Techdirt is off for the long weekend! We'll be back with our regular posts tomorrow.
Hours After Aussie Gov’t Greenlights Online Age Verification Pilot, Breach Of Mandated Verification Database For Bars Is Revealed
from the karmic-timing dept
It’s almost laughable that these two stories happened so close to one another. The Australian government has just announced a pilot program to test an online age verification system:
And then, just hours later, it was reported that law enforcement is investigating an apparent breach of club and bar patrons’ personal data, which the venues are required to collect by law for people entering such establishments.
When we talk about the privacy and data risks of age verification, this is exactly the kind of thing we’re talking about. When you’re collecting that much sensitive private data, you become a target.
As the article linked above notes:
It is a legal requirement in NSW for licensed clubs to collect personal information from patrons on entry, under the state’s registered clubs legislation.
The information is required to be stored securely under federal privacy laws.
Sounds kinda like the age verification requirements for websites. You have to collect the info and then pinky promise to keep it secure. And it works until this happens:
An unauthorised website claims personal information of more than 1 million customer records from at least 16 licensed NSW clubs have been released online in a potential data breach.
Cybercrime detectives are investigating the reported breach with the website claiming to have records and personal information of senior government figures, including Premier Chris Minns, Deputy Premier Prue Car and Police Minister Yasmin Catley.
IT provider Outabox said in a statement it had become aware of the potential data breach of a sign-in system used by its clients by an “unauthorised” third party.
Hilariously, government officials are trying to play this down because it was just a breach rather than a hack. As if that makes a difference?
Gaming Minister David Harris said the government and police first became aware of the potential breach on Tuesday.
“We know that this is an alleged data breach of a third-party vendor, so it wasn’t a hack,” he said.
But this is exactly the concern regarding online age verification. Someone has to collect that information and then whoever is collecting the sensitive info becomes an immediate target, no matter how the data is accessed.
Incredibly, you might recall that just a few months ago we were giving the Australian government kudos for recognizing that age verification was a privacy and security nightmare. So, they knew that just last summer.
And yet, here we are with the latest announcement:
Despite those concerns from late last year, the government is now pushing ahead with a pilot to try and test some of those ideas.
Look, maybe head down to the nearest club in NSW to see how it’s working out before moving forward “despite these concerns”?
Meanwhile, if you think this breach isn’t that serious, well, for the million or so folks who visited one of those bars and clubs, things don’t look great:
Creator of the data breach tracking website haveibeenpwned.com, Troy Hunt, said the creators of the website had not released all of the information they had collected.
“Inevitably they do have the entire thing.”
He said the Outabox technology used by clubs scans patrons’ faces and matches them with their licence details.
Mr Hunt said people whose data has appeared on the site may need to replace their drivers licences.
“There are physical addresses, there are date of birth, there are names. That’s not good,” he said.
That’s not good at all.
So maybe let’s not repeat the mistake online?
Filed Under: age verfication, australia, bars, data breach, privacy
Companies: outabox
Comments on “Hours After Aussie Gov’t Greenlights Online Age Verification Pilot, Breach Of Mandated Verification Database For Bars Is Revealed”
Inevitably, the people who have concerns that they voiced to the papers are a minority, primarily staff, with maybe a few office-holders.
The part of the government that votes, though, is inevitably jockeying for the next election and won’t want to appear “soft on crime” or “fails to protect the kids”.
Re:
Also, the last time a news station went against the nanny state, they got their offices raided.
Re: Re: Big Brother does not appreciate your BadThought stories
That doesn’t strike me as a ‘nanny state’ so much as… ah what’s the word, ah yes, dystopian.
This comment has been flagged by the community. Click here to show it.
This would never happen in America. Even if it did, God Emperor Trump would work day and night to ensure that ever man, woman, and child were forcefed a keg of moonshine to compensate for this disaster. Can I get an #amen? #MAGA #2024
It’s not really rare or surprising, though. Verizon just released a report on data breaches, and apparently they demand an e-mail address to get it. In 2022, Canadian grocery chain Freshco started pushing their new loyalty-card program heavily, right as they were cleaning up from a data breach. The produce department was pretty bare, its signs hand-written because the computers were unusable, while elsewhere in the store there were new “member price” signs—with regular prices raised, of course, and I’ve mostly stopped going there because of it.
Re:
And all this when we have TV ads running, telling us to use strong passwords bla bla, because of the amount of Australians falling victim to online scams.
One news outlet has taken one of the possible “solutions” and more or less stated that that is how the proposed system would probably work.
Fail.
