g20 data breach: putin on an act

One of the questions I’ve been asked most in recent months is whether members of parliament will have their metadata stored under the government’s mass surveillance regime. The answer? Absolutely.

Almost every Australian has skin in this game, including some people who really shouldn’t, given the government and opposition’s protestations that this regime is a vital issue of “national security”.

First published at the Guardian

During February’s Senate Estimates, we learned that Dennis Richardson, secretary of the Department of Defence, who works alongside the minister and the chief of the Australian Defence Force, doesn’t use an encrypted phone.

It’s a fair bet that senior people in our defence and security organisations who work alongside him will also be among the 23 million of us who have their metadata stored for two years.

You’d expect that regardless of its nature, the information of senior defence personnel (or say, world leaders) would be held under tight security by government and agencies that have access to it, to avoid the risk of it being compromised.

This risk was emphatically highlighted yesterday, when Guardian Australia broke the news that the immigration department had inadvertently disclosed the personal information, including passport and visa numbers, of 31 world leaders in Australia for the G20. Among the leaders whose details were leaked were Barack Obama, Vladimir Putin and Angela Merkel.

This is the same department that posted the disclosure of personal details of nearly 10,000 adults and children, including a third of all asylum seekers, a breach that could quite genuinely have put lives at risk.

The kicker to this story, beyond the fact that the information was compromised in the first place, is that it appears the immigration department recommended against telling those leaders that the breach had occurred, because of the “low risk” it presented.

At the time of writing, the department haven’t said whether or not these leaders had been subsequently notified, a moot point, seeing as they’ll certainly be aware of it now.

You and I would like to be told when our data is breached. I’d wager that’s a view shared by the protection and intelligence agencies of countries like China or the USA when that data belongs to their political leaders. 

The Joint Parliamentary Committee on Intelligence and Security recommended in favour of the introduction of a data breach notification scheme, but this was not part of the data retention legislation that passed the Senate last week.

Such laws exist in nations including the UK, France and Germany, and they provide a fundamental level of transparency that is greatly needed, especially now that an approach as deeply intrusive as data retention is imposed on the entire Australian population.

The federal government has committed to implementing this by the end of the year, but given the magnitude of data involved, it needs to happen a lot sooner. It’s no exaggeration to say that this won’t be the last of these stories we see reported.

In the case of the G20 leaders, it seems like Outlook automatically filling an email address is to blame. That’s a mistake we’ve all made, and even in the absence of malicious intent, it demonstrates how easy it is for data to be compromised once it is trapped and stored.

The third Australian privacy principle, relating to the collection of solicited personal information, essentially says that unneeded personal information should not be collected and stored.

It goes without saying that information that doesn’t exist can’t be accessed through a privacy breach. This is the reality of mandatory data retention. In the name of national security, it seems that policy making has fallen completely out of line with common sense.

Just like the adage that the act of observing a phenomenon changes it, the act of trapping and retaining data creates the potential for it to be compromised. While the government and opposition adopted a unity ticket on this issue, the Greens and cross-bench worked in the Senate to at least narrow the scope of this regime, including steps to limit it to three months, establishing processes for ensuring data was destroyed properly, and reducing the number of people able to access this information in the absence of a warrant. 

All of these measures were rejected. If you think data retention is a good idea, you need to brace yourself for further breaches of personal information. Breaches, it seems, that no one is immune from.