Explainer: what is differential privacy and how can it protect your data?

Posted on March 25, 2018 by admin

Explainer: what is differential privacy and how can it protect your data?

 

File 20180315 104639 1i36gmq.jpg?ixlib=rb 1.1

Tech companies can use differential privacy to collect and share aggregate data about user habits, while maintaining individual privacy.
Tim Snell/Flickr, CC BY-ND

 

Tianqing Zhu, Deakin University

It’s no secret that big tech companies like Facebook, Google, Apple and Amazon are increasingly infiltrating our personal and social interactions to collect vast amounts of data on us every day. At the same time, privacy violations in cyberspace regularly make front page news.

So how should privacy be protected in a world where data is gathered and shared with increasing speed and ingenuity?

Differential privacy is a new model of cyber security that proponents claim can protect personal data far better than traditional methods.

The maths it is based on was developed 10 years ago, and the method has been adopted by Apple and Google in recent years.



Read more:
How websites watch your every move and ignore privacy settings

What is differential privacy?

Differential privacy makes it possible for tech companies to collect and share aggregate information about user habits, while maintaining the privacy of individual users.

For example, say you wanted to show the most popular routes people take walking through a park. You track the routes of 100 people who regularly walk through the park, and whether they walk on the path or through the grass.

 

Marco Verch/Flickr, CC BY

 

But instead of sharing the specific people taking each route, you share the aggregate data collected over time. People viewing your results might know that 60 out of 100 people prefer to take a short-cut through the grass, but not which 60 people.

Why do we need it?

Many of the world’s governments have strict policies about how tech companies collect and share user data. Companies who do not follow the rules can face huge fines. A Belgian court recently ordered Facebook to stop collecting data on users’ browsing habits on external websites, or face fines of €250,000 a day.

For many companies, especially multinationals operating in different jurisdictions, this leaves them in a delicate position when it comes to the collection and use of customer data.

On the one hand, these companies need users’ data so they can provide high-quality services that benefit users, such as personalised recommendations. On the other hand, they may face charges if they collect too much user data, or if they try to move data from one jurisdiction to another.

Traditional privacy-preserving tools such as cryptography can’t resolve this dilemma since it prevents tech companies from accessing the data at all. And anonymity reduces the value of data – an algorithm can’t serve you personalised recommendations if it doesn’t know what your habits are.

How does it work?

Let’s continue the example of walking routes through a park. If you know the identities of those included in the study, but you don’t know who took which route then you might assume that privacy is protected. But that may not be the case.

Say someone viewing your data wants to ascertain if Bob prefers to walk through the grass or on the path. They have obtained background information about the other 99 people in the study, which tells them that 40 people prefer to walk on the path and 59 prefer to walk through the grass. Therefore, they can deduce that Bob, who is the 100th person in the database, is the 60th person who prefers to walk through the grass.

This type of attack is a called a differentiated attack, and it is quite hard to defend against as you cannot control how much background knowledge someone can obtain. Differential privacy aims to defend against this type of attack.

Someone deducing your walking route might not sound too serious, but if you replace walking routes with HIV test results, then you can see there is potential for a serious invasion of privacy.

The differential privacy model guarantees that even if someone has complete information about 99 of 100 people in a data set, they still cannot deduce the information about the final person.



Read more:
Why you might want to think twice about surrendering online privacy for the sake of convenience

The primary mechanism to achieve that is to add random noise to the aggregate data. In the path example, you may say the number of people who prefer to cross the grass is 59 or 61, rather than exact number of 60. The inaccurate number can preserve the privacy of Bob, but it will have very little impact on the pattern: around 60% people prefer to take a short-cut.

 

Apple emojis.

 

 

The noise is carefully designed. When Apple employed differential privacy in iOS 10, it added noise to individual user inputs. That means it can track, for example, the most frequently used emojis, but the emoji usage of any individual user is masked.

Cynthia Dwork, the inventor of the differential privacy, has proposed wonderful mathematical proofs on how much noise is enough to achieve the requirement of differential privacy.

What are its practical applications?

Differential privacy can be applied to everything from recommendation systems to location-based services and social networks. Apple uses differential privacy to gather anonymous usage insights from devices like iPhones, iPads and Macs. The method is user-friendly, and legally in the clear.



Read more:
You may be sick of worrying about online privacy, but ‘surveillance apathy’ is also a problem

Differential privacy would also allow a company like Amazon access your personalised shopping preferences while hiding sensitive information about your historical purchase list. Facebook could use it to collect behavioural data for targeted advertising, without violating a country’s privacy policies.

