Showing posts with label privacy. Show all posts

Tuesday 19 December 2017

Turnbull Government's data retention privacy blunder just rolls on and on...


“If data can be re-identified with no more than SQL, there's no "if" about a leak, and the "when" is history.” [Journalist Richard Chirgwin, Twitter 18 December 2017]

“But why are medical records so attractive? Well, it turns out that there’s a metaphorical holiday feast of enticing data served up in your average health record. Family history, demographic data, insurance information, medications, etc. means there’s enough information to completely steal an individual’s identity and commit medication fraud, financial fraud, insurance fraud and a wide array of other crimes. When this very private, unchangeable information gets into the wrong hands, devastation can ensue.” [Robert Lord writing in Forbes, 15 December 2017]

First the Australian general public were told that patient data was well protected and data breaches wouldn't happen as a result of government's drive to collect, cross-match and retain as much information about each and every Australian citizen/permanent resident as possible.

Then when the inevitable day came where poor data security was laid bare - as the personal histories of 550,000 blood donors were placed on an insecure computer and accessed, as Medicare details began to be offered for sale on the Internet's dark web and Medicare itself became careless with its encryption - the public was told in the first instance that misuse was unlikely, in the second instance that personal medical information couldn't be accessed and, in the third instance where a billion-line encrypted data set was publicly released, that patients couldn't really be individually identified.

After that the Turnbull Government assured the population that it would create legislation which would make it illegal for anyone to de-encrypt anonymised data and create a Notifiable Data Breaches scheme.

We were all going to be safe once more in the arms of the Turnbull Government.

Now the cat is out of the bag, because that billion-line data set, 30 years' worth of personal health information about an est. 3 million people, just won't stay in the back of the ministerial cupboard where Greg Hunt shoved it.

[Fairfax journalist Ben Grubb, Twitter 18 December 2017]

The Sydney Morning Herald, 18 December 2017:

One in ten Australians' private health records have been unwittingly exposed by the Department of Health in an embarrassing blunder that includes potentially exposing if someone is on HIV medication, whether mothers have had terminations, or if mentally unwell people are seeing psychologists.

A report, published on Monday by Dr Chris Culnane, Dr Benjamin Rubinstein and Dr Vanessa Teague from the University of Melbourne's School of Computing and Information Systems, outlines how de-identified historical health data from the Australian Medicare Benefits Scheme (MBS) and the Pharmaceutical Benefits Scheme (PBS) released to the public in August 2016 can be re-identified using known information about the person to find their record.

The study reveals unique patient records matching the online public information of seven prominent Australians, including three (former or current) MPs and an AFL footballer. While a unique match may not always be accurate, Dr Rubinstein said there was the possibility to improve confidence by cross-referencing other data.

"Because only 10 per cent of Australians are included in the sample data, there can be a coincidental resemblance to someone who isn't included," he said.

"We can improve confidence by cross-referencing with a second dataset of population-wide billing frequencies. We can also examine uniqueness according to the characteristics of commercial datasets we know of, such as bank billing data."…….

Privacy analyst and Lockstep consultant Stephen Wilson said the breach damaged public confidence in health policy makers and data custodians.

"It's a huge breach of trust," he said.

"Promises of 'de-identification' and 'anonymisation' made by health officials, and ABS too in connection with census data releases, have been shown to be erroneous.

"The ability to re-identify patients from this sort of public release is frankly, in my view, catastrophic. Real dangers are posed to patients with socially difficult conditions.

"It beggars belief that any official would promise 'anonymity' any more. These promises cannot be kept."

Computer security researcher Troy Hunt said re-identification of anonymised records was attractive to researchers and nefarious parties alike.

"In this case, clearly more work needs to be done to protect individuals' identities," he said. "My hope is that the government embraces responsible research like this and strives to improve confidentiality rather than penalise those seeking to report deficiencies such as this."

The federal Department of Health was notified about the issue in December last year.

"The Department of Health takes this matter very seriously and had already referred this to the Privacy Commissioner," a Department of Health spokesperson told Fairfax Media......

Meanwhile, the Office of the Australian Information Commissioner, which houses Australia's privacy commissioner, said it was investigating the publication of the datasets.

"The investigation was opened under section 40(2) of the Australian Privacy Act 1988 (Privacy Act) in late September 2016 when the Department of Health notified the OAIC that the datasets were potentially vulnerable to re-identification," a spokesperson said.

"Given the investigation into the Medicare Benefits Scheme (MBS) and Pharmaceutical Benefits Scheme (PBS) datasets is ongoing, we are unable to comment on it further at this time.

