Australian government cannot handle its own data securely, why give it yours?

Australia has performed an amazing act of self-leakage, selling a pair of locked filing cabinets of its own secret Cabinet documents.
Written by Chris Duckett, Contributor

It turns out the best way to get your hands on secret government documents in Australia is to head down to a furniture store and buy a locked cabinet or two full of them.

This sounds like the plot of a bad sitcom, but thanks to the reporting of Australia's ABC, we know it is the truth.

The gravity of this scenario cannot be overstated. These are some of the most secret documents that the Australian government creates, usually locked up for 20 years before being released to the public due to their sensitivity and to put a bit of time between the actors and their actions, yet here they were, up for sale in suburban Canberra.

Scores of questions will be asked about how the cabinet in question came to make its way out of the governmental depths into the light of day, and deservedly so. It is worth keeping in mind that it comes at a time when Canberra is going through yet another round of national security legislation, where the latest thought bubble is to criminalise the holding of secret documents.

If this sounds familiar, it is. The government has form in wanting to criminalise the exposition of its stupidity, and it takes the shape of an amendment to the Privacy Act that would forbid the re-identification of de-identified datasets that are collected and published by the Commonwealth.

Going further, the proposed Privacy Act amendments also toy with the fundamental approach of the legal system, and move the onus of proof from the prosecution to the defendant, such that the defendant must prove that one of the exemptions in the legislation that allow re-identification work -- such as being contracted by the Commonwealth for such work, or being employed by a university or other state government body -- applies to them.

Somewhere in Canberra, some poor sod reckons that if they criminalise something, it doesn't happen, and it comes during a period when the government is generating and keeping more data on citizens than ever.

Within that data are few opportunities to shrink your exposure to government ineptitude, but one is coming up in the very near future: The window for Australians to opt out of an automatic digital health record being created for them in mid-2018.

Despite the purported benefits of such a scheme, the simple fact is that Australian governments and computers do not mix. When they do, various shambles appear.

There was the omnishambles of the Australian 2016 Census, the fractalshambles of the Australian Electoral Commission and its dealings around the Senate ballot scanning solution, and now we have the adjective-defying shambles involving the cabinets sold at a second-hand store.

Quite simply, if the government cannot handle its own secret information properly in a paper data format it has used for over a century, why should it be trusted to handle any personal information involving systems it has repeatedly shown it cannot competently operate?

If you think the idea of a cabinet full of medical data being found is outlandish, we need only return to the story of Pound Road Medical Centre (PRMC).

As the Office of the Australian Information Commissioner details: "[PRMC] stored medical records of approximately 960 patients in a locked garden shed at premises no longer operated or staffed by them."

The shed was subsequently broken into in November 2013.

Thanks to the documents from Cabinet handed on to the ABC, we also know the Australian Federal Police (AFP) lost almost 400 files from the National Security Committee over five years.

That's the same AFP that confessed it was unable to respect the one caveat in the metadata scheme when it admitted it had accessed a journalist's call records "mistakenly".

If this were a private enterprise, the government would ban itself from handling its own data citing repeated infractions.

Given the government cannot handle its own secrets securely, citizens should trust it even less to handle theirs. We need to keep data away from these butterfingers.
