Beleaguered Attorney-General George Brandis, under fire for attempting to personally control access to the country’s second law officer, has made another grab for power under the guise of amending Australia’s Privacy Act, handing himself the right to personally approve “white hat” hackers testing whether government agencies have sufficiently rigorously anonymised public data.
As Crikey reported two weeks ago, Brandis suddenly announced new laws aimed at deterring re-identifying individuals in de-identified public data — coincidental with the Health Department withdrawing a major database of public health information because it had been insufficiently anonymised. The ease with which census data could be re-identified was also a serious concern relating to the Australian Bureau of Statistics’ decision to turn the census into a lifelong individual data set.
A key problem with Brandis’ proposal was how academic researchers and “white hat” hackers concerned about privacy would be protected when they tested de-identified datasets: if they discovered, as University of Melbourne IT security specialist Vanessa Teague did about the health data, that it has not been sufficiently rigorously de-identified, they could find themselves in breach of the new laws — and even more so if they informed anyone.
The problem has partly been addressed in the bill unveiled this week by excluding people employed by bodies releasing data. And people who discover that information can be re-identified will be required to inform the relevant agency as soon as practicable (IT News‘s Allie Coyne has a good discussion of the bill). However, rather than provide an exemption for academics or good-faith researchers testing to see whether government departments have done their job of properly de-identifying data, Brandis has decided to give himself the power to decide who gets exempted and who does not:
“The Minister may determine that an entity, or an entity included in a class of entities, is an exempt entity for the purposes of one or more of sections 16D, 16E and 16F in relation to one or more purposes specified in the determination, if the Minister is satisfied it is in the public interest to do so.”
In effect, Brandis is establishing system in which academics or other researchers will have to approach him for personal vetting in advance to check if government departments have done their job properly. Almost inevitably, that information would be passed to the security officials, who could decide to place such people under surveillance. And who would trust the Attorney-General, for example, to exempt someone who expressed an intention to test data released by his own department?
It continues one of the themes of Brandis’ disastrous reign as Attorney-General, his attempt to garner power for himself wherever he can. His attempt to restrict access to the Solicitor-General on his personal authorisation has led to revelations he misled Parliament and has been shopping for legal advice. His response to criticism about the “Special Intelligence Operation” provisions of the government’s expansion of ASIO’s powers aimed at jailing journalists for reporting on intelligence activities was to order the Commonwealth Director of Public Prosecutions to obtain his personal permission to prosecute journalists. The Independent National Security Legislation Monitor called for a complete overhaul of the section to dramatically curtail the threat to journalists but, despite Brandis ostensibly committing to implement that recommendation in February, the section remains unamended.
Brandis’ mass surveillance legislation also gave him extraordinary powers in relation to data retention; the act gave Brandis the personal power to issue “journalist information warrants” for the interception of journalists’ metadata, rather than an independent judicial figure as is normally required for warrants. Brandis also gave himself the power to add agencies to the list of bodies that could access metadata.
It’s a vast amount of self-awarded power for a man who demonstrably understands virtually nothing about the internet.