See 6.4(5) in my email below, and then 4.5(1) and 4.5(2) - from everything I'm reading, it's only to verify them initially. The table mentioned in 4.5(2) was too large but a quick summary:
Approved methods for verification of the identity of a customer who is a service activator:
- “Government online verification service”
- “Existing post-paid account”
- “White listed email service”
- “Real-time financial transaction”
- “Time-delayed financial transaction”
- “Existing eligible prepaid (other) account” (no direct debit arrangement in place)
- “Existing eligible prepaid (direct debit) account” (direct debit arrangement in place)
- “Visual identity document check”

> On 28 Sep 2022, at 12:16, Giles Pollock <[email protected]> wrote:
>
> It would require far more time than I currently have to go digging through the legislation, but I really wouldn't be surprised if there are conflicting components in different laws which mean you both need to retain the information and also not retain it. I'd lean towards the laws relating to AML/CTF and similar being the ones saying the information needs to be retained for a specific length of time too.
>
> That said, the interesting bit of that statement is the "only for such time as is reasonably necessary for the permitted purpose" bit. Every time you call up Optus, or pretty much any other telco, they will do something to attempt to verify your identity. Arguably this could constitute covering the time for the permitted purpose, because they are required to verify identity for the duration of the contract...
>
> That sounds like a game for lawyers to argue out though.
>
> On Wed, Sep 28, 2022 at 12:06 PM James Murphy <[email protected]> wrote:
>> By "everyone", I don't mean everyone in this email thread - I mean everyone (e.g. the news, everyone at Optus (CEO etc), general public, etc)
>>
>>> On 28 Sep 2022, at 12:02, James Murphy <[email protected]> wrote:
>>>
>>> I'll stop referring to DOB because it seems valid and reasonable that it is kept - so I'll just mention the license number / passport number - which is what people really have an issue with.
>>>
>>> What I read in that law you linked to below (F2017L00399 - Telecommunications (Service Provider — Identity Checks for Prepaid Mobile Carriage Services) Determination 2017) actually says it's against the law to "record and keep" either "the identifying number of a government document" or "a category A document or category B document."
>>>
>>> They are allowed to "record or keep" the identification number for "permitted purposes" (verifying someone's identity) and "only for such time as is reasonably necessary for the permitted purpose"
>>>
>>> Does anyone actually know where or how they are required by law to store a license number or passport number?? Or does everyone just assume they need to do this because others have said so, or they think the company needs to keep X years of records for their business (of which those records do currently include license number, but by law they don't need to include a license number - and by some laws, it's even against the law to store the license number)
>>>
>>> 6.4 Restrictions on the recording and keeping of certain information
>>>
>>> (1) Subject to subsections (2) and (3), a carriage service provider must not, in connection with a requirement imposed by this Determination, record and keep:
>>> (a) the identifying number of a government document; or
>>> (b) a category A document or category B document.
>>> (2) Subsection (1) does not prohibit the recording and keeping of information or a document if that recording and keeping is required or authorised by or under a law.
>>>
>>> (3) Subsection (1) does not prohibit the recording and keeping of the identifying number of a government document where:
>>> (a) the carriage service provider records the identifying number of a government document for a permitted purpose; and
>>> (b) the carriage service provider records the information only for such time as is reasonably necessary for the permitted purpose; and
>>> (c) immediately after the carriage service provider verifies the service activator’s identity, the carriage service provider destroys the number; and
>>> (d) the recording is not otherwise prohibited by law.
>>> Example: If a customer has unsuccessfully attempted to verify their identity online using a government online verification service, a carriage service provider may use the identifying number of that customer’s government document to assist that customer to verify his or her identity
>>>
>>> (4) A carriage service provider must not copy or reproduce any document that contains the information which must not be recorded and kept because of subsection (1).
>>> Note: A carriage service provider’s arrangements for recording and handling personal information must comply with Commonwealth privacy laws where applicable.
>>>
>>> (5) In this section:
>>> permitted purpose means:
>>> (a) the purpose of verifying the identity of a service activator in accordance with section 4.5; or
>>> (b) any other purpose that is ancillary or incidental to the provider’s obligation to verify the identity of a service activator in accordance with section 4.5.
>>>
>>> 4.5 Verification of the identity of a customer who is a service activator
>>> (1) This section applies to the carriage service provider if the customer is a service activator.
>>> (2) The carriage service provider must verify the identity of the service activator using an approved method of identity verification specified in column B of Schedule 1
>>>
>>>> On 28 Sep 2022, at 09:44, Jeremy Chequer <[email protected]> wrote:
>>>>
>>>> Hi
>>>>
>>>> There are specific rules for prepaid regarding ID validation and documents which must be checked (https://www.legislation.gov.au/Details/F2017L00399/Html/Text#_Toc478627158). As a Credit Provider, they are also required to validate you are who you say you are before providing credit services. Additionally, telcos also have specific provisions for customer protection requiring credit checks to be run before certain services are provided.
>>>>
>>>> Providers also need to keep enough information to verify you are who you say you are when you make contact though and are required to ensure they don’t disclose information about your account to someone else, which is why many providers keep things like your Date of Birth on file. The requirement to hold PII is required to a degree and is even outlined in the TCP Code with Clause 3.7 covering the storage and security of said information.
>>>>
>>>> Hopefully, this attack will result in some changes not just in our industry but across the board. Maybe something like validating Licences, Medicare, etc against DVS (already commonly done) but then just keeping the Pass/Fail result and Check ID instead of keeping the full details on file could be a way to minimise the amount of data available in a breach like this, but I’m not sure if that would be enough to comply with some of the obligations.
>>>>
>>>> - Jeremy
>>>>
>>>> From: AusNOG <[email protected]> On Behalf Of James Murphy
>>>> Sent: Tuesday, 27 September 2022 11:29 PM
>>>> To: Serge Burjak <[email protected]>
>>>> Cc: AusNOG Mailing List <[email protected]>
>>>> Subject: Re: [AusNOG] Optus Hack
>>>>
>>>> Looking over the Privacy Act and oaic.gov.au <http://oaic.gov.au/>, I still can't see any laws about a telco (or any business other than a credit reporting body) storing this level of information - specifically a drivers license number or date of birth (passport number isn't mentioned)
>>>>
>>>> "identification information" is the term that includes a drivers license number and date of birth
>>>> "Credit information" is the term that includes "identification information" about an individual (therefore includes drivers license number and date of birth)
>>>>
>>>> There are only laws about how long a credit reporting body stores this information. A credit provider (ie Optus) doesn't need to store it, but does need to provide it to the credit reporting body - so they need to collect it and share it but they don't need to store it.
>>>>
>>>> For the data a telco does need to store - which looks to be added in the "Telecommunications (Interception and Access) Act 1979", they all talk about "personal information" (which doesn't specifically include date of birth or drivers license number, so you would be complying with that law if you didn't store those pieces of data - provided you can reasonably identify a person with the data you do store)
>>>>
>>>> From the Privacy Act:
>>>>
>>>> personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
>>>> (a) whether the information or opinion is true or not; and
>>>> (b) whether the information or opinion is recorded in a material form or not.
>>>> Note: Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5-1A of that Act.
>>>>
>>>> So the argument that they need to store this by law - to me (a software developer/techy who sometimes can spend hours reading shit like this trying to pick holes in it - so: not a lawyer) - doesn't seem valid.
>>>>
>>>> If this is required by law, I would love to understand how (ie which laws/acts cover it)
>>>>
>>>> On 27 Sep 2022, at 16:46, Serge Burjak <[email protected]> wrote:
>>>>
>>>> https://www.oaic.gov.au/privacy/the-privacy-act
>>>>
>>>> Covers it pretty well.
>>>>
>>>> On Tue, 27 Sept 2022 at 16:36, James Murphy <[email protected]> wrote:
>>>>
>>>> Does anyone know which laws cover the data they were keeping?
>>>>
>>>> Did a search for anything with "telecommunication" in the name (link), found 71 results and downloaded 73 PDF files (C2022C00170 Telecommunications Act 1997 had 3 files, all others had 1 file), and can't find anything that mentions keeping this level of data.
>>>>
>>>> The closest thing I found was in the following:
>>>>
>>>> C2022C00151 - Telecommunications (Interception and Access) Act 1979
>>>> C2015A00039 - Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015
>>>> C2021A00078 - Telecommunications Legislation Amendment (International Production Orders) Act 2021
>>>>
>>>> which contained the following two sections that seem to cover identification information - there doesn't seem to be anything that says they need to collect or store to the level that Optus seems to have done.. Almost reads like you could store name and address (without DOB?) and that would be adequate enough (but I'm not a lawyer so who knows).. Am I looking in the wrong place/at the wrong laws?
>>>>
>>>> 13 Identification of a particular person
>>>> For the purposes of this Schedule, a particular person may be identified:
>>>> (a) by the person’s full name; or
>>>> (b) by a name by which the person is commonly known; or
>>>> (c) as the person to whom a particular individual transmission service is supplied; or
>>>> (d) as the person to whom a particular individual message/call application service is provided; or
>>>> (e) as the person who has a particular account with a prescribed communications provider; or
>>>> (f) as the person who has a particular telephone number; or
>>>> (g) as the person who has a particular email address; or
>>>> (h) as the person who has a particular internet protocol address; or
>>>> (i) as the person who has a device that has a particular unique identifier (for example, an electronic serial number or a Media Access Control address); or
>>>> (j) by any other unique identifying factor that is applicable to the person.
>>>>
>>>> and
>>>>
>>>> 187AA Information to be kept
>>>> (1) The following table sets out the kinds of information that a service provider must keep, or cause to be kept, under subsection 187A(1):
>>>>
>>>> Item 1
>>>> Topic: The subscriber of, and accounts, services, telecommunications devices and other relevant services relating to, the relevant service
>>>> Description of information: The following:
>>>> (a) any information that is one or both of the following:
>>>> (i) any name or address information;
>>>> (ii) any other information for identification purposes;
>>>> relating to the relevant service, being information used by the service provider for the purposes of identifying the subscriber of the relevant service;
>>>> (b) any information relating to any contract, agreement or arrangement relating to the relevant service, or to any related account, service or device;
>>>> (c) any information that is one or both of the following:
>>>> (i) billing or payment information;
>>>> (ii) contact information;
>>>> relating to the relevant service, being information used by the service provider in relation to the relevant service;
>>>> (d) any identifiers relating to the relevant service or any related account, service or device, being information used by the service provider in relation to the relevant service or any related account, service or device;
>>>> (e) the status of the relevant service, or any related account, service or device.
>>>>
>>>> On 27 Sep 2022, at 11:12, Nathan Brookfield <[email protected]> wrote:
>>>>
>>>> They’re legally obligated to retain it but why it’s on the API and why it’s not encrypted.
>>>>
>>>> Looking at the data some fields are hashed and then repeated in the bloody clear :(
>>>>
>>>> On 27 Sep 2022, at 11:02, [email protected] wrote:
>>>>
>>>> My understanding was that the data included the 100 points of ID info. Why are they retaining this? Surely after confirming the 100 points there only needs to be a record "100 points provided"=true and not retain the actual details. This goes back to only keeping the private data you need.
>>>>
>>>> regards,
>>>> Glenn
>>>>
>>>> On 2022-09-27 10:49, Damien Gardner Jnr wrote:
>>>>
>>>> Personally, I find putting Authentication on my API endpoints to be a FANTASTIC first step towards API security. And then not even using public IP addresses in test environments is a pretty good second step.. </onlyhalfsarcasticherewhydoesthiskeephappening>
>>>>
>>>> On Tue, 27 Sept 2022 at 10:46, Bevan Slattery <[email protected]> wrote:
>>>>
>>>> Hi everyone,
>>>> Obviously a big week in telco and cybersecurity. As part of my work I am on the Australian Cyber Security Industry Advisory Committee as an industry representative.
>>>> I am keen to look at opening up a dialogue with more and more telco, DC and Cloud CISO’s on what they are doing around this issue and looking to take a proactive step towards best practice on customer data and system security.
>>>> There will be some pretty serious consequences of this hack on the industry and importantly we need to make sure we are as best placed to help each other continually increase in security posture through best practice, but also working with each other as an industry.
>>>> Are people keen on having an online/VC session sometime in the next few weeks where like-minded industry participants get together and discuss security, retention, encryption, threat detection etc.? If so, just ping me directly and if there is enough interest I will send out an invitation to the list for a call.
>>>> Cheers
>>>> [b]
>>>> _______________________________________________
>>>> AusNOG mailing list
>>>> [email protected]
>>>> https://lists.ausnog.net/mailman/listinfo/ausnog
>>>>
>>>> --
>>>> Damien Gardner Jnr
>>>> VK2TDG. Dip EE. GradIEAust
>>>> [email protected] - http://www.rendrag.net/
>>>> --
>>>> We rode on the winds of the rising storm,
>>>> We ran to the sounds of thunder.
>>>> We danced among the lightning bolts,
>>>> and tore the world asunder
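Jeremy's suggestion above (check the document against DVS, then keep only the Pass/Fail result and Check ID) combined with 6.4(3)(c)'s "destroys the number" requirement, as an added Python sketch that is not part of any message in this thread. The `dvs_check` callable, the record field names and the sample store are all assumptions constructed for the example; the audit function then flags stored records that still carry a government-document identifier.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, Iterable

# Government-document identifiers that 6.4(1) says must not be recorded and kept
# once verification is done (field names are assumptions for this example).
PROHIBITED_FIELDS = {"licence_number", "passport_number", "medicare_number", "document_image"}

@dataclass(frozen=True)
class VerificationRecord:
    """What is retained after a check: the outcome and the checker's reference, never the number."""
    customer_ref: str
    method: str        # a Schedule 1 column B method, e.g. "Government online verification service"
    passed: bool
    check_id: str      # the verification service's own reference for this check
    verified_at: str   # ISO 8601 UTC timestamp

def verify_and_record(customer_ref: str, method: str, document_number: str,
                      dvs_check: Callable[[str], tuple[bool, str]]) -> VerificationRecord:
    """Use the document number for the permitted purpose only, then keep just pass/fail + check id."""
    # dvs_check is a hypothetical stand-in for a verification-service call; it returns
    # (passed, check_id) and check_id must not be derived from the document number.
    passed, check_id = dvs_check(document_number)
    # The number goes no further than this function: it is never written into the record,
    # so nothing downstream has it to persist (6.4(3)(c): destroy it once verification is done).
    del document_number
    return VerificationRecord(customer_ref, method, passed, check_id,
                              datetime.now(timezone.utc).isoformat())

def retained_prohibited_fields(record: dict) -> set[str]:
    """Fields of a stored record that still hold a government-document identifier."""
    return {k for k, v in record.items() if k in PROHIBITED_FIELDS and v not in (None, "")}

def audit_store(records: Iterable[dict]) -> dict[str, set[str]]:
    """Map customer_ref -> offending fields for every record that over-retains."""
    findings = {}
    for rec in records:
        bad = retained_prohibited_fields(rec)
        if bad:
            findings[rec["customer_ref"]] = bad
    return findings

def fake_dvs(_document_number: str) -> tuple[bool, str]:
    """Constructed stand-in for a DVS call: always passes and returns a fixed reference."""
    return True, "CHK-0001"

# Constructed sample store: one minimised record and one that still carries a licence number.
SAMPLE_STORE = [
    asdict(verify_and_record("cust-001", "Government online verification service", "12345678", fake_dvs)),
    {"customer_ref": "cust-002", "method": "Visual identity document check", "passed": True,
     "check_id": "CHK-0002", "verified_at": "2022-09-27T00:00:00+00:00", "licence_number": "87654321"},
]

if __name__ == "__main__":
    print(audit_store(SAMPLE_STORE))   # {'cust-002': {'licence_number'}}
```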
