The federal government has not given up on passing legislation to criminalise the re-identification of Commonwealth datasets but says it is considering amendments in the wake of opposition from security researchers as well as Labor and the Greens.
In September 2016 then-attorney-general George Brandis announced he would introduce a bill to amend the Privacy Act to create a new criminal offence of re-identifying ostensibly de-identified government datasets released as part of open data programs.
The government, Brandis said, would make it a crime “to counsel, procure, facilitate, or encourage anyone to do this, and to publish or communicate any re-identified dataset.” Unusually, the legislation would be retrospective to 29 September 2016, the date of Brandis’ announcement.
The reason for the sudden announcement quickly became clear when Melbourne University researchers revealed that a trove of data released by the Department of Health had not been properly anonymised:
The researchers were able to re-identify a range of the data, which included Medicare data dating from 1984 to 2014 and PBS data from 2003 to 2014.
The Privacy Amendment (Re-identification Offence) Bill 2016, unveiled in October 2016, “responds to a gap identified in privacy legislation about the handling of de-identified personal information,” a spokesperson from the Attorney-General’s Department told Computerworld.
As it stands, the bill could see people who re-identify government datasets lumped with a two-year jail sentence.
“The bill strengthens protections for individual privacy by making it an offence to deliberately re-identify publicly released, de-identified government information, while also ensuring that exemptions for research will be available to allow legitimate analysis of de-identified government datasets and de-identification techniques to continue,” the spokesperson said.
However, despite a number of exemptions contained in the bill, concerns have been raised over the potential chilling effect on cyber security research.
Among critics have been the researchers who originally identified the vulnerabilities in the Department of Health’s de-identification process. In a submission to a Senate inquiry scrutinising the bill they warned that the legislation “could inhibit open investigation, which could mean that fewer Australian security researchers find problems and notify the government”.
The bill contains a number of categories of exemption: Government agencies, service providers to government agencies, and organisations operating under an agreement with a government entity are exempt from its provisions, providing the act of re-identification is conducted in conjunction with an agency’s functions or the act was part of meeting the obligations of a government contract or the terms of a government agreement.
However, for non-government researchers the situation is not clear cut — instead it is left to ministerial discretion to exempt an individual or organisation or class of organisations.
The bill currently allows the minister to determine that “an entity, or an entity included in a class of entities” may be exempted from the re-identification provisions for “research involving cryptology”, “research involving information security”, “research involving data analysis”, or for any other purpose that the minister considers appropriate.
“Researchers might well be left in the ridiculous situation of being unable to tell the government what they had discovered during the time that they thought the investigation was legal, for fear of going to jail over a misunderstanding,” the Melbourne University researchers — Chris Culnane, Benjamin Rubinstein and Vanessa Teague — warned in their submission to the inquiry.
“Criminalizing re-identification without a clear and explicit exemption for research or a defence on the grounds of public interest will be bad for privacy and information security,” the researchers said. “It will make the government far less likely to learn about a problem before criminals and foreign governments do.”
The report of the Senate Legal and Constitutional Affairs Legislation Committee’s inquiry endorsed the bill. However, in a dissenting report Labor and Greens senators recommended the bill should not be passed — making its passage through the Senate unlikely.
The bill “adopts a punitive approach towards information security researchers and research conducted in the public interest,” the dissenting report states. The proposed legislation “penalises public interest research and discourages open investigation and discussion of potential issues relating to information security”.
In addition to the impact on research, concerns were raised during the inquiry about the reversal of the onus of proof — an individual or organisation would have to prove that a particular exemption applied — as well as the retrospective nature of the legislation.
The committee majority’s report argued that researchers “employed by States and Territories (which includes most universities)” did not fall within the scope of the Privacy Act.
However, the government said that it is currently considering amendments to the bill to “respond to concerns raised in the Senate Legal and Constitutional Affairs Legislation Committee’s report on the bill.”
The bill is before the Senate and the Attorney-General’s Department spokesperson said that the government “will bring it on for debate when the government’s legislative priorities permit,” but did not commit to a specific timeframe when questioned.
A more immediate priority of the government — and one that has already raised concerns among many of the same circles worried about the proposed Privacy Act changes — is legislation that is intended to help police and national security agencies counter the impact of the use by criminals of encrypted communications services.
The government is planning to introduce the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill in the spring sittings of parliament — which began yesterday. Although the government for quite some time has foreshadowed the introduction of the bill, details of how the proposed legislation will function remain scant.
The bill will “implement measures to address the impact of encrypted communications and devices on national security and law enforcement investigations,” a government document released last week states. “The bill provides a framework for agencies to work with the private sector so that law enforcement can adapt to the increasingly complex online environment.”