Week 9 – Part 2
Deakin University CRICOS Provider Code: 00113B
SIT182 – Real World Practices For Cyber Security
Trimester 2 – 2021
Deakin College
Week 9 – Part 2
Deakin University CRICOS Provider Code: 00113B
Privacy – A very brief overview
2
Topics,
Deakin University CRICOS Provider Code: 00113B
Privacy
• The interest that individuals have in sustaining ‘personal space’ free from interference by other
people and organizations
• Very different from Inaccessibility / Confidentiality / Secrecy / Non-Disclosure
3
Deakin University CRICOS Provider Code: 00113B
Categories of ‘Persons-at-Risk’
4
Organisational Contexts
• Corporate executives
• Government executives
• Undercover operatives
• Law enforcement and prison staff
• Mental health care prof’ls, counsellors
Legal Contexts
• Judges, lawyers and jurors, particularly in highly-
charged cases
• Witnesses, especially people in protected witness
programs
• Ex-prisoners re-integrating
with society
Social Contexts
• Celebrities and notorieties at risk
of extortion, kidnap, burglary
• Short-term celebrities such as
lottery-winners, victims of crime
• Victims of domestic violence
• Victims of harassment, stalking
• Individuals subject to significant
discriminatory behaviour
• People seeking to leave a former
association, e.g. ex-gang-members
Political Contexts
• Whistle-blowers
• Dissidents
Deakin University CRICOS Provider Code: 00113B
Privacy Protection
5
• Privacy is one interest among many
• Privacy may conflict with other interests:
o Personal conflict of interests
o Interests of another person
o Interests of a group or community
o Interests of an organisation
o Interests of society as a whole
• Privacy Protection is a process of
finding appropriate balances between privacy and multiple competing interests
Deakin University CRICOS Provider Code: 00113B
Data & Communications Privacy
6
• Data Privacy is the interest that individuals have in controlling the handling of data about
themselves
• Communications Privacy is the interest in communicating with others without
monitoring or interception by others
Google Location History!
Deakin University CRICOS Provider Code: 00113B
Harms arising from Privacy Breaches
• Physical
Discovery of identity or location –
(e.g., stealing, assault, etc.)
7
• Psychological
Closed doors, drawn curtains, ‘jumping for joy’;
loss of control over one’s life, image, and
respect, undermining social cohesion
Deakin University CRICOS Provider Code: 00113B
Harms arising from Privacy Breaches
• Economic
Stifling of non-conformist, risk-taking, inventive
and innovative behavior, undermining cultural,
scientific and economic change
• Political
Embarrassments, stigmas; self-repression (the
‘chilling effect’); political repression; a reduced
pool of political contributors
8
Deakin University CRICOS Provider Code: 00113B
Data Safeguards
9
• Organisational Safeguards
Policies, Procedures, Practices
Training
Incident response and Complaints Systems
• Legal Safeguards
Laws, Codes, Standards, Guidelines
• Technical
‘Privacy-Enhancing Technologies’ (PETs)
Deakin University CRICOS Provider Code: 00113B
Data Protection Laws
10
• Office of the Australian Information Commissioner
The Aust Privacy Principles (APPs)
• NSWIPC (NSW public sector)
Privacy and Personal Information Protection Act 1998 (PIPPA)
• VicPC / CPDP (Vic public sector)
Privacy Data and Protection Act
• OICQ (Qld public sector)
Information Privacy Act
• European Union
General Data protection Regulations (GDPR)
o made in 2016 and implemented in 2018
o profound impact internationally
Deakin University CRICOS Provider Code: 00113B
Data Protection Laws
11
The Australian Privacy Principles (APPs)
https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-
quick-reference/ [And that’s the shortened version!]
• “The law is full of designed-in loopholes” [ref: Australian Privacy Foundation]
• The law lacks specific guidance
e.g. OAIC ‘Guide to securing personal information’ provides limited assistance,
and sets no baseline
• The law is largely unenforced
https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-quick-reference/
Deakin University CRICOS Provider Code: 00113B
Data Breach Notification
12
2018: Australian Laws
Privacy Act Part IIIC, ss.26WA-26WT
Applies to some organisations, some breaches
1: Contain the breach and do a preliminary assessment
2: Evaluate the risks associated with the breach
3: Maybe Notify affected individuals, the PC’er
4: Prevent future breaches
Deakin University CRICOS Provider Code: 00113B
13
PITs and PETs
Privacy-Invasive and Privacy-Enhancing Technologies
• PETs have been worked on since 1995
• Counter-PITs, incl. protections for data in storage data in
transit, authentication, …
• Savage PETs
for Persistent Anonymity
• Gentle PETs
for Protected Pseudonymity, and hence accountability as
well as freedom
Deakin University CRICOS Provider Code: 00113B
14
The Key Things to Obfuscate and Falsify
Data
If a person’s stored data could result in some organisation constraining their or any other
person’s freedom or privacy, the content of the stored data may need to be hidden
Messages
Re a person’s communications
Identities
Re visibility of the identity under which a person performs acts
Locations
Re visibility of the location at which a person performs acts
Social Networks
Re the associations that a person has with others
Deakin University CRICOS Provider Code: 00113B
15
Categories of PETs: Communication
• Email and Instant Messaging / Chat
e.g. Protonmail, Hushmail, Fastmail, Signal
• Handsets
e.g. Silent Circle BlackPhone
• Search-Engines
e.g. DuckDuckGo, Ixquick/Startpage
• Encryption
e.g. SSL/TLS and HTTPS Everywhere
• Browsers
e.g. Tor, …
• Social Media Services
e.g. Diaspora
https://blackphone.ch/silent-suite/https://silentcircle.com/
https://duckduckgo.com/
https://www.torproject.org/
https://diasporafoundation.org/
Deakin University CRICOS Provider Code: 00113B
16
Categories of PETs: Traffic Management
• End-Point Authentication, e.g. VPNs
• End-Point Obfuscation
Proxy-Servers, VPNs, ToR
• Meshnets (e.g., https://hyperboria.net/)
• Firewalls, Malware Filters, Cleansers
https://hyperboria.net/
Deakin University CRICOS Provider Code: 00113B
17
Categories of PETs: Data Management
• Stored Data Encryption
e.g. Veracrypt
• Secure Data Deletion
e.g. File Shredder, Eraser
• Secure Dropbox
e.g. SecureDrop, Podzy
Deakin University CRICOS Provider Code: 00113B
18
Australian Privacy Foundation (APF)
APF is the primary voluntary, non-government organisation in
Australia dedicated to protecting people’s privacy rights. We
focus public attention on emerging issues, in concert with civil
liberties councils, consumer organisations and other
community groups. Unfortunately, we often have to be critical
of privacy oversight agencies.
Accepting members:
Current Board: https://privacy.org.au/about/contacts/
Deakin University CRICOS Provider Code: 00113B
Acknowledgement
Acknowledging the kind support and contribution of:
Dr Arash Shaghaghi (Deakin University, Australia), Prof. Chang-Tsun Li (Deakin University, Australia), Prof. Sanjay
Jha (The University of New South Wales, Australia), Dr. Nicolas Courtois (University College London, UK), and Prof.
Roger Clarke (The Australian National University).
19