The biggest media story today should be Nick McKenzie and Richard Baker’s revelation that the metadata of Telstra, Vodafone and Optus customers is available for sale in India via call centre employees. It’s frightening, disturbing — and illustrates just how dangerous to Australians the government’s mass surveillance regime is.
Crikey warned repeatedly that data retention would create a vast trove of personal and highly revealing information about every Australian that would inevitably be targeted successfully by thieves. Last year we suggested such information might be hacked, but McKenzie and Baker have shown there’s no coding skill required — you just need to bribe an employee with the right access.
If it’s relatively straightforward for an Indian company to secure metadata on Australians — the three companies involved would cover nearly every adult and most teenagers in the country — then it would be equally straightforward for organised crime and state intelligence agencies of other countries to secure the same information. Almost certainly they already have. Looking for an Australian intelligence or Defence official to compromise? Looking for a witness in a criminal case? Their metadata will show you who they’ve called, when they called and how long the calls lasted, not to mention where they have been at all times the phone was on, enabling you to assemble a comprehensive picture of their medical, relationship and social circumstances.
These warnings were made at the time Malcolm Turnbull and George Brandis legislated the Abbott government’s mass surveillance scheme, but were unheeded. There weren’t even any requirements imposed on industry subject to the data retention laws about the security of retained data — and certainly no restrictions on offshore storage or accessing of data. And, in truth, it would be enormously difficult for retained metadata to be stored securely anyway — there is always the “insider threat” of employees who have access to the data passing it on, no matter how well stored the data is.
There’s only one truly effective way to securely protect data, and that’s not to store it at all. No one can steal what you don’t retain.
If we had a half-decent parliamentary intelligence committee, it would immediately launch an inquiry into this breach, its implications for national security and whether the data retention regime that it endorsed needs to be amended. Instead, we have a committee that’s incapable of initiating its own inquiries, and which is currently led by a junior MP with minimal parliamentary or life experience, Michael Sukkar, who seems to be too busy attacking “elites” and endorsing Donald Trump to do his committee chair job.
And remember, this is all for a mass surveillance scheme that has zero actual benefit for reducing crime or terrorism or improving crime clearance rates. The only people benefiting from data retention are the crooks like those exposed by McKenzie and Baker.