Security Sense: Australia Just Showed the World the Problem with Mandatory Metadata Retention

Well, we got a couple of weeks out of it before it all started going wrong. That’s how long it took after our metadata retention laws became mandatory for one of the very reasons so many people were so adamantly against the idea to be perfectly demonstrated. It turns out that one of our local federal police pulled a journo’s call data without going through the legal process that we were all assured would protect us. Only the week before this announcement, I’d written about both the negative and unintended consequences of the law and suggested the following:

“once information is captured and digitised such as metadata retention laws require, there's always the risk of disclosure to unintended parties”

This is far from some level of genius insight on my behalf; it was just common sense, and now here we are. But it gets worse…

Apparently, our info is so poorly protected that a lone police officer could “accidentally” access it. It's not clear precisely what checks and balances are in place in order to access our metadata, but by all accounts, it would be reasonable to say that “not enough” is a fair conclusion. And that's particularly concerning because there’s an awful lot of it on all of us these days.

It's also alarming that the cops went to pains to point out that the contents of the call weren’t recorded, as though this somehow lessened the impact. The problem is that metadata is arguably as important as the data itself; indeed, the US government has famously said that they'd kill people based on metadata alone. Oh – and the cops also haven’t let the poor journo know about it either, which is kind of odd because logic would dictate that one of the first things you should do when violating someone’s privacy is let them know about it, probably along with an apology too. But it gets worse…

The event in question dates back to “earlier this year”, which implies some not-insignificant period of time passed between the illegal access of the data and the discovery and consequent disclosure. So in short, it sounds like someone accidentally pulled someone else’s personal data without even trying and we didn’t even know about it until well after the event occurred. Because terrorism.

This is all a very unfortunate demonstration of what I wrote about only a couple of weeks ago. The poor journo (who, as best we know, isn't a terrorist) has had their privacy violated whilst simply using the phone. Meanwhile, people who genuinely have nasty things to hide will just pick up any freely available encrypted communication app and go about their business undetected.

If there’s a saving grace to all of this it’s that the story is newsworthy. If it had gone unreported or not publicly disclosed then that would be of far greater concern and we can only hope that’s not happening without our knowledge. But regardless of how much you argue the wrongs or rights of mandatory metadata collection, there is no disputing that once information like this is stored, there will always be a risk of unintentional disclosure and it could be much, much worse than what we’ve just witnessed. I just didn’t think it would happen this easily and this soon.
