Australian welfare recipient’s data released to counter public criticism
theguardian.com
No doubting the veracity of this occurrence, but it is baffling that it happened nonetheless - federal government departments here (Australia) are usually cautious to a paranoid level when it comes to people even looking at information. I remember cases of curious internal staff members at the tax and social security offices being sacked on the spot for merely doing searches on celebrity names without due reason.
Both my sisters work in law enforcement agencies, and tell me that their every action on their computer systems is tracked and logged. Once when my younger sister worked in the Traffic infringement section of the local police department, I asked her to check up if I was actually pinged by a remote speed camera that morning as I suspected I was. She refused, on the grounds that any such searches were tracked, and if it was found she did a search against a vehicle belonging to a close family member, it would trigger an internal investigation by the ethics team.
I'm an Australian who lived a couple of years in the Bay Area. The views people hold toward privacy were one of the most surprising cultural differences between our countries. As an outsider I was shocked to learn that privacy really is an afterthought for a lot of Bay Area residents.
US anecdote: a product I worked on had a feature which needs full access to a customer's email account to use. The feature scrapes their inbox and can send emails impersonating our customers' staff. I said there was no way I'd use that feature, but it proved to be super popular! People had no problem handing over access to their entire (work) email account to a startup.
Australia anecdote: When my uncle died we needed to hunt down his bank details. The banks (by law) weren't allowed to even tell us if he was one of their customers without seeing his death certificate and our documentation.
I'm now way more nervous about trusting US-based startups with my data. It's not just that many of the engineers are inexperienced, and most startups don't have any security expertise. It's also that culturally I know they probably don't understand personal privacy. I can't trust that they'll protect my data if they might not bother protecting their own.
Fastmail is Australian. If you have a support issue and need to have an email examined they refuse to help unless you create a top level folder called "forwebmaster" and put the email there.
The first time I had to do this it solidified my trust in their services.
I worked on a financial product based on one of Intuit's. I was shocked to realize that this Intuit product was impersonating people (using their username and password) to log on to their bank accounts and download all transactions - which our product was then analyzing. I was sure nobody would allow that; who will give a third-party their bank username and password?
I was extremely surprised to find out that the answer was "at least tens of thousands of people".
> I was sure nobody would allow that; who will give a third-party their bank username and password?
Banks have been extremely reluctant to hop onboard with APIs. KeyBank wanted to charge me $20/month to turn on a Quickbooks export, for example.
Capital One has a neat ability to generate read-only credentials for use with stuff like Mint. Wish more banks would do that.
Banks don't tend to have APIs though. Either you give up your username and password, or you don't get centralized reporting. Those are your only options.
Anyway fraudulent bank transactions are relatively easy to undo, and they have really high penalties and are enforced by FBI agents who don't play around.
I wonder if people know how much their data is being accessed by 3rd parties? Maybe it starts with Intuit getting permission for something convenient and a few unread, auto opt-in "change of service agreements" later, they can share it with everyone.
cough Mint
cough cough Yodlee
The power corporations are accumulating with information on intimate customer behavior and the glacial response of society to this is a daily refrain on HN. Has anyone seen a comprehensive, or at least collected, list of canonical examples of strong arguments for:
* Raising awareness amongst non-technical folks that such incredible stocking up of PII can raise complicated ethical risks?
* Giving legislative representatives practical and defensible reasons to not just go with the flow and actually have a chance to offer smart legislative options without being shot down?
This particular example is alarming - I can picture plenty of corporations that wouldn't mind the idea of "customer service" representatives casually raising the prospect of releasing customer PII in order to "show their side of the story" as leverage in situations where a customer is threatening to go to an Ombudsman or other public forum.
On top of all the complete and utterly ... WRONG ... things that Centrelink have been doing lately, a billion dollar entity attacking a single, disadvantaged person furthers the depths of the unethical behaviours on display by the Australian government.
The list of wrong things includes knowingly issuing pay-us-back-or-we'll-empty-your-bank-account legal notices incorrectly, when they clearly averaged e.g. a single high payment month over the whole period when the rules state this is not to be done. Then saying just call us, knowing the call wait lines are so horrid it is a whole day project just to get in touch with anyone.
I'm so over this government.
In this case, it's actually a government agency accumulating data on people who voluntarily choose to collect free money/free stuff from said agency.
https://www.humanservices.gov.au/customer/dhs/centrelink
I see no evidence that Centrelink collects any data on people who don't approach it with their hand out.
Centrelink is a government body; it is the public facing segment of the federal social security system in Australia.
