29 June 2013

Land Registers, Privacy and the FIRB

The Australian parliamentary Rural & Regional Affairs & Transport References Committee has released its 174 page report on the foreign investment review regime, centred on the Foreign Investment Review Board (FIRB) 'national interest' test and reflecting anxieties about overseas ownership of Australian rural land.

Those anxieties have been evident in calls, for example, for a comprehensive publicly-accessible national land register and populist treatment of agribusiness statistics such as
  • 1.6% ($2.33bn) of foreign direct investment approvals in 2009/10 were in agriculture, forestry and fishing. 
  • half of the 23 licensed wheat exporters in Australia are foreign owned and since 2008 (with deregulation of wheat export arrangements) there has been an increased foreign investment interest in grain bulk handlers and exporters, e.g. Viterra (Canadian) acquiring ABB Grain and Cargill (US) now owning AWB Ltd. 
  • since 2000 (with deregulation of the diary industry) about half of Australian milk production is processed by foreign owned firms (e.g. Fonterra (NZ), Lion (Japan), and Parmalat (France)). 
  • three foreign owned milling groups make up almost 60% of Australia's raw sugar production (the foreign companies involved in sugar refining are Finasure (Belgium), Wilmar (Malaysia, Singapore) and COFCO (China, state owned).
  • around 40% of Australian red meat production is processed by foreign owned firms (based on throughput)
The Foreign Investment and the National Interest report is interest to UC students grappling with questions of access to public and private information, given disagreements about 'who owns what' (and 'how can we tell').

The regime under which foreign interests can invest in Australian businesses and acquire Australian real estate involves the Foreign Acquisitions and Takeovers Act 1975 (Cth) and Foreign Acquisitions and Takeovers Regulations 1989 (Cth), Australia’s Foreign Investment Policy (AFIP) and the Foreign Investment Review Board . The AFIP indicates that 'direct investment' in an enterprise or real estate by a 'foreign government investor' is subject to review by the FIRB. That investor might be a sovereign wealth fund or a state-owned enterprise, with direct investment representing 'investment of an interest of 10 per cent or more', subject to consideration of a stake under 10% where the foreign government investor is "building a strategic stake in the target, or can use that investment to influence or control the target".

Examination by the FIRB centres on whether the proposed investment "will be contrary to the national interest", a notion that is not statutorily defined and instead reflects assessment in relation to
  • national security; 
  • competition; 
  • impact on the economy and community; 
  • Australian government policies such as tax; and 
  • the character of the investor.
The report features 29 recommendations, offering something for almost everyone. The Committee criticised "a lack of transparency" regarding the FIRB national interest test and "information gaps" regarding the type and scale of foreign investment. The report calls for improved access by agricultural businesses to domestic finance, an Independent Commission of Audit into Agribusiness, “an independent and wide-ranging review of Australia's foreign investment regulatory framework” (including strengthening the national interest test) and a national agricultural land register.

In relation to agribusiness investment, the Committee calls for action to ensure that foreign investments in Australian agriculture are
  • genuinely commercial,
  • compete fairly with Australian agribusinesses and
  • do not distort the capital market or trade in agricultural products.
In its fifth recommendation the committee recommends that the Australian Bureau of Statistics not conduct future ABS agricultural surveys on foreign investment, as "the national register for foreign ownership of agricultural land should be the primary mechanism for collecting and publishing information about foreign investment in Australian agriculture".

The report comments that
The most promising development from the government to address the information gaps in foreign investment in agricultural assets was the commitment to, following consultation with stakeholders, establish a national register of foreign ownership of agricultural land. The committee strongly supports its establishment, based on the overwhelming evidence received through submissions and witnesses.
It goes on to state
In November 2012, a discussion paper for public consultation was released by the Treasury [noted in a post here]. The paper sought submissions on the following issues:
  • The scope of the register in terms of information collected and the definition of relevant terms such as agricultural land; 
  • The use of a threshold to exclude small transactions; 
  • The need for an initial stocktake of foreign investment; 
  • The monitoring of divestments as well as investments; 
  • Australia's international obligations; 
  • Compliance issues, including the timeframe for registration; and 
  • Public access to the information.
Submissions under the Treasury consultation process have closed. Treasury received 33 submissions and all but 6 (which remain confidential) are available on the Treasury website. The committee notes that these submitters indicated broad support for a register and that more information about levels of foreign investment would be beneficial. However, some submitters were also concerned about cost, administrative burden, privacy issues and potential disincentives to foreign investment. There were also varying views on the extent to which the information should be collected and made public.
Committee view
The committee strongly supports the development of the register for foreign ownership of agricultural land. The committee also believes that the register should be as streamlined as possible to avoid unnecessary costs and administrative burdens. Where appropriate, it should protect personal privacy and commercial confidentiality.
However, the committee also believes that if established properly, the register will not cause a disincentive to legitimate and commercially orientated foreign investment. Consistent with the issues outlined above regarding the agricultural survey and in later chapters regarding the definition of 'rural land' in the FATA, and the importance of transparent management of water entitlements, the committee recommends that the register incorporate the following recommendations.
Finally, the committee is mindful of the significant lack of information regarding foreign investment in agriculture (discussed in this chapter). The committee also considers that in addition to improving the knowledge of current circumstances, modelling of future circumstances is needed to inform the public debate. To this end, the committee considers that it is essential that the public is provided with modelling that shows the possible costs to the agricultural industry should current arrangements (including current regulation and barriers to domestic investment) regarding foreign investment in Australian agriculture remain unchanged. 
In response the Committee makes several recommendations -
R6  The committee recommends that when establishing the agricultural land register, the government conduct an initial stocktake of foreign ownership of agricultural land, agribusiness and water entitlements. In addition to numbers of businesses, land size and volume of water entitlements, the value of foreign investment acquisitions should be captured. The initial stocktake should be comprehensive, as far as possible consistent across states, and take into account complex company structures including foreign trusts, "shell companies", ownership of agricultural assets by foreign mining companies, and debt structuring and ultimate liability.
Furthermore, on the basis of this initial stocktake, the government should commission independent modelling of the level of foreign investment in Australian agriculture in 20 years' time if current trends and regulatory arrangements are assumed to remain. The modelling should also include estimated costs to the industry over the same period based on current constraints to domestic capital investment in Australian agriculture. Finally, the modelling should have regard to the future opportunities provided by the growing global food task over this period.
R7  The committee recommends that the ongoing information collected in the register include the information that the committee recommended be included as part of the stocktake of foreign ownership (as per recommendation 6).
R8 The committee recommends that the register include divestments as well as investments. This will ensure that the information from the register remains current and can reflect changes over time.
R9 The committee recommends that participation in the register be a legal requirement for foreign investors and that appropriate mechanisms for compliance apply in cases where such participation is avoided.
R10 The committee recommends that the register not use the current definition of 'rural land' in the FATA. Instead the definition adopted should be that which results from the update of 'rural land' as per recommendation 25. This would maintain consistency with the regulatory framework for foreign investment in Australian agriculture.
R11 The committee recommends that there be no minimum threshold for reporting and that all foreign investment should be captured in the agricultural land register. However, this data should be collected in a manner that can clearly delineate foreign investments in terms of value and business size. 3
Although the committee is mindful of privacy and the need for business transactions to be protected by certain levels of commercial confidentiality, it also considers that the information collected be as accessible to public and parliamentary scrutiny as possible. In general, the committee considers that the public debate on this issue will benefit greatly with the availability of significantly more information about the levels and nature of foreign investment in agriculture.
R12 The committee recommends that the register's data be held in a manner that is centralised and can provide comprehensive information about all foreign ownership that is recorded.
R13 The committee recommends that levels and trends of foreign ownership of land, agribusiness and water entitlements should be published annually by the national register for foreign ownership of agricultural land. Aggregate level data about the respective value and level of interest of foreign government investors and private foreign companies should be included. The data should also be made available in categories such as state, sub-industry (ANZSIC levels), water catchment areas, and local shires.
R14 The committee recommends that country of origin of all foreign government investors and specific foreign government investments should be published annually by the national register for foreign ownership of agricultural land.
R15  The committee recommends that, in order to prevent possible disincentives for foreign investment, the country of origin details for private foreign companies should be published by the national register for foreign ownership of agricultural land at aggregate levels only. However, country of origin details for specific private foreign investments should be made available to parliamentarians, parliamentary committees, and any relevant government agency upon request.

