Late last week, the commissioner of the Australian Federal Police revealed that an officer has accessed the personal metadata of an Australian journalist as part of an investigation into that reporter’s sources for a story about the AFP. While Commissioner Colvin put it down to “human error” there is far more to this. What we have seen in this specific case is a complete breakdown of the protections we deserve as private citizens.
Australian police have a poor track record when it comes to our data
Before getting into this specific case, I think it’s worth noting that police officers have a chequered reputation when it comes to playing nicely with our data. While it’s true the very vast majority of officers are honest, the trust relationship we have with police is asymmetrical. It only takes one breach by a single officer for our trust in the agency to be tainted.
And there are plenty of examples.
- NSW police spent $2M on hacking tools
- A Queensland pulling phone records to find other cops faking sick days
The problem isn’t the retention of metadata – businesses need to retain metadata already. This was pointed out by Alastair MacGibbon, the Special Adviser to the Prime Minister on Cyber Security.
Checks and balances
Before the metadata retention legislation was passed, I had the opportunity to hear both sides of the argument presented at the 2015 Tech Leaders Forum. On the Tim Morris, an Assistant Commissioner of the Australian Federal Police.
Morris’ argument rested on a few key issues.
- Metadata is crucial in criminal investigations
- Agencies would only access this data in limited circumstances
- Access to the data would require sign-off from a senior officer; there would be no unfettered access
But the accessing of the journalist’s data – no-one, including the writer whose data was accessed knows who it is – clearly shows the second two points are not being managed.
Every private citizen should be concerned about this. Put aside that a journalist was investigated. Imagine if you were involved in a messy custody battle or were being sued by a business partner and the other party had a friend in the AFP. Is your data safe?
What we have seen in this specific case is a complete breakdown of the protections we deserve as private citizens.
What about VPNs?
A VPN is an essential tool if you connect to the internet and transmit and receive confidential information. But a VPN doesn’t necessarily mask your metadata.
Last week, I reported on list of who can request metadata is quite long – I hope you’re not in the bad books with Harness Racing NSW!) to provide communications metadata.
With so many VPNs around these days, it’s possible that overseas providers either won’t comply with requests or won’t have considered themselves a carrier service and, therefore, won’t be retaining the required metadata in any case. But as far as I can tell, this is a bit of crap-shoot as many VPN services are very opaque when it comes to revealing exactly how they operate.
In other words, obfuscating your metadata is not as easy as simply using a VPN.
Where does that leave us?
The voluntary admission by the AFP that an officer had accessed the information of a private citizen and that the processes for protecting our rights were flawed is a great concern. Fortunately, discussion about opening access of this data for use in civil cases has not resulted in an expansion to data access.
The real issue here, in my view, isn’t the retention of metadata. Telcos and other businesses routinely hold metadata. It’s needed for billing, managing service inquiries and other important functions.
The problem, I think is that there’s a lack of appropriate controls around the access of the data.
This includes legal controls, such as warrants, and logical controls that stop rogue officers from doing the wrong thing either intentionally or by accident.
What we need is a process that involves the judiciary or someone to represent the rights of private citizens.
Comments
9 responses to “Why The Police’s Metadata Screw Up Changes Everything”
The problem everyone in the media is overlooking (unsurprisingly) is that this was only an issue to begin with, because the person targeted was a journalist.
If this had of been joe blo walking down the street, everything would have been just fine. They can go crazy and look through my metadata without breaking any laws. But journalists get special protection, because they’re someone more important than others, here.
How about we champion for safeguards and protections for ALL private citizens, not just elite journalists.
I wonder what exactly the qualifications for a journalist are for the purposes of this rule. Do they have to work for a major newspaper? A minor one? Do Kotaku journalists count? Do I count if I run a blog that no one reads? What if 3 people read it, or 1000?
There are a number of things that are unclear under the metadata retention law. For example, the government actually has no clue as to how many companies in Australia are designated as carrier services that are required to retain the metadata. As for the definition of journalist – I’ve been in rooms of journalists who can’t agree. The best definition I have is someone who produces non-fiction that is published for broad consumption. At the event I was at last week, my media accreditation said “media/blogger”.
Given that definition, how do I go about getting my status changed to “Journalist” with the relevant authorities? And just who are the relevant authorities?
The whole thing is the mess it was always going to be.
Actually – I respectfully disagree. There have been many other instances of the data of private citizens accessed by law enforcement (I gave a few examples). The press was interested because, ironically, they were having a Press Freedom Dinner on Saturday night! And I’m pretty sure the article I wrote doesn’t say this is a big deal because it was a journalist. My last sentence says “What we need is a process that involves the judiciary or someone to represent the rights of private citizens”.
Actually – I respectfully disagree. There have been many other instances of the data of private citizens accessed by law enforcement (I gave a few examples). The press was interested because, ironically, they were having a Press Freedom Dinner on Saturday night! And I’m pretty sure the article I wrote doesn’t say this is a big deal because it was a journalist. My last sentence says “What we need is a process that involves the judiciary or someone to represent the rights of private citizens”.
I see what you did there…
I think in the interests of balance you should note in your article that this breach was detected by the AFP internally and self reported. We only know this occurred because they have been transparent about it. Doesn’t make it OK but it’s not like they tried to cover anything up here.
I don’t blame the police for the mistake, after all, human error is a reasonable explanation in this case and mistakes do happen.
I blame the Federal Government for the poorly implemented legislation that made this possible.
It was going to happen sooner or later and I’m glad it happened. Now let them argue that our data and privacy are safe.
https://staging.lifehacker.com.au/2015/02/how-to-see-if-your-vpn-is-leaking-your-ip-address-and-how-to-stop-it/