How could it be used in the future?

Different countries have varying privacy policies, and sensitive documents currently have to be manually checked before they move from one country to another. This is time-consuming and expensive.

Recently, a team from Deakin University developed differential privacy technology to automate privacy processes within cloud-sharing communities across countries.

The ConversationThey propose using mathematical formulas to model the privacy laws of each country that could be translated to “middleware” (software) to ensure the data conforms. Employing differential privacy in this way could protect the privacy of users and resolve a data sharing headache for tech companies.

Tianqing Zhu, Lecturer in Cyber Security, Faculty of Science, Engineering & Built Environment, Deakin University

This article was originally published on The Conversation. Read the original article.

Posted in Uncategorized | Leave a comment

What do the new data breach rules mean for SMEs?

Posted on March 22, 2018 by admin

What do the new data breach rules mean for SMEs?

Mathisha Panagoda

Most business leaders are now aware of the new mandatory data breach reporting rules, but understanding what they mean in practice is a very different story.

Data breaches are commonplace in an increasingly digital world and their consequences are about to become significant for thousands of SMEs across Australia.

Here’s what SMEs need to know about the new laws.

What is it?

The new Notifiable Data Breaches (NDB) scheme makes it mandatory for various organisations to notify individuals and the Office of the Australian Information Commissioner (OAIC) when a relevant data breach occurs.

When does the scheme commence?

The NDB scheme came into effect on 22 February 2018, and only applies to eligible data breaches that occur on or after that date.

Who does it apply to?

These new laws will have significant implications for SMEs with turnovers of more than $3 million annually.

Any agency or organisation already subject to the Privacy Act is captured by the new regulations – that means businesses and not-for-profit organisations, health service providers and more.

Those with turnover less than $3 million a year may also be affected if they meet certain criteria, for example if they operate a residential tenancy database, trade in personal information or are employee associations registered or recognised under the Fair Work Act to name a few. The full list of who is covered by the new rules can be found on the OAIC website.

What are the new obligations?

If a relevant SME suspects that an eligible data breach has occurred, it must take reasonable steps to complete an expeditious assessment within 30 days.

If it is determined that an eligible data breach has occurred, the SME must then do the following as soon as practicable:

  1. Prepare a statement containing the SME’s contact details, description of the breach, kinds of information concerned and steps recommended to affected individuals to mitigate any harm;
  2. Alert and provide a copy of the statement to the OAIC via an online form; and
  3. Notify individuals whose personal information is likely to result in serious harm due to the data breach.

What is an eligible data breach?

A breach in which there is unauthorised access, disclosure or loss of personal information held by an entity and that access, disclosure or loss is, from the perspective of a reasonable person, likely (more probable than not) to result in serious harm to any of the individuals to whom the information relates.

A “reasonable person” is a person in the SME’s position who is properly informed as to the data breach and not from the perspective of a person whose personal information was compromised.

Examples may include the hacking of a database containing personal information or personal information that is mistakenly provided to the wrong person.

What if I fail to report?

If an SME fails to report an eligible data breach, then civil penalties as high as $1.8 million can be applied.

Failure to notify affected individuals could also result in complaints to the OAIC.

How often do data breaches really occur?

Data breaches are common and sometimes unavoidable. In 2016, the Red Cross admitted that the personal information of 500,000 Australian blood donors might have been compromised.

It was revealed by Uber that in 2016 the personal information of 57 million customers and drivers had been compromised in a data theft.

How can you prepare your business?

  1. Firstly, determine whether your SME, business or organisation is subject to the NDB scheme.
  2. Check out the Information Commissioner’s Guide to securing personal information. Be aware of how personal information is stored and managed, and take necessary steps to implement adequate security measures.
  3. Have in place a data breach response plan. The OAIC has an excellent guide to help prepare such a plan.
  4. Ensure personnel are trained to understand the NDB scheme, including identifying when a breach has occurred and what the SME’s policies and procedures are.
  5. Seek legal advice at any step along the way to ensure that you are fully aware of your obligations.

Mathisha Panagoda is an associate with Carroll & O’Dea Lawyers.

Original article sourced HERE at MyBusiness.com.au

Posted in Uncategorized | Leave a comment

Hinch’s concerns prompt McDonald’s to revamp hiring policies but experts say SMEs should take care when checking employees’ criminal histories

Posted on March 18, 2018 by admin

Hinch’s concerns prompt McDonald’s to revamp hiring policies but experts say SMEs should take care when checking employees’ criminal histories

Emma Koehn / Thursday, September 15, 2016

Businesses are entitled to ask prospective employees about their criminal pasts, but should be careful when responding to the answers, according to employment law experts.