28 June 2013

FTC Reclaim Your Name initiative

From the 'Reclaim Your Name' speech [PDF] by US Federal Trade Commissioner Julie Brill at the 23rd Computers Freedom and Privacy conference -
Many consumers have been loath to examine too closely the price we pay, in terms of forfeiting control of our personal data, for all the convenience, communication, and fun of a free-ranging and mostly free cyberspace. We are vaguely aware that cookies attach to us wherever we go, tracking our every click and view. We tell Trip Advisor our travel plans, open our calendars to Google Now, and post our birthdays on Facebook. We broadcast pictures of our newborns on Instagram; ask questions about intimate medical conditions on WebMD; and inform diet sites what we ate that day and how long we spent at the gym. Google Maps, Twitter and Four Square know where we are. Uber, Capital BikeShare, and Metro’s trip planner know where we’re going and how we plan to get there.
We spew data every minute we walk the street, park our cars, or enter a building – the ubiquitous CCTV and security cameras blinking prettily in the background – every time we go online, use a mobile device, or hand a credit card to a merchant who is online or on mobile. We spend most of our days, and a good deal of our nights, surfing the web, tapping at apps, or powering on our smart phones, constantly adding to the already bursting veins from which data miners are pulling pure gold. That’s where the “big” in “big data” comes from.
We send our digital information out into cyberspace and get back access to the magic of our wired lives. We sense this, but it took Snowden to make concrete what exactly the exchange means – that firms or governments or individuals, without our knowledge or consent, and often in surprising ways, may amass private information about us to use in a manner we don’t expect or understand and to which we have not explicitly agreed.
It is disconcerting to face how much of our privacy we have already forfeited. But with that knowledge comes power – the power to review, this time with eyes wide open, what privacy means – or should mean – in the age of the Internet. I believe that’s what President Obama meant last week when he called for a “national conversation…about the general problem of these big data sets because this is not going to be restricted to government entities.”
I’d like to pose two questions that are key to getting this conversation going, and then spend some time today trying to answer them. First, what are the major challenges to privacy posed by big data, particularly in its use in the commercial arena? And second, what steps can we take to meet these challenges? ....
We are awash in data. Estimates are that 1.8 trillion gigabytes of data were created in the year 2011 alone – that’s the equivalent of every U.S. citizen writing 3 tweets per minute for almost 27,000 years. Ninety percent of the world’s data, from the beginning of time until now, has been generated over the past two years, and it is estimated that that total will double every two years from now on. As the costs of storing data plummet and massive computing power becomes widely available, crunching large data sets is no longer the sole purview of gigantic companies or research labs. As Schonberger-Mayer and Cukier write, big data has become democratized.
First Challenge: the Fair Credit Reporting Act
This astounding spread of big data gives birth to its first big challenge: how to educate the growing and highly decentralized community of big data purveyors about the rules already in place governing the ways certain kinds of data can be used. For instance, under the Fair Credit Reporting Act, or “FCRA,” entities collecting information across multiple sources and providing it to those making employment, credit, insurance and housing decisions must do so in a manner that ensures the information is as accurate as possible and used for appropriate purposes.
The Federal Trade Commission has warned marketers of mobile background and criminal screening apps that their products and services may come under the FCRA, requiring them to give consumers notice, access, and correction rights. We’ve also entered into consent decrees that allow us to monitor the activities of other apps and online services that have similarly wandered into FCRA territory. But while we are working hard to educate online service providers and app developers about the rules surrounding collecting and using information for employment, credit, housing, and insurance decisions, it is difficult to reach all of those who may be – perhaps unwittingly – engaged in activities that fall into this category.
Further, there are those who are collecting and using information in ways that fall right on —or just beyond —the boundaries of FCRA and other laws. Take for example the new-fangled lending institutions that forgo traditional credit reports in favor of their own big-data-driven analyses culled from social networks and other online sources. Or eBureau, which prepares rankings of potential customers that look like credit scores on steroids. The New York Times describes this company as analyzing disparate data points, from “occupation, salary and home value to spending on luxury goods or pet food, … with algorithms that their creators say accurately predict spending.” These “e-scores” are marketed to businesses, which use them to decide to whom they will offer their goods and services and on what terms. It can be argued that e-scores don’t yet fall under FCRA because they are used for marketing and not for determinations on ultimate eligibility. But what happens if lenders and other financial service providers do away with their phone banks and storefronts and market their loans and other financial products largely or entirely online? Then, the only offers consumers will see may be those tailored based on their e-scores. ...
Second Challenge: Transparency
The second big challenge to big data is transparency. Consumers don’t know much about either the more traditional credit reporting agencies and data brokers or the newer entrants into the big data space. In fact, most consumers have no idea who is engaged in big data predictive analysis.
To their credit, some data brokers allow consumers to access some of the information in their dossiers, approve their use for marketing purposes, and correct the information for eligibility determinations. In the past, however, even well-educated consumers have had difficulty obtaining meaningful information about what the data brokers know about them. Just yesterday, “the big daddy of all data brokers”, Acxiom, announced that it plans to open its dossiers so that consumers can see the information the company holds about them. This is a welcome step. But since most consumers have no way of knowing who these data brokers are, let alone finding the tools the companies provide, the reality is that current access and correction rights provide only the illusion of transparency.
Third Challenge: Notice and Choice
A third challenge involves those aspects of big data to which the FCRA is irrelevant – circumstances in which data is collected and used for determinations unrelated to credit, employment, housing, and insurance, or other eligibility decisions. We need to consider these cases within the frameworks of the Federal Trade Commission Act, the OECD’s Fair Information Privacy Principles, and the FTC’s 2012 Privacy Report, for it is within those contexts we can see how big data is testing established privacy principles such as notice and choice. ....
Fourth Challenge: Deidentification
The final big challenge of big data that I would like to discuss is one that I’ve been assured by many of its proponents I shouldn’t strain too hard to solve – that of predictive analytics attaching its findings to individuals. Most data brokers and advertisers will tell you they are working with de-identified information, that is, data stripped of a name and address. And that would be great if we didn’t live in a world where more people know us by our user names than our given ones. Our online tracks are tied to a specific smartphone or laptop through UDIDs, IP addresses, “fingerprinting” and other means. Given how closely our smartphones and laptops are associated with each of us, information linked to specific devices is, for all intents and purposes, linked to individuals.
Furthermore, every day we hear how easy it is to reattach identity to data that has been supposedly scrubbed. In an analysis just published in Scientific Reports, researchers found that they could recognize a specific individual with 95 percent accuracy by looking at only four points of so-called “mobility data” tracked by recording the pings cell phones send to towers when we make calls or send texts. NSF-funded research by Alessandro Acquisti has shown that, using publicly available online data and off-the-shelf facial recognition technology, it is possible to predict – with an alarming level of accuracy – identifying information as private as an individual’s social security number from an anonymous snapshot.
In response Brill says
So let’s turn to some ways to solve the challenges big data poses to meaningful notice and choice as well as transparency. A part of the solution will be for companies to build more privacy protections into their products and services, what we at the FTC call “privacy by design”. We have recommended that companies engage in cradle-to-grave review of consumer data as it flows through their servers, perform risk assessments, and minimize and deidentify data wherever possible. Mayer-Schonberger and Cukier have helpfully called for the creation of “algorithmists” – licensed professionals with ethical responsibilities for an organization’s appropriate handling of consumer data. But the algorithmist will only thrive in an environment that thoroughly embraces “privacy by design,” from the C-suite to the engineers to the programmers.
And unfortunately, even if the private sector embraces privacy by design and we license a cadre of algorithmists, we will not have met the fundamental challenge of big data in the marketplace: that is, consumers’ loss of control of their most private and sensitive information.
Changing the law would help. I support legislation that would require data brokers to provide notice, access, and correction rights to consumers scaled to the sensitivity and use of the data at issue. For example, Congress should require data brokers to give consumers the ability to access their information and correct it when it is used for eligibility determinations, and the ability to opt-out of information used for marketing.
But we can begin to address consumers’ loss of control over their most private and sensitive information even before legislation is enacted. I would suggest we need a comprehensive initiative – one I am calling “Reclaim Your Name.” Reclaim Your Name would give consumers the knowledge and the technological tools to reassert some control over their personal data – to be the ones to decide how much to share, with whom, and for what purpose – to reclaim their names.
Reclaim Your Name would empower the consumer to find out how brokers are collecting and using data; give her access to information that data brokers have amassed about her; allow her to opt-out if she learns a data broker is selling her information for marketing purposes; and provide her the opportunity to correct errors in information used for substantive decisions – like credit, insurance, employment, and other benefits.
Over a year ago, I called on the data broker industry to develop a user-friendly, one-stop online shop to achieve these goals. Over the past several months, I have discussed the proposal with a few leaders in the data broker business, and they have expressed some interest in pursuing ideas to achieve greater transparency. I sincerely hope the entire industry will come to the table to help consumers reclaim their names.
In addition, data brokers that participate in Reclaim Your Name would agree to tailor their data handling and notice and choice tools to the sensitivity of the information at issue. As the data they handle or create becomes more sensitive – relating to health conditions, sexual orientation, and financial condition – the data brokers would provide greater transparency and more robust notice and choice to consumers. The credit reporting industry has to do its part, too. There are simply too many errors in traditional credit reports. The credit bureaus need to develop better tools to help consumers more easily obtain and understand their credit reports so they can correct them. I have asked major credit reporting agencies to improve and streamline consumers’ ability to correct information across multiple credit reporting agencies.