However, the commissioner will make a public statement at the conclusion of the investigation."

The OAIC said it continued to work with Australian government agencies to enhance privacy protection in published datasets.....

Friday 17 November 2017

Oh dear, is the Turnbull Government asking chickens to visit the digital fox's den?


“The Turnbull Government has welcomed the eSafety Commissioner’s announcement today about the delivery of the pilot for a new national portal for reporting instances of non-consensual sharing of intimate images (colloquially known as image-based abuse or revenge pornography).” [Senator Mitch Fifield, media release, 15 October 2017]

Given the dubious reputation Facebook Inc has managed to garner in relation to business ethics, transparency, consumer privacy, e-safety, data mining and data breach history, one wonders what the Minister for Communications and Liberal Senator for Victoria Mitch Fifield was thinking.

Facebook Newsroom, 9 November 2017:

Image Pilot
By Antigone Davis, Global Head of Safety

We don’t want Facebook to be a place where people fear their intimate images will be shared without their consent. We’re constantly working to prevent this kind of abuse and keep this content out of our community. We recently announced a test that’s a little different from things we’ve tried in the past. Even though this is a small pilot, we want to be clear about how it works.

This past week, in partnership with the Australian eSafety Commissioner’s Office and an international working group of survivors, victim advocates and other experts, Facebook launched a limited pilot in Australia that will help prevent non-consensual intimate images from being posted and shared anywhere on Facebook, Messenger and Instagram. Specifically, Australians who fear their intimate image may be shared without their consent can work with the eSafety Commissioner to provide that image in a safe and secure way to Facebook so that we can help prevent it from being shared on our platforms.

To be clear, people can already report if their intimate images have been shared on our platform without their consent, and we will remove and hash them to help prevent further sharing on our platform. With this new small pilot, we want to test an emergency option for people to provide a photo proactively to Facebook, so it never gets shared in the first place. This program is completely voluntary. It’s a protective measure that can help prevent a much worse scenario where an image is shared more widely. We look forward to getting feedback and learning.

Here’s how it works:

* Australians can complete an online form on the eSafety Commissioner’s official website.

* To establish which image is of concern, people will be asked to send the image to themselves on Messenger.

* The eSafety Commissioner’s office notifies us of the submission (via their form). However, they do not have access to the actual image.

* Once we receive this notification, a specially trained representative from our Community Operations team reviews and hashes the image, which creates a human-unreadable, numerical fingerprint of it.

* We store the photo hash—not the photo—to prevent someone from uploading the photo in the future. If someone tries to upload the image to our platform, like all photos on Facebook, it is run through a database of these hashes and if it matches we do not allow it to be posted or shared.

* Once we hash the photo, we notify the person who submitted the report via the secure email they provided to the eSafety Commissioner’s office and ask them to delete the photo from the Messenger thread on their device. Once they delete the image from the thread, we will delete the image from our servers……..

Thursday 19 October 2017

So troubled multinational Serco's staff are going to answer phone calls made to Centrelink in a Turnbull Government pilot program?


Multinational Serco Group plc registered in England and Wales, with revenue in 2016 of an est. $5 billion and an underlying trading profit of est. $139 million, has made the news again.

One of its subsidiaries, SERCO CITIZEN SERVICES PTY LTD[1] ABN: 89 062 943 640, won this $53.75 million federal government contract commencing 7 September 2017:

CN ID: CN3460117
Agency: Department of Human Services
Publish Date: 11-Oct-2017
Category: Temporary personnel services
Contract Period: 7-Sep-2017 to 29-Oct-2019
Contract Value (AUD): $53,752,454.80
Description: Centrelink Call Centre Enhancements Initiative

On 11 October 2017 it was reported that the Minister for Human Services Alan Tudge stated this contract was for a pilot commencing in late October 2017 that would help reduce Centrelink call wait times.

An est. 250 Melbourne-based Serco staff will take calls about welfare payments in the three-year pilot program.


Of course Serco will comply, Minister.

Just as it has on every single contract in the past......

Stolen Laptop Exposes Personal Data on 207,000 Army Reservists. Serco held the data on reservists as part of its contract with the U.S. Army’s Family and Morale, Welfare and Recreation division. As a result, Dahms said, some of the data on the missing laptop may belong to dependents and spouses of U.S. Army reservists, 13 May 2010

Serco's paper trail raises accountability questions. Crikey has taken a closer look at the extent that Serco contracts outsources to other companies and can reveal that millions of dollars from the detention contract has ended up in some startling places, 1 November 2010

Serco employee suspected of Victoria Police breach. Man accused of adjusting 67,541 traffic infringement records, 15 April 2011


Serco operates and maintains a surprisingly large and diverse range of services in both the UK and Australia, as well as in several other countries. Its website lists some examples of the scale of its operations including: traffic management systems covering more than 17,500kms of roads worldwide, managing 192,000 square miles of airspace in five countries, managing education authorities on behalf of local governments, and providing defence support services worldwide.[2] Serco also manages a number of hospitals, prisons and detention centres, and is involved in a host of other services.[3]…..Focussing on the company Serco, there have been numerous reports of instances where its service provision has been sub-standard, high-cost, has eliminated diversity, or has lacked accountability. Putting this focus on Serco’s faults is not to say that it is any more prone to failures than other corporations in this area, or that it is always unsuccessful in its service provision. Rather, the point is to show clearly the dangers of privatisation, and why it must not be accepted as a universal good, 7 March 2012



Sources in the justice system blamed the foul-up on staffing issues at Serco. One said: "This sort of thing happens every week." The seven-year PECS deal has turned into a horror show for Serco. It faces allegations that it doctored transfer records to flatter its performance, with five Serco staff under investigation by the City of London police. That is not its only problem contract. There are separate claims that, along with rival outsourcer G4S, it overcharged taxpayers on a deal to put electronic tags on criminals, 17 October 2013

Private contractors Serco has agreed to repay £68.5million to the taxpayer after over-charging for tagging criminals. The firm was investigated by the Ministry of Justice over claims that together with rival company G4S it over-charged for tens of thousands of criminals, including those who had left the country, been returned to prison or even died, 19 December 2013

Outsourcing giant Serco is embroiled in a fresh misuse of public funds scandal after a company it set up overcharged NHS hospitals millions of pounds, 27 August 2014

Serco is failing, but is kept afloat thanks to Australia's refugee policy. It’s a sign of the times that a company like Serco, with murky financial statements masking its true economic shape, is continually rewarded for failure by new and larger contracts, 11 November 2014

Serco turned 'blind eye' to corruption in UK immigration jail, court hears, 26 February 2015

Serco has brought a culture of profiteering, bullying, intimidation and corruption to Mt Eden prison, a Whangarei barrister says. The comments come as controversy surrounds the private company that operates the prison, and with Corrections boss Ray Smith revealing a third incident at the facility has left him no choice but to seek legal advice in regards to the contract, 24 July 2015

On Monday, Serco was fined $NZ500,000 ($A328,750) and was prohibited from overseeing operations at the correctional facility while an internal investigation took place. The fine came after six disturbing videos — shot on a smartphone and smuggled inside the prison — surfaced on YouTube earlier this month. The videos showed prisoners participating in organised ‘fight clubs’ as large groups of fellow inmates watch on. Inmates were also seen blatantly smoking and drinking alcohol in the videos, which were captured without the knowledge of staff. However, the NZ prison officers union said bosses knew about the fight club for up to 18 months, but did nothing about it, 29 July 2015

A GUARD at the Wickham Point Detention Centre in Darwin has been fired after it was found he was trying to coerce female detainees into having sex with him. Serco, the company contracted to run Australia’s immigration facilities, said in a statement to the NT News that a detainee services officer from Wickham Point was dismissed in late May following two separate complaints from female detainees, 6 August 2015





Serco targets further cost cutting as it seeks to keep its profits on track. Serco boss Rupert Soames has said the company still has costs to cut before it is trading at full strength, as the firm enters the middle stage of its five-year turnaround plan. He said that there were plans to further reduce overheads and make Serco’s processes more efficient, as well as bringing down some of its IT costs. “We’ve still got a lot of costs that we have to get out of the business,” he said, 3 August 2017.



Footnotes

1. Serco provides care and welfare services, on behalf of the Department of Immigration and Border Protection, to people living in Australian onshore immigration centres whilst their visa status is resolved. Since 2009, more than 61,000 individuals have been in our care, representing more than 20 different cultural and linguistically diverse communities. Within the Australian justice system, Serco operates three prisons: the Southern Queensland Correctional Centre (Queensland) with 400 beds, Acacia Prison (Western Australia) with 1400 beds and the Wandoo Reintegration Facility (Western Australia) with 80 beds.

Wednesday 11 October 2017

Facebook Inc continues to test the world's patience when it comes to privacy issues and US patience in relation to taxation matters


Worldwide Facebook Inc is estimated to have 2.01 billion monthly active users, with est. 1.7 billion of these users living outside of the USA and Canada.

Australian users comprised 17 million of these account holders in August 2017 - 12 million logging in daily.

