Late last week, the commissioner of the Australian Federal Police revealed that an officer had accessed the personal metadata of an Australian journalist as part of an investigation into that reporter’s sources for a story about the AFP. While Commissioner Colvin put it down to “human error”, there is far more to this. What we have seen in this specific case is a complete breakdown of the protections we deserve as private citizens.
Australian police have a poor track record when it comes to our data
Before getting into this specific case, I think it’s worth noting that police officers have a chequered reputation when it comes to playing nicely with our data. While it’s true the vast majority of officers are honest, the trust relationship we have with police is asymmetrical. It only takes one breach by a single officer for our trust in the agency to be tainted.
And there are plenty of examples.
- Data pertaining to 400 people sent in error to the Office for Police Integrity in Victoria
- Documents from Wikileaks suggesting NSW police spent $2M on hacking tools
- A Queensland police officer accessed data to help a friend who was subject to a domestic violence order track down a former partner
- Cops in Queensland pulling phone records to find other cops faking sick days
The problem isn’t the retention of metadata - businesses need to retain metadata already. This was pointed out by Alastair MacGibbon, the Special Adviser to the Prime Minister on Cyber Security.
Checks and balances
Before the metadata retention legislation was passed, I had the opportunity to hear both sides of the argument presented at the 2015 Tech Leaders Forum. On the negative side was Scott Ludlam, an Australian Greens Senator who was the party's spokesperson for Broadband, Communications & the Digital Economy at the time. Law enforcement’s view was presented by Tim Morris, an Assistant Commissioner of the Australian Federal Police.
Morris’ argument rested on a few key issues.
- Metadata is crucial in criminal investigations
- Agencies would only access this data in limited circumstances
- Access to the data would require sign-off from a senior officer; there would be no unfettered access
But the accessing of the journalist’s data - no-one, including the writer whose data was accessed, knows who it is - clearly shows the latter two points are not being managed.
Every private citizen should be concerned about this. Put aside that a journalist was investigated. Imagine if you were involved in a messy custody battle or were being sued by a business partner and the other party had a friend in the AFP. Is your data safe?
What about VPNs?
A VPN is an essential tool if you connect to the internet and transmit and receive confidential information. But a VPN doesn’t necessarily mask your metadata.
Last week, I reported on Wangle, an Australian-made VPN solution. The company’s CEO, Sean Smith, told me Wangle is considered a carrier service by the ACMA and, therefore, was required to retain metadata. They don’t hold the content of any communications.
There hasn’t been a test case, yet, where a VPN provider has been asked by an Australian agency (the list of who can request metadata is quite long - I hope you’re not in the bad books with Harness Racing NSW!) to provide communications metadata.
With so many VPNs around these days, it’s possible that overseas providers either won’t comply with requests or won’t have considered themselves a carrier service and, therefore, won’t be retaining the required metadata in any case. But as far as I can tell, this is a bit of a crapshoot, as many VPN services are very opaque when it comes to revealing exactly how they operate.
In other words, obfuscating your metadata is not as easy as simply using a VPN.
Where does that leave us?
The voluntary admission by the AFP that an officer had accessed the information of a private citizen, and that the processes for protecting our rights were flawed, is a great concern. Fortunately, discussion about opening access to this data for use in civil cases has not resulted in an expansion to data access.
The real issue here, in my view, isn’t the retention of metadata. Telcos and other businesses routinely hold metadata. It’s needed for billing, managing service inquiries and other important functions.
The problem, I think, is that there’s a lack of appropriate controls around access to the data.
This includes legal controls, such as warrants, and logical controls that stop rogue officers from doing the wrong thing either intentionally or by accident.
What we need is a process that involves the judiciary or someone to represent the rights of private citizens.