IGIS says ASIO partner's 'accidental' data access not akin to a cyber attack

Comment flowed from concerns by Senators that there isn't much difference between a cyber attack from a foreign state and a foreign entity gaining access to data on an Australian citizen.

In its 2019-20 Annual Report, the Inspector-General of Intelligence and Security (IGIS) revealed a partner agency of the Australian Security Intelligence Organisation (ASIO) had "accidentally" taken possession of data related to an Australian citizen.

"ASIO notified IGIS of an incident where it had received a disclosure of information from a foreign partner service about an Australian citizen which could not have been collected lawfully by ASIO without a computer access warrant under s 25A of the ASIO Act," IGIS wrote in its report [PDF].

"IGIS reviewed the circumstances of this incident and concluded that ASIO's actions in relation to the disclosure could reasonably be argued to be lawful and proper."

Facing Senate Estimates on Thursday night, acting IGIS Jake Blight was questioned over the incident and said interception in a modern age has made it "very difficult and complex at times to understand where a device is".

"One of the challenges of the intel agencies … is that it's no longer easy to know exactly where a device is, so the types of activities ASIO undertakes under computer access warrants, which is set out in the legislation, to put it in lay terms, they'll grab data off a computer," Blight explained.

"It is not impossible for an Australian agency to act on what they believe is a device in Australia only to find out later that the device was in fact located overseas at the time they took the act.

"That happens. Devices move. It's not easy to know where they are. And I think it's reasonable to assume that occasionally the reverse is true."

See also: Scott Morrison cries 'Cyber wolf!' to deniably blame China

Independent Senator Rex Patrick was concerned that there isn't much difference between a cyber attack from a foreign state and a foreign entity gaining access to data on an Australian.

Blight argued that there were two main differences: Intent and disclosure.

"One is intention. There was no suggestion there was a deliberate intention to do something on Australian soil. The question is more around how difficult it is to know where a device is," he said. "And the second is around disclosure. The partner agency and ASIO had an open discussion. I don't think that's quite what happens in the foreign interference cases that ASIO is involved with, so I think there is quite a distinction there."

The IGIS is also helping the Office of the Australian Information Commissioner (OAIC) prepare a report on the use of COVIDSafe data by the agencies under its oversight  .

"Intelligence agencies may incidentally access COVIDSafe information, usually, I'll note, in an encrypted form, but nevertheless, even though it's encrypted, the rules still apply," Blight said.

"We agreed with the Information Commissioner that we would look at the agencies with our jurisdiction and provide her information. Her statutory obligation is to provide a report on the first six months of the operation."

The OAIC report is due around November 14.

RELATED COVERAGE