Surveillance laws driving companies to limit data collection, developers to boost security

Australia's increasing culture of data surveillance is reshaping conversations between software developers and clients working to minimise their data-security risk by implementing stronger security tools in a more user-friendly way, a prominent privacy advocate and developer has observed.

Much of this change has grown out of the government's recent passage of elecommunications data-retention legislation, ThoughtWorks lead technical consultant Tom Sulston told CSO Australia, who warned that scope creep was likely to see a significantly broader footprint for collection of personal and private data in the future.

“Data retention will have scope creep written all over it,” he explained. “We're collecting certain pieces of information and not others, but it will be trivial to collect more – and totally trivial to extend the period of retention from 2 years, to 5 years, to 10 years, to indefinitely.”

Given the potential exposure of customer data to such surveillance, Sulston said, it was important that businesses become more circumspect about the data they are collecting about their customers.

That data, after all, must legally be protected under newly amended Privacy Act 1988, which imposes strict penalties for loss of control over customers' personally identifiable information (PII).

This legislation had created an “increased sense of urgency” around data protection, with ThoughtWorks now engaging with many customers to discuss ways of managing that risk – and using suitable technology to protect it.

“We're having a lot of conversations with clients about whether they really need to know everything about their customers,” Sulston said.

“You see many services around the world hoovering up vast amounts of personal data. But when you have a responsibility to your customer, you think about why you need to do that. As soon as something is created, it's stored and retained forever and ever.”

Thankfully, he noted, along with the government's increased access to PII had come an official encouragement to use tools providing enhanced security. This came in the form of explicit approval for use of secure, encrypted communications by no less than communications minister Malcolm Turnbull – and that had set the pace for developers to more proactively integrate data-protection security into every aspect of their development.

Sulston, a software delivery consultant by day, joined business and political leaders – including NSA whistleblower Edward Snowden, Greens senator Scott Ludlam, human-rights barrister Julian Burnside and others – to share concerns about the new legislation at this month's Progress 2015 conference and admits that he had previously been “blasé” about the implications of the legislation. “But I'm trying to put things right and help people,” he added.

Turnbull's comments “expose data retention for what it is,” Sulston said. “It's not a security piece of legislation; people who are seeking to do criminal or terrorist acts are already using these things.”

“[The legislation] is about surveillance, and about suppressing legitimate political activity,” he continued, “and that is a huge concern. Developers need to explain to people that they have a human right to privacy and a right to use these tools – and that is endorsed by the minister for communications.”

While appropriate security tools are already available to provide adequate data protection, the challenge has come through integrating these into operational systems in a user-friendly way, Sulston said.

And while developers were already doing a “fairly decent job” in building secure systems, their application to large-scale data collection had proved to be a “weakness” in systems that were often designed and delivered at too low a level for broad usage.

“It's no longer good enough to be a technical tool,” he explained. “Developers of consumer-facing tools and applications have started picking this up in much more anger than previously, and there is a wave of momentum building.”

“Hopefully within a year or so we'll stop talking about secure privacy tools – and just go back to talking about tools. As demand grows, we will get to the point where security is no longer a feature, but a hygiene factor: you'll have to have it in your software or people won't use it.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Read more: The week in security: Android apps collecting your location data, home routers hit by drive-by malware

Feeling social? Follow us on Twitter and LinkedIn Now!

Tags Malcolm Turnbulldata collectionThoughtWorksPrivacy Act 1988personally identifiable information (PII)data-retentionTom SulstonSurveillance laws

Show Comments