Tales from the world of Information Technology
How safe is your privacy with government held data?

On March 22, 2020, the Prime Minister had just announced a national emergency response to the deadly global pandemic barreling straight for us.

Hundreds of thousands of Australians got the call to not come into work that morning. Queues outside Centrelink offices were being measured in blocks.

Then, Minister for Government Services Stuart Robert came out and ratcheted up the national stress level a few notches by announcing that government computer systems were suffering a crippling cyber attack from outside Australia.

All your base are belong to.....

"Foreign hackers" turned out to be an all-too-common go-to for a government that isn't new to crippling cyber attacks from local and foreign players.

Thankfully Australians know to wait for the subsequent, inevitable correction before evaluating our need to panic.

Stop me if you've heard this one before

Australian census 2016: taken down by Hackers, or normal users?

If you cast your mind back to 2016, it was Michael McCormack from the same LNP government claiming that when all of Australia logged onto the nation's census website, right after dinner on August 9, just as we've been trained to do all our lives, so too did a bunch of international hackers to launch a Distributed Denial of Service (DDoS) attack on the census infrastructure.

For a government that outsources so much of our private data and infrastructure to unaccountable, foreign-based, private companies, they're alarmingly well disposed to shunting the blame for things that go wrong to those very companies.

The Australian government has spent the past few decades linking computer systems across the nation for their own purposes, but in doing so they are opening up unexpected paths for hackers to get in.

It's not unheard of for a hacker to compromise a lower-security system (e.g. Aus Post), then use that access to get into higher-security systems (e.g. AFP).

Perusing a list of recent hacks shows an alarming number of vulnerabilities being exploited in all sorts of government systems.

Can they even count?

It was said the census system could handle a million censuses an hour. Any 9-year-old could tell you 26 million is a lot more than 1 million, even if you divide it by the average household size. And when those millions log on right after dinner, very few of them are going to get through.

To be fair, our census setup was done by IBM. They would have definitely discussed things like network load, basic network security and primary school level arithmetic, and the only reason we would have skimped like we did is because the minister said no.

And back to the MyGov/Centrelink crash, and again being fair, in a country that didn't even bother to maintain the national stockpile of PPE, it would be unrealistic to think the Centrelink computer system was equipped to handle the unlikely influx of users on March 22.

R. E. S. P. O. N. S. I. B. I. L. I. T. Y. !

Foreign hackers are everywhere according to Australia's government
According to the 2016 census, Australia consists of 46 people in western Sydney, and a Linda and Michael Gainsborough in northern Tasmania. None of these people have yet been reached for comment on our inability to fend off foreign hackers.

So a responsible administrator would have just reported, "Hey, you know that big influx of users we got today? Yeah, the system crashed. Don't worry, we're fixing it. Apologies all around. If there's any discrepancies, we'll fix them up when this is done."

Our government instead gave us "Foreign Hackers!!!!" And you know what? That still hasn't been sufficiently discussed.

CovidSafe (You knew I was getting here)

So then we got the CovidSafe app. Again with our heroes' fingerprints all over it.

"It's going to be mandatory" was what we were initially told. And of course 26 million voices cried out "uh, no it's not".

So then the PM from Marketing had to try to sell it to us. It wasn't a good product though.

Promises made

The immediate concerns about big government tracking us were addressed by the promises of utmost security and even legislation to protect that security.

Government departments were said to be lining up to get their little functions thrown into the app and they all had to be told "no".

To calm our fears, LNP Minister for Health, Greg Hunt put an amendment through parliament that made it a criminal offense to allow unauthorised access to the CovidSafe data.

So the data's safe, right?

Yes, except by contracting out the data storage to Amazon Web Services, they opened a massive back door to that data.

Amazon is based in the US and therefore subject to the CLOUD Act which requires them to hand over any and all data requested by government agencies, whenever they request it, and to keep quiet about the request or delivery.

Germany's Data Protection Watchdog (GDPR) has warned against exactly this.

But surely we're ok?

Given the nature of Australia and the US's intelligence relationship, getting an illegal copy of that data would be easier than downloading it over the NBN.

Edward Snowden showed in 2013 that the US, UK, Australia, Canada & New Zealand are all in the habit of circumventing their own privacy laws by having their foreign counterparts acquire data and sharing it back.

And the data being sourced from the black market by a security agency sanitizes the acquisition of that data, and keeps the hands clean of any government agency that subsequently uses it.

It's, legally speaking, no longer protected data that has been stolen, but intelligence that has been picked up on the open market.

But, the Checks and Balances?

I've looked, and the legislation to secure our CovidSafe data covers this kind of "malfeasance", but no one seems interested in investigating the minister, charging him, prosecuting him, or executing a sentence. It just will not happen.

On the plus side, there apparently isn't too much interesting data to be harvested from CovidSafe because much of the country opted out.

But as an indicator of how our current politicians handle technological advancements, it shows we need to hold them to a much higher standard.

Now the spectre of biological warfare has been dragged over the horizon and our biological data has been centralised, we need to proactively demand safeguards for the information our governments collect on us and to be able to have a sense of security about it.
