It has been almost two years since the Abbott government passed into law what became colloquially known as the “Data Retention Bill.” Since then, all Australian Internet Service Providers (ISPs) have slowly been building huge datasets of the internet activity of every Australian internet user. There are, however, significant security flaws in the policy, which leave large pools of sensitive personal information insufficiently secured. These severe oversights in the policy require urgent attention for the sake of Australia’s National Security.
At present, telecommunication service providers are required to collect and store the metadata of all users under the Telecommunications (Interception and Access) Act 1979. The current policy dictates that this data be encrypted and protected from unauthorised interference or access. However, it leaves the choice of encryption method, as well as the storage location, up to the individual private service providers. This results in large pools of sensitive Australian metadata being insufficiently secured and at risk of cyber attack.
Australia needs to legislate an effective encryption standard to ensure all metadata stockpiles are adequately secured. Furthermore, legislation which ensures all Australian metadata is housed in data centers located on Australian soil ought to also be introduced, to ensure the integrity of the hardware itself and minimize the risk of security breaches.
Because the collection and storage of this metadata is indiscriminate, it includes the internet and communication records of individuals such as public servants, ministers, defense personnel, national security personnel, diplomats, infrastructure operators, senior advisors, and those in similar sensitive positions with national security implications. The potential threat to the metadata of these individuals should compel Australian policymakers to ensure all metadata stockpiles are secured to the same standards as similar information sensitive to national security.
The Risks
The informative potential of large volumes of metadata is immense. The former general counsel of the U.S. National Security Agency (NSA) Stewart Baker has stated that “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.” The former NSA and CIA director General Michael Hayden has stated that this “… is absolutely correct. We kill people based on metadata.”
In aggregate, stored metadata can reveal highly sensitive information on particular individuals. As demonstrated by graduate students at Stanford University in 2014, individual profiles — including information such as friends and associates, financial situations, medical issues, purchases, planned travel locations, and relationship status — can be made from such metadata. That means metadata has the potential to be used, for example, to blackmail a politician or otherwise leverage political or industrial actors.
There is clearly a need to ensure that these stockpiles of Australian metadata are securely stored. Encryption technology and methodology vary wildly in effectiveness at securing information. As a definition, “encryption” refers to any method of ciphering data, in transit or at rest, to prevent unauthorised access. A number of differing methods and standards are in operation today, including Triple DES, RSA, MD5, Twofish, and AES, to name a few. All of these methods have varying degrees of effectiveness, with the popular 256-bit AES regarded by the Australian Signals Directorate (ASD) as a suitably effective current encryption method for highly sensitive data such as Top Secret material. Despite this, Australia’s current legislation leaves the method of metadata encryption completely up to the private service provider. This raises significant questions as to whether private companies are expending the extra time and money to ensure mandated data retention schemes are properly secured to best practice standards.
Hacks and data breaches both in the public and private sectors, resulting in classified and highly sensitive personal data being stolen and/or publicly revealed, are hardly uncommon. In 2009, 70 million U.S. veterans’ records were compromised from the U.S. National Archives and Records Administration, including personally identifiable information, due to mishandling of physical data center hard drives. Between 2005 and 2012, a small number of Russian and Ukrainian hackers used sophisticated cyber attacks to steal over 160 million credit card numbers and 800,000 bank account details from poorly encrypted servers on the Nasdaq Stock Exchange. In 2014, state-sponsored Chinese hackers used a “zero-day” vulnerability to breach the U.S. Office of Personnel Management servers containing the personal data of around 4 million current and former U.S. federal employees. The relentless hunt by individual and state-based hackers for sensitive information is only increasing, and while Australian metadata remains improperly secured, the risk of a serious security breach increases by the day.
What Needs to Be Addressed
There is currently no oversight mechanism to ensure telecommunication service providers are encrypting and storing metadata effectively and securely. According to the current legislation, only reports concerning requests to access the stored data are required to be kept by the respective criminal law-enforcement agencies. Current legislation does not clearly state how telecommunication operators should encrypt their stored metadata. Encryption methods and strengths vary widely and an effective standard needs to be established and enforced to protect the integrity of this sensitive data.
Current legislation also does not clearly state where telecommunication operators should store their collected metadata. Storing such information in offshore commercial data centers poses some risk to the security of the data. The integrity of the physical servers and drives cannot be adequately addressed under these conditions. The Chinese government has been quick to recognize this threat, recently legislating that all personal information and business data of critical infrastructure operators be stored on servers located in China.
The information being collected and stored is of sufficient risk to Australian National Security to warrant addressing these concerns. The data includes personally identifying and potentially sensitive information on a number of high-ranking and influential individuals. The potential for this information to be used maliciously by an enemy of the state is high.
It is only a matter of time before this data becomes compromised, and the fallout could be devastating. Despite boasting in the recently released Cyber Security Strategy that Australia will “better detect, deter, and respond to cyber security threats and better anticipate risks,” to date there has been no mention of addressing these glaring oversights in a key piece of cyber policy.
Byron Nagy is a Master’s student of the National Security College at the Australian National University. He regularly writes on issues of cybersecurity policy and international relations.