Does the Optus data breach spell the end for paper ID checks?


In Optus’ case, it was required by Australian law to collect this data, to make sure the people accessing telecommunications services are who they say they are. It was also required by law to keep the data for a certain time. Other companies, such as financial institutions, are bound by similar rules that mandate they hang on to customer data.

Gledhill-Tucker says there is also plenty of encouragement from law enforcement agencies, which rely on companies like Optus retaining as much data as possible, and many organizations have built business models that hinge on leveraging data, even if it is dangerous to retain.

“At the moment, there is so little counterbalance to surveillance capitalism — this rampant data capture and storage with very little regard to how that data is handled. There’s so little legislation to act as a counterbalance to the capitalistic benefit that organizations get from data,” she says.

“Australia at the moment is quite behind the times when it comes to effectively regulating corporations to make sure that they do the right thing.”

Last week, Attorney-General Mark Dreyfus said there was frequently no reason for companies to hang onto data used for identification purposes, even though the Privacy Act could be interpreted as saying they should.

“We are all familiar with the 100-point ID check. If a company says ‘we need to see your driver’s license’ or ‘we need to see your passport number’, that is for the purpose of establishing that you are who you say you are. But that should be the end, one might think, of the company keeping all that data,” he says.

“We will be having a look at whether or not companies should be permitted to go on keeping data when the purpose of collecting it in the first place may well have been no more than establishing someone’s identity … We need to have them understand that Australians’ personal information belongs to Australians. It’s not to be misused, it absolutely has to be protected, and if the Privacy Act is not getting us those results, then we need to look at reforms to the Privacy Act.”

The 100-point identification check was instituted in 1988, long before anyone could have imagined a remote data breach of the kind seen at Optus.

On Thursday, the federal government announced changes to the Telecommunications Act that would allow companies mandated to store personal ID information to share it with financial institutions in the case of a data breach. This would mean, for example, a bank would get a list of exposed credentials, helping it block any attempts to use the stolen information to take out credit or a loan.

While this could mitigate the damage caused by a breach, the changes don’t address the core problem of companies needing to collect the data in the first place. And it would not help ease the distress when one is forced to prove their identity by allowing someone to photocopy their driver’s license.


Over time, the 100-point check will be phased out and replaced by a digital system. In fact, such a system already exists. The Australian Digital Identity system already lets you prove your identity to a service provider, like MyGov or Australia Post, using your documents, and it can pass that verification on to other organizations on demand using things like facial recognition and QR codes. That way, the organization knows you are who you say you are, without needing to see or take a copy of your original documents.

The system is still new and has some hurdles to overcome. Obviously, it needs to be taken up by every business that wants to see your ID, and it also needs mitigations in place for when service providers are inevitably targeted by criminals. But in the meantime, some version of the technology could at least help prevent some of the most dangerous breaches.

“At the very least, an organization like Optus should be able to receive your identity documents, verify that they’re correct, and keep a log of that verification rather than a log of the documents themselves,” says Gledhill-Tucker.

“That, to me, would be a privacy-preserving framework, rather than just keeping large amounts of sensitive data on every customer you’ve ever had.”
