By "everyone", I don't mean everyone in this email thread - I mean everyone (e.g. the news, everyone at Optus (CEO etc), general public, etc)
> On 28 Sep 2022, at 12:02, James Murphy <[email protected]> wrote:
>
> I'll stop referring to DOB because it seems valid and reasonable that it is kept - so I'll just mention the license number / passport number - which is what people really have an issue with.
>
> What I read in that law you linked to below (F2017L00399 - Telecommunications (Service Provider — Identity Checks for Prepaid Mobile Carriage Services) Determination 2017) actually says it's against the law to "record and keep" either "the identifying number of a government document" or "a category A document or category B document."
>
> They are allowed to "record or keep" the identification number for "permitted purposes" (verifying someone's identity) and "only for such time as is reasonably necessary for the permitted purpose"
>
> Does anyone actually know where or how they are required by law to store a license number or passport number?? Or does everyone just assume they need to do this because others have said so, or they think the company needs to keep X years of records for their business (of which those records do currently include license number, but by law they don't need to include a license number - and by some laws, it's even against the law to store the license number)
>
>
> 6.4 Restrictions on the recording and keeping of certain information
>
> (1) Subject to subsections (2) and (3), a carriage service provider must not, in connection with a requirement imposed by this Determination, record and keep:
> (a) the identifying number of a government document; or
> (b) a category A document or category B document.
> (2) Subsection (1) does not prohibit the recording and keeping of information or a document if that recording and keeping is required or authorised by or under a law.
> (3) Subsection (1) does not prohibit the recording and keeping of the identifying number of a government document where:
> (a) the carriage service provider records the identifying number of a government document for a permitted purpose; and
> (b) the carriage service provider records the information only for such time as is reasonably necessary for the permitted purpose; and
> (c) immediately after the carriage service provider verifies the service activator’s identity, the carriage service provider destroys the number; and
> (d) the recording is not otherwise prohibited by law.
> Example: If a customer has unsuccessfully attempted to verify their identity online using a government online verification service, a carriage service provider may use the identifying number of that customer’s government document to assist that customer to verify his or her identity
>
> (4) A carriage service provider must not copy or reproduce any document that contains the information which must not be recorded and kept because of subsection (1).
> Note: A carriage service provider’s arrangements for recording and handling personal information must comply with Commonwealth privacy laws where applicable.
>
> (5) In this section:
> permitted purpose means:
> (a) the purpose of verifying the identity of a service activator in accordance with section 4.5; or
> (b) any other purpose that is ancillary or incidental to the provider’s obligation to verify the identity of a service activator in accordance with section 4.5.
>
> 4.5 Verification of the identity of a customer who is a service activator
> (1) This section applies to the carriage service provider if the customer is a service activator.
> (2) The carriage service provider must verify the identity of the service activator using an approved method of identity verification specified in column B of Schedule 1
>
>
>> On 28 Sep 2022, at 09:44, Jeremy Chequer <[email protected]> wrote:
>>
>> Hi
>>
>> There are specific rules for prepaid regarding ID validation and documents which must be checked (https://www.legislation.gov.au/Details/F2017L00399/Html/Text#_Toc478627158). As a Credit Provider, they are also required to validate you are who you say you are before providing credit services. Additionally, telcos also have specific provisions for customer protection requiring credit checks to be run before certain services are provided.
>>
>> Providers also need to keep enough information to verify you are who you say you are when you make contact though and are required to ensure they don’t disclose information about your account to someone else, which is why many providers keep things like your Date of Birth on file. The requirement to hold PII is required to a degree and is even outlined in the TCP Code with Clause 3.7 covering the storage and security of said information.
>>
>> Hopefully, this attack will result in some changes not just in our industry but across the board. Maybe something like validating Licences, Medicare, etc against DVS (already commonly done) but then just keeping the Pass/Fail result and Check ID instead of keeping the full details on file could be a way to minimise the amount of data available in a breach like this, but I’m not sure if that would be enough to comply with some of the obligations.
>>
>> - Jeremy
>>
>> From: AusNOG <[email protected]> On Behalf Of James Murphy
>> Sent: Tuesday, 27 September 2022 11:29 PM
>> To: Serge Burjak <[email protected]>
>> Cc: AusNOG Mailing List <[email protected]>
>> Subject: Re: [AusNOG] Optus Hack
>>
>> Looking over the Privacy Act and oaic.gov.au, I still can't see any laws about a telco (or any business other than a credit reporting body) storing this level of information - specifically a drivers license number or date of birth (passport number isn't mentioned)
>>
>> "identification information" is the term that includes a drivers license number and date of birth
>> "Credit information" is the term that includes "identification information" about an individual (therefore includes drivers license number and date of birth)
>>
>> There are only laws about how long a credit reporting body stores this information. A credit provider (ie Optus) doesn't need to store it, but does need to provide it to the credit reporting body - so they need to collect it and share it but they don't need to store it.
>>
>> For the data a telco does need to store - which looks to be added in the "Telecommunications (Interception and Access) Act 1979", they all talk about "personal information" (which doesn't specifically include date of birth or drivers license number, so you would be complying with that law if you didn't store those pieces of data - provided you can reasonably identify a person with the data you do store)
>>
>> From the Privacy Act:
>>
>> personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
>> (a) whether the information or opinion is true or not; and
>> (b) whether the information or opinion is recorded in a material form or not.
>> Note: Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5-1A of that Act.
>>
>> So the argument that they need to store this by law - to me (a software developer/techy who sometimes can spend hours reading shit like this trying to pick holes in it - so: not a lawyer) - doesn't seem valid.
>>
>> If this is required by law, I would love to understand how (ie which laws/acts cover it)
>>
>>
>> On 27 Sep 2022, at 16:46, Serge Burjak <[email protected]> wrote:
>>
>> https://www.oaic.gov.au/privacy/the-privacy-act
>>
>> Covers it pretty well.
>>
>> On Tue, 27 Sept 2022 at 16:36, James Murphy <[email protected]> wrote:
>>
>> Does anyone know which laws cover the data they were keeping?
>>
>> Did a search for anything with "telecommunication" in the name (link), found 71 results and downloaded 73 PDF files (C2022C00170 Telecommunications Act 1997 had 3 files, all others had 1 file), and can't find anything that mentions keeping this level of data.
>>
>> The closest thing I found was in the following:
>>
>> C2022C00151 - Telecommunications (Interception and Access) Act 1979
>> C2015A00039 - Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015
>> C2021A00078 - Telecommunications Legislation Amendment (International Production Orders) Act 2021
>>
>> which contained the following two sections that seem to cover identification information - there doesn't seem to be anything that says they need to collect or store to the level that Optus seems to have done.. Almost reads like you could store name and address (without DOB?) and that would be adequate enough (but I'm not a lawyer so who knows).. Am I looking in the wrong place/at the wrong laws?
>>
>> 13 Identification of a particular person
>> For the purposes of this Schedule, a particular person may be identified:
>> (a) by the person’s full name; or
>> (b) by a name by which the person is commonly known; or
>> (c) as the person to whom a particular individual transmission service is supplied; or
>> (d) as the person to whom a particular individual message/call application service is provided; or
>> (e) as the person who has a particular account with a prescribed communications provider; or
>> (f) as the person who has a particular telephone number; or
>> (g) as the person who has a particular email address; or
>> (h) as the person who has a particular internet protocol address; or
>> (i) as the person who has a device that has a particular unique identifier (for example, an electronic serial number or a Media Access Control address); or
>> (j) by any other unique identifying factor that is applicable to the person.
>>
>> and
>>
>> 187AA Information to be kept
>> (1) The following table sets out the kinds of information that a service provider must keep, or cause to be kept, under subsection 187A(1):
>> Item 1
>> Topic: The subscriber of, and accounts, services, telecommunications devices and other relevant services relating to, the relevant service
>> Description of information: The following:
>> (a) any information that is one or both of the following:
>> (i) any name or address information;
>> (ii) any other information for identification purposes;
>> relating to the relevant service, being information used by the service provider for the purposes of identifying the subscriber of the relevant service;
>> (b) any information relating to any contract, agreement or arrangement relating to the relevant service, or to any related account, service or device;
>> (c) any information that is one or both of the following:
>> (i) billing or payment information;
>> (ii) contact information;
>> relating to the relevant service, being information used by the service provider in relation to the relevant service;
>> (d) any identifiers relating to the relevant service or any related account, service or device, being information used by the service provider in relation to the relevant service or any related account, service or device;
>> (e) the status of the relevant service, or any related account, service or device.
>>
>>
>> On 27 Sep 2022, at 11:12, Nathan Brookfield <[email protected]> wrote:
>>
>> They’re legally obligated to retain it but why it’s on the API and why it’s not encrypted.
>>
>> Looking at the data some fields are hashed and then repeated in the bloody clear :(
>>
>> On 27 Sep 2022, at 11:02, [email protected] wrote:
>>
>> My understanding was that the data included the 100 points of ID info. Why are they retaining this? Surely after confirming the 100 points there only needs to be a record "100 points provided"=true and not retain the actual details. This goes back to only keeping the private data you need.
>>
>> regards,
>> Glenn
>>
>> On 2022-09-27 10:49, Damien Gardner Jnr wrote:
>>
>> Personally, I find putting Authentication on my API endpoints to be a FANTASTIC first step towards API security. And then not even using public IP addresses in test environments is a pretty good second step.. </onlyhalfsarcasticherewhydoesthiskeephappening>
>>
>> On Tue, 27 Sept 2022 at 10:46, Bevan Slattery <[email protected]> wrote:
>>
>> Hi everyone,
>> Obviously a big week in telco and cybersecurity. As part of my work I am on the Australian Cyber Security Industry Advisory Committee as an industry representative.
>> I am keen to look at opening up a dialogue with more and more telco, DC and Cloud CISO’s on what they are doing around this issue and looking to take a proactive step towards best practice on customer data and system security.
>> There will be some pretty serious consequences of this hack on the industry and importantly we need to make sure we are as best placed to help each other continually increase in security posture through best practice, but also working with each other as an industry.
>> Are people keen on having an online/VC session sometime in the next few weeks where like-minded industry participants get together and discuss security, retention, encryption, threat detection etc.? If so, just ping me directly and if there is enough interest I will send out an invitation to the list for a call.
>> Cheers
>> [b]
>> _______________________________________________
>> AusNOG mailing list
>> [email protected]
>> https://lists.ausnog.net/mailman/listinfo/ausnog
>>
>> --
>> Damien Gardner Jnr
>> VK2TDG. Dip EE. GradIEAust
>> [email protected] - http://www.rendrag.net/
>> --
>> We rode on the winds of the rising storm,
>> We ran to the sounds of thunder.
>> We danced among the lightning bolts,
>> and tore the world asunder
_______________________________________________
AusNOG mailing list
[email protected]
https://lists.ausnog.net/mailman/listinfo/ausnog
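The data-minimisation design raised in the thread (check the document against an external verification service such as DVS, keep only the pass/fail result and the check ID, and destroy the document number immediately after the check, which is also what 6.4(3)(c) of the quoted Determination describes), worked through as an added Python example. This is not code from the thread, from any AusNOG member, or from any carrier: `CheckingService` is a constructed stand-in for a verification service (no real DVS API is called), and the field names, the 8–9 digit "document number" pattern and the sample data are this example's own assumptions. The audit at the end also models Nathan's observation of fields hashed and then repeated in the clear, as a check a defender could run over a persisted table.

```python
"""Data-minimising identity verification record (added example).

Verify the document with an external checking service, persist only the
pass/fail result and the service's check ID, and let the document number
go immediately after the check. CheckingService is a constructed stand-in;
every field name below is this example's own choice.
"""
from __future__ import annotations

import hashlib
import re
import secrets
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Constructed pattern for the audit: the sample document numbers in this
# example are 8- or 9-digit strings. A real deployment would use the
# formats of the document types it actually accepts.
DOC_NUMBER_RE = re.compile(r"\b\d{8,9}\b")
HEX_DIGEST_RE = re.compile(r"[0-9a-f]{64}", re.IGNORECASE)


@dataclass(frozen=True)
class VerificationRecord:
    """The only thing persisted: no document number, no document copy."""
    customer_id: str
    document_type: str   # constructed labels, e.g. "drivers_licence"
    check_id: str        # reference returned by the checking service
    verified: bool
    checked_at: str      # ISO-8601 UTC timestamp


class CheckingService:
    """Stand-in for an external verification service: answers pass/fail plus
    a check reference and retains nothing (constructed for this example)."""

    def __init__(self, valid_documents: set[tuple[str, str]]):
        self._valid = valid_documents

    def verify(self, document_type: str, document_number: str) -> tuple[bool, str]:
        return (document_type, document_number) in self._valid, "chk-" + secrets.token_hex(8)


def verify_and_record(service: CheckingService, customer_id: str,
                      document_type: str, document_number: str) -> VerificationRecord:
    """Use the number for the check only; the persisted record never derives from it."""
    ok, check_id = service.verify(document_type, document_number)
    # Drop the binding so nothing below can reach the number. Python does not
    # zero memory; the guarantee is that no stored field, hash or log is built from it.
    del document_number
    return VerificationRecord(
        customer_id=customer_id,
        document_type=document_type,
        check_id=check_id,
        verified=ok,
        checked_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
    )


def to_row(record: VerificationRecord) -> dict[str, str]:
    """Flatten a record into the string columns a datastore would hold."""
    return {k: str(v) for k, v in asdict(record).items()}


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def audit_rows(rows: list[dict[str, str]]) -> list[str]:
    """Scan persisted rows for data the minimised design never stores.

    Two checks:
      1. a document-number-like value sitting in the clear;
      2. a column that is the SHA-256 of another column in the same row,
         i.e. a field hashed and then repeated in plaintext beside it.
    Returns one finding per problem; an empty list means clean.
    """
    findings: list[str] = []
    for row in rows:
        who = row.get("customer_id", "?")
        for field, value in row.items():
            if DOC_NUMBER_RE.search(value):
                findings.append(f"{who}: {field} holds a document-number-like value in clear")
        digests = {v.lower(): f for f, v in row.items() if HEX_DIGEST_RE.fullmatch(v)}
        for field, value in row.items():
            hashed_field = digests.get(sha256_hex(value))
            if hashed_field is not None:
                findings.append(f"{who}: {hashed_field} is sha256 of {field}, plaintext stored alongside hash")
    return findings


if __name__ == "__main__":
    # Constructed sample data.
    service = CheckingService({("drivers_licence", "12345678")})
    good = verify_and_record(service, "cust-0001", "drivers_licence", "12345678")
    print(to_row(good))                 # no "12345678" in any column
    print(audit_rows([to_row(good)]))   # []
    legacy = {"customer_id": "cust-0003",
              "licence_hash": sha256_hex("12345678"), "licence_no": "12345678"}
    print(audit_rows([legacy]))         # two findings
```

The point of `to_row` plus `audit_rows` is that minimisation is checkable after the fact: the row a breach would expose contains an opaque check reference and a boolean, and the audit over a legacy-shaped row shows why hashing a field is no protection when the same field is kept in plaintext next to it.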
