As a hostage in the Medibank hack, here is my list of demands
2 years ago
So, the hackers have pulled the trigger, releasing the personal and health details of thousands of Medibank private customers, possibly including my own.
The health insurer has followed the government’s strong advice not to negotiate, and I’ve watched enough James Bond movies to understand the logic of that approach.
I have a list of five demands which must be met.
Personally, I’m not bothered whether I make my way onto the “good” or “naughty” list, but I do worry about those for whom the exposure of information could be distressing, or worse, dangerous. No one wants to create a seller’s market in hacked data, but we do need to recognise the cost that some of the victims will pay in standing up to the hackers.
So before we close the book on this hack and move on, as one of the hostages, I want to table my own list of demands to those we elect to protect us:
Increase the penalties for breaches of privacy now. Of course, the government is moving fast to strengthen the gates after the data stallion has bolted. Businesses need to factor the cost of poor data handling into their business operations, and significant increases in the size of penalties are welcome.
Fund the data police. Stronger penalties only move the needle when we have an authority with the resources to enforce the rules. Currently, the Office of the Australian Information Commissioner is less a crack enforcement team and more a cracked filing cabinet where complaints go to die.
Update our ageing and impotent privacy laws. Australian privacy laws have not had a significant redux in four decades; that’s before the internet really became a thing. We lag behind Europe and the US by not even recognising the scope of data collection and the myriad ways it can be used. A review of the privacy law is working its way through government, but these breaches need to turbocharge that passage, with reforms no later than early next year. Bipartisan support for broadening definitions for what our personal information is, requiring meaningful consent for its collection, removing exemptions that feed many businesses including, bizarrely, real estate agents, from data privacy are no longer tenable. We also need to create concrete rights for citizens to assert their right of privacy through the courts.
Press pause on facial recognition technology. This invasive industry is developing way ahead of our understanding of its impact, and we need guardrails and red lines that place the onus on developers to show no damage other than assuming they are working on a blank page. Former Human Rights Commissioner Ed Santow’s model to place a model law on FRT until these protections are in place must be acted on immediately.
Make platforms owned by billionaires responsible for the impact of their product. Around the world, we see how the models of surveillance capitalism are tearing democracies apart and pitting citizens against each other. These platforms are loaded weapons and their owners need to take greater responsibility.
We know that governments are great at acting after the event, particularly when the public has been damaged. Indeed, the first decade of the 21st century was profoundly shaped by governments expanding their powers over technology to deal with the threat of ideologically based terrorism.
Ironically, this move into monitoring web traffic and metadata provided the business template that has driven the rise of the major platforms where our behaviour is monitored, rendered, and repurposed.