Australian Federal Police Redaction Failures Expose Targets, Officers And Investigations

from the and-it-still-wants-more-data dept

Australian intelligence and law enforcement agencies are pushing for access to more personal data and other records with a minimum of court oversight. The most recent development tells us they should be trusted as much with this additional info as the guy standing in front of an empty barn asking for more horses. If they can't keep what they already have safe and secure, why on earth would you give them access to more?

The Australian federal police mistakenly published highly sensitive information – including metadata – connected to criminal investigations, in a serious breach of operational security.

Guardian Australia can reveal that the AFP provided documents to the Senate, which were then made publicly available online on parliamentary sites and other sources for several years, and which accidentally disclosed information about the subjects and focus of criminal investigations and telecommunications interception activities.

Not only did the AFP reveal targets (something deemed incredibly sensitive because exposure means targets will change methods, route around surveillance, etc.), thus jeopardizing the safety of the public (or so they say), but they also revealed the names of operatives, thus jeopardizing the always-paramount safety of police personnel.

This apparently happened because the AFP doesn't understand proper redaction techniques.

The spokesman said the information was “hidden behind electronic redactions within the document” and “one phone number and an address could, under certain circumstances, be accessed”.

The actual exposed information was far more extensive than this understatement-delivered-with-an-apology tries to present it.

The information that police disclosed included the address of a target subject to surveillance, the types of criminal investigations and offences being investigated, the names of several AFP officers that are not publicly available and other identifying information including the phone number of an individual connected to an investigation.

The AFP is "truly sorry" about the self-inflicted breach and says it has apologized to "relevant stakeholders" (does this include the target?) but as one senator notes, this doesn't really instill a whole lot of confidence in an agency that is "arguing strenuously for data retention."

The agencies collecting the data can't seriously claim it will always be 100% secure, but most arguing against expanded collections conjecture the exposure will come from the outside, rather than from those collecting it. This shows that the AFP is more infatuated with its surveillance tools than its operational security, as are most agencies in the data collection business. (See also: NSA, Snowden, multiple new leakers.)

Sure, mistakes will happen, but that's one of the many reasons why law enforcement and intelligence agencies need fewer collections and more oversight. Apologizing for exposing targets and officers doesn't really do anything to fix the underlying issue: collecting for collecting's sake and the unearned swagger that accompanies it. These agencies think they can handle more because they've got the ability and the storage, but while strutting around secure in their technical superiority, they're failing Redaction 101 or allowing contractors to head out the door with thousands of sensitive documents.

Filed Under: australia, australian federal police, failures, investigations, privacy, redaction, security