Saturday, December 14, 2013

Australia’s Real Surveillance Scandal

It’s not SBY, or East Timor, or terrorist targets: it’s the warrantless snooping on ordinary Australians that can – and does – happen all the time, with very little oversight

Amid all the outrage about Australia’s foreign-intelligence spooks and their chums at the United States’ National Security Agency (NSA) apparently intercepting phone and email communications with abandon, there is a much greater and more credible threat to accountability and public freedom, almost totally overlooked in the Australian debate.

The real privacy scandal in Australia is that over the past few decades, as telecommunications data has become computerised and centralised, it has become routine for a plethora of government departments to access the private call data of any citizen without having to prove to a judge the need for warrant. This data reveals who someone has been calling, as well as who has been calling them, sending or receiving emails and SMS. It even allows for the location of a mobile phone to be disclosed. All of this extraordinarily powerful surveillance, I emphasise, can be carried out without a judge’s oversight and formal warrant.

This poses a far greater threat to any Australian’s personal freedom than the revelations from former NSA contractor Edward Snowden.

“There continues to be a lingering suspicion even at senior levels in our intelligence establishment that the NSA might be shafting Australia on trade deals and private contracts by giving its own industry a naughty peek at what they are seeing” 

As for the Australian Signals Directorate (ASD) – this country’s arm of the so-called Five Eyes UK/USA spying alliance at the centre of the Snowden leaks (formerly known as the Defence Signals Directorate or DSD) – my view is informed by time I spent, 14 years ago, as a journalist talking both officially and unofficially to a wide range of its employees for the Sunday program. That investigation spurred the world’s first admission that the global surveillance network Echelon was real; DSD’s then boss Martin Brady said DSD "does co-operate with counterpart signals intelligence organisations overseas under the UKUSA relationship". Nevertheless I came away more than convinced that the rigid Rules On Sigint And Australian Persons then in place to prevent the interception of Australian citizens’ communications were in fact robust protection against the huge potential for abuse of the the spy system. These rules forbid DSD spying on Australians, as well as disseminating any information about Australians – including even their names – that might be accidentally gleaned through foreign-intelligence collection; this is monitored by the Inspector-General. In specific, carefully defined circumstances involving the threat to life, safety or commission of a serious criminal offence, DSD could monitor and report foreign communications involving Australians.

(I have kept in touch with those sources, and their biggest concern about the UK/USA spying alliance is the attitude of American operatives, who have form for misusing their intelligence apparatus for the advantage of US business interests. There is a lingering suspicion, even at senior levels in Australia’s intelligence establishment, that the NSA might be shafting Australia on trade deals and private contracts by giving its own industry a naughty peek at the information it gathers.)

Compare the Snowden leaks with what has been going on in Australia under sections of Australia’s Telecommunications Act which place an obligation on telecomms providers to hand over information to numerous Commonwealth- and state-government departments and agencies on the mere assertion that the information is “reasonably necessary” for the enforcement of the criminal law and national security or – and this is where it gets contentious – on even much lesser justification: it also allows access to this private data for the enforcement of “laws that impose pecuniary penalties” or for “assisting the enforcement of the criminal laws in force in a foreign country”, and even merely for “protecting the revenue”.

Aside from requiring a declaration that the information is being sought for a law-enforcement purpose, there is no requirement to say, and therefore no public record of, exactly what crimes are supposedly being investigated using these powers.

The extent of use of these powers is surprising – and suggests that it is being used to shirk the hurdle of judicial oversight. No less than 40 government agencies made 293,501 warrantless requests for metadata from internet service providers in the 2011-12 financial year. Just 56,898 of those requests were made by the Federal Police, which has the primary criminal law-enforcement role. The RSPCA, Wyndham City Council, the Tax Practitioners Board and even the Victorian Taxi Directorate also have been allowed to access individual telecommunications data for a ‘law-enforcement purpose’. Why are we giving quangos and a taxi administrator the power to access often highly sensitