I have a decent grasp on privacy. I tend to give it to others as much as possible, moreover as I on average do not really care about their private lives. This sounds harsh, but consider the facts. When the person isn’t family, or directly connected to you, how much do you actually care? Some people do care to know everything, but that is another matter entirely. So when ZDNET and a few others published ‘61 agencies after warrantless access to Australian telecommunications metadata‘, I was initially in that mood of, ‘oh yea, whatever!’ You see, when I see names like ‘Australian Financial Security Authority’, I reckon financial planners will get jumpy, but is that about possible ‘dubious’ choices, or their need for privacy? You see, one implies the element of a transgression, as such it becomes debatable whether those actions are to be lauded with non-access.
With a player like Clean Energy Regulator we see an industrial access need, and I very much doubt whether they are interested in individuals. But what happens when we see that groups like Bankstown City Council, Racing Queensland, Office of the Racing Integrity Commissioner (VIC) and the National Measurement Institute, I start having questions (especially regarding levels of sanity).
Let’s consider the access: “warrantless access two years’ worth of customers’ call records, location information, IP addresses, billing information, and other data stored by Telco’s“.
Now, I will be the last one to questions access by ‘valid’ organisations and even looking that the ‘alphabetical’ list the locations of the redacted names does not seem to include ASIO and ASIS, who have a clear need for that access, but can anyone explain why Bankstown City Council needs that access? In that same line we can add both Racing Queensland and the Office of the Racing Integrity Commissioner (VIC). If there is an investigation, it should go via the police of the correct channels. I see zero, I say again, zero reason to give those three access. Before we know it, we see Waverly City Council and perhaps even Chatswood City Council. How long then until all that data becomes available ‘for a special price’?
There are a few others on that list that require scrutiny. Do you really think that industrial transgressors wanted by the Department of the Environment will use their own phones? How much wasted man-years will we face as those untrained individuals try to make sense of 23,644 burner phones, which is just Sydney. In all this it seems to me that those requiring access will after that have an issue with processing data, which means more software, more failed levels of security and even more data transgressions. This must be the heaven that Rupert Murdoch dreams of. Data all accessible behind a server guarded with the admin password ‘qwerty’ or perhaps even ‘password’.
Yes, there is a massive issue here and the magazines including ZDNET (at http://www.zdnet.com/article/61-agencies-after-warrantless-access-to-australian-telecommunications-metadata/) mention the names (minus the redacted ones), we see the additional quote “Of the agencies and departments given access to existing information or documents to enforce a criminal law over the 12-month period, and not included on either list released by AGD, or known to be an enforcement agency already“, we now see names like RSPCA Tasmania and The Hills Shire Council, when we look at one of the websites (http://www.rspcatas.org.au/ for example).
We see in the about section: “The RSPCA (The Royal Society for the Prevention of Cruelty to Animals) is the voice for the animals of Australia. We defend their dignity and fight to stop cruelty. We offer shelter, education, medical attention and love. We are animal protectors, carers and guardians. We bring solace to abandoned, surrendered and injured. We prosecute those who would harm them. And we fight for the humane treatment of all living things. Our job does not stop at animals. We believe behind every animal is a human being who is in need of guidance, encouragement and help“, which is a nice fluffy and caring text. Nothing wrong there. So explain to me, how a place like that has a decent level of cyber security, with in their office pool an IT person with CCSP certification or higher and a few other skills. You see, when these skills are absent your data will be up for grabs. Perhaps that is outsourced, meaning that additional people have access to all that data, have those places been properly vetted? So on an island of 515,000 we see this level of personal data access requirements? My initial follow up questions would than become, of all those funds required from the donations, how much ends up going to animals?
In the case of the Hills Shire Council we can have a lot more fun, their community profile (at http://profile.id.com.au/the-hills/population) gives us “The Census population of The Hills Shire in 2011 was 169,873, living in 57,205 dwellings“, why for the love of whatever is holy (or named Cthulhu) would THEY need that level of access to data?