One of the more pernicious myths about sexual affinity is that "all" (or most) LGBT people are 'rich and hip' ... and thereby somehow undeserving of the rights and responsibilities enjoyed by their peers. It is thus refreshing to see 'New Patterns of Poverty in the Lesbian, Gay, and Bisexual Community' [PDF] by M.V. Lee Badgett, Laura E. Durso and Alyssa Schneebaum.

They comment that
As poverty rates for nearly all populations increased during the recession, lesbian, gay, and bisexual (LGB) Americans remained more likely to be poor than heterosexual people. Gender, race, education and geography all influence poverty rates among LGB populations, and children of same-sex couples are particularly vulnerable to poverty.
Yes, not all LGB people are rich, hip and echt californian.

The study draws on data from four datasets to estimate recent poverty rates for US LGB people in all walks of life: same-sex couples (2010 American Community Survey), LGB people aged 18-44 (2006-2010 National Survey of Family Growth), LGB adults in California (2007-2009 California Health Interview Survey) and single LGBT-identified adults (2012 Gallup Daily Tracking Poll).

Key findings include:
  • 7.6% of lesbian couples, compared to 5.7% of married different-sex couples, are in poverty. 
  • African American same-sex couples have poverty rates more than twice the rate of different-sex married African Americans. 
  • One third of lesbian couples and 20.1 % of gay male couples without a high school diploma are in poverty, compared to 18.8% of different-sex married couples. 
  • Lesbian couples who live in rural areas are much more likely to be poor (14.1%), compared to 4.5% of coupled lesbians in large cities. 
  • 10.2% of men in same-sex couples, who live in small metropolitan areas, are poor, compared with only 3.3% of coupled gay men in large metropolitan areas.
  • Almost one in four children living with a male same-sex couple and 19.2% of children living with a female same-sex couple are in poverty, compared to 12.1% of children living with married different-sex couples. African American children in gay male households have the highest poverty rate (52.3%) of any children in any household type. 
  • 14.1% of lesbian couples and 7.7% of gay male couples receive food stamps, compared to 6.5% of different-sex married couples.  
  • 2.2% of women in same-sex couples receive government cash assistance, compared to .8% of women in different sex couples; 1.2% of men in same-sex couples, compared to 0.6% of men in different-sex couples, receive cash assistance.

Surveillance Harms

'Addressing the Harm of Total Surveillance: A Reply to Professor Neil Richards' by Danielle Citron and David Gray in (2013) 126 Harvard Law Review Forum 262 comments
In his insightful article [PDF], "The Dangers of Surveillance," 126 Harvard Law Review 1934 (2013), Neil Richards offers a framework for evaluating the implications of government surveillance programs that is centered on protecting "intellectual privacy." Although we share his interest in recognizing and protecting privacy as a condition of personal and intellectual development, we worry in this essay that, as an organizing principle for policy, "intellectual privacy" is too narrow and politically fraught. Drawing on other work; we, therefore, recommend that judges, legislators, and executives focus, instead, on limiting the potential of surveillance technologies to effect programs of broad and indiscriminate surveillance. ...
Although we live in a world of total surveillance, we need not accept its dangers — at least not without a fight. As Richards rightly warns, unconstrained surveillance can be profoundly harmful to intellectual privacy. It would be wrong, however, to conflate symptom and cure. What is most concerning, for us is the rapid adoption of technologies that increasingly facilitate persistent, continuous, and indiscriminate monitoring of our daily lives. Although harms to intellectual privacy are certainly central to our understanding of the interests at stake, it is this specter of a surveillance state that we think ought to be the center of judicial, legislative, and administrative solutions, not the particular intellectual privacy interests of individuals.
The Richards article is noted here.

Citron and Gray state that
The ethos of our age is “the more data, the better.”1 In nearly every sector of our society, information technologies identify, track, analyze, and classify individuals by collecting and aggregating data. Law enforcement, agencies, industry, employers, hospitals, transportation providers, Silicon Valley, and individuals are all engaged in the pervasive collection and analysis of data that ranges from the mundane to the deeply personal.  Rather than being silos, these data gathering and surveillance systems are linked, shared, and integrated. Whether referred to as coveillance, sousveillance, bureaucratic surveillance, “surveillance-industrial complex,” “panvasive searches,” or business intelligence, total-information awareness is the objective. ...
The scope of surveillance capacities continues to grow. Fusion centers and projects like Virtual Alabama may already have access to broadband providers’ deep packet inspection (DPI) technologies, which store and examine consumers’ online activities and communications. This would provide government and private collaborators with a window into online activities, which could then be exploited using data-mining and statistical-analysis tools capable of revealing more about us and our lives than we are willing to share with even intimate family members. More unsettling still is the potential combination of surveillance technologies with neuroanalytics to reveal, predict, and manipulate instinctual behavioral patterns of which we are not even aware.
There can be no doubt that advanced surveillance technologies such as these raise serious privacy concerns. In his article, Professor Neil Richards offers a framework to “explain why and when surveillance is particularly dangerous and when it is not.” Richards contends that surveillance of intellectual activities is particularly harmful because it can undermine intellectual experimentation, which the First Amendment places at the heart of political freedom. Richards also raises concerns about governmental surveillance of benign activities because it gives undue power to governmental actors to unfairly classify, abuse, and manipulate those who are being watched; but it is clear that his driving concern is with intellectual privacy. We think that this focus is too narrow.
According to Richards, due to intellectual records’ relationship to First Amendment values, “surveillance of intellectual records — Internet search histories, email, web traffic, or telephone communications — is particularly harmful.” Richards argues that governmental surveillance seeking access to intellectual records should therefore be subjected to a high threshold of demonstrated need and suspicion be-fore it is allowed by law. He argues also that individuals ought to be able to challenge in court “surveillance of intellectual activities.” Richards further proposes that “a reasonable fear of government surveillance that affects the subject’s intellectual activities (reading, thinking, and communicating) should be recognized as a harm sufficient to prove an injury in fact under standing doctrine.” ... Although Richards aptly captures the dangers to intellectual freedom posed by technologically enhanced surveillance, we fear his policy prescriptions are both too narrow and too broad because they focus on “intellectual activities” as a necessary trigger and metric for judicial scrutiny of surveillance technologies. Our concerns run parallel to arguments we have made elsewhere against the so-called “mosaic theory” of quantitative privacy advanced by the D.C. Circuit  and four Justices of the Supreme Court in United States v. Jones. Our argument there supports our objection here: by focusing too much on what information is gathered rather than how it is gathered, efforts to protect reasonable expectations of privacy threatened by new and developing surveillance technologies will disserve the legitimate interests of both information aggregators and their subjects.
One reason we are troubled by Richards’s focus on “intellectual activities” as the primary trigger for regulating surveillance technology is that it dooms us to contests over which kinds of conduct, experiences, and spaces implicate intellectual engagement and which do not. Is someone’s participation in a message board devoted to video games sufficiently intellectual to warrant protection? What about a telephone company’s records showing that someone made twenty phone calls in ten minutes’ time to a particular number without anyone picking up? Would we consider the route someone took going to the library an intellectual activity? Is it the form of the activity or what is being accomplished that matters most?
Setting aside obvious practical concerns, the process of determining which things are intellectual necessarily raises the specter of oppression. Courts and legislators would be required to select among competing conceptions of the good life, marking some “intellectual” activities as worthy of protection, while denying that protection to other “non-intellectual” activities. Inevitable contests over the content and scope of “intellectual privacy” will be, by their nature, subject to the whims and emergencies of the hour. In the face of terrorist threats, decisionmakers will surely promote a narrow definition of “intellectual privacy,” one that is capable of licensing programs like Virtual Alabama and fusion centers. Historically, decisionmakers have limited civil liberties in times of crisis and reversed course in times of peace, but the post-9/11 period shows no sign of the pendulum’s swinging back. Given the nature of political and judicial decisionmaking in our state of perpetually heightened security, protection, even of “intellectual privacy,” is most likely to be denied to the very outsiders, fringe thinkers, and social experimenters whom Richards is most concerned with protecting.

CPTED in Victoria

The Victorian parliamentary Drugs and Crime Prevention Committee has released its 443 page final report [PDF] regarding its inquiry into the Application of Safer Design Principles and Crime Prevention Through Environmental Design.

The inquiry reflects the state government's Safer Design Guidelines for Victoria - "the leading ‘designing out crime’ framework" on the basis of Crime Prevention through Environmental Design (CPTED) and embodying the following principles
1. Crime prevention is more effective when investing in a holistic approach to health, sustainability, community safety and ‘liveability’ rather than just law enforcement/ justice measures.
2. Safer design principles/CPTED needs to be implemented in conjunction with other crime prevention approaches.
3. Community capacity building and social capital are essential and integral aspects of addressing community safety issues in contemporary society.
4. In addressing crime prevention and community safety including safer design principles/ CPTED, evidence based strategies are essential.
5. A ‘one size fits all’ approach to applying safer design principles/CPTED does not address the specific issues, needs and requirements of individual local communities.
6. Effective crime prevention and community safety interventions including the use of safer design principles/CPTED measures require:
• An understanding of the causes and contributory factors leading to crime and antisocial behaviour
• Clear goals and vision that are directly linked to proposed strategies
• A unified service delivery model. Community safety interventions including the application of safer design principles are less effective when agencies and departments including those in local government authorities work in isolation from each other (silos)
• An applied commitment to evidence based practice research, evaluation, and performance measurement supported by up-to-date data
• A commitment to plan for the ‘long haul’. CPTED interventions including those based on the application of the Safer Design Guidelines for Victoria take time and will not result in ‘instant rewards’. Follow up, ongoing monitoring and evaluation of CPTED initiatives is crucial
• The empowerment and participation of local communities in decision making, such as through safer design/CPTED audits.
7. Effective crime prevention, including the use of safer design principles and CPTED, requires police to take a proactive community focused approach with regards to designing out crime, utilising specialist knowledge and training in this area.
8. Local government authorities are best placed to understand and reflect the particular needs and problems of their local community. This is largely due to the fact that most crime of immediate concern to communities is local (eg. property crime, antisocial behaviour, vandalism etc.) As such they are best placed to generate and deliver the most appropriate prevention interventions for their local communities including the application of the Safer Design Guidelines.
Recommendations in the report are as follows -
R 1 The Committee supports the recommendation made by the Legislative Council Environment and Planning References Committee in the Inquiry into Environmental Design and Public Health in Victoria, Final Report, that the Victorian Government, recognising that the work of all government agencies influence health, safety and wellbeing, adopts a whole of government approach to health and safety.
R 2 The Committee recommends the establishment of a Safer Design Unit within the State Government’s Department of Planning and Community Development (DPCD) which would coordinate a holistic approach to planning and its relationship to health, community safety and crime prevention and wellbeing initiatives across government.
R 3 The Committee supports the recommendation of the Legislative Council Environment and Planning References (EPR) Committee in the Inquiry into Environmental Design and Public Health in Victoria, Final Report: ‘That the Victorian Government amends section 4(1) of the Planning and Environment Act 1987 to include “the promotion of environments that protect and encourage public health and wellbeing” (or similar wording) as an objective of planning in Victoria.’
R 4 The Committee supports the recommendation of the EPR Committee i‘That the Victorian Government amends section 12 of the Planning and Environment Act 1987 to require planning authorities to conduct a Health Impact Assessment for key planning decisions, such as major urban developments or making or amending a planning scheme’. The Committee further recommends that: • A suitable and easy to use Health Impact Assessment tool be developed by the Department of Health and the Department of Planning & Community Development (DPCD), in consultation with the planning industry and local governments
R 5 The Committee recommends that Section 60 (IA) of the Planning and Environment Act 1987 be amended to include the words ‘including the effects and risk of crime’ as follows: ‘any significant social and economic effects of the use or development for which the application is made including the potential effects or risk of crime’.
Balancing regulation with non-prescriptive approaches 
R 6a The Committee recommends that the Victoria Planning Provisions be amended to ensure local planning schemes throughout Victoria utilise the Safer Design Guidelines for Victoria as part of the decision making criteria when assessing large scale commercial, industrial and residential developments and/or when a proposed development is considered to be a potential crime risk.
R 6b The Committee recommends that the Victorian Planning Provisions be amended to require a formal crime risk assessment and/or CPTED audit to be conducted, if in the opinion of the local government authority responsible for the relevant planning scheme, a proposed development would create a significant risk of crime. In making such a decision the local government authority should seek the advice and assistance of the Victoria Police in assessing the application and/or conducting the audit/risk assessment.
R 7 The Committee recommends that the Victorian Government amends the State Planning Policy Framework within the Victoria Planning Provisions to include a policy on planning for health, safety, crime prevention and wellbeing.
R 8 The Committee recommends that the Victorian Government requires Precinct Structure Plans to include consideration of safer design principles and guidelines in new developments throughout Victoria. Precinct Structure Plans (PSPs) are important aspects of the planning system particularly for new communities in growth corridor areas.
R 9 The Committee recommends that the DPCD includes and prioritises the Safer Design Guidelines for Victoria as part of the ongoing Melbourne Metropolitan Strategy.
R 10 The Committee recommends that as part of the Melbourne Metropolitan Planning Strategy the DPCD, should undertake a technical review of the Safer Design Guidelines for Victoria.
R 11 The Committee further recommends that the Strategy provides for a review of the implementation of the Safer Design Guidelines for Victoria every five years.
R 12 The Committee recommends that the Victorian Government reviews the Urban Design Charter to: • strengthen the role and function of the Charter in guiding Victorian urban design • ensure that design objectives which promote health and wellbeing, community safety and crime prevention are included in the Charter.
R 13 The Committee recommends that the DPCD co-ordinate with local government authorities to develop strategies and protocols to engage relevant stakeholders at the outset of a development project that may have an impact on community safety and wellbeing.
R 14 The Committee recommends that the DPCD coordinate with local government authorities to develop protocols that will ensure that planners, developers and planning applicants liaise with local police on site-specific design issues, particularly those pertaining to community safety and design.
R 15 The Committee recommends that local government authorities devise appropriate processes to ensure that planning development applications which impact upon community safety seek the input of all relevant council staff including planners, urban designers, community safety officers, crime prevention and health promotion officers. Designing out crime, particularly at local level, is an approach that requires input from a variety of professional disciplines including planners, architects, urban designers and crime prevention or community safety officers.
R 16 The Committee recommends that all local government authorities develop local Safer Design Policies that take into account specific local circumstances and conditions in conjunction with their application of the Safer Design Guidelines for Victoria.
R 17 The Committee recommends that the DPCD in conjunction with the Crime Prevention Unit within the Department of Justice develop an accompanying plain English compendium to the Guidelines, inc  case studies  and practical assessment tools 
Tertiary education
R 18 The Committee recommends that the newly formed Safer Design Unit within the DPCD liaise with tertiary institutions and encourage the introduction of education on safer design and CPTED principles and practices as a comprehensive part of tertiary education courses, both undergraduate and postgraduate, in architecture, town planning, urban design, community development and other appropriate disciplines.
R 19 The Committee recommends that as part of any course introducing safer design and CPTED concepts and theory, students should be encouraged to undertake practical work in the field including observing relevant on-site developments.
R 20 The Committee recommends that the DPCD in conjunction with the Planning Institute of Australia (Victoria) investigate the feasibility of developing an accreditation system for safer design/CPTED practitioners.
R 21 The Committee recommends that the DPCD in association with the Planning Institute of Australia continue to offer and extend its training in the Safer Design Guidelines for Victoria and CPTED.
R 22 The Committee recommends that LGPro Local Government Professionals develop and conduct ongoing CPTED and safer design training for relevant members, particularly council planners, crime prevention, community safety and community development officers.
R 23 The Committee recommends that the Victorian Government provide resources for people with expertise in CPTED and safer design to train local government officers, planners and developers in the principles and application of CPTED and safer design.
R 24 The Committee recommends ongoing safer design training/CPTED programs for other professionals working in the area of the built environment including architects, landscape architects, landscape designers, urban designers and urban planners.
R 25 The Committee recommends that Victoria Police continue to provide training in the application of the Safer Design Guidelines for Victoria for local government officers, through their Safer Community Unit. 
General education and information provision  
R 26 The Committee recommends that all local government authorities provide on their websites a hyperlink to the Safer Design Guidelines for Victoria.   
R 27 The Committee recommends that the DPCD in conjunction with relevant stakeholders and agencies introduce an award for exemplary developments that incorporate and promote safer design.
R 28 The Committee recommends that the DPCD develops a web based live resource hosted on a single site as a resource to promote the Safer Design Guidelines for Victoria and their application.
The need for research and evaluation
R 29 The Committee recommends that the Victorian Government, in partnership with universities, local government authorities and relevant stakeholders, commissions ongoing research to develop the evidence base with regard to Safer Design/CPTED and its relationship to community safety, health and wellbeing.
R 30 The Committee recommends that local government authorities in conjunction with developers, particularly those responsible for new housing estates, be encouraged to undertake regular resident surveys to gauge their perceptions of safety and wellbeing. The Committee believes that the provision of an independent statistics, data retrieval and research service such as BOCSAR is of great assistance to both police and local government not only in the area of safer design/CPTED but also in crime prevention generally. It repeats the call for a comparable unit to be developed in Victoria in order to inform practice with research based evidence.  
R 31 The Committee recommends that such an independent crime statistics agency  provide data and evidence to inform the development and implementation of crime prevention programs and initiatives including safer design/ CPTED audits and risk assessments and safer design/CPTED audits reports for planning permit applications.

Access and Suppression Orders

The Open Courts Bill 2013 (Vic) has been introduced in the Victorian Legislative Assembly by Attorney General Clark.

The Bill is "for an Act to reform and consolidate provisions for and powers relating to suppression orders and closed court orders, to make consequential amendments to various Acts and for other purposes".

The Explanatory Memo indicates that
in determining whether to make an order to prohibit or restrict the disclosure of information, a court or tribunal must have regard to a presumption in favour of disclosure. This means that in determining an application for a suppression order, including an order under Part 3 or 4 of the Bill or an order made by the Supreme Court in the exercise of its inherent jurisdiction, a court or tribunal must have regard to this presumption. Where the order being considered would prohibit or restrict the disclosure of a report of part or all of a proceeding or of any information derived from a proceeding, the presumption strengthens and promotes the principle of open justice. If the order being considered would prohibit or restrict the disclosure of other information not derived from a proceeding, the presumption strengthens and promotes the principle of free communication of information. (This distinction was made clear in News Digital Media Pty Ltd v Mokbel (2010) 30 VR 248.) 
Clause 5 "abrogates any existing common law power to make an order prohibiting or restricting the publication of information in connection with any proceeding and provides that there is no implied jurisdiction for a court or tribunal to prohibit or restrict the publication of information in connection with any proceeding. This provision does not affect the inherent jurisdiction of the Supreme Court".

Clause 6
preserves any jurisdiction or common law powers that a court or tribunal has to deal with a contempt of the court or tribunal,  provides that the Bill does not affect any order or decision by a court or tribunal regarding the admission of evidence or requiring the disclosure of information to a court or tribunal or party to a proceeding in the course of or in relation to a proceeding. For example, orders and decisions relating to whether to compel disclosure of information in the course of or in relation to a proceeding, including by discovery of documents, interrogatories or subpoena, are not affected by the Bill and are not subject to the presumption in favour of disclosure in clause 4. In addition, rules of law restricting the permitted use and further disclosure of such compulsorily disclosed information (such as the rule considered in British American Tobacco Australia Services Ltd v Cowell (2003) 8 VR 571) are unaffected by the Bill, including the presumption in clause 4. An order of a court or tribunal which restricts the way a person, event or thing may be referred to in open court (such as a requirement to use a pseudonym for a person) or an order prohibiting or restricting access to the court file will not be affected by the Bill.
 Clause 8 preserves the operation of any provision made under any other Act that prohibits or restricts, or authorises a court or tribunal to prohibit or restrict, the publication or disclosure of information for or in connection with any proceeding. A provision under any other Act that requires or authorises a court or tribunal to close proceedings to the public will not be limited.
Statutory provisions that restrict the publication of information, such as the prohibition on the reporting of any particulars likely to lead to the identification of a person against whom a sexual offence is alleged under section 4 of the Judicial Proceedings Reports Act 1958, are not limited or otherwise affected by the Bill. The discretionary powers of a court or tribunal to order a restriction on the publication or disclosure of information, such as the power provided in section 75 of the Crimes (Mental Impairment and Unfitness to be Tried) Act 1997 in relation to a proceeding under that Act, are also not affected by the Bill. A statutory prohibition on proceedings being conducted in open court, such as section 73 of the Criminal Organisations Control Act 2012, is not affected by the Bill. The discretionary power for a court or tribunal to conduct proceedings in closed court, such as that in section 68 of the Family Violence Protection Act 2008, will not be affected by the Bill.
Victoria has also seen adjournment of debate after the second reading of the Assisted Reproductive Treatment Amendment (Access by Donor-Conceived People to Information About Donors) Bill 2013 (Vic). The aim is "to ensure that all persons born as a result of a donor treatment procedure, regardless of when the gametes were donated, have access to identifying information about their donor and for other purposes". The amendment to the Assisted Reproductive Treatment Act 2008 (Vic) - the centrepiece of the Victorian ART regime - would thus override undertakings of anonymity provided to gamete donors in the past.

The Adoption Amendment Bill 2013 (Vic) meanwhile provides for amendment of the Adoption Act 1984 (Vic) to
remove the requirement for obtaining an adult adopted person's consent before giving identifying information to the adopted person's natural parent; and to provide for adult adopted persons to make contact statements about their wishes for contact with their natural parents. 
It will also enable a birth certificate to be issued for a child adopted in a Hague Convention country whose adoptionis recognised under section 69D of the Act.

27 June 2013

Hate Crime

The UK Law Commission - counterpart of Australia's ALRC - has commenced a public consultation on Hate Crime: The Case for Extending the Existing Offences.

The project reflects a reference by the Ministry of Justice after publication in 2012 of the Cameron Government’s three-year hate crime action plan, which centred on
  • preventing hate crime – by challenging the attitudes that underpin it, and early intervention to prevent it escalating;
  • increasing reporting and access to support – by building victim confidence and supporting local partnerships;
  • improving the operational response to hate crimes – by better identifying and managing cases, and dealing effectively with offenders.
The Commission notes that
At present, criminal justice agencies record as a “hate crime” any offence which is perceived by the victim or any other person to be motivated by hostility or prejudice based on a person’s race, religion, sexual orientation, disability or transgender identity. However, existing criminal offences dealing specifically with the problem of hate crime do not recognise the same five protected characteristics.
Its terms of reference encompass
a) extending the aggravated offences in the Crime and Disorder Act 1998 (UK) to include where hostility is demonstrated towards people on the grounds of disability, sexual orientation or gender identity;
b) the case for extending the stirring up of hatred offences under the Public Order Act 1986 (UK) to include stirring up of hatred on the grounds of disability or gender identity.
The Commission is also to explore the current sentencing regime applicable to cases where hostility is established (ie already covering all five groups, with similar elements to the aggravated offences (though it is applicable to a wider group of offences). The expectation is that the Commission will analyse the case for reforming the existing hate crime offences to "bring greater coherence and protection for all five groups".

It is asking for input regarding
  • Do existing criminal offences provide adequate protection against the types of wrongdoing occurring against members of the protected groups?
  • Do the Courts’ existing sentencing powers provide a sufficient response in all cases?
  • Would extending the offences create uncertainty or have other unintended consequences?
The consultation paper [PDF] is supported by appendices regarding
  • ECHR issues [PDF]
  • the history to the existing legislative provisions [PDF] and
  • a legislative impact assessment [PDF].
The consultation includes a paper [PDF] by John Stanton-Ife on theoretical arguments relevant to the extension of the existing offences