It is beyond bizarre that their own legal counsel approved the release, especially since they're also under the spotlight at the moment. I'm not sure how they expect to 'maintain public trust by showing their side of the story' when that involves violating privacy.
This is a good example of why the "I don't have anything to hide" argument is incorrect.
That way of thinking only works as long as your goals and positions are aligned with the entity collecting information about you to begin with. If they're not, or the situation changes, imbalances of information lead to disadvantages for you pretty quickly.
All it took was some bureaucrat feeling petty.
And this is how it looks in the 3rd world.[1]
On 31 October, Congress party officials provided assailants with voter lists, school registration forms, and ration lists.[49] The lists were used to find the location of Sikh homes and business, an otherwise impossible task because they were located in unmarked and diverse neighbourhoods. On the night of 31 October, the night before the massacres began, assailants used the lists to mark the houses of Sikhs with letter "S".[49] In addition, because most of the mobs were illiterate, Congress Party officials provided help in reading the lists and leading the mobs to Sikh homes and businesses in the other neighbourhoods.[46] By using the lists the mobs were able to pinpoint the locations of Sikhs they otherwise would have missed.[46]
... One man, Amar Singh, escaped the initial attack on his house by having a Hindu neighbour drag him into his neighbour's house and declare him dead. However, a group of 18 assailants later came looking for his body, and when his neighbour replied that others had already taken away the body an assailant showed him a list and replied, "Look, Amar Singh's name has not been struck off from the list so his dead body has not been taken away."[46]
1 - https://en.wikipedia.org/wiki/1984_anti-Sikh_riots#Use_of_vo...
And in the first world: https://en.wikipedia.org/wiki/IBM_and_the_Holocaust
"The 1933 census, with design help and tabulation services provided by IBM through its German subsidiary, proved to be pivotal to the Nazis in their efforts to identify, isolate, and ultimately destroy the country's Jewish minority. Machine-tabulated census data greatly expanded the estimated number of Jews in Germany by identifying individuals with only one or a few Jewish ancestors. Previous estimates of 400,000 to 600,000 were abandoned for a new estimate of 2 million Jews in the nation of 65 million.[15]"
The US Census provided names and addresses for the Japanese internment.
https://www.scientificamerican.com/article/confirmed-the-us-...
Not only in alignment with some entity collecting the information, in alignment with every entity that might ever look at the information -- for the rest of your life.
This is the strongest point. Not having anything you're ashamed of does not mean not having anything to hide - it's all too possible for completely harmless traits like ethnicity and sexuality to become targets for someone else.
Your actions may be legal now, but that may not always be the case. You may be protected from retroactive prosecution now, but that may not always be the case. Data doesn't just go away.
The most scary aspect is that if I know everything about you, I can frame you for a crime for which you will have no alibi, or threaten to in exchange for you doing what I ask.
The second was a tactic often used by the Stasi to create more operatives - call someone in for questioning, accuse them of a crime for which they have no alibi, such as spying, and when they protest their innocence, ask them to help the government with something to show their good faith. That something could easily be to provide a pretext for arresting the real target.
The Stasi is a good model for how quickly and badly this can go off the rails.
The way it's supposed to work is that you have some public event of importance: a crime, a person applies for a security clearance, or whatnot. Based on that event, the state then conducts an investigation to see if there are any data they can discover that might lead to a response.
The new way of working is that you collect all the data, on everyone, all the time. Then there's no more event. The only thing you do is pick out the person. Once you have the person, it's a simple data mining exercise (along with a lot of interrogation techniques) that takes care of the person. What's the old saying in communist countries? "You have a man. You have a problem. No more man, no more problem"
Functional societies focus on events. Dysfunctional societies focus on the people.
Australia Australia we love you Australia
In the event that this release was illegal, I really do feel for the people at the agency. Someone made public false allegations about them and they are legally forbidden from proving that person wrong. It's a tough position to be in.
I don't have a good solution to this, but I do think that there should be a legal way to prove a person is lying if they directly make accusations about you. After all, they are the one who made the situation public, not you.
Centrelink has all sorts of horrible things said about it, and recently in particular they've been doing some pretty unethical things around debt collection. But the thing is that they're a government department full of civil servants. It's their role to implement policy, not to defend government actions - that's for politicians to do. It's not a tough position at all; the correct response is "We don't comment on private matters", and you hear large entities say it every day.
