White hat efforts show up Govt’s proposed laws to criminalise research
Australian researchers have laid waste to the Federal Government’s plan to criminalise the decryption of anonymised state data sets, just a day after it was announced, by ‘easily’ cracking government-held medical data.
Federal attorney-general George Brandis yesterday announced that it would accept recommendations from the Senate Select Committee on Health and make it an offence to de-anonymise data
The law would be part of amendments to the Australia’s Privacy Act.
Before the announcement of the new law, University of Melbourne researchers Dr Chris Culnane, Dr Benjamin Rubinstein, and Dr Vanessa Teague discovered dangerous failings in the way the government had protected the service provider ID numbers in a sample set representing 10 percent of claims under the country’s Medicare Benefits Schedule dating from 1984 to 2014.
Dr Vanessa Teague told The Register she did not want to reveal the specific failings of the security controls in place fearing the same subpar defences are used to protect other sensitive data sets published online by the Federal Government.
She says the Government’s amendments to the Privacy Act should be binned.
“The Government should be doing exactly the opposite,” Dr Teague says.
“[It] should be encouraging Australia security researchers to learn and investigate the math, and let the Government know when security vulnerabilities are identified.
“It is the only way to understand failings and the only way to make data more secure.”
It took “a few days” to reveal the identifier numbers using basic PCs, she says.
The protection mechanisms guarding patient identifiers could not be ascertained and therefore broken by the time the work was reported.
Dr Teague says the Federal Government should apply its open data policies to security and allow its controls to be inspected.
She points out the laws could greatly hinder defensive efforts by preventing legitimate research while criminals continue to look for holes in data protect algorithms.
The most common failings in encryption lie in implementation, especially of custom crypto.
It appears some mash of security controls other than encryption was used, however.
Dr Culnane, Dr Rubinstein, and Dr Teague say in a report on their work that their cracking attempts were not decryption, and were only characterised as such to protect the mechanisms the Government used.
The Federal Government notes decryption research and even the encouragement of it will be considered an offence under the pending laws.
“The amendment to the Privacy Act will create a new criminal offence of re-identifying de-identified government data.
It will also be an offence to counsel, procure, facilitate, or encourage anyone to do this, and to publish or communicate any re-identified dataset.”
+Comment: The amendments, as they currently stand, are so mind-bendingly out-of-touch they make your correspondent cry.
There appears no benefit to outlawing decryption research.
It directly undermines the security of the online economy, the internet more broadly, and the processes of open source research which produced the very tried-and-tested encryption tools Vulture South would hope the Government will use to protect citizen data.
The ideology of security-through-obscurity is one of the most agreed upon greatest myths of information security. Using it as a means to protect citizen data highlights gross failings with the Government’s grasp of information security. ®