If a system for age verification is implemented,it will only be far worse, not better. Where does it stop? I was actually shocked to find out about the requirements for facial scanning. Seriously? Just so you can have a steak and a beer?
We no longer have to speculate about what dystopia looks like. We’re standing in it.
But that won’t happen here because…
Re:
… because nobody would care to report it.
Re: Re:
or otherwise would be chilled by the CFAA.
This comment has been flagged by the community. Click here to show it.
Re:
because we’re not a nanny state that requires our citizens to register with momma government’s database before we can drink lmao
Re: Re: "Bars" =/= "Clubs"
Just to clarify something which could cause confusion for non-Australian readers (and clearly has in the case of the above reply): the mandated verification only applies to licensed Clubs which serve alcohol on the premises; it doesn’t apply to every single pub/bar in NSW.
The term “Club”, while often used as verbal shorthand for “nightclub” by anyone under 60, generally refers to large multipurpose venues operated by local sporting organisations/teams e.g. [lawn] bowling clubs and football clubs, or community organisations such as the Returned Servicemen’s League (“RSL clubs”). These venues typically offer a bistro/restaurants/cafes (sometimes more than one) alongside multiple bars and gaming/gambling spaces, meeting/conference/event spaces, outdoor eating/drinking/smoking areas, a kids playground, etc.
The food and drink offerings are usually of fairly decent quality/value, are often quite competitively priced compared to most privately owned restaurants and pubs, and always include a Kids Menu. So they’re a popular option for “financially challenged” families to have a night out without needing to pay for a babysitter. I believe that the increased presence of underage patrons in such venues was a big driver in introducing the mandatory ID verification system.
But yeah, if I want a drink but don’t want to have my face scanned I can go to any drinking establishment without “Club” in the venue name and just order a beer.
… But this time we will get it right!
Maybe they see it like they saw the pandemic and herd immunity. Once everyone’s personal details are out there, we wont need to worry about security at all.
I don’t understand why there has to be an online verification system for bars or clubs what was wrong with the old system ,bar staff simply ask for Id if they think someone is not over the age of 18
It’s completely obvious that any online form of age verication is a privacy nightmare and a prime target for hackers
Re:
The privacy nightmare is the entire point, by design. This is just a case of a bunch of human filth being pissed that a group of human vermin other than themselves now also possess said data.
Not surprisingly, the data includes at least one club within the Australian Capital Territory, which is surrounded by (but officially separate from) the state of New South Wales.
Meanwhile the Australian Liberal–National Coalition is calling for age verification on social media to block children from using it with the Shadow Communications Minister David Coleman claiming “there’s no question that social media is damaging for the mental health of children.”
https://www.abc.net.au/news/2024-04-24/coalition-push-for-age-verification-laws/103762290
The baffling and scary thing is that the people pushing for age verification do see data breaches like this as a cost worth paying. It’s debatable how convincing it really is as a counter-argument, especially in contrast to the weight of ‘protecting the children’ – or that of the fat bag of cash provided by verification companies.
OMG!! The things they told us would happen DID!!
One can only hope that the dildo of consequences will arrive to show them the error of their ways….
UPDATE to the hacking story
(I won’t put a link up, because it’s actually the very first link in the article)
About 24 hours after the hack was announced, a man’s been arrested over it and is expected to be charged with blackmail.
For all the security
That can be had, Could be done, HASNT been used.
For all those groups GATHERING OUR DATA, esp when its NOT REALLY NEEDED.
They gather to much and dont secure Much of anyting in the long or SHORT OF IT.
And Computer Security CAN be Fairly simple. The CLub verification system(?) was probably a central location, easy to use a DONGLE to protect it local. But over the net or remote access you could require ONLY verified computers to connect, and LIMIT the number of verification, PER DAY/WEEK or need to have MORE verification with a PHONE CALL.
90% of all of this is simple procedures, that could be done in seconds.
A quick tip for you:
If you want to emphasise certain words in your posts you can enclose the words in single underscores, like _ this _ (but remove the leading/trailing spaces): italics.
Or you can bold a word by using double underscores, like __ this __ (again, remove the spaces): bold.
Using either of these options rather than randomly peppering your posts with ALL CAPS can provide emphasis while avoiding the unfortunate side effect of making the text read as though you’re inexplicably shouting random words or your keyboard is faulty. Hope this is helpful!
What IS social network?
What IS social network?
Is Fortnite social network?
What about SecondLife?(which do have age gate but it’s used for other things and not flat-out deny)
What about WoW?
What about social networks who do have English UI but also likely to show middle finger to Australian Goverment requests (like Russian VK)?