Why the AFP's metadata breach is actually a big freakin' deal
Australia's first reported metadata breach points to big problems with the whole data retention scheme.
- Webby Award Winner (Best Video Host, 2021), Webby Nominee (Podcasts, 2021), Gold Telly (Documentary Series, 2021), Silver Telly (Video Writing, 2021), W3 Award (Best Host, 2020), Australian IT Journalism Awards (Best Journalist, Best News Journalist 2017)
Last week, Australia had its first metadata breach.
The thing we all knew would happen, finally happened (despite us being repeatedly told it definitely would not happen).
What's that you say? Mandatory data retention has only been officially in place for two weeks? You have old takeaway in the fridge that has taken longer to spring a leak?
Well spotted, dear reader.
With warnings against creating a honeypot of data on every Australian, major concerns raised by privacy experts and telcos, and the looming spectre of state-sponsored surveillance, a breach has always been on the cards. It was not a matter of if, but when.
And after all that, the first reported breach came at the hands of the Australian Federal Police.
So why is it such a big deal?
I'll give you nine good reasons.
1. The highest law enforcement officers in the land don't know how the system works
We're told that police routinely need to access this kind of data to do their job, and that the new data retention scheme formalises a great deal of what was already happening legally in Australia. But two years after data retention laws were passed (amid much debate), some people in the Australian Federal Police still don't quite know how they work.
To access a journalist's metadata , police need a Journalist Information Warrant. But speaking at a press conference on Friday, AFP Commissioner Andrew Colvin said, "The investigator needs to understand that that's their requirement and on this occasion ... the investigator didn't."
2. There's nothing stopping police getting metadata without a warrant
There were no technical measures in place to prevent access to metadata without a warrant. While we assume this data isn't just sitting on an unlocked computer in the AFP tea room, it does raise the question about why it was easily accessible to investigators not following due process.
3. Breaking the law is now called 'human error'
Commissioner Colvin played down the breach, despite the fact the investigator in question broke the law.
"Put simply, this was human error," he said. "But I also want to say that there was no ill will or malice or bad intent by the officers involved who breached the Act. Quite simply, it was a mistake."
So I guess we're all good then.
4. 'Human error' is not a side issue. It's the issue
While we often think of data breaches being at the hands of hackers, the bigger threat often comes from basic stuff ups. Remember when the Department of Immigration accidentally leaked the details of 31 world leaders due to an email autofill error? Or when the same department accidentally published the personal details of 10,000 asylum seekers?
The most private and secure of information can be breached with a simple slip up.
"It's not good enough simply to say this was a case of human error," said Damian Kay, CEO of telco services company Inabox, speaking about the breach. "Ask any security expert, and they'll tell you that the weakest link in any security system is people. Human error will occur again and again."
5. We don't know who the affected journalist is
Journos get their own provisions in these laws because their communications have the potential to reveal the identity of whistleblowers and confidential sources. In fact, just last week UNESCO warned data retention had the potential to "chill whistleblowing" and undermine quality journalism.
Despite this, the AFP hasn't notified the journalist in question that their data was breached. Of course, under the data retention laws, notifying a person that their metadata has been accessed is also a potential offence. So, there's that.
6. We only know about the breach because the AFP admitted it screwed up
If the AFP had gone through due process, we'd be none the wiser. As Colvin said, "There is no impropriety in the fact that this information was relevant to the investigation. What was improper was that the right steps weren't taken to gain access to it."
So yes, police can trawl through journalists' metadata now to find whistleblowers.
7. No disciplinary action was taken against the officer in question
No harm, no foul... right?
8. The AFP officers can't 'unsee' that metadata
"Clearly they can't unsee it and they'll need to consider in terms of next steps of the investigation what weight they put on what they saw," said Colvin.
Even though it can't be used as their investigation, there's no telling what effect having access to that data will have on their work. A cynical person might ask what would stop the AFP from doing the same thing in the future? If the perceived benefit of accessing data outweighs the risk of breaking the law, and there's no concern about disciplinary action, could another breach occur?
But of course, that would be a cynical thing to ask.
9. We still don't know how the new data retention laws are playing out
Every year, the Attorney-General's Department releases a full report on how often metadata and stored communications have been accessed by law enforcement, how many applications were refused and who's seeking access. It's conventionally released at the start of the year, but we're still waiting for the 2016 report.
Only then will we know the full extent of Australia's new data retention scheme.
The AFP declined to comment.
Special Reports: CNET's in-depth features in one place.
CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.