Bungles, leaks and lack of knowledge hurt data plans
Two stories this week suggest federal public servants may want to brush up on their tech skills.
First, ASIC accidentally blocked access to 250,000 websites because staff did not understand internet protocol (IP) addresses.
Second, and even more embarrassingly, the Australian Federal Police mistakenly posted highly sensitive information from criminal investigations online.
The AFP’s serious breach of operational security saw them make the metadata of alleged criminals freely available online.
It is the kind of leak that measures such as mandatory data retention seek to stop.
An ongoing parliamentary inquiry is looking at which government agencies should be able to block access to websites, and in a hearing this week ASIC revealed that attempts to blacklist a small number of websites led to the blocking of many thousands.
ASIC regulators were trying to block some sites they said were offering fraudulent services to Australians. But staff did not realise that suspending access to the IP address of the sites would affect thousands of legitimate webpages coincidentally hosted on the same IP.
While the worst effect of ASIC’s slip may have been some lost business or communications, AFP’s techno-blunder could bring much more serious consequences.
Guardian Australia has revealed that documents provided by the AFP to the Senate, which disclosed information about the subjects and focus of criminal investigation, made their way online.
The confidential information became publicly available on parliamentary sites and other sources for several years, reports say, and included details of telecommunications interception activities and metadata harvesting.
The address of a surveillance target, the style of investigations, the offences police were chasing, the classified names of several AFP officers, and even the phone number of an individual connected to an investigation were accessible online for several years.
Such a blatant failure to secure sensitive data does not bode well for an organisation seeking to expand its access to and usage of such information.
The leak could easily have jeopardised criminal investigations, exposed subjects of police surveillance and put the lives of the officers themselves at risk.
The AFP has responded to the revelation of its revelations, saying it self-reported the breach to the Australian Privacy Commissioner and issued apologies to “relevant stakeholders associated with this matter”.
The Australian Information Commissioner, the nation’s privacy watchdog, has warned that an expanded data retention scheme would only increase the risk of exactly this kind of privacy breach.
“Organisations holding this information need to comply with all their obligations under the Privacy Act, including the requirements to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure,” Commissioner Timothy Pilgrim says.
“It will also be important to consider whether a data retention scheme is effective, proportional, the least privacy invasive option and consistent with community expectations. Any scheme should also be transparent, accountable and have appropriate independent oversight.”