On Tuesday Victorian senator Derryn Hinch said in a Senate adjournment speech that he had previously urged McDonald’s Australia to implement compulsory criminal background checks to ensure the restaurant chain does not inadvertently hire individuals that had been convicted of child sex offences.

ADVERTISING

In response to Hinch’s concerns, McDonald’s Australia says it took “immediate action” and will amend its background check policies.

“We have made the decision to implement criminal background checks for all adult employees moving forward,” the company told SmartCompany this morning.

“We also have substantial existing protections in place, from hiring policies to ongoing training.”

Australian businesses are entitled to conduct police record checks on prospective employees but employment lawyers warn that SMEs should know how to use the results – and that the answers to questions might cause more problems.

“Employers do need to be conscious that there is spent convictions legislations in every state except Victoria,” employment lawyer Peter Vitale told SmartCompany.

“This means you cannot discriminate against someone for a less serious offence if it happened more than ten years ago.”

While recruiters can require applicants to consent to a criminal record check, asking questions about someone’s criminal record in an interview could cause more problems than it solves.

“You can’t just discriminate against someone on the basis of any record at all – you have to show that it will affect the job,” Vitale says.

“With job interviews, you have to be careful – some of the answers given could give rise to the idea that you have unlawfully discriminated against an applicant.”

This means some offences may not constitute a reason to refuse an applicant work – the offence must be a barrier to the individual performing the job.

“Think hard about what element of the job is affected by the conviction,” says McDonald Murholme principal lawyer Andrew Jewell.

“Try to marry up the crime with it actually being relevant to the job – you can’t just say, ‘they’re a criminal, we don’t want them’.”

“For example, convictions for traffic offences will really only be relevant for those going for driving jobs,” adds Vitale.

Asking about a criminal record in an interview can give an employee a chance to get ahead of any convictions and explain them. Jewell says that legislation in Victoria is more complex on this issue, but all employers should be wary that if they act on a disclosure of criminal history and it is not directly relevant to the role, these answers could play a part in unfair dismissal disputes later.

Employers should also be aware that a police check will not necessarily reveal all history.

“There are things like diversion programs out there and these can be applied to relatively serious crimes,” says Jewell. Where an individual has agreed to a diversion program or other measure to avoid conviction, this will not appear.

Taking a measured approach to interviews and keeping track of what is said may also help to avoid problems later, because while employees are protected from discrimination, they cannot lie about their history when asked.

“Probably this arises most when an employer says ‘we’re bringing in criminal checks’ – they get suspicious when any employees refuse them,” says Jewell.

But if an employee has been dishonest in the past about part or all of their past convictions, businesses can review that staff member’s employment, he says.

Original article found HERE at SmartCompany.com.au

Posted in Uncategorized | Leave a comment

Worker wins compo for being fired after failing to attend work, explaining to boss he’d “been feeling shit bro”

Posted on March 16, 2018 by admin

Worker wins compo for being fired after failing to attend work, explaining to boss he’d “been feeling shit bro”

Emma Koehn / Monday, October 16, 2017

A window and doors installation business that was found to have unfairly dismissed a worker for failing to show up on a job site says it doesn’t know what else it could have done after spending months trying to resolve a tenuous relationship with the employee.

On Friday the Fair Work Commission decided Architectural Project Specialists (APS) was wrong to summarily dismiss one of its installers on May 19 of this year. The employer contacted the worker via voicemail and text message on this date to inform him the business needed a company car and tools returned because “we’re moving on”.

The Commission heard the decision to dismiss the worker was made after he failed to attend work on May 17 and didn’t let the business know about his absence.

The employee told the Commission he had been struck down with food poisoning between May 17 and 19 and this was the reason for his non-attendance, and the company’s managing director said he received a text message from the worker on the the morning of May 18 that read: “Been feeling shit bro not going to make it. Sorry.”

The company says it had previously warned the worker about poor attendance “a hundred times”, and on May 19, after checking in with the employee to ask whether he was going to return to work but not receiving a response, the company sent notification that he was no longer employed by the business.

Fair Work Commission deputy president Susan Booth decided the worker was covered by the Small Business Fair Dismissal Code, as the business had nine employees at the time of dismissal.

