Surveillance laws driving companies to limit data collection, developers to boost security

Australia's increasing culture of data surveillance is reshaping conversations between software developers and clients working to minimise their data-security risk by implementing stronger security tools in a more user-friendly way, a prominent privacy advocate and developer has observed.

Much of this change has grown out of the government's recent passage of telecommunications data-retention legislation, ThoughtWorks lead technical consultant Tom Sulston told CSO Australia, warning that scope creep was likely to give the collection of personal and private data a significantly broader footprint in the future.

“Data retention will have scope creep written all over it,” he explained. “We're collecting certain pieces of information and not others, but it will be trivial to collect more – and totally trivial to extend the period of retention from 2 years, to 5 years, to 10 years, to indefinitely.”

Given the potential exposure of customer data to such surveillance, Sulston said, it was important that businesses become more circumspect about the data they are collecting about their customers.

That data, after all, must legally be protected under the newly amended Privacy Act 1988, which imposes strict penalties for loss of control over customers' personally identifiable information (PII).

This legislation had created an “increased sense of urgency” around data protection, with ThoughtWorks now engaging with many customers to discuss ways of managing that risk – and of using suitable technology to protect the data itself.

“We're having a lot of conversations with clients about whether they really need to know everything about their customers,” Sulston said.

“You see many services around the world hoovering up vast amounts of personal data. But when you have a responsibility to your customer, you think about why you need to do that. As soon as something is created, it's stored and retained forever and ever.”

Thankfully, he noted, along with the government's increased access to PII had come an official encouragement to use tools providing enhanced security. This came in the form of explicit approval for use of secure, encrypted communications by no less than communications minister Malcolm Turnbull – and that had set the pace for developers to more proactively integrate data-protection security into every aspect of their development.

Sulston, a software delivery consultant by day, joined business and political leaders – including NSA whistleblower Edward Snowden, Greens senator Scott Ludlam, human-rights barrister Julian Burnside and others – to share concerns about the new legislation at this month's Progress 2015 conference and admits that he had previously been “blasé” about the implications of the legislation. “But I'm trying to put things right and help people,” he added.

Turnbull's comments “expose data retention for what it is,” Sulston said. “It's not a security piece of legislation; people who are seeking to do criminal or terrorist acts are already using these things.”

“[The legislation] is about surveillance, and about suppressing legitimate political activity,” he continued, “and that is a huge concern. Developers need to explain to people that they have a human right to privacy and a right to use these tools – and that is endorsed by the minister for communications.”

While appropriate security tools are already available to provide adequate data protection, the challenge has come through integrating these into operational systems in a user-friendly way, Sulston said.

And while developers were already doing a “fairly decent job” in building secure systems, their application to large-scale data collection had proved to be a “weakness” in systems that were often designed and delivered at too low a level for broad usage.

“It's no longer good enough to be a technical tool,” he explained. “Developers of consumer-facing tools and applications have started picking this up in much more anger than previously, and there is a wave of momentum building.”

“Hopefully within a year or so we'll stop talking about secure privacy tools – and just go back to talking about tools. As demand grows, we will get to the point where security is no longer a feature, but a hygiene factor: you'll have to have it in your software or people won't use it.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts