A group of security researchers who exposed flaws in the de-identification of government health data has called for changes to a proposed law that would criminalise re-identification.
Attorney-General George Brandis in late September suddenly announced that the Coalition would introduce laws to criminalise re-identification of supposedly de-identified data sets released by government departments and agencies.
The government’s announcement was made ahead of the release of University of Melbourne research that revealed data released by the Department of Health had been improperly de-identified.
As a consequence, the department pulled offline datasets drawn from the Pharmaceutical Benefits and Medicare Benefits schemes (PBS/MBS) that had been published on the government’s open data portal, data.gov.au.
The announcement by Brandis that the government would amend the Privacy Act to prohibit re-identification prompted concern over the potential chilling effect on cyber security research.
When the government unveiled its proposed amendments, they included provisions to exempt some research. However, it will be up to the responsible minister to set out what individual organisations or classes of organisations will be exempt from the ban on re-identification, and what conditions will be imposed on them.
In a submission to an inquiry into the government’s bill, Melbourne Uni researchers Chris Culnane, Benjamin Rubinstein and Vanessa Teague state that the “threat of criminal penalties” — the bill would make re-identification punishable by up to two years’ prison — “could inhibit open investigation, which could mean that fewer Australian security researchers find problems and notify the government”.
As a result, “Criminals and foreign spy agencies will be more likely to find them first,” the trio writes.
The researchers suggest that the bill should not focus on the act of re-identification itself but rather on any harmful acts involving the re-identification of data that are not currently illegal.
“The threat of jail time discourages law-abiding Australian researchers and journalists from making the simplest and most convincing demonstration that a de-identification method has failed,” the submission states.
“If the new rules had been in place in September, we would not have discovered the problem in the MBS/PBS dataset encryption, the dataset would probably still be up, and the government could be unaware it was insecure.”
“The best way to improve protections of anonymised datasets is to permit free and open re-identification combined with responsible disclosure,” the researchers argue.
The full submission is available online (PDF).