Great news Australia: We've had our first metadata breach

Just two weeks after Australia's mandatory data retention scheme came into force, police have revealed one of their officers "illegally" accessed a journalist's call records.

CNET/Amanda Kooser

Chalk this one up for the security record books under the chapter titled, "We told you so."

Australia has its first (reported) metadata breach. And it came at the hands of an Australian Federal Police officer.

The AFP today revealed one of its officers "illegally" accessed the metadata of an Australian journalist's phone calls, "earlier this year."

"[The breach] was identified by the AFP as a result of our own review," said AFP Commissioner Andrew Colvin.

Commissioner Colvin said police destroyed all data once it was clear they had breached the laws, and that data did not form part of any police investigations.

"Put simply, this was human error. It should not have occurred."

Australia's mandatory data retention laws passed with bipartisan support in March 2015. Under the bill, internet service providers and telcos are required by law to store metadata about customer communications -- including names, addresses and the time, location and duration of communications -- for two years.

The laws also include provisions requiring police to get a warrant to access journalists' metadata. The provision of these Journalist Information Warrants was made to expedite passage of the metadata legislation, and to appease media organisations concerned about data retention encroaching on press freedoms and the confidentiality of sources.

However, under the warrant scheme journalists are not notified if their metadata is accessed.

Today, the AFP revealed it failed to secure a warrant in this case, resulting in Australia's first metadata breach being reported months after the fact.

But Commissioner Colvin rejected suggestions that the breach represented a failure of the system.

"It's extremely rare that we're interested in a journalist's metadata," said Colvin.

"We have breached in respect to a journalist's particular circumstances on this occasion," he added. "I don't think that gives cause to say that the public should have their confidence shattered in the system."

The spectre of a major data breach has been looming since the laws were first mooted, with critics warning that creating a trove of metadata on every single Australian with a phone or an internet connection was a recipe for a major data breach, or a major hack.

"The internet is a very busy place for people that choose to do harm," said Michael Burgess, the Chief Information Security Officer of Australia's largest carrier, Telstra, in 2015. "We would have to put extra measures in place... to make sure that data was safe from those that should not have access to it."

This "honeypot" of metadata not only represented a potential lure for hackers, but also left telecommunications companies open to potential data breaches coming as the result of human error.

Today's confirmed breach comes just two weeks after the laws officially came into effect. The laws were originally introduced to parliament under the banner of national security concerns and curbing paedophilia and drug crime, but critics of the policy were quick to frame the debate around questions of mass surveillance, access to the stored data and its use in civil cases, such as the prosecution of piracy.

The first such instance of scope creep occurred in May of 2015, when, after the Australian government had insisted the bill would limit the number of enforcement agencies with access to metadata, it granted access to the controversial Australian Border Force immigration body.
