dismantle a raft of human and civil rights during the full departmental implementation?

It looks suspiciously as though former Australian attorney-general George Brandis does not think so - he is said to fear political overreach.

The Saturday Paper, 3-9 March 2018:

On Friday last week, former attorney-general George Brandis went to see Michael Pezzullo, the secretary of the new Department of Home Affairs.

The meeting was a scheduled consultation ahead of Brandis’s departure for London to take up his post as Australia’s new high commissioner. It was cordial, even friendly. But what the soon-to-be diplomat Brandis did not tell Pezzullo during the pre-posting briefing was that he had singled him out in a private farewell speech he had given to the Australian Security Intelligence Organisation on the eve of his retirement from parliament two weeks earlier.

As revealed in The Saturday Paper last week, the then senator Brandis used the ASIO speech to raise concerns about the power and scope of the new department and the ambitions of its secretary. Brandis effectively endorsed the private concerns of some within ASIO that the new security structure could expose the domestic spy agency to ministerial or bureaucratic pressure.

In a regular Senate estimates committee hearing this week, Pezzullo described his meeting with Brandis – on the day before The Saturday Paper article appeared – as Opposition senators asked him for assurances that ASIO would retain its statutory independence once it moves from the attorney-general’s portfolio to become part of Home Affairs.

“I had a very good discussion on Friday,” Pezzullo told the committee, of his meeting with Brandis.

“He’s seeking instructions and guidance on performing the role of high commissioner. None of those issues came up, so I find that of interest. If he has concerns, I’m sure that he would himself raise those publicly.”

Labor senator Murray Watt pressed: “So he raised them with ASIO but not with you?”

“I don’t know what he raised with ASIO,” Pezzullo responded. “… You should ask the former attorney-general if he’s willing to state any of those concerns … He’s a high commissioner now, so he may not choose to edify your question with a response, but that’s a matter for him. As I said, he didn’t raise any of those concerns with me when we met on Friday.”

The Saturday Paper contacted George Brandis but he had no comment.


Watt asked Pezzullo for assurance there would be no change to the longstanding provisions in the ASIO Act that kept the agency under its director-general’s control and not subject to instruction from the departmental secretary. The minister representing Home Affairs in the Senate, Communications Minister Mitch Fifield, said: “It is not proposed that there be a change to that effect.”

The new Department of Home Affairs takes in Immigration and Border Protection, the Australian Federal Police, the Australian Criminal Intelligence Commission, the Australian Transaction Reports and Analysis Centre, known as AUSTRAC, and ASIO.
ASIO does not move until legislation is passed to authorise the shift, and will retain its status as a statutory agency.

Pezzullo addressed the fears of those questioning his department’s reach. He said some commentary mischaracterised the arrangements as “being either a layer of overly bureaucratic oversight of otherwise well-functioning operational arrangements or, worse, a sinister concentration of executive power that will not be able to be supervised and checked”.

“Both of these criticisms are completely wrong,” he said.

Pezzullo had already described his plans, both to the committee and in a speech he made in October last year, in which he spoke of exploiting the in-built capabilities in digital technology to expand Australia’s capacity to detect criminal and terrorist activity in daily life online and on the so-called “dark web”.

But the language he used, referring to embedding “the state” invisibly in global networks “increasingly at super scale and at very high volumes”, left his audiences uncertain about exactly what he meant.

Watt asked if there would be increased surveillance of the Australian people. “Any surveillance of citizens is always strictly done in accordance with the laws passed by this parliament,” Pezzullo replied.

In his February 7 speech to ASIO, George Brandis described Pezzullo’s October remarks as an “urtext”, or blueprint, for a manifesto that would rewrite how Australia’s security apparatus operates.

Pezzullo hit back on Monday. “Any suggestion that we in the portfolio are somehow embarked on the secret deconstruction of the supervisory controls which envelop and check executive power are nothing more than flights of conspiratorial fancy that read into all relevant utterances the master blueprint of a new ideology of undemocratic surveillance and social control,” Pezzullo said.

As for day to day human resources, financial management and transparent accountable governance, media reports are not inspiring confidence in Messrs. Turnbull, Dutton and Pezzullo.

The Canberra Times, 2 March 2018:

Home Affairs head Mike Pezzullo was one of the first to front Senate estimates on Monday.

It's been up and running for only weeks, but his new department is part of one of the largest government portfolios.

Having brought several security agencies into its fold, and if legislation passes letting ASIO join, the Home Affairs portfolio will be home to 23,000 public servants.

Mr Pezzullo was also quizzed on the investigation into Roman Quaedvlieg, the head of the Australian Border Force who has been on leave since May last year, following claims he helped his girlfriend - an ABF staff member - get a job at Sydney Airport.

It was revealed the Prime Minister's department has had a corruption watchdog's report into abuse of power allegations for at least five months while Mr Quaedvlieg has been on full pay earning hundreds of thousands of dollars.

Monday, 12 February 2018

AUSTRALIA CARD MARK II: no national digital ID number will mean no access to any Australian federal government services

“When signing up to the platform for the first time, users will be asked to provide their name, email address, and phone number, and verify their details via email or SMS. They will then be asked to provide information from three identity documents, which goes through the exchange to the identity provider for verification. The exchange receives encrypted details back which it passes on to the government service the user wants to reach, which then grants the user access.”  [IT News, 20 March 2015]

IT News, 8 February 2018:

The Department of Human Services looks set to become the federal government's exclusive manager of digital identities after being selected to build the identity provider solution that will be used for the Govpass platform.

The Govpass framework is a decentralised identity model that allows individuals to choose their identity provider - an organisation that issues identity documents, like Australia Post or the ATO - and access a range of public and private sector services through a single digital identity credential.

There is no limit on the number of identity providers outside of the Commonwealth that can be accredited for Govpass; Australia Post has already indicated it will seek to become the first non-government identity provider, using its Digital iD platform.
Several state and territory government agencies and private sector entities are also expected to become identity providers over time.

However, the federal government last year made the decision that only one identity provider would operate for the entire Commonwealth.

The Digital Transformation Agency revealed the decision following meetings with existing Commonwealth identity service providers, DHS and the ATO. Its rationale for the move was to focus security efforts in one place and avoid complex administrative structures.

iTnews revealed in October that the DTA was yet to make up its mind up on which of the two agencies would serve as the federal government’s sole identity provider for GovPass, even as testing of the new platform was taking place with the ATO’s new online tax file number application service.

Instead the DTA said it was working closely with the ATO and DHS on the “next steps” for the platform.

But in response to questions on notice from recent estimates hearings, DHS revealed it had been instructed to develop the federal government’s single identity provider platform, to be known as myGov IdP.

“The department was commissioned by the DTA to build the identity provider (IdP) for the whole-of-government,” it said.

“The myGov IdP will enable citizens to verify their identity online and use it to apply for government services.”

iTnews has made several attempts to clarify the statements with the DTA and DHS, but both refused to comment on the build and DHS’ apparent position as the single government identity provider.

The ATO similarly redirected questions about its involvement with Govpass, including whether it had also been asked by the DTA to build an identity provider solution, to the DTA.

Selecting DHS as the sole government identity provider would be an obvious choice for the DTA - the agency is the government’s current defacto whole-of-gov identity provider through the myGov digital services platform.

A private beta release of myGov IdP is currently planned for later this month.

Identity providers on Govpass will use the DTA-built identity exchange – and in turn the document verification service (DVS) and facial verification service (FVS) – to verify an individual’s credentials without revealing their identity to service providers.

Note: The Face Identification Service (FIS) is a one-to-many, image-based identification service that can match a photo of an unknown person against multiple government records to help establish their identity. FIS is also available to police, security services, the Dept. of Immigration and the Dept. of Foreign Affairs. [Australian Attorney-General's Department, October 2017]
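The iTnews excerpt describes an identity exchange sitting between identity providers and the services people log in to, verifying credentials "without revealing their identity to service providers". The script below is an added illustration of how such a brokered (double-blind) exchange is normally built, written for this page and not taken from the page, the DTA or any Govpass component: the identity provider signs an assertion that names no service, the exchange verifies it, rejects replays, and releases to the service only the attributes it asked for together with a per-service pseudonym. The party names, keys, message layout and pseudonym construction are assumptions for illustration only.

```python
"""Brokered identity exchange of the kind the Govpass excerpt describes: the
identity provider (IdP) vouches for the person, the exchange releases only the
attributes a service needs, and the service provider (SP) receives a pairwise
pseudonym rather than the IdP's identifier. The IdP is not told which service
was used, and two services cannot link their users to each other.

Added example, not code from the page, the DTA or any Govpass component; party
names, key handling, message layout and pseudonym construction are assumptions.
"""
import hashlib
import hmac
import json
import secrets


class IdentityProvider:
    def __init__(self, name, mac_key):
        self.name = name
        self._mac_key = mac_key   # assumed: shared only with the exchange
        self._verified = {}       # subject id -> attributes checked at enrolment

    def enrol(self, subject_id, attrs):
        self._verified[subject_id] = attrs

    def assert_identity(self, subject_id, nonce):
        """MAC-protected assertion for the exchange. It names no service
        provider, so the IdP learns nothing about where the login is used."""
        body = {"idp": self.name, "sub": subject_id,
                "attrs": self._verified[subject_id], "nonce": nonce}
        payload = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self._mac_key, payload, hashlib.sha256).hexdigest()
        return payload, tag


class IdentityExchange:
    def __init__(self, idp_keys, pairwise_secret):
        self._idp_keys = idp_keys          # IdP name -> its MAC key
        self._secret = pairwise_secret     # pseudonym key, shared with nobody
        self._used_nonces = set()

    def new_nonce(self):
        return secrets.token_hex(16)

    def broker(self, payload, tag, sp_name, requested_attrs):
        """Verify the assertion, then give sp_name a pairwise pseudonym and
        only the attributes it is entitled to; reject tampering and replay."""
        body = json.loads(payload)
        expected = hmac.new(self._idp_keys[body["idp"]], payload,
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("assertion MAC invalid")
        if body["nonce"] in self._used_nonces:
            raise ValueError("assertion replayed")
        self._used_nonces.add(body["nonce"])
        pair = f"{body['idp']}|{body['sub']}|{sp_name}".encode()
        pseudonym = hmac.new(self._secret, pair, hashlib.sha256).hexdigest()[:32]
        released = {k: v for k, v in body["attrs"].items() if k in requested_attrs}
        return {"pseudonym": pseudonym, "attrs": released}


def run_demo():
    """One person, one IdP, two services; returns the SP-facing responses."""
    idp_key = secrets.token_bytes(32)
    idp = IdentityProvider("ExampleIdP", idp_key)    # illustrative name
    exchange = IdentityExchange({idp.name: idp_key}, secrets.token_bytes(32))
    idp.enrol("cust-000917", {"name": "A. Citizen", "dob": "1980-01-01",   # constructed record
                              "address": "1 Example St", "email": "a@example.invalid"})
    results = {}
    for sp_name, needed in [("ServiceA", {"name", "dob"}),
                            ("ServiceB", {"name"}),
                            ("ServiceA", {"name", "dob"})]:   # second visit to ServiceA
        payload, tag = idp.assert_identity("cust-000917", exchange.new_nonce())
        key = sp_name if sp_name not in results else sp_name + "_again"
        results[key] = exchange.broker(payload, tag, sp_name, needed)
    return results


def replay_is_rejected():
    """Re-presenting a consumed assertion must fail at the exchange."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider("ExampleIdP", key)
    exchange = IdentityExchange({"ExampleIdP": key}, secrets.token_bytes(32))
    idp.enrol("s1", {"name": "x"})
    payload, tag = idp.assert_identity("s1", exchange.new_nonce())
    exchange.broker(payload, tag, "ServiceA", {"name"})
    try:
        exchange.broker(payload, tag, "ServiceA", {"name"})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2), replay_is_rejected())
```

The property worth checking is in the pseudonym: the same person visiting ServiceA twice gets the same pseudonym (so the service can keep an account), but ServiceA and ServiceB get different ones and neither sees the IdP's customer number. Whether the real exchange keeps the pairwise key entirely to itself, as assumed here, is exactly the design detail that decides whether the system is "decentralised" in the privacy sense or merely in the administrative one.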

Wednesday, 17 January 2018

Things you should know if you are logging on to a website using your Facebook account

Facebook for developers

The Daily Telegraph, 5 January 2018:

Ian Cox of said: “If you’ve ever pressed ‘Login with Facebook’ on a website, you’re giving Facebook permission to share sensitive data with the site you are visiting.

“This includes, for example, your personal email address, where you live, where you work, details about your relationship, places you have recently been and who you’re friends with.

“In today’s digital age, people are sharing just about everything on social media sites like Facebook. But most are unaware of just how much can be seen by brands, businesses and, in some cases, criminals.

“The best way to stay protected online is to only share what you would be happy with the whole world seeing.

“As tempting as it may be to rejoice about the fact that the whole family is going on a weekend away, keep in mind that you may be inadvertently letting criminals know that your house is empty during this time.”


* Your public profile (name, age, gender, location, profile picture, timezone)
* All your likes
* Your friends
* Where you are now
* Your email address
* Your photos
* Your “about me” section
* All your posts
* Your birthday
* Your relationship details
* Your education history
* Your religion/politics
* Events you’ve been to
* Your work history
* Where you are from
* Your phone number
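The mechanism behind both this post's list and the Recode explanation in the 21 March post is the set of permissions ("scopes") an app requests in its Login consent URL: the person clicking through grants data about themselves, and under the older Graph API permissions also data about friends who never used the app. The script below is an added example written for this page, not code from the page, from Facebook or from any app the page names; it pulls the scopes out of a consent URL and flags the ones that reach beyond the consenting user. The permission names are the ones Facebook documented for the Graph API v1.0 Login dialog (the friends_* family was withdrawn from v2.0 onward), but exact availability varied by API version, so treat the sets as assumptions; the URLs, client_id and redirect_uri values are constructed.

```python
"""Audit what a "Login with Facebook" consent URL asks for, and flag the scopes
that reach people who never used the app.

Added example, not code from the page, from Facebook, or from any app the page
names. The permission names are the ones Facebook documented for the Graph API
v1.0 Login dialog (the friends_* family was withdrawn from v2.0 onward); exact
availability varied by API version, so treat the sets as assumptions. The URLs,
client_id and redirect_uri values are constructed for illustration.
"""
from urllib.parse import parse_qs, urlparse

# Scopes that expose only the consenting user's own data.
SELF_ONLY = {
    "public_profile", "email", "user_about_me", "user_birthday",
    "user_education_history", "user_events", "user_likes", "user_location",
    "user_photos", "user_relationships", "user_religion_politics",
    "user_status", "user_work_history", "read_stream",
}
# Scopes that return data about the user's friends, who consented to nothing.
FRIEND_LIST = {"user_friends"}            # the friend list itself
FRIEND_DATA_PREFIXES = ("friends_",)      # v1.0-era friends_likes, friends_photos, ...


def parse_scopes(auth_url):
    """Scope list from an OAuth authorize URL. Facebook separates scopes with
    commas, RFC 6749 with spaces; accept both."""
    query = parse_qs(urlparse(auth_url).query)
    raw = query.get("scope", [""])[0]
    return [s for s in raw.replace(",", " ").split() if s]


def classify_scopes(scopes):
    """Bucket scopes by whose data they expose."""
    report = {"self": [], "friend_list": [], "friends_data": [], "unknown": []}
    for scope in scopes:
        if scope in SELF_ONLY:
            report["self"].append(scope)
        elif scope in FRIEND_LIST:
            report["friend_list"].append(scope)
        elif scope.startswith(FRIEND_DATA_PREFIXES):
            report["friends_data"].append(scope)
        else:
            report["unknown"].append(scope)   # review by hand before approving
    return report


def reaches_non_consenting_users(auth_url):
    """True when approving this request hands the developer data about people
    other than the person who clicked through: the gap between 270,000
    consenting users and 50 million profiles in the page's account."""
    report = classify_scopes(parse_scopes(auth_url))
    return bool(report["friends_data"] or report["friend_list"])


# Constructed consent URLs (client_id and redirect_uri are placeholders).
V1_STYLE_URL = (
    "https://www.facebook.com/dialog/oauth?client_id=123456789012345"
    "&redirect_uri=https%3A%2F%2Fquiz.example%2Fcb&response_type=code"
    "&scope=public_profile,email,user_likes,user_friends,"
    "friends_likes,friends_birthday,friends_location"
)
V2_STYLE_URL = (
    "https://www.facebook.com/v2.0/dialog/oauth?client_id=123456789012345"
    "&redirect_uri=https%3A%2F%2Fquiz.example%2Fcb&response_type=code"
    "&scope=public_profile,email"
)

if __name__ == "__main__":
    for url in (V1_STYLE_URL, V2_STYLE_URL):
        print(classify_scopes(parse_scopes(url)),
              "third-party exposure:", reaches_non_consenting_users(url))
```

The same parser works on any OAuth 2.0 authorize URL, so it can be pointed at an enterprise application allow-list as well: the question to ask of every "unknown" scope is the one the page raises, namely whether it returns data about someone who is not the person consenting.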

Thursday, 11 January 2018

NSW Auditor-General not impressed by government agencies cyber security risk management

“Specific financial reporting, controls and service delivery comments are included in the individual 2017 cluster financial audit reports tabled in Parliament from October to December 2017.” [NSW Auditor-General, Report on Internal Controls and Governance 2017, December 2017]

On 20 December 2017 the NSW Auditor-General released the Report on Internal Controls and Governance 2017.

The Sydney Morning Herald reported on 28 December 2017:

Two-thirds of NSW government agencies are failing to properly safeguard their data, increasing the risk of improper access to confidential information about members of the public and identity fraud by cyber criminals.

The finding has emerged from an audit of dozens of government agencies, including those holding highly sensitive personal information collected from millions of citizens, such as NSW Health, the department of education, NSW Police Force, Roads and Maritime Services and the justice department.

While the report by auditor-general Margaret Crawford does not name the agencies failing to properly manage privileged access to their systems, it highlights the potential consequences.

"Personal information collected by public sector agencies about members of the public is of high value to cyber criminals, as it can be used to create false identities to commit other crimes," she says in the report.

"Despite these risks, we found that one agency had 37 privileged user accounts, including 33 that were dormant. The agency had no formal process to create, modify or deactivate privileged users."

Overall, Ms Crawford's report found 68 per cent of NSW government agencies "do not adequately manage privileged access to their systems".

In addition, she said, the audit determined that 61 per cent of agencies "do not regularly monitor the account activity of privileged users".

"This places those agencies at greater risk of not detecting compromised systems, data breaches and misuse," the report said.

The audit found 31 per cent of agencies "do not limit or restrict privileged access to appropriate personnel". Of those, just one-third monitor the account activity of privileged users.

It found that almost one-third of agencies breach their own security policies on user access.

The report warns that if agencies fail to implement proper controls "they may also breach NSW laws and policies and the international standards that they reference".

Read the full article here.
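The two findings quoted above, dormant privileged accounts with no lifecycle process and privileged activity nobody reviews, are the kind of thing a few lines over a directory export will surface. The script below is an added example written for this page, not code from the page or from the Audit Office of NSW: it takes a constructed account export and an approved register, and reports privileged accounts that are dormant or held by someone not on the register. The group names, the 90-day threshold, the register and every account in it are assumptions made up for illustration.

```python
"""Checks for the privileged-access findings in the NSW Auditor-General's
report: accounts with admin rights that are dormant, and privileged holders
who are not on the approved register.

Added example, not code from the page or from the Audit Office of NSW. The
account list, the approved register, the privileged group names and the
90-day dormancy threshold are constructed assumptions for illustration.
"""
from datetime import date, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "DB_SYSADMIN", "sudo"}
DORMANT_AFTER = timedelta(days=90)                         # assumed review threshold
APPROVED_PRIVILEGED = {"j.smith", "m.lee", "svc-backup"}   # constructed register
AS_AT = date(2017, 12, 1)

# Constructed directory export: who holds what, and when they last logged in.
ACCOUNTS = [
    {"user": "j.smith",     "groups": ["Domain Admins"],     "enabled": True,  "last_login": "2017-11-28"},
    {"user": "m.lee",       "groups": ["DB_SYSADMIN"],       "enabled": True,  "last_login": "2017-12-01"},
    {"user": "svc-backup",  "groups": ["Domain Admins"],     "enabled": True,  "last_login": "2017-11-30"},
    {"user": "contractor7", "groups": ["Domain Admins"],     "enabled": True,  "last_login": "2016-03-14"},
    {"user": "old-admin",   "groups": ["Enterprise Admins"], "enabled": True,  "last_login": None},
    {"user": "p.jones",     "groups": ["Staff"],             "enabled": True,  "last_login": "2017-11-29"},
    {"user": "t.nguyen",    "groups": ["sudo", "Staff"],     "enabled": False, "last_login": "2017-01-02"},
]


def is_privileged(account):
    return bool(set(account["groups"]) & PRIVILEGED_GROUPS)


def privileged_accounts(accounts=ACCOUNTS):
    return [a["user"] for a in accounts if is_privileged(a)]


def dormant_privileged(accounts=ACCOUNTS, as_at=AS_AT, threshold=DORMANT_AFTER):
    """Enabled privileged accounts never used, or unused for longer than threshold."""
    dormant = []
    for a in accounts:
        if not (is_privileged(a) and a["enabled"]):
            continue
        last = a["last_login"]
        if last is None or as_at - date.fromisoformat(last) > threshold:
            dormant.append(a["user"])
    return dormant


def unapproved_privileged(accounts=ACCOUNTS, register=APPROVED_PRIVILEGED):
    """Privileged holders (enabled or not) absent from the approved register."""
    return [a["user"] for a in accounts if is_privileged(a) and a["user"] not in register]


def summarise(accounts=ACCOUNTS, as_at=AS_AT):
    """Counts in the form the audit report uses ("37 privileged ... 33 dormant")."""
    return {
        "privileged": len(privileged_accounts(accounts)),
        "dormant": len(dormant_privileged(accounts, as_at)),
        "unapproved": len(unapproved_privileged(accounts)),
    }


if __name__ == "__main__":
    print(summarise(), dormant_privileged(), unapproved_privileged())
```

Disabled accounts are deliberately excluded from the dormancy check but kept in the register check: a disabled account that still sits in an admin group is one re-enable away from being a live privileged account, which is why group membership, not just login state, is what the register should be reconciled against.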

List of NSW Government Agencies Examined by NSW Auditor-General
Department of Education
Family and Community Services
Department of Family and Community Services
New South Wales Land and Housing Corporation
Finance, Services and Innovation
Department of Finance, Services and Innovation * Specifically identified in report
Place Management NSW
Property NSW
Service NSW
NSW Health
Department of Industry
Destination NSW
Forestry Corporation of New South Wales
Office of Sport
TAFE Commission
Water NSW
Department of Justice
Fire and Rescue NSW
Legal Aid Commission of New South Wales
NSW Police Force
Office of the NSW Rural Fire Service
Planning and Environment
Department of Planning and Environment
Essential Energy
Hunter Water Corporation
Office of Environment and Heritage
Office of Local Government
Sydney Water Corporation
Premier and Cabinet
Department of Premier and Cabinet
NSW Trains
Rail Corporation New South Wales
Roads and Maritime Services
Sydney Trains
Transport for NSW
WCX M4 PTY Limited
WCX M5 PTY Limited
Crown Finance Entity
Insurance and Care NSW
Lifetime Care and Support Authority
NSW Treasury Corporation
NSW Self Insurance Corporation

Some deficiencies were common across agencies

The most common internal control deficiencies were poor or absent IT controls related to:

user access management
password management
privileged access management
user acceptance testing.

The most common governance deficiencies related to:

management of cyber security risks
capital project governance
management of shared service arrangements
conflicts-of-interest management
gifts-and-benefits management
risk management maturity
ethical behaviour policies and statements.