25 June 2013

US Patent Litigation Statistics and Trolls

From the brief PwC report on US patent litigation for 2012 [PDF], featuring observations to "help executives, legislators, and litigators assess their patent enforcement or defense strategies, as well as the impact"
  • The number of patent lawsuits filed spiked by almost 30% in 2012 to over 5,000, with some of that increase attributed to the AIA’s ‘anti-joinder’ provision. 
  • Annual median damages awards (in 2012 dollars) ranged from US$1.9 million to US$16.5 million between 1995 and 2012. The median damages award was approximately US$4.9 million over 2007 to 2012. 
  • The median damages award in the telecommunications sector was significantly higher than that of other industries. 
  • Biotechnology/ pharma, medical devices, and computer hardware/electronics also had higher relative median damages awards than did other industries.
  • Damages awards for nonpracticing entity (NPEs) averaged more than double those for practicing entities over the last decade. 
  • the median jury award amounted to nearly 45 times the median bench award between 2007 and 2012. 
  • 'Reasonable royalties' remain the predominant measure of patent damages awards, representing more than 80% of awards over the last six years. 
  • NPEs have been successful 24% of the time overall versus 34% for practicing entities, due to the relative lack of success for NPEs at summary judgment. Both have about a two-thirds success rate at trial. 
  • "While the median time-to-trial has remained fairly constant, averaging 2.3 years since 1995, we see significant variations among jurisdictions". Some federal district courts (particularly Delaware, Virginia Eastern,, and Texas Eastern) continue to be more favorable to patent holders, with shorter time-to-trial durations, higher success rates, and larger median damages awards.
  • The top five federal district courts (out of a total of 94) accounted for 39% of all identified decisions involving an NPE as the patent holder. The Eastern District of Texas accounted for 12% of NPE decisions. 
  • University/non-profit NPEs have the highest success rate among NPE litigants. 
  • Of currently-active judges, the ten most active on patent infringement cases generally have higher median damages and lower time to trial than the overall study medians.
The report comments that
Prior to 2012, only three patent infringement damages awards eclipsed the $1 billion mark. But last year alone, three cases, tried before juries in separate districts, resulted in awards of $1 billion or greater: Monsanto v. DuPont, Apple v. Samsung, and Carnegie Mellon University v. Marvell. The outcomes of these matters have varied so far. Monsanto v. DuPont settled for a ten-year $1.75 billion license; the $1.05 billion award in Apple v. Samsung was reduced by $450 million and likely will be modified further; and Carnegie Mellon v. Marvell remains in the post-trial phase. Similarly, two ‘stent wars’ verdicts of more than $500 million were overturned or settled for short dollars in 2013.
The 'Patent Assertion and US Innovation' report [PDF] from the White House  meanwhile states that
Some firms that own patents but do not make products with them play an important role in U.S. innovation ecosystem, for example by connecting manufacturers with inventors, thereby allowing inventors to focus on what they do best.
However, Patent Assertion Entities (PAEs, also known as “patent trolls”) do not play such roles. Instead they focus on aggressive litigation, using such tactics as: threatening to sue thousands of companies at once, without specific evidence of infringement against any of them; creating shell companies that make it difficult for defendants to know who is suing them; and asserting that their patents cover inventions not imagined at the time they were granted.
Suits brought by PAEs have tripled in just the last two years, rising from 29 percent of all infringement suits to 62 percent of all infringement suits. Estimates suggest that PAEs may have threatened over 100,000 companies with patent infringement last year alone.
While aggressive litigation tactics are a hallmark of PAEs, some practicing firms are beginning to use them as well. (“Practicing” firms use their patents to design or manufacture products or processes.)
PAE activities hurt firms of all sizes. Although many significant settlements are from large companies, the majority of PAE suits target small and inventor-driven companies. In addition, PAEs are increasingly targeting end users of products, including many small businesses.
PAEs take advantage of uncertainty about the scope or validity of patent claims, especially in software-related patents because of the relative novelty of the technology and because it has been difficult to separate the “function” of the software (e.g. to produce a medical image) from the “means” by which that function is accomplished.
A range of studies have documented the cost of PAE activity to innovation and economic growth. For example:
  • One study found that during the years they were being sued for patent infringement by a PAE, health information technology companies ceased all innovation in that technology, causing sales to fall by one-third compared to the same firm’s sales of similar products not subject to the PAE-owned patent. 
  • Another study found that the financial reward received by winning PAEs amounted to less than 10% of the share value lost by defendant firms, suggesting that the suits result in considerable lost value to society from forgone technology transfer and commercialization of patented technology.
History suggests that it should be possible to address these challenges. Similar cases occurred with patents for agricultural equipment and for railroad equipment in the late 19th century, in which there was great uncertainty about whether a valid patent had been infringed. Once these underlying conditions were changed, this business model was no longer profitable and litigation of this type fell dramatically.
Policies such as the following: fostering clearer patents with a high standard of novelty and non-obviousness; reducing disparity in the costs of litigation for patent owners and technology users; and increasing the adaptability of the innovation system to challenges posed by new technologies and new business models; would likely have a similar effect today.
Very similar statistics are provided in  the RPX report [PDF] -
1. NPEs sued nearly 2,500 different companies in 2012. NPEs filed 3,054 patent infringement cases against 4,351 defendants, which was over 80% more than the number of defendants in 2008. 2,465 unique companies were affected.
2. NPEs filed more than half (61%) of new patent litigation (measured by total defendants). This is the third straight year that NPEs were responsible for the majority of all new patent litigation.
3. Most companies sued by NPEs were small/private companies. Over half (63%) of unique defendants added in NPE cases in 2012 earn less than $100M in revenue, and 76% of unique defendants added in NPE cases in 2012 were private companies.  However, data collected in RPX’s separately released 2012 NPE Cost Study: High-Level Findings suggests that large companies still bear most of the economic burden of NPE activity.
4. NPE activity affected many industries not commonly thought to have an NPE problem. While companies were most commonly sued in E-commerce and Software cases (34% of total defendants added in NPE cases in 2012), NPE litigations targeted a diverse set of industries including Financial Services, Automotive, and Medical.
5. At the end of 2012, companies faced more than double the NPE litigation than they did only four years ago. The backlog of active NPE defendants, a proxy for the overall size of NPE activity, increased once again in 2012 and has grown 110% from year-end 2008 to year-end 2012.
6. Enactment of the America Invents Act (the AIA) in September 2011 affected the rate and timing of NPE assertions in 2012. While there was an increase in total cases filed (1,551 to 3,054), total defendants added—a better proxy for the volume of NPE litigation—decreased (5,329 to 4,351) from 2011 to 2012.
7. By year-end 2012, NPE assertions appear to have returned to a long-term growth trend, as the fourth quarter was one of the most active quarters in history with 1,069 cases filed and 1,445 total defendants added.
8. In 2012, NPEs targeted companies with significant activities in the mobile and consumer electronics sectors most frequently. Apple was sued almost once per week (51 new cases in 2012) and Samsung was targeted in more than 10 new suits per quarter (42 new cases in 2012).
9. NPE litigation was often carried out in the ordinary course of business as well-known and serial NPEs, Acacia and IP Navigation, topped the charts for 2012 NPE activity. Acacia filed 222 cases and added 317 defendants in 2012. IP Navigation filed 305 cases and added 357 defendants in 2012. The top 10 NPEs by cases filed accounted for 36% of all NPE cases filed in 2012.
10. More than half of NPE cases were filed in Eastern Texas and Delaware district courts with 985 and 740 cases filed in 2012 and 1,105 and 771 cases pending at year-end 2012 respectively, providing credence to industry perception that those venues are favorable for plaintiffs and/or NPEs. The Northern District of California was the most common venue for declaratory judgment actions against NPEs with 24 declaratory judgment cases filed in 2012.
11. The International Trade Commission (ITC) was a relatively popular venue for NPE activity for the second straight year. The ITC initiated 14 investigations in NPE cases in 2012 compared to five in each year from 2008 to 2010. While the ITC’s overall share of NPE litigation remains very small (less than 1% of cases filed), this suggests that NPEs may increasingly view the ITC as a strategic venue for assertions.
12. Patents asserted by NPEs in 2012 most frequently claim priority to the late ’90s technology boom. The four most common priority years for patents asserted in cases filed in 2012 were 1998 through 2001. The mean and median priority year was 1999.
13. The average NPE case ending in 2012 lasted less than a year. Cases ending in 2012 had a relatively short average duration as 53% completed within six months and 74% completed within a year. Terminated defendants in 2012 had similarly short periods of active litigation with 37% terminating within six months and 62% terminating within a year.
RPX has made a conscious effort to present the subject data in the most straightforward and objective manner and has withheld its own potentially subjective views and analyses. However, to the extent the reader is interested in an additional level of analysis, we encourage the reader to browse RPX’s website (www.rpxcorp.com) or reach out directly to RPX.

Privacy Breach Alerts

The Australian Senate Constitutional & Legal Affairs Committee has produced a quick response to the Privacy Amendment (Privacy Alerts) Bill 2013 (Cth), more accurately labelled the Data Breach Bill.

The Committee was seeking public input as late as last Tuesday, with a deadline of lunchtime Wednesday. (Disclaimer: I made a submission on that basis.)

The Coalition Senators on the Committee sensibly comment that
Coalition senators are, like a number of submitters to this inquiry, concerned with the lack of due process and time for scrutiny afforded to this bill through the committee. 
Coalition senators understand that the number and depth of analysis of submissions to this inquiry has been hampered by the restrictive timeframe. No explanation has been forthcoming from the government as to the reason for this extraordinarily foreshortened process. 
Given the importance of the nature of this matter, and the extensive criticisms which were levelled at the primary privacy legislation when it was examined by the committee last year, it is most unfortunate that thorough and detailed scrutiny should not have been afforded to this bill. ... Coalition senators believe that the concerns of key stakeholders should not lightly be set aside, where they are afforded an opportunity to be consulted. Coalition senators believe the concerns raised by those stakeholders should be better scrutinised, understood and acted upon by the relevant government agencies as this new privacy regime is rolled out.
The report features the majority comment, in endorsing the Bill, that
The committee supports enhanced privacy protection for individuals whose personal information has been accessed by, or disclosed to, a third party as the result of a 'serious data breach'. The committee notes the Commissioner's evidence that data breaches are under-reported and on the increase within Australia. 
The measures proposed in the Bill are supported by the ALRC, which specifically recommended such a reform to help resolve the situation of individuals being adversely affected by the compromise of their personal information. The Commissioner has also expressed unconditional support for the Bill, as did consumer advocates who participated in the inquiry. The committee agrees that the proposed reform is 'long overdue' and would benefit Australian consumers, as well as industry stakeholders, who would be simultaneously encouraged to effect and maintain high-quality data security practices. 
A public consultation paper was released by the Department in October 2012, seeking the community's view on whether a mandatory data breach notification law should be introduced in Australia and, if so, how the law should be framed. This was followed by a confidential targeted consultation in respect of a more detailed legislative model in April 2013. The committee considers that stakeholders have been afforded ample opportunity to comment on the proposals in the Bill, noting that the matters under consideration were first raised in 2008 by the ALRC. 
The trigger for mandatory notification concerned several submitters. While the committee acknowledges these concerns, the Department pointed out that this threshold has been implemented in the voluntary data breach guidelines since 2008, when the ALRC recommended the standard. The committee therefore accepts the Department's view that the threshold is familiar to stakeholders, and agrees that it is preferable for the Commissioner to continue to issue guidance on the meaning of a 'real risk of serious harm', as circumstances require. In this context, the committee notes that the Commissioner is already considering amendments to the OAIC guide, to account for the changes to be introduced by the Bill.
All in all neither the Bill nor the drumhead consultation are matters of which the Government can be proud

Spooks and Retention

The Australian Joint Committee on Intelligence and Security has released the report of its Inquiry into potential reforms of National Security Legislation, including consideration of mandatory data retention.

The Committee was asked to consider a package of changes to Australia's national security laws and agencies. Its inquiry centred on proposals for mandatory retention of telecommunications data (for up to two years) in the expectation that the data might be required by law enforcement or security agencies. In the tradition of a trial balloon - the approach adopted by successive Attorneys-General McClelland, Roxon and Dreyfus - the Government indicated that it wanted public feedback and did not necessarily endorse the proposals.

The Committee states that it "was faced with several difficulties. These included that the terms of reference were wide-ranging and canvassed some of the most complex and significant reforms to national security legislation ever to come before the parliament". The report features 43 recommendations.

In relation to mandatory data retention - explored in several committee reports over the past decade - the Committee notes that although a data retention scheme would be of "significant utility" to national security agencies there are fundamental privacy issues. The answer? The committee considers that a data retention policy must be a decision of government, and was not for the committee to recommend. "The actual option of a committee being asked to recommend the establishment of an intrusive power without draft legislation provided almost and existential moment for the committee."

The Committee's recommendations are -
Telecommunications Interception
R1 The Committee recommends the inclusion of an objectives clause within the Telecommunications (Interception and Access) Act 1979, which:
  • expresses the dual objectives of the legislation – to protect the privacy of communications; to enable interception and access to communications in order to investigate serious crime and threats to national security; and 
  • accords with the privacy principles contained in the Privacy Act 1988.
R2 The Committee recommends the Attorney-General’s Department undertake an examination of the proportionality tests within the Telecommunications (Interception and Access) Act 1979 (TIA Act). Factors to be considered in the proportionality tests include the:
  • privacy impacts of proposed investigative activity; 
  • public interest served by the proposed investigative activity, including the gravity of the conduct being investigated; and 
  • availability and effectiveness of less privacy intrusive investigative techniques.
The Committee further recommends that the examination of the proportionality tests also consider the appropriateness of applying a consistent proportionality test across the interception, stored communications and access to telecommunications data powers in the TIA Act.
R3 The Committee recommends that the Attorney-General’s Department examine the Telecommunications (Interception and Access) Act 1979 with a view to revising the reporting requirements to ensure that the information provided assists in the evaluation of whether the privacy intrusion was proportionate to the public outcome sought.
R4 The Committee recommends that the Attorney-General’s Department undertake a review of the oversight arrangements to consider the appropriate organisation or agency to ensure effective accountability under the Telecommunications (Interception and Access) Act 1979. Further, the review should consider the scope of the role to be undertaken by the relevant oversight mechanism. The Committee also recommends the Attorney-General’s Department consult with State and Territory ministers prior to progressing any proposed reforms to ensure jurisdictional considerations are addressed.
R5 The Committee recommends that the Attorney-General’s Department review the threshold for access to telecommunications data. This review should focus on reducing the number of agencies able to access telecommunications data by using gravity of conduct which may be investigated utilising telecommunications data as the threshold on which access is allowed.
R6 The Committee recommends that the Attorney-General’s Department examine the standardisation of thresholds for accessing the content of communications. The standardisation should consider the:
  • privacy impact of the threshold; 
  • proportionality of the investigative need and the privacy intrusion; 
  • gravity of the conduct to be investigated by these investigative means; 
  • scope of the offences included and excluded by a particular threshold; and 
  • impact on law enforcement agencies’ investigative capabilities, including those accessing stored communications when investigating pecuniary penalty offences.
R7 The Committee recommends that interception be conducted on the basis of specific attributes of communications. The Committee further recommends that the Government model ‘attribute based interception’ on the existing named person interception warrants, which includes:
  • the ability for the issuing authority to set parameters around the variation of attributes for interception; 
  • the ability for interception agencies to vary the attributes for interception; and 
  • reporting on the attributes added for interception by an authorised officer within an interception agency.
In addition to Parliamentary oversight, the Committee recommends that attribute based interception be subject to the following safeguards and accountability measures:
  • attribute based interception is only authorised when an issuing authority or approved officer is satisfied the facts and grounds indicate that interception is proportionate to the offence or national security threat being investigated; 
  • oversight of attribute based interception by the ombudsmen and Inspector-General of Intelligence and Security; and 
  • reporting by the law enforcement and security agencies to their respective Ministers on the effectiveness of attribute based interception.
R8 The Committee recommends that the Attorney-General’s Department review the information sharing provisions of the Telecommunications (Interception and Access) Act 1979 to ensure: 
  • protection of the security and privacy of intercepted information; and 
  • sharing of information where necessary to facilitate investigation of serious crime or threats to national security.
R9 The Committee recommends that the Telecommunications (Interception and Access) Act 1979 be amended to remove legislative duplication.
R10 The Committee recommends that the telecommunications interception warrant provisions in the Telecommunications (Interception and Access) Act 1979 be revised to develop a single interception warrant regime. The Committee recommends the single warrant regime include the following features:
  • a single threshold for law enforcement agencies to access communications based on serious criminal offences; 
  • removal of the concept of stored communications to provide uniform protection to the content of communications; and 
  • maintenance of the existing ability to apply for telephone applications for warrants, emergency warrants and ability to enter premises. 
The Committee further recommends that the single warrant regime be subject to the following safeguards and accountability measures:
  • interception is only authorised when an issuing authority is satisfied the facts and grounds indicate that interception is proportionate to the offence or national security threat being investigated; 
  • rigorous oversight of interception by the ombudsmen and Inspector-General of Intelligence and Security; 
  • reporting by the law enforcement and security agencies to their respective Ministers on the effectiveness of interception; and 
  • Parliamentary oversight of the use of interception.
R11 The Committee recommends that the Government review the application of the interception-related industry assistance obligations contained in the Telecommunications (Interception and Access) Act 1979 and Telecommunications Act 1997.
R12 The Committee recommends the Government consider expanding the regulatory enforcement options available to the Australian Communications and Media Authority to include a range of enforcement mechanisms in order to provide tools proportionate to the conduct being regulated.
R13 The Committee recommends that the Telecommunications (Interception and Access) Act 1979 be amended to include provisions which clearly express the scope of the obligations which require telecommunications providers to provide assistance to law enforcement and national security agencies regarding telecommunications interception and access to telecommunications data.
R14 The Committee recommends that the Telecommunications (Interception and Access Act) 1979 and the Telecommunications Act 1997 be amended to make it clear beyond doubt that the existing obligations of the telecommunications interception regime apply to all providers (including ancillary service providers) of telecommunications services accessed within Australia. As with the existing cost sharing arrangements, this should be done on a no-profit and no-loss basis for ancillary service providers.
R15 The Committee recommends that the Government should develop the implementation model on the basis of a uniformity of obligations while acknowledging that the creation of exemptions on the basis of practicability and affordability may be justifiable in particular cases. However, in all such cases the burden should lie on the industry participants to demonstrate why they should receive these exemptions.
R16 The Committee recommends that, should the Government decide to develop an offence for failure to assist in decrypting communications, the offence be developed in consultation with the telecommunications industry, the Department of Broadband Communications and the Digital Economy, and the Australian Communications and Media Authority. It is important that any such offence be expressed with sufficient specificity so that telecommunications providers are left with a clear understanding of their obligations.
R17 The Committee recommends that, if the Government decides to develop timelines for telecommunications industry assistance for law enforcement and national security agencies, the timelines should be developed in consultation with the investigative agencies, the telecommunications industry, the Department of Broadband Communications and the Digital Economy, and the Australian Communications and Media Authority. The Committee further recommends that, if the Government decides to develop mandatory timelines, the cost to the telecommunications industry must be considered.
R18 The Committee recommends that the Telecommunications (Interception and Access) Act 1979 (TIA Act) be comprehensively revised with the objective of designing an interception regime which is underpinned by the following: 
  • clear protection for the privacy of communications; 
  • provisions which are technology neutral; 
  • maintenance of investigative capabilities, supported by provisions for appropriate use of intercepted information for lawful purposes; 
  • clearly articulated and enforceable industry obligations; and 
  • robust oversight and accountability which supports administrative efficiency.
The Committee further recommends that the revision of the TIA Act be undertaken in consultation with interested stakeholders, including privacy advocates and practitioners, oversight bodies, telecommunications providers, law enforcement and security agencies. The Committee also recommends that a revised TIA Act should be released as an exposure draft for public consultation. In addition, the Government should expressly seek the views of key agencies, including the:
  • Independent National Security Legislation Monitor; 
  • Australian Information Commissioner; 
  • Ombudsmen and the Inspector-General of Intelligence and Security.
In addition, the Committee recommends the Government ensure that the draft legislation be subject to Parliamentary committee scrutiny. 
Telecommunications security
R19 The Committee recommends that the Government amend the Telecommunications Act 1997 to create a telecommunications security framework that will provide: 
  • a telecommunications industry-wide obligation to protect infrastructure and the information held on it or passing across it from unauthorised interference; 
  • a requirement for industry to provide the Government with information to assist in the assessment of national security risks to telecommunications infrastructure; and 
  • powers of direction and a penalty regime to encourage compliance.
The Committee further recommends that the Government, through a Regulation Impact Statement, address: 
  • the interaction of the proposed regime with existing legal obligations imposed upon corporations; 
  • the compatibility of the proposed regime with existing corporate governance where a provider’s activities might be driven by decisions made outside of Australia; 
  • consideration of an indemnity to civil action for service providers who have acted in good faith under the requirements of the proposed framework; and
  • impacts on competition in the market-place, including: the potential for proposed requirements to create a barrier to entry for lower cost providers; the possible elimination of existing lower cost providers from the market, resulting in decreased market competition on pricing; and any other relevant effects.
Australian Intelligence Community Legislation Reform
R20 The Committee recommends that the definition of computer in the Australian Security Intelligence Organisation Act 1979 be amended by adding to the existing definition the words “and includes multiple computers operating in a network”. The Committee further recommends that the warrant provisions of the ASIO Act be amended by stipulating that a warrant authorising access to a computer may extend to all computers at a nominated location and all computers directly associated with a nominated person in relation to a security matter of interest.
R21 The Committee recommends that the Government give further consideration to amending the warrant provisions in the Australian Security Intelligence Organisation Act 1979 to enable the disruption of a target computer for the purposes of executing a computer access warrant but only to the extent of a demonstrated necessity. The Committee further recommends that the Government pay particular regard to the concerns raised by the Inspector-General of Intelligence and Security.
R22 The Committee recommends that the Government amend the warrant provisions of the Australian Security Intelligence Organisation Act 1979 to allow ASIO to access third party computers and communications in transit to access a target computer under a computer access warrant, subject to appropriate safeguards and accountability mechanisms, and consistent with existing provisions under the Telecommunications (Interception and Access) Act 1979.
R23 The Committee recommends the Government amend the warrant provisions of the Australian Security Intelligence Organisation Act 1979 to promote consistency by allowing the Attorney-General to vary all types of ASIO Act warrants.
R24 Subject to the recommendation on renewal of warrants, the Committee recommends that the maximum duration of Australian Security Intelligence Organisation Act 1979 search warrants not be increased.
R25 The Committee recommends that the Australian Security Intelligence Organisation Act 1979 be amended to allow the Attorney-General to renew warrants. 
R26 The Committee recommends that the Australian Security Intelligence Organisation Act 1979 be amended to modernise the Act’s provisions regarding secondment arrangements.
R27 The Committee recommends that the Intelligence Services Act 2001 be amended to clarify the authority of the Defence Imagery and Geospatial Organisation to undertake its geospatial and imagery functions.
R28 The Committee recommends that the Australian Security Intelligence Organisation Act 1979 be amended to create an authorised intelligence operations scheme, subject to similar safeguards and accountability arrangements as apply to the Australian Federal Police controlled operations regime under the Crimes Act 1914.
R29 The Committee recommends that should the Government proceed with amending the Australian Security Intelligence Organisation Act 1979 to establish a named person warrant, further consideration be given to the factors that would enable ASIO to request a single warrant specifying multiple powers against a single target. The thresholds, duration, accountability mechanisms and oversight arrangements for such warrants should not be lower than other existing ASIO warrants.
R30 The Committee recommends that the Australian Security Intelligence Organisation Act 1979 be amended to modernise the warrant provisions to align the surveillance device provisions with the Surveillance Devices Act 2004, in particular by optical devices.
R31 The Committee recommends that the Australian Security Intelligence Organisation Act 1979 not be amended to enable person searches to be undertaken independently of a premises search. 
R32 The Committee recommends that the Australian Security Intelligence Organisation Act 1979 be amended to establish classes of persons able to execute warrants.
R33 The Committee recommends that the Australian Security Intelligence Organisation Act 1979 be amended to formalise ASIO’s capacity to co-operate with private sector entities.
R34 The Committee recommends that the Australian Security Intelligence Organisation Act 1979 be amended so that ASIO may refer breaches of section 92 to law enforcement for investigation.
R35 The Committee recommends that the Australian Security Intelligence Organisation Act 1979 be amended to clarify that the incidental power in the search and computer access warrant provisions includes entry to a third party’s premises for the purposes of executing those warrants. However, the Committee is of the view that whatever amendments are made to facilitate this power should acknowledge the exceptional nature and very limited circumstances in which the power should be exercised.
R36 The Committee recommends that the Australian Security Intelligence Organisation Act 1979 be amended to clarify that reasonable force can be used at any time for the purposes of executing the warrant, not just on entry, and may only be used against property and not persons.
R37 The Committee recommends that the Australian Security Intelligence Organisation Act 1979 be amended to introduce an evidentiary certificate regime to protect the identity of officers and sources. The Committee also recommends that similar protections be extended to ASIO in order to protect from disclosure in open court its sensitive operational capabilities, analogous to the provisions of the Telecommunications (Interception and Access) Act 1979 and the protections contained in the counter terrorism provisions in the Commonwealth Criminal code. The Committee further recommends that the Attorney-General give consideration to making uniform across Commonwealth legislation provisions for the protection of certain sensitive operational capabilities from disclosure in open court.
R38 The Committee recommends that the Intelligence Services Act 2001 be amended to add a new ministerial authorisation ground where the Minister is satisfied that a person is, or is likely to be, involved in intelligence or counter‐intelligence activities in circumstances where such an investigation would not currently be within the operational authority of the agency concerned.
R39 The Committee recommends that where ASIO and an Intelligence Services Act 2001 agency are engaged in a cooperative intelligence operation a common standard based on the standards prescribed in the Australian Security Intelligence Organisation Act 1979 should apply for the authorisation of intrusive activities involving the collection of intelligence on an Australian person.
R40 The Committee recommends that the Intelligence Services Act 2001 be amended to enable ASIS to provide training in self‐defence and the use of weapons to a person cooperating with ASIS.
R41 The Committee recommends that the draft amendments to the Australian Security Intelligence Organisation Act 1979 and the Intelligence Services Act 2001, necessary to give effect to the Committee’s recommendations, should be released as an exposure draft for public consultation. The Government should expressly seek the views of key stakeholders, including the Independent National Security Legislation Monitor and Inspector-General of Intelligence and Security. In addition, the Committee recommends the Government ensure that the draft legislation be subject to Parliamentary committee scrutiny.
Data Retention
R42 There is a diversity of views within the Committee as to whether there should be a mandatory data retention regime. This is ultimately a decision for Government. If the Government is persuaded that a mandatory data retention regime should proceed, the Committee recommends that the Government publish an exposure draft of any legislation and refer it to the Parliamentary Joint Committee on Intelligence and Security for examination. Any draft legislation should include the following features:
  • any mandatory data retention regime should apply only to meta-data and exclude content; 
  • the controls on access to communications data remain the same as under the current regime; 
  • internet browsing data should be explicitly excluded; 
  • where information includes content that cannot be separated from data, the information should be treated as content and therefore a warrant would be required for lawful access; 
  • the data should be stored securely by making encryption mandatory; 
  • save for existing provisions enabling agencies to retain data for a longer period of time, data retained under a new regime should be for no more than two years; 
  • the costs incurred by providers should be reimbursed by the Government; 
  • a robust, mandatory data breach notification scheme; 
  • an independent audit function be established within an appropriate agency to ensure that communications content is not stored by telecommunications service providers; and 
  • oversight of agencies’ access to telecommunications data by the ombudsmen and the Inspector-General of Intelligence and Security.
R43 The Committee recommends that, if the Government is persuaded that a mandatory data retention regime should proceed:
  • there should be a mechanism for oversight of the scheme by the Parliamentary Joint Committee on Intelligence and Security; 
  • there should be an annual report on the operation of this scheme presented to Parliament; and 
  • the effectiveness of the regime be reviewed by the Parliamentary Joint Committee on Intelligence and Security three years after its commencement.