ACCforum: Unsecure website risks Ashley MoBIEson hack - ACCforum

Jump to content

Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

Unsecure website risks Ashley MoBIEson hack

#1 User is offline   hukildaspida 

  • Advanced Member
  • PipPipPip
  • Group: Member
  • Posts: 3353
  • Joined: 24-August 07

Posted 27 August 2015 - 03:00 PM

Unsecure website risks Ashley MoBIEson hack
Wednesday, 26 August 2015, 4:38 pm
Press Release: New Zealand Labour Party

26 August 2015 MEDIA STATEMENT

Unsecure website risks Ashley MoBIEson hack

Experts have raised security concerns that vulnerabilities in MoBIE’s half million-dollar website could lead to a possible Ashley Maddison-style hack, says Labour’s Economic Development spokesperson David Clark.

“The real issue here is not what data is immediately available, but what connections this vulnerability opens up. Every security wall is critical. Once behind the veil, hackers can explore connections to other Government held-data.

“MoBIE has trusted IT connections into other Government agencies. Once inside the security perimeter, a hacker may roam around and explore other vulnerabilities undetected.

“New Zealanders need confidence that the private data they share with IRD is protected. The reality is that the Government can no longer be as confident of this as it once was.

“The new website uses SSL3 encryption as was done in the failed Ashley Madison website. That does not inspire confidence. Questions must also be asked about this and similar vulnerabilities in other parts of the MoBIE IT infrastructure.

“You would think $560,000 could buy a secure website. But as usual Steven Joyce’s MoBIE spend-ups raise more questions than answers. The Minister has failed to provide a detailed breakdown of his spend on the gold-plated site.
“This Government has form with privacy breaches including IRD, Winz and ACC.

“Skimping on security and pimping on bling sounds like another Ashley Madison tale. New Zealanders have the right to expect higher standards from a Government they entrust with their most valuable personal data,” David Clark says.

© Scoop Media

#2 User is offline   hukildaspida 

  • Advanced Member
  • PipPipPip
  • Group: Member
  • Posts: 3353
  • Joined: 24-August 07

Posted 10 September 2015 - 12:33 PM

Harmful Digital Communications Act: two months in Sam Grover
31 August 2015
HDCA blog image


For 37 million people, the Ashley Madison data breach is a nightmare scenario. Extremely sensitive, personal information is in the public domain to be perused and abused by anyone takes a mind to do so.

With that in mind, it’s worth considering the recently passed Harmful Digital Communications Act (HDCA), which was passed in July for situations like this one.

As with all new laws, there has been a significant amount of public debate. Is the HDCA just knee-jerk law-making, trampling on freedom of expression in response to high profile cases like Roastbusters and the online bullying of Charlotte Dawson? That’s the argument that some technology commentators have been levelling at the new cyberbullying law.

We don’t agree with that assessment. It is important to understand that the most criticised components, the criminal offences, and the safe harbour provisions, are intended to address the very worst cases of harmful digital communications. In order to really understand the HDCA, we need to look at the whole Act.
A bit of history

Digital communications facilitate both higher volume of content (everyone has a camera on their phone) and higher speed of distribution (it’s as easy as pressing ‘share’). This means that they also enhance peoples’ ability to harm one another. For example, publicly posting ‘revenge porn’ or an incriminating screenshot from the Ashley Madison data dump are both ways that lives can be ruined through digital means.

In 2012, the Law Commission recognised that existing law did not give sufficient options to victims of harmful digital communications. There were legal options under at the time, such as the Harassment Act, but these options were under a variety of laws and through a variety of agencies. The complexity made seeking redress a time-consuming activity, which is particularly relevant in a world where a few hours can be the difference between a problem that is nipped in the bud and a problem that goes viral and ruins your life.

With this in mind, the Law Commission gave reform recommendations which were accepted by the Justice Minister in 2013. The HDCA was the eventual result of these recommendations.
Keeping it civil

The bulk of the Act is made up of four civil components:

A set of communications principles
The creation of an approved agency to resolve disputes
New District Court powers to enforce the principles.

Here’s how it will work: if you feel like someone has negatively affected you by violating one or more of the communications principles, you contact the approved agency. The approved agency works with you and the person or organisation responsible for the content and tries to help you reach a settlement.

If the agency can’t help you reach a settlement, they may refer the matter to the District Court, which can order content takedowns, issue ‘cease and desist’ orders, mandate name suppression and more. It cannot make someone pay you; financially, the most the District Court can do under the HDCA is fine respondents for failing to comply with an order.
Safe harbour

The HDCA has a “safe harbour” provision, which lets content hosts avoid liability by following a clear process when they receive a complaint about a harmful digital communication.

It has been suggested that this could be abused by people flooding the host with spurious complaints to silence someone. While this does sound unpleasant, it would be a difficult caper to pull off. The HDCA doesn’t require content hosts to immediately remove material when they receive complaints. It only requires them to notify the author of that material and give them a chance to respond to the complaint. The content host only needs to remove the material when the author doesn’t respond within 48 hours.

Furthermore, the safe harbour provision only applies to complainants who are directly affected by a piece of harmful content. It’s not enough for content to be generally offensive or outrageous. It needs to be specifically harmful to the individual who complains about it. This means that any “flooding” would be able to be quickly triaged by the content host, and most of it dismissed out of hand.
Criminal offences

The main criminal offence in the HDCA is “causing harm by posting a digital communication”. In order to be covered by this section of the Act, a digital communication needs to cause harm, it needs to have been posted with the intent of causing harm, and the harm felt needs to be such that it would be felt by an ordinary, reasonable person in the same situation.

When you combine these three elements, the result is a narrow definition of the offence. This is fitting, because the offence is designed to curtail extreme cases of harmful digital communications.
Where to from here?

While the HDCA sets an ‘outside edge’ by defining the extreme cases, everything else is uncharted territory. The approved agency and courts will chart that territory on a case-by-case basis.

Critics of the HDCA have said that the Act limits free expression. And they’re right. While the Bill of Rights Act grants freedom of expression to New Zealanders, it also grants Parliament and the courts the right to limit speech where those limitations are demonstrably justified in a free and democratic society.

The Act should not be used to “chill” free speech, and should not be invoked just because one person does not like something another is saying, or is offended or has their feelings hurt by another person’s speech.

One of the founders of modern privacy law and an ardent defender of free speech, US Supreme Court Justice Louis Brandeis, was one of the first to articulate the “the remedy for bad speech is more speech, not less” principle:

To courageous, self-reliant men, with confidence in the power of free and fearless reasoning applied through the processes of popular government, no danger flowing from speech can be deemed clear and present, unless the incidence of the evil apprehended is so imminent that it may befall before there is opportunity for full discussion. If there be time to expose through discussion the falsehood and fallacies, to avert the evil by the processes of education, the remedy to be applied is more speech, not enforced silence.

This principle will ensure that the new law is not interpreted in a way which wraps those engaging online in cotton wool, but still provides a remedy to those for whom more speech is an insufficient remedy for the “evil apprehended” from the communication.

Image credit: Flickr Creative Commons

Share this topic:

Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users