Protecting our privacy from criminals – and corporations
Most of us have heard the argument that “if you have done nothing wrong, you have nothing to fear” when it comes to online surveillance.
It’s regularly trotted out in defence of government monitoring and heavy-handed powers granted to law enforcement in the name of protecting us from terrorism and the worst kinds of criminality.
Over the last week or so, the Medibank breach saga has provided ample evidence as to where this argument fails.
Following ransom threats, the purported Medibank hackers published the personal medical information of 100 people – separated between “naughty” and “nice” categories. The “naughty” are those with medical histories some may find embarrassing – including drug dependencies and mental health conditions – while others whose medical histories the hackers decided were more prosaic were deemed “nice”.
Then things turned even nastier, with the hackers claiming to have released a data file called abortions.csv. Then came boozy.csv.
The Medibank hackers claim they demanded a $US9.7 million ransom not to release stolen customer information.
There is a lot to unpack here.
Firstly, the hackers are weaponising the fear of some of the most vulnerable Medibank customers to try to pressure the health insurer to renege on its promise not to pay any ransom demands. The depravity of this behaviour hardly needs stating.
Secondly, the overtones of moral judgement in the attackers’ actions are unmistakable – creating fear and anxiety over details in those health records.
But, more importantly, this tactic highlights how it’s those in society who are already the most marginalised and vulnerable that have the most to lose when their private information is made public without their consent.
Disability rights advocate Elly Desmarchelier spoke eloquently on ABC TV’s The Drum when she explained how people living with a disability must carefully control exactly what information about their disability they reveal and to whom.
This constant battle, she explained, is necessary to reduce the risk of victimisation and discrimination.
That makes perfect sense, as the ongoing Royal Commission into Violence, Abuse, Neglect and Exploitation of People with Disability has made clear, discrimination against people with disabilities remains all too common in Australia today.
Think of any medical condition or medical treatment that is stigmatised, and you’ll have an excellent guide as to the kinds of people likely to find their name on the Medibank hackers’ “naughty” list.
The truth is that we all rightfully have something to hide. And those who society stigmatises or discriminates against have more to hide than most.
It has been less than four months since the US Supreme Court overturned Roe v Wade, which overnight criminalised abortion for a massive fraction of the US population.
A year ago, few American women would have been comfortable revealing whether they had had an abortion, with good reason given the virulence of the anti-choice movement in the US. For many, that choice now has criminal implications.
In a highly polarised society, there’s good reason to hide that you may have engaged in many legal activities that other people object to. When the line between legal and illegal can shift so quickly, hiding what you have done today lest it be criminalised tomorrow seems only prudent.
That the vulnerable and those already victimised have the most to lose from data breaches is not a new observation.
In the wake of the Optus breach, earlier this year many commented on how it was domestic violence victims, for instance, who might be most at risk for having their address details exposed. This is to say nothing of the dangers that might be posed by an abusive or malicious ex-partner who is able to impersonate you by having your identity document information.
More recently, the Medibank breach has highlighted how children face greater risks from having had their medical histories made public.
For the sake of society’s most vulnerable, we need to recognise that privacy is non-negotiable because breaches of privacy cause real harm.
We need legal mechanisms to allow people to seek compensation when companies breach their privacy, in addition to stronger penalties levied by government regulation. We also need stronger mechanisms to disincentivise the collection of sensitive information by companies and the government.
For instance, penalties for breaches should be scaled – not according to the size of the organisation – but to the volume of sensitive information it has collected.
All of us have secrets worth hiding.
Secrets that we necessarily entrust to corporations and the government as part of life in our modern society. In an age in which we can expect to see more data breaches, privacy laws must keep up.
This article was written by Associate Professor Toby Murray and Dr Suelette Dreyfus of the University of Melbourne. It was published by Pursuit.
Toby is a faculty member of the School of Computing and Information Systems at the University of Melbourne. His research explores the design of more secure computer systems using formal software verification and novel programming languages.
