Government officials have no idea where Australians’ metadata, compulsorily retained under its mass surveillance laws by communications providers, is being stored.
Officials of the Attorney-General’s Department made the extraordinary admission today in hearings of the Joint Committee on Intelligence and Security, which is examining the Telecommunications and Other Legislation Amendment Bill 2016. That bill establishes new notification requirements relating to Australian companies’ data security and requires them to “do their best to manage the risk of unauthorised access and interference to networks and facilities” as well as giving AGD and the Attorney-General additional powers of information-gathering and direction.
Committee deputy chair and former chair Anthony Byrne quizzed AGD officials about how much metadata retained under the government’s data retention laws is stored offshore by service providers. Officials said they didn’t know, despite an industry consultation process that commenced in 2012.
One of the key concerns expressed about the mass surveillance scheme — established by the Abbott government in 2015, allegedly in response to growing terrorist threats — was that the metadata of most of the population of Australia would be a highly attractive honey pot for organised crime and hackers. Data held overseas, rather than locally, was of particular concern, with a number of stakeholders such as the Victorian Privacy Commissioner, the Law Council of Australia and the Australian Information Industry Association complaining that the data retention bill did not prevent offshore storage of Australians’ data. The government at that time declined to address those concerns, but promised a mandatory data breach notification scheme — which, after years of waiting, was only just passed this week.
[Your guide to the data retention debate: what it is and why it’s bad]
Remarkably, however, despite years of industry consultation, the Attorney-General’s Department has no idea just what amount of data is stored offshore by companies since the scheme began. AGD is currently conducting an inquiry into whether data retention — originally promised by the government to be entirely confined to terrorism and major crime — should be expanded to civil litigants, which would enable organised crime figures suing for defamation, violent partners in Family Court litigation and copyright troll firms to obtain sensitive personal information.
Byrne labelled the department’s ignorance “ridiculous” and “unacceptable”. “So we don’t have any idea of how much data is stored offshore by major telecommunications companies or any companies?” he asked. “No,” bureaucrats replied. Byrne challenged them on whether the current bill would enable AGD to work out where data was being stored, with officials, after some hasty consultation among themselves, saying that it would.
However, the bill only requires notification of changes by services providers “that are likely to make the network or facility vulnerable to unauthorised access and interference”. That is, assuming providers admit that moving data offshore would make it vulnerable (an unlikely scenario — what company would tell its customers it’s moving their data to China and it might make it more likely to be hacked?) — it would only have prospective effect. All existing offshored data would not the subject of notification.
The admission by AGD comes not long after Fairfax revealed an Indian company was illegally purchasing Australians’ metadata sourced from Australian telcos for sale to private interests.
SALE ENDS MIDNIGHT
Australia has spoken. We want more from the people in power and deserve a media that keeps them on their toes. And thank you, because it’s been made abundantly clear that at Crikey we’re on the right track.
We’ve pushed our journalism as far as we could go. And that’s only been possible with reader support. Thank you. And if you haven’t yet subscribed, this is your time to join tens of thousands of Crikey members to take the plunge.
Editor-in-chief
Leave a comment
I know this has been a year of shocks but……..the whole point of metadata is apparently that it is some type of chain of evidence….if you don’t have the highest degree of control and trust in that chain of evidence….. surely it can not be used for any serious activity such as law enforcement…There is no such thing as evidence collected which may be accurate…. The times we live in are just extraordinary….. It is like nobody cares about anything serious anymore…….. while everyone still thinks they are entitled to be paid more than the next person, mainly on the basis of seniority………. I read about a professional photographer who displayed his images for sale on a sale sharing website…..Despite being a loyal customer for years and accruing significant ongoing income from the website, this man quit the website once he realised that his images were being housed in China…. I mean, it was business 101 for him….This other stuff is law enforcement!
“…..was that the metadata of most of the population of Australia would be a highly attractive honey pot for organised crime and hackers.”
And if a company that has ties to USA is holding the data, it is open slather to the FBI/CIA etc, which to me is a much greater risk to the population of Australia.
It’s ineptitude on an Olympian scale.
Is it ineptitude really? Can anyone truly be so stupid and still manage the intellectual demands on breathe in, breathe out?
Therefore, given that such incompetence can’t be the simple answer, we are left to imply other motives – none of which are reassuring.
From the very beginning, the whole idea of mass data retention was always going to be a clusterf*ck. But oh my goodness, how much worse is it going to get?
Sad, scary and bloody depressing stuff.
Priceless! And the government’s gushings about our metadata being perfectly safe & secure are now exposed as gross exaggerations (at best) or blatantly porkies (more likely).
Also, one wonders which foreign crims are currently sifting through our Census forms.
Well, at least 20% of households are safe from that.
A scare campaign about metadata being offshored? Sounds like the sort of retrograde “protectionism” that Bernard normally loathes…