Imagine if the IRS released Trump's tax returns. Trump has been lying about them being held up by the IRS (all those years? seriously? can't release some old ones?), but the IRS refuse to be 'fair about it' because it's a matter of privacy. Even though they're being maligned and it's clearly in the public interest. This Centrelink issue is the exact same thing, except for the clear public interest.
Besides, Centrelink doesn't need a reputation, since they're not selling anything. People go there out of need, not desire.
Is there something wrong with the agency making a public statement refuting the allegations, citing the information they have (but without specifics for privacy reasons)? Surely that helps them without their having handed over information?
"She's wrong but we can't release any evidence proving it" doesn't seem very effective.
I'd say they have writers capable of doing a little better than that.
Virtually every PR statement omits detail and evidence that would back up their statements.
> there should be a legal way to prove a person is lying if they directly make accusations about you.
"about you"? Her article did not name or provide identifying information about any individual employee of Centrelink.
In my post, "you" refers to the corporate person that is the Centrelink government agency (and implicitly the humans behind that corporate person), about which false allegations were made.
Is there some meaningful distinction here that means false allegations about an organization of humans should go unrefuted, but false allegations about a single human should be refuted?
> Is there some meaningful distinction here that means false allegations about an organization of humans should go unrefuted, but false allegations about a single human should be refuted?
To me, false allegations against individuals are more serious than false allegations against organizations for a few reasons. First, I care about the well-being of organizations only to the extent they positively impact the well-being of humans (or, to a lesser extent, animals). Second, a single false allegation against an individual human seems to be able to have a much more damaging effect than one against an organization.
I suspect this is a well-worn topic and that I would consider many of the other objections to corporate personhood to be "meaningful distinctions".
In this case, the false allegations were spread with the implicit goal of getting the government to spend more money/resources fixing problems that may not exist. If successful, that would result in a huge amount of waste, which harms real humans.
Even if it were a private organization, such allegations could directly result in harm to the human owners. For example, false allegations about bad food at a restaurant would mean the human owners and employees lose money. In much the same way, false allegations about a human might result in them losing their job.
While all of these are possible and all of these are bad outcomes, I think that their probability of happening and the magnitude of the result is less bad than what would occur if allegations of cruelty or incompetence were made against an individual.
I don't think we're going to be able to settle this argument here, so I'll just leave it at that.
Doesn't Australian defamation law only apply to organisations below a certain size? (15 employees or FTE - something like that.)
Fewer than 10 employees and not related to any other corporation.
The relevant section: http://www.austlii.edu.au/au/legis/nsw/consol_act/da200599/s... (This is the New South Wales legislation but it's almost perfectly uniform in all states and territories.)
This story follows a pattern of coordinated attacks on public services in The Guardian and other left leaning media outlets. Usually with the agenda of demanding more money and funding.
No doubt, mistakes happen in large bureaucracies but the story is usually slanted as some evil agency trying to destroy certain 'marginalised' sections of society. Whereas the truth is probably nothing like that.
I cannot help but think it is agenda pushing, distortion of facts and playing on emotions. Read the woman's original article and see the emotional language and phrases used. I think it says a lot about the intent of these media pieces.
Read the linked Centrelink's response and several things are refuted, so why in these comments is there an automatic pile on one side?
I think I can't quite follow your argument. Did you mean that the Guardian is trying to demand funding from someone, and they think they'll get this through this story somehow? Would you mind explaining?
> No doubt, mistakes happen in large bureaucracies but the story is usually slanted as some evil agency trying to destroy certain 'marginalised' sections of society. Whereas the truth is probably nothing like that.
The truth is that as an individual, especially one from a marginalized section of society, you are up against a powerful bureaucracy that has the ability to completely screw up your life, by mistake or not. So we as a society depend on holding these bureaucracies to very high standards.
It is also true that in any large bureaucracy, mistakes inevitably happen from time to time. One would wish for a leadership of said bureaucracy to handle these mistakes with integrity and from a position of confidence. By, for example, contacting this woman directly, quietly resolving this issue and then adding this problem to the yearly statistics to prove you run a good ship. Who knows, this woman might have written a blog post singing your praises, after you resolved her problem for her. Certainly the better PR strategy.
If, on the other hand, you resolve to attacking your clients in public, violating their privacy rights in the process, then maybe you're too close to running an evil, rather than a responsible agency.
> Read the linked Centrelink's response and several things are refuted, so why in these comments is there an automatic pile on one side?
Did you read the refutation of the refutation as well? I found the article presents the different viewpoints quite well. Including that this sort of pressure is able to stir up strong emotions.