Posted: 2022-10-07 00:18:46

In Optus’ case, it was required to collect this information by Australian law, to make sure the people accessing telecommunications services are who they say they are. It was also required by law to keep the data for a certain time. Other companies, such as banks, are bound by similar rules that mandate they hang on to customer data.

Gledhill-Tucker says there’s also plenty of encouragement from law enforcement agencies, which rely on companies like Optus keeping as much data as possible. Many companies have also created business models that hinge on leveraging data, even if it’s dangerous to keep.

“At the moment, there’s so little counterbalance to surveillance capitalism — this rampant data capture and storage with very little respect to how that data is handled. There’s so little legislation to act as a counterbalance to the capitalistic benefit that organisations get from data,” she says.

“Australia at the moment is pretty behind the times when it comes to effectively regulating organisations to make sure that they do the right thing.”

Last week, Attorney-General Mark Dreyfus said there was generally no reason for companies to hang onto data used for identification purposes, even though the Privacy Act could be interpreted as saying they must.

“We are all familiar with the 100-point identity check. If a company says ‘we need to see your driver’s licence’ or ‘we need to see your passport number’, that is for the purpose of establishing that you are who you say you are. But that should be the end, one might think, of the company keeping all that data,” he says.

“We will be having a look at whether or not companies should be permitted to go on keeping data when the purpose of collecting it in the first place might have been no more than establishing someone’s identity ... We need to have them appreciate that Australians’ personal information belongs to Australians. It’s not to be misused, it absolutely has to be protected, and if the Privacy Act is not getting us those outcomes, then we need to look at reforms to the Privacy Act.”

The 100-point identity check was instituted in 1988, long before anyone could have imagined a remote data breach of the kind seen at Optus.

On Thursday, the federal government announced changes to the Telecommunications Act that would allow companies mandated to store personal ID data to share it with financial institutions in the case of a data breach. This would mean, for example, that a bank would get a list of exposed credentials, helping it block any attempts to use the stolen information to take out credit or a loan.

While this could mitigate the damage wreaked by a breach, the changes don’t address the core issue of companies needing to collect the data in the first place. Nor do they ease the discomfort of being compelled to prove your identity by allowing someone to photocopy your driver’s licence.

Over time, the 100-point check will be phased out and replaced by a digital system. In fact, such a system already exists. The Australian Digital Identity system already lets you prove your identity to a service provider, like MyGov or Australia Post, using your documents, and it can pass that verification onto other companies on demand using things like facial recognition and QR codes. That way, the company knows you are who you say you are, without needing to see or take a copy of your original documents.

The system is still new and has some hurdles to overcome. Obviously, it needs to be taken up by every company that needs to see your ID, and it also needs mitigations in place for when service providers are inevitably targeted by criminals. But in the meantime, some version of the technology could at least help prevent some of the most dangerous breaches.

“At the very least, an organisation like Optus should be able to receive your identity documents, verify that they’re accurate, and keep a log of that verification rather than a log of the documents themselves,” Gledhill-Tucker says.

“That, to me, would be a privacy-preserving framework, rather than just keeping massive amounts of sensitive data on every customer you’ve ever had.”