In my view we should start asking a few questions regarding the mental health of whomever gave that level of access. I am guessing that this was Attorney General, George Brandis, which basically gets confirmed in the Guardian Article (at http://www.theguardian.com/world/2016/jan/18/dozens-of-agencies-want-warrantless-access-to-australians-metadata-again). As we see the quote “the government narrowed the definition of an “enforcement agency” that was eligible to access telecommunications data to a shortlist of law enforcement agencies, including the Australian federal police and state and territory police forces“, my initial thought was ‘that makes perfect sense’, yet in that light, how the flipping Divine Comedies did RSPCA Tasmania make that list?
The Guardian in light of all this ends with a comical quote “This method was taken to allow the Australian Border Force to gain access to telecommunications data without needing to gain approval from the Attorney General’s Department or the intelligence committee“, which is interesting as this implies that the Australian Border Force has less access than RSPCA Tasmania, which would make perfect sense if you are a golden retriever.
So apart of the access and the lack of insight here, has anyone considered how that data is to be read, analysed and processed? In addition, when we consider the access level of applications, the support and very likely (read: extremely likely) the levels of consultancy needed, what else is missing what will this cost the taxpayers in the end? I can tell you now that such solutions are not cheap, not easily implemented and did I mention the security needed for keeping that data safe? Even if this all goes through clouds and remote access, how long until a volunteer looking after cats will leave that password accidently out in the open, or even worse leave that system logged in and unattended?
As stated, I would never object to the actual law-enforcement agencies to get that access, but it seems to me that too large a group on that list is nowhere near that level and even (read: especially) when we consider groups like Greyhound Racing Victoria, why are they not going through police channels?
I see both articles and no one seems to be asking the questions that need to be asked. Questions that had to be asked extremely loud and very nearby after a mere 30 seconds of reading those articles. By the way, when reading the ZDNET article, it is the article that follows that is cause for even more questions.
One of the quotes is ‘the Many Layers and Tools of Digital Collaboration Today‘, which is nice when it is a mere graph of generic data. In that we might not care, but in the issue of ‘call records, location information, IP addresses, billing information, and other data stored by Telco’s‘, which includes all your personal data. Consider the following quotes “employees and departments are helping themselves to the tools they believe they really need. At the same time, companies are steadily dealing with what is now too many categories of communication and collaboration software to adequately manage and govern, much less individual apps” and “The issue itself is perhaps best demonstrated by the rapid rise of Slack, the current darling of team chat and wildly popular with its users. In many of my recent conversations with IT managers, I find that Slack is invading the workplace on many fronts, regardless whether it’s sanctioned or not” and finally “The top categories of apps today include VOIP, Web conferencing, e-mail, unified communications, IM/chat, file shares, file sync, CMS/DMS, intranets, discussion forums, enterprise social networks, relationship management platforms (including customer-facing CRM), and last but not least, online community“.
Now remember, the second article (on the same page) is not connected to the first, but consider the cloud and the explosive growth of so called ‘tool apps’ and the utter lack of in-depth security and access checking, how many back doors are organisations creating through such tools, with access to your data? Weirdly, I would never hold a bad thought for a volunteer organisations like the RSPCA, which is exactly why they should have never ever been given access to data like that. For the mere reason that cyber security cannot viably be maintained.
Whomever boasts on the security of places like Slack is in my view decently nuts. When we see interested players like Accel, Andreessen Horowitz, Index Ventures, KPCB, Spark, and Social+Capital, the first thing we will see fail is a pressure to release a new version and there will be the need of security patches (which is a reality), this also means that data would have been unprotected. The mere intense need for Common Cyber Sense is that boss who wants that new version, because the presentation looks cooler. Even when we ignore the issue of Slack, we still see an exponential growing app base, with access all over the place, which means danger to the data. Even when remotely accessed, even if that connection is secure, too many places get access to data they should not have access to.
When we hear people state that servers have access limitations and more of the mumbling, here is a simple word of caution, something I personally witnessed. There was a financial software program. It was a good and legitimate program. The small issue was that when the program accidently crashed, that person remained on the data server with rights of an administrator. It took them 2 weeks to figure out it was happening and another 3 weeks to repair their system. Consider something like that happening today and with the ‘upgrades’ Microsoft requires on a too regular a basis, can we even risk this level of access to the expanded group that has too limited a grasp (as I see it) on what constitutes Common Cyber Sense?
I wonder how long until we get a carefully phrased apology from certain high ranking IT elements, who will offer their resignation and walk away with a 7 figure handshake.