Talking about hashing and so on, there are some quite interesting developments around being able to disclose with confidence to a consuming entity some information about you without actually sharing the data. For example one was being able to prove your age is greater than say 18 (at a pub or club) but without actually disclosing your birthday. Others were whether you had met some certification or other obligations. I know this sometimes gets sucked into the whole cryptocurrency/blockchain thing but I don't think it has to be fully tied to that.
Anyway, the two podcasts I listened to on this have stimulated me to look into it a bit deeper - https://twit.tv/shows/floss-weekly/episodes/685 (Sam Curren on DIDs and DIDcomm) and https://twit.tv/shows/floss-weekly/episodes/686 (Dave Huseby on Authentic Data)

Regards,
Martin
[email protected]

On Wed, 28 Sept 2022 at 09:45, John Edwards <[email protected]> wrote:

> It's within the industry's living memory that Australia's biggest telco
> used to publish a physical book with everyone's personal information in it.
>
> Most of our telco privacy legislation evolved from how things got in this
> book, which was an "open by default" model.
>
> The very first Optus retail customers were those who dialled an override
> code on a Telstra phone line for cheaper STD rates. Telstra then provided
> personal details for billing, even though no-one had an existing
> relationship with Optus.
>
> John
>
> On Tue, 27 Sept 2022 at 22:59, James Murphy <[email protected]> wrote:
>
>> Looking over the Privacy Act and oaic.gov.au, I still can't see any laws
>> about a telco (or any business other than a credit reporting body) storing
>> this level of information - specifically a drivers license number or date
>> of birth (passport number isn't mentioned)
>>
>> "identification information" is the term that includes a drivers license
>> number and date of birth
>> "Credit information" is the term that includes "identification
>> information" about an individual (therefore includes drivers license number
>> and date of birth)
>>
>> There are only laws about how long a credit reporting body stores this
>> information. A credit provider (ie Optus) doesn't need to store it, but
>> does need to provide it to the credit reporting body - so they need to
>> collect it and share it but they don't need to store it.
>>
>> For the data a telco does need to store - which looks to be added in the
>> "Telecommunications (Interception and Access) Act 1979", they all talk
>> about "personal information" (which doesn't specifically include date of
>> birth or drivers license number, so you would be complying with that law if
>> you didn't store those pieces of data - provided you can reasonably
>> identify a person with the data you do store)
>>
>> From the Privacy Act:
>>
>> *personal information* means information or an opinion about an
>> identified individual, or an individual who is reasonably identifiable:
>> (a) whether the information or opinion is true or not; and
>> (b) whether the information or opinion is recorded in a material form or
>> not.
>> Note: Section 187LA of the Telecommunications (Interception and Access)
>> Act 1979 extends the meaning of personal information to cover information
>> kept under Part 5-1A of that Act.
>>
>> So the argument that they need to store this by law - to me (a software
>> developer/techy who sometimes can spend hours reading shit like this trying
>> to pick holes in it - so: not a lawyer) - doesn't seem valid.
>>
>> If this is required by law, I would love to understand how (ie which
>> laws/acts cover it)
>>
>> On 27 Sep 2022, at 16:46, Serge Burjak <[email protected]> wrote:
>>
>> https://www.oaic.gov.au/privacy/the-privacy-act
>>
>> Covers it pretty well.
>>
>> On Tue, 27 Sept 2022 at 16:36, James Murphy <[email protected]> wrote:
>>
>> Does anyone know which laws cover the data they were keeping?
>>
>> Did a search for anything with "telecommunication" in the name (link),
>> found 71 results and downloaded 73 PDF files (C2022C00170
>> Telecommunications Act 1997 had 3 files, all others had 1 file), and can't
>> find anything that mentions keeping this level of data.
>>
>> The closest thing I found was in the following:
>>
>> C2022C00151 - Telecommunications (Interception and Access) Act 1979
>> C2015A00039 - Telecommunications (Interception and Access) Amendment
>> (Data Retention) Act 2015
>> C2021A00078 - Telecommunications Legislation Amendment (International
>> Production Orders) Act 2021
>>
>> which contained the following two sections that seem to cover
>> identification information - there doesn't seem to be anything that says
>> they need to collect or store to the level that Optus seems to have done.
>> Almost reads like you could store name and address (without DOB?) and that
>> would be adequate enough (but I'm not a lawyer so who knows). Am I looking
>> in the wrong place/at the wrong laws?
>>
>> 13 Identification of a particular person
>> For the purposes of this Schedule, a particular person may be identified:
>> (a) by the person’s full name; or
>> (b) by a name by which the person is commonly known; or
>> (c) as the person to whom a particular individual transmission service is
>> supplied; or
>> (d) as the person to whom a particular individual message/call
>> application service is provided; or
>> (e) as the person who has a particular account with a prescribed
>> communications provider; or
>> (f) as the person who has a particular telephone number; or
>> (g) as the person who has a particular email address; or
>> (h) as the person who has a particular internet protocol address; or
>> (i) as the person who has a device that has a particular unique
>> identifier (for example, an electronic serial number or a Media Access
>> Control address); or
>> (j) by any other unique identifying factor that is applicable to the
>> person.
>>
>> and
>>
>> 187AA Information to be kept
>> (1) The following table sets out the kinds of information that a service
>> provider must keep, or cause to be kept, under subsection 187A(1):
>>
>> Item: 1
>> Topic: The subscriber of, and accounts, services, telecommunications
>> devices and other relevant services relating to, the relevant service
>> Description of information: The following:
>> (a) any information that is one or both of the following:
>> (i) any name or address information;
>> (ii) any other information for identification purposes;
>> relating to the relevant service, being information used by the service
>> provider for the purposes of identifying the subscriber of the relevant
>> service;
>> (b) any information relating to any contract, agreement or arrangement
>> relating to the relevant service, or to any related account, service or
>> device;
>> (c) any information that is one or both of the following:
>> (i) billing or payment information;
>> (ii) contact information;
>> relating to the relevant service, being information used by the service
>> provider in relation to the relevant service;
>> (d) any identifiers relating to the relevant service or any related
>> account, service or device, being information used by the service provider
>> in relation to the relevant service or any related account, service or
>> device;
>> (e) the status of the relevant service, or any related account, service or
>> device.
>>
>> On 27 Sep 2022, at 11:12, Nathan Brookfield <[email protected]> wrote:
>>
>> They’re legally obligated to retain it but why it’s on the API and why
>> it’s not encrypted.
>>
>> Looking at the data some fields are hashed and then repeated in the
>> bloody clear :(
>>
>> On 27 Sep 2022, at 11:02, [email protected] wrote:
>>
>> My understanding was that the data included the 100 points of ID info.
>> Why are they retaining this? Surely after confirming the 100 points there
>> only needs to be a record "100 points provided"=true and not retain the
>> actual details. This goes back to only keeping the private data you need.
>>
>> regards,
>> Glenn
>>
>> On 2022-09-27 10:49, Damien Gardner Jnr wrote:
>>
>> Personally, I find putting Authentication on my API endpoints to be a
>> FANTASTIC first step towards API security. And then not even using
>> public IP addresses in test environments is a pretty good second
>> step.. </onlyhalfsarcasticherewhydoesthiskeephappening>
>>
>> On Tue, 27 Sept 2022 at 10:46, Bevan Slattery <[email protected]> wrote:
>>
>> Hi everyone,
>> Obviously a big week in telco and cybersecurity. As part of my work
>> I am on the Australian Cyber Security Industry Advisory Committee as
>> an industry representative.
>> I am keen to look at opening up a dialogue with more and more telco,
>> DC and Cloud CISO’s on what they are doing around this issue and
>> looking to take a proactive step towards best practice on customer
>> data and system security.
>> There will be some pretty serious consequences of this hack on the
>> industry and importantly we need to make sure we are as best placed
>> to help each other continually increase in security posture through
>> best practice, but also working with each other as an industry.
>> Are people keen on having an online/VC session sometime in the next
>> few weeks where like-minded industry participants get together and
>> discuss security, retention, encryption, threat detection etc.? If
>> so, just ping me directly and if there is enough interest I will
>> send out an invitation to the list for a call.
>> Cheers
>> [b]
>> _______________________________________________
>> AusNOG mailing list
>> [email protected]
>> https://lists.ausnog.net/mailman/listinfo/ausnog
>>
>> --
>> Damien Gardner Jnr
>> VK2TDG. Dip EE. GradIEAust
>> [email protected] - http://www.rendrag.net/
>> --
>> We rode on the winds of the rising storm,
>> We ran to the sounds of thunder.
>> We danced among the lightning bolts,
>> and tore the world asunder
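Glenn's point that only a record of "100 points provided = true" needs to be kept, and Martin's point about proving a predicate such as over-18 without handing over the birthday, as an added Python example that is not from the thread or from any of its posters. The point values are assumed for illustration, the sample documents are constructed, and an HMAC key stands in for an issuer's signing key (a real issuer would use a digital signature so relying parties hold no shared secret).

```python
# Added example, not from the thread. Point values are illustrative, the sample
# documents are constructed, and an HMAC key stands in for an issuer signing key.
import hmac
import json
from datetime import date

POINTS = {"passport": 70, "drivers_licence": 40, "medicare_card": 25}
RAW_KYC = {  # constructed sample, not real data
    "customer_id": "C-000123",
    "passport": "PA1234567",
    "drivers_licence": "12345678",
    "date_of_birth": "1990-05-14",
}
SECRET_FIELDS = ("passport", "drivers_licence", "date_of_birth")
ISSUER_KEY = b"constructed-issuer-key-do-not-reuse"

def _canonical(record):
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def is_over(dob_iso, today_iso, years):
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    had_birthday = (today.month, today.day) >= (dob.month, dob.day)
    return today.year - dob.year - (0 if had_birthday else 1) >= years

def minimised_record(raw, today_iso, key=ISSUER_KEY):
    """Check the 100 points, then keep only what a downstream system needs."""
    total = sum(POINTS[k] for k in raw if k in POINTS)
    if total < 100:
        raise ValueError(f"only {total} points supplied")
    record = {
        "customer_id": raw["customer_id"],
        "hundred_points_provided": True,
        "document_types": sorted(k for k in raw if k in POINTS),
        "over_18": is_over(raw["date_of_birth"], today_iso, 18),
        "verified_on": today_iso,
    }
    # Issuer MAC over the canonical record: a consumer can trust the over_18
    # claim without ever being handed the birthday or the document numbers.
    record["mac"] = hmac.new(key, _canonical(record), "sha256").hexdigest()
    return record

def verify_record(record, key=ISSUER_KEY):
    body = {k: v for k, v in record.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), "sha256").hexdigest()
    return hmac.compare_digest(expected, record.get("mac", ""))

def leaks_raw_values(record, raw):
    """Guard against the 'hashed, then repeated in the clear' failure."""
    blob = _canonical(record)
    return any(raw[f].encode() in blob for f in SECRET_FIELDS if f in raw)
```

A relying party that receives the record runs verify_record and acts on over_18 without ever being given the date of birth, and leaks_raw_values is the check that catches a document number being written back beside its hash.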
