Metadata what could go wrong? AFP Accidentally Release Data
Friday 29 August 2014 @ 10.07 a.m. | Crime | IP & Media
As debate and confusion continues over the reach of the government’s proposed mandatory data retention scheme it has been reported by The Guardian that the Australian Federal Police (AFP) have apologised for mistakenly having published sensitive information, including metadata connected to criminal investigations.
In a report yesterday (28 August 2014), The Guardian revealed that the AFP had "mistakenly published highly sensitive information" which included metadata connected to criminal investigations, in what it described as a "serious breach of operational security". It appears that the AFP provided documents to the Senate that were then later made publicly available online at parliamentary websites and to other methods of distribution for several years, which it turned out accidentally disclosed information about the subjects and focus of criminal investigations and telecommunications interception activities.
Why the Revelations are a Cause for Embarrassment?
As we have reported in previous posts (see Metadata and Data Retention: Technical Terminology and Voodoo) there has been a level of confusion around what "metadata" is and what it does or does not include, especially for the purposes of the federal government's proposed new "data retention regime" which is very much supported by the security arms of government, such as ASIO, and the law enforcement authorities, such as the AFP. Given this, it is not a desirable thing at all for the AFP to have to admit to having mistakenly released data of the very type in question.
As The Guardian puts it:
"The revelations are an embarrassment for the law enforcement agency and the federal government, which are pushing for a mandatory data retention scheme to force telecommunications companies to retain personal data from phone and web users".
A scheme which has been attacked by critics for its potential to allow the very type of "mistaken publication" of sensitive information admitted to by the AFP to have happened.
Nature of the Material Disclosed?
Reports indicate the disclosed information included:
- the address of a surveillance target;
- the types of criminal investigations and offences being investigated;
- the names of several AFP officers that are not publicly available; and
- other information which included the phone number of an individual connected to an investigation.
The Guardian reports that the AFP has said that:
". . . it had self-reported the breach to the Australian Privacy Commissioner and apologised to 'relevant stakeholders associated with this matter'. . . [and had] immediately taken the appropriate steps to rectify the matter”.
The relevant information was said to be “hidden behind electronic redactions within the document” and “one phone number and an address could, under certain circumstances, be accessed”.
Reaction
On Thursday's PM program the ABC News reports Greens Senator Mr Scott Ludlam as saying:
"This [the AFP's revelation] is not a confidence building measure. The Australian Government is pressing ahead with proposals for mandatory data retention for the entire population to be accessed by dozens and dozens of agencies without so much as a single warrant being required".
The ABC PM program also contacted the Office of the Australian Information Commissioner (the OAIC) in which it was reported it was awaiting further information from the AFP and would then "assess the data breach in line with its normal processes".
In a previous media release on the proposed data retention scheme, the OAIC has indicated that it saw such a scheme increasing the risks to individual privacy and that there needed to be even more vigilance from organisations holding such information, saying:
"The retention of large amounts of personal information for an extended period of time increases the risk of a data breach. Organisations holding this information need to comply with all their obligations under the Privacy Act, including the requirements to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure."
While the "metadata" debate continues, the OAIC's further views on the matter, also expressed in a previous media release, appear to be most relevant:
"Key to this debate will be ensuring the ongoing privacy interests of Australians. It will also be important to consider whether a data retention scheme is effective, proportional, the least privacy invasive option and consistent with community expectations. Any scheme should also be transparent, accountable and have appropriate independent oversight". Emphasis added.
TimeBase is an independent, privately owned Australian legal publisher specialising in the online delivery of accurate, comprehensive and innovative legislation research tools including LawOne and unique Point-in-Time Products.
Sources:
- Federal police mistakenly publish metadata from criminal investigations (The Guardian - 28 August 2014)
- AFP accidentally publish secret, sensitive information (ABC PM Program - 28 August 2014)
- Australian Government’s data retention proposal — statement (OAIC Media Release - 8 August 2014)
- Attorney-General George Brandis struggles to explain Government's metadata proposal (ABC News - 7 August 2014)