In pursuit of profit this social media company is a ruthless data miner – collecting and collating information about every available aspect of the lives of all holders of Facebook accounts.

A fact that makes this company’s users a target of US federal government mass surveillance.

Given that Facebook Inc created a holding company Facebook Ireland Ltd in the low-taxing Republic of Ireland and it is this company which appears to legally possess the data of those est. 1.7 billion users, it now finds itself before European Union courts.

Privacy activist @maxschrems, 3 October 2017:

Facebook operates its international business outside of the United States and Canada via a separate company in Ireland called “Facebook Ireland Ltd”. 85.9% of all worldwide Facebook users (everyone except USA and Canada) are managed in Dublin (Link), which is understood to be part of Facebook’s tax avoidance scheme.

Facebook currently sends all user data to its parent company, “Facebook Inc.” in the United States for processing. European law (Articles 25 and 26 of Directive 95/46/EC) requires that data can only be transferred outside of the EU if the personal data is “adequately protected”. This is in conflict with US mass surveillance laws, which “Facebook Inc.” in the USA is subject to.

Max Schrems: “In simple terms, US law requires Facebook to help the NSA with mass surveillance and EU law prohibits just that. As Facebook is subject to both jurisdictions, they got themselves in a legal dilemma that they cannot possibly solve in the long run.”

The Data Protection Commissioner in Ireland is investigating a complaint made by Max Schrems, an Austrian student with a Facebook account. This complaint relates to the transfer of his data by Facebook Ireland to Facebook Inc. in the United States for processing - an act which is alleged to violate European fundamental rights under Articles 7, 8 and 47 of the European Charter of Fundamental Rights.


The subsequent investigation by the Data Protection Commissioner has given rise to a High Court case in Ireland (3 October 2017 judgement). The Court has now referred the issue of the validity of the European Commission’s Standard Contractual Clause decisions to the Court of Justice of the European Union for a preliminary ruling.

History of the Case according to Max Schrems:
The case is based on a complaint, filed by Mr Schrems against Facebook in 2013:

* The case is based on a complaint [PDF] brought by Mr Schrems against Facebook Ireland Ltd. before the Irish Data Protection Commissioner (“DPC”) in 2013 (4 years ago).
* The DPC first refused to investigate the complaint, calling it “frivolous”, but Mr Schrems subsequently succeeded before the CJEU, which overturned the “Safe Harbor” (a EU-US data sharing system) in 2015 [case C-362/14] and ruled that the DPC must investigate the complaint.
* After the invalidation of “Safe Harbor”, Facebook used another legal tool to transfer data outside of the EU, called “Standard Contractual Clauses” (SCCs) [Facebook’s SCCs - PDF].
* SCCs are a contract between Facebook Ireland and Facebook USA, where Facebook USA pledges to follow EU privacy principles [official EU Info Page].
* The case subsequently continued with an updated complaint [PDF] in 2015. The Irish DPC joined Mr Schrems view that the SCCs cannot overcome fundamental problems under US surveillance laws, and specifically agreed that there is no proper legal redress in the United States in such cases. Other issues raised in Mr Schrems complaint have not been investigated yet.
* The DPC refused to use its power to suspend data flows of Facebook as asked by Mr Schrems.
* Instead of only prohibiting Facebook’s EU-US data transfers under Article 4 of the SCCs, the DPC took the unusual move of issuing proceedings against Facebook Ireland Ltd. and Mr Schrems before the Irish High Court. In the procedure the DPC aims to invalidate the SCCs entirely by referring the case to the European Court of Justice (CJEU) in Luxembourg.
* The case was heard for five weeks in February 2017. The United States Government was joined as an “amicus” to the case, along with two industry lobby groups and the US privacy non-profit “EPIC”.

Facebook Inc’s "Double Irish" tax avoidance scheme and other matters also saw it before a US court in 2016, having refused to comply with a number of IRS tax summons. The court case continues to date.

The IRS 2008-2010 audit of Facebook Inc resulted in an assessment of the intangible assets transferred in those years having a value of US $13.8 billion, increasing Facebook's 2010 income by US $84.9 million and causing an income tax deficiency for the parent company.

Excerpt from United States Securities And Exchange Commission filing by Facebook Inc for the quarterly period ended June 30, 2016:

We are subject to taxation in the United States and various other state and foreign jurisdictions. The material jurisdictions in which we are subject to potential examination include the United States and Ireland. We are under examination by the Internal Revenue Service (IRS) for our 2008 through 2013 tax years. Our 2014 and subsequent years remain open to examination by the IRS. Our 2011 and subsequent years remain open to examination in Ireland. We do not anticipate a significant impact to our gross unrecognized tax benefits within the next 12 months related to these years. On July 27, 2016, we received a Statutory Notice of Deficiency (Notice) from the IRS relating to transfer pricing with our foreign subsidiaries in conjunction with the examination of the 2010 tax year. While the Notice applies only to the 2010 tax year, the IRS states that it will also apply its position for tax years subsequent to 2010, which, if the IRS prevails in its position, could result in an additional federal tax liability of an estimated aggregate amount of approximately $3.0 - $5.0 billion, plus interest and any penalties asserted. We do not agree with the position of the IRS and will file a petition in the United States Tax Court challenging the Notice. If the IRS prevails in the assessment of additional tax due based on its position, the assessed tax, interest and penalties, if any, could have a material adverse impact on our financial position, results of operations or cash flows. [my yellow bolding]

Tuesday 10 October 2017

Trump administration seeking information on thousands of people who interacted with anti-Trump Facebook page


CNN Politics, 29 September 2017:

Washington (CNN) Trump administration lawyers are demanding the private account information of potentially thousands of Facebook users in three separate search warrants served on the social media giant, according to court documents obtained by CNN.

The warrants specifically target the accounts of three Facebook users who are described by their attorneys as "anti-administration activists who have spoken out at organized events, and who are generally very critical of this administration's policies."….

These warrants were first reported by LawNewz.com.

Facebook has not responded to a request for comment about whether it has, or plans to, comply with the search warrants.

The American Civil Liberties Union, representing the three Facebook users, filed a motion to quash the warrants Thursday.

"What is particularly chilling about these warrants is that anti-administration political activists are going to have their political associations and views scrutinized by the very administration they are protesting," said ACLU attorney Scott Michelman.

Facebook was initially served the warrants in February 2017 along with a gag order which barred the social media company from alerting the three users that the government was seeking their private information, Michelman said. However, Michelman says that government attorneys dropped the gag order in mid-September and agreed that Facebook could expose the existence of these warrants, which has prompted the latest court filings. Michelman, however, says all court filings associated with the search warrant, and any response from Facebook, remain under seal.

The Justice Department is not commenting on these search warrants, but government attorneys have issued a similar search warrant to the web provider DreamHost seeking wide-ranging information about visitors to the website disruptj20.org, which provided a forum for anti-Trump protestors. In that case, DOJ modified its initial search warrant seeking millions of IP addresses for the visitors who merely clicked on the disruptj20.org website. But DC Superior Court Judge Robert Morin largely granted prosecutors' request to collect a vast set of records from the company, which will include emails of the users who signed up for an account associated with the website, and membership lists……

American Civil Liberties Union DC, media release, 28 September 2017:

Overbroad Search Warrant Implicates Private Pages of Two Local Activists and First Amendment Rights of Thousands of Facebook Users

WASHINGTON – The American Civil Liberties Union of the District of Columbia (ACLU-DC) went to court today to block the enforcement of search warrants targeting three Facebook accounts as part of the government’s investigation and prosecution of activists arrested on Inauguration Day 2017 in Washington D.C.

Two of the warrants would require Facebook to disclose to the government all information from the personal Facebook profiles of local DisruptJ20 activists Lacy MacAuley and Legba Carrefour from November 1, 2016 through February 9, 2017. Although the warrants claim to seek only evidence in support of the government’s prosecutions of January 20 demonstrations, they demand—among other things—all private messages, friend lists, status updates, comments, photos, video, and other private information solely intended for the users’ Facebook friends and family, even if they have nothing to do with Inauguration Day. The warrants also seek information about actions taken on Facebook, including all searches performed by the users, groups or networks joined, and all “data and information that has been deleted by the user.”

The third search warrant was issued for the “DisruptJ20” Facebook page (now called “Resist This”), administered and moderated by Emmelia Talarico. Although the page is public, the warrant would require the disclosure of non-public lists of people who planned to attend political organizing events and even the names of people who simply liked, followed, reacted to, commented on, or otherwise engaged with the content on the Facebook page. During the three-month span the search warrant covers, approximately 6,000 Facebook users liked the page.
The ACLU-DC filed a motion to intervene on behalf of the Facebook users whose accounts are targeted, and a motion to quash or modify the search warrants, arguing that the warrants are overbroad under the Fourth Amendment (which protects personal privacy) and are particularly problematic because the lawful political associations and activities of the users and thousands of third parties will be revealed. The ACLU filing asks the court either to void the warrants outright or to appoint a “special master” who is not part of the prosecutor’s office, to review the Facebook information before providing to the prosecutor only the material—if there is any—relevant to their criminal prosecutions.

“Opening up the entire contents of a personal Facebook page for review by the government is a gross invasion of privacy,” said Scott Michelman, Senior Staff Attorney, ACLU-DC.  “The primary purpose of the Fourth Amendment was to prevent this type of exploratory rummaging through a person’s private information. Moreover, when law enforcement officers can comb through records concerning political organizing in opposition to the very administration for which those officers work, the result is the chilling of First Amendment-protected political activity.”

None of the ACLU-DC’s clients in today’s filing has been charged by the U.S. Attorney with any Inauguration Day-related crimes.

The public first learned of this case when Facebook revealed it had received the warrants and challenged a gag order attached to the warrants that prevented the company from notifying its customers that their information was sought by federal law enforcement. Public interest groups including the ACLU, ACLU-DC, Electronic Frontier Foundation, and Public Citizen, as well as internet companies including Google, Apple, and Microsoft, filed friend-of-the-court briefs arguing that the gag order should be lifted so the Facebook users could challenge the constitutionality of the search warrants under the First and Fourth Amendments. On the eve of the hearing on the gag order before the D.C. Court of Appeals, the government abruptly withdrew the order. Facebook then notified MacAuley, Carrefour, and Talarico of the warrants and the threats to their privacy.

“My Facebook page contains the most private aspects of my life—and also a frightening amount of information on the people in my life. There are intimate details of my love life, family, and things the federal government just doesn’t need to see,” said MacAuley, one of the ACLU-DC clients challenging the enforcement of the warrants. “Jeff Sessions doesn’t need to see my family photos.”

"This is part of a pattern of prosecutorial overreach in the repression of Inauguration Day protestors," said Carrefour. "This warrant is more than just a violation of privacy. It is a direct attack on D.C.’s grassroots organizing community," said Talarico. "In a city rife with inequities and injustices, the deck is already stacked against us. This overreaching warrant would strike a devastating blow to organizers working every day to make this city a better place."

This is the second known attempt by the government to conduct unlawful dragnet searches of the internet and social media in search of evidence against activists arrested on Inauguration Day. In a similar case of government overreach, the government had issued a warrant to website hosting provider Dreamhost for the IP addresses of the 1.3 million people who ever visited the DisruptJ20.org website. Dreamhost, supported by several amici and intervenors, challenged the scope of the warrant and went public with the government’s overbroad request. Amidst public outcry, the government asked the D.C. Superior Court to narrow the time frame of the warrant and eliminate the request for IP addresses. The court agreed and went further by demanding strict safeguards for privacy before the warrant may be executed. The government is now litigating the scope of these additional protections.

Today’s motions to intervene and to quash were filed in D.C. Superior Court. The case is formally titled In the Matter of the Search of Information Associated with Facebook Accounts disruptj20, lacymacauley, and legba.carrefour That Is Stored at Premises Controlled by Facebook, Inc.


BACKGROUND

The New Yorker, 21 June 2017:

On the morning of January 20th, the day Donald Trump was inaugurated, in Washington, D.C., a large group of anti-Trump protesters, dressed in black, roamed through the city for close to an hour. Some chanted, some dragged newspaper boxes into the street, and some smashed the windows of various stores. In response, the police arrested more than two hundred people, setting in motion a complex legal saga that, months later, is far from over.

On Wednesday, the American Civil Liberties Union of the District of Columbia filed a federal lawsuit accusing the police of violating the rights of several people by using pepper spray and explosive devices without warning or justification; by making a mass arrest without differentiating between those who had broken laws and those who hadn’t; and by holding detainees for hours without food, water, or access to toilets, and subjecting some to “humiliating and unjustified” invasive searches.

The four plaintiffs in the A.C.L.U.’s lawsuit include Shay Horse, a twenty-three-year-old whose Twitter account identifies him as a photojournalist and “scrumptious/rambunctious anarchist.” According to the lawsuit, Horse broke no laws on the day of the protest but was doused with pepper spray, trapped between police lines for several hours, and then arrested and subjected to a rectal probe. In February, prosecutors dropped all charges against him. The other plaintiffs are Milo Gonzalez, a protester who, the lawsuit says, was also subjected to a rectal search after his arrest and was denied access to a bathroom for nine or ten hours; Elizabeth Lagesse, who, according to the suit, did not break any laws before being arrested but was handcuffed so tightly her wrists bled; and a lawyer named Judah Ariel, who said that he was among a group of people on a sidewalk who were pepper-sprayed without cause but not taken into custody…………

While it seemed clear on the day of the protest that the vandalism and property damage were committed by a small number of people, a superseding indictment handed down in late April charged two hundred and twelve people with rioting, inciting a riot, and engaging in a conspiracy to “damage, destroy, or deface property.” Because participants in a conspiracy can be held responsible for an offense committed by a co-conspirator, the defendants were all charged with breaking the windows of a Bank of America branch, a McDonald’s restaurant, a café, and two separate Starbucks stores. All of them faced the possibility of lengthy prison sentences.

According to defense lawyers, there appears to be no modern-day precedent for charging everyone arrested during a particular protest with conspiracy, and, in May, thirty of the accused filed a motion saying that those charges lacked merit and asking that the superseding indictment be dismissed. Lawyers from the Georgetown Criminal Justice Clinic, white-shoe firms like Arnold & Porter Kaye Scholer, and D.C.’s Public Defender Service joined in the motion, which argued that the indictment had attributed crimes “collectively and indiscriminately” to defendants without offering evidence of individual culpability.

Some of the defendants have said that they believe they are being targeted for their perceived political identity. Calls for an “anti-capitalist anti-fascist bloc” on Inauguration Day had begun circulating soon after the election in November. Social-media messages included a photograph of a group of black-clad figures brandishing flags and what appear to be flares along with the hashtag #disruptJ20 and the words “wear black.” A communiqué on the Web site CrimethInc read, “If Trump is to be inaugurated at all, let it happen behind closed doors, showing the true face of the security state Trump will preside over. It must be made clear to the whole world that the vast majority of people in the United States do not support his presidency or consent to his rule. . . . We must take to the streets and protest, blockade, disrupt, intervene, sit in, walk out, rise up, and make more noise and good trouble than the establishment can bear.”

The authorities seemed aware of the political leanings associated with the protest. Charging documents said that police officers had been “monitoring a planned assembly of individuals that were known to be associated with an anarchist group” and that intelligence-division officers knew that they would be gathering “with the express intent to disrupt Inauguration-related activities.”

Prosecutors in D.C. now face a potentially daunting number of cases, and whether they will be able to come up with individual evidence for each defendant’s case remains to be seen. So far, according to court documents, they have looked at photographs taken by police officers, reviewed video footage, and obtained a judge’s permission to search more than a hundred cell phones seized from those who were arrested. In March, they obtained a warrant to search the home of a man described as a protest organizer and to take computers, cell phones, tablets, and any material documenting the planning of a “riot or ‘Black Bloc’ march” or the planned destruction of property.

Thursday 14 September 2017

Are banks and insurance companies misusing personal health information and medical files?


“After an insured has made a claim against their policy, the insurer obtains access to and reviews the insured’s medical records. PIAC has seen instances of insurers obtaining an insured’s complete medical history, including from doctors that treated the insured during childhood, before deciding a claim.

PIAC has found that insurers often rely on matters ‘discovered’ during the review of the insured’s medical records to allege that the insured has breached their duty of disclosure.

Often the conclusions drawn by the insurer from the insured’s medical record about their experiences of mental health are inconsistent with the insured’s medical record and the opinions of their treating medical practitioners.

PIAC has represented individuals who have had a policy avoided because the insurer has relied on medical records to impute a medical condition that either did not exist or that the insured did not know existed at the time of applying for insurance.

In PIAC’s experience, it appears that consumers are being disadvantaged by the reforms to the remedies available to insurers (as set out above), or at the very least, are not seeing any benefits flowing from the increased flexibility.” [Public Interest Advocacy Centre, 18 November 2016]

Parliament of Australia, Inquiry into the life insurance industry:

On 14 September 2016, the Senate referred an inquiry into the life insurance industry to the Joint Parliamentary Committee on Corporations and Financial Services for report by 30 June 2017.
The committee welcomes individual stories that may identify widespread issues and recommendations for reform. The committee is not able to investigate or resolve individual disputes.
If you make adverse comment about people in your submission, the committee may reject such evidence or offer a right of reply.
Submissions close on 18 November 2016.
On 29 March 2017, the Senate extended the reporting date from 30 June 2017 to 31 October 2017.

Submissions received by the Committee can be found here.

ABC News, 8 September 2017:

Doctors are pushing back against insurance companies asking them to send them their patients' entire health records as they make decisions about life insurance.

"I am very alarmed that there might be tens of thousands of people's entire health record across the country now stored with insurance companies," Labor Senator Deborah O'Neil told Parliament's joint committee on corporations and financial services.

Edwin Kruys from the Royal Australian College of General Practitioners told the committee doctors do not believe it is appropriate to send entire files to insurance companies.

"It contains information that is often not relevant to the claim, it is all sorts of information that patients have shared with their doctor over the years and they may not even remember what they have shared," Dr Kruys said.

Anne Trimmer from the Australian Medical Association (AMA) told the committee it is challenging for a doctor to determine which parts of a file are relevant.

"And you overlay that with doctors who are time poor with busy practices, it is really hard to make the determination of what is really relevant," she said.

Helen Troup, who is managing director of the Commonwealth Bank's Life Insurance arm, CommInsure, told the committee their insurance customers agreed to let doctors provide the files.

"We do get a full authority," Ms Troup said.

She said the company keeps the files but could not say how many it had.

"Our claims principle is to ask for information that is relevant to the claim assessment," she said.

But she said it sometimes meant the company received the full file.

"We of course take due care with that information," Ms Troup said.

But Dr Kruys said he did not take a tick in a box on a form as true consent from his patients to hand over their records, so he contacted them and checked.

He told the committee that they often then withdrew that consent and he would instead send a much more specific report.

Associate Professor Stephen Bradshaw of the Medical Board of Australia told the committee that the request for medical records could come months or years after the doctor had seen the patient.

Wednesday 13 September 2017

Is the self-inflicted reputational loss suffered by the Australian Bureau of Statistics having a negative impact on the same-sex marriage voluntary postal survey?


“An Australian Marriage Law Survey Form will be sent by post to every eligible Australian. It will be sent to the address on the Commonwealth Electoral Roll.” [www.abs.gov.au, 8 September 2017]

A reader recently contacted North Coast Voices stating that:

“Two weeks ago I rang the ABS to ask whether I could send my marked postal survey back to them in a plain envelope because as I said to them, I don't trust them. They told me that my survey form would not be counted. I also spoke to my Federal Parliamentarian about this.”

I suspect that this question has been asked a number of times by concerned citizens.

Which raises a question - Is the self-inflicted reputational loss suffered by the Australian Bureau of Statistics in 2016 having a negative impact on the same-sex marriage voluntary postal survey?

The Bureau declares that survey respondents will have their privacy protected and that no-one will be able to identify an individual with their response on the survey form.

However, these survey forms come with a barcode which apparently identifies Commonwealth Electoral Roll eligibility of the recipient and the electoral division in which an individual lives.

So a plain envelope return of the survey form will not hide the survey respondent's identity.

The Bureau has anticipated widespread mistrust in its ability to conduct this national survey without a monumental blunder à la Census 2016.

According to its website, a survey response will be considered invalid if: The printed barcode on the form is missing or altered.

It seems the only individuals with some form of privacy protection are those who are registered as ‘silent voters’ on the electoral roll - they at least will allegedly have their residential address hidden from the ABS and survey forms mailed out by the Australian Electoral Commission in an AEC envelope.

Monday 14 August 2017

Digital Transformation Agency: of all the stupid ideas.....


Of all the stupid ideas this has to be one of the worst…….

The Courier Mail, 5 August 2017:

ONE super ID logon that will allow Australians to interact with Medicare, pay their car registration, help switch banks and buy groceries and clothes online is being developed by the Turnbull Government.

In a bid to stop identity fraud and increase competition, Digital Transformation Assistant Minister Angus Taylor revealed the blueprint centred on one user name and one password for government and private use.

Within five years, Australians may be able to order a pair of jeans online or update their address for Centrelink, their bank or energy providers by using the streamlining technology provided by the government.

The opt-in plan will give people the ability to have one logon and password, which will not be stored centrally to ensure security.

It will likely have a two-step verification process, including a text of a code being sent to a mobile phone.

He said the first step was a logon for all government agencies, which could happen reasonably quickly, and then expanding it to the private sector.

Mr Taylor said conversations were being held with states and territories and some significant private companies.

“It’s opt-in, that’s the crucial principle. Mistakes of the past were forcing people down a particular track,” he said, stressing that there would be no “number” given to Australians and it was not a version of the dumped policy of an Australia Card.

He said the measure would also make it easier to change banks or open bank accounts because the Government logon would eventually be considered one of the best identification systems.

“If you update your address, you’ll only have to do it once (and it will go to all government agencies and online retailers).”

He called it the “tell us once” principle.

Yes indeed; one phishing email, re-direct hack, one malicious website or insecure mobile phone and in the space of five minutes your identity is not your own, money leaves your bank accounts or money is borrowed against your assets and your credit card notches up thousands of dollars in goods that someone else receives.

What a brill idea, Angus! Did Malcolm suggest it?