She considered whether the actions of the worker made a summary dismissal appropriate, but found under the circumstances, failing to attend work and not being contactable for 24 hours was not serious enough behaviour for an automatic firing.

Booth observed that while the business said the worker’s non-attendance had been a pattern of behaviour over some time, the company was not able to provide evidence of warnings to the employee or instances where his wages were affected by non-attendance.

“It would have been a simple matter to produce time and wages records to substantiate this contention, however, despite APS being given an opportunity to provide more information to the Commission after the hearing, nothing was provided,” she said.

As a result, the Commission found there was “no valid reason” for the dismissal, which she said was “harsh, unjust and unreasonable and therefore unfair”.

Booth decided reinstatement in the role was inappropriate and will now consider the amount of compensation APS will have to pay the worker.

Speaking to SmartCompany this morning, a spokesperson for APS says the business had done everything it could to support the employee, and is disappointed that despite sending “so many warnings”, the decision to dismiss the worker will lead to the company paying compensation.

“From around the start of this year, we thought, ‘this is not going to work out’,” the spokesperson says.

The business says it will take more care in hiring people in future, with the spokesperson claiming the business spent significant time trying to help the worker in his personal life.

“I don’t know what else we could do. I think you just can’t get personal with these things,” says the spokesperson.

SmartCompany was unable to contact the worker for comment this morning.

Keeping records is key

Rachel Drew, a partner at law firm Holding Redlich, says small businesses often face challenges when giving warnings to staff, because it’s typical for the bulk of their communications to be done in person, rather than through formal human resources channels.

“It is more common for warnings and discussions to be had very informally,” she says.

“But when it comes to the Commission, and providing evidence around communications to do with performance, the employer needs to be able to show concrete evidence.”

If an employer in a small business finds they need to communicate a warning to a staff member about an issue like attendance, emails are your best bet, Drew says.

“Emails include proof that they have been sent as they are marked with the date and time,” she advises.

“Text messages are also okay, but worst case scenario, a business should still be keeping a calendar record that says, ‘we had a conversation [with a worker] about this issue, on this date’.”

Drew reminds businesses that no matter the size of the company, summary dismissals are reserved for the most serious conduct breaches, like fraud, theft or assault in the workplace.

When it comes to absences from work, Drew says previous decisions from the Fair Work Commission suggest an employer must inform a worker that their non-attendance could result in termination before they actually take this step.

“It is a very difficult scenario, but you do have to make sure that absent employee is aware and that they appreciate you are considering a termination,” she says.

Original article found HERE at SmartCompany.com.au

Posted in Uncategorized | Leave a comment

More than 20,000 workers have made anonymous tip-offs about their employers to the Fair Work Ombudsman since 2016

Posted on March 13, 2018 by admin

More than 20,000 workers have made anonymous tip-offs about their employers to the Fair Work Ombudsman since 2016

Caleb Triscari / Friday, February 23, 2018

Small businesses have been put on notice to obey their obligations to staff, with the Fair Work Ombudsman revealing over 20,000 anonymous tip-off claims have been made about dodgy workplaces over the past 18 months.

Since being launched in 2016, the anonymous tip-off service has been providing information to the ombudsman’s office about where to focus its resources and have the most likelihood on cracking down on non-compliant businesses.

Of the complaints, 10,000 were received within the first 11 months of the program’s launch. That number doubled to 20,000 in the following eight months, indicating an increase in the program’s use.

The tip-off service was updated in July to allow workers to report to the Fair Work Ombudsman (FWO) in 16 languages. Nearly 800 tip-offs have been made in a language other than English, the majority of them in Chinese and Korean.

Hospitality businesses made up 36% of all tip-offs, with complaints in the retail industry the next most-reported.

In a statement, Fair Work Ombudsman Natalie James said the anonymous reporting tool provides workers the ability to report potential workplace breaches without the risk of backlash from employers.

“We always urge employees to come forward if they have concerns in the workplace, but we appreciate that it can be a hard thing to do,” said James.

“With our anonymous report tool, workers can come to us and tell us what is happening now without the risk of being identified.”

When contacted by SmartCompany, a spokesperson for the Fair Work Ombudsman declined to reveal how many businesses have been investigated as a result of the tip-off service, but said each tip-off is examined.

“Tip offs have led to both audits of specific businesses as well as broader campaigns targeting specific regions, locations and/or industries, securing positive outcomes for workers,” the spokesperson said.

Original article found HERE at SmartCompany.com.au

Posted in Uncategorized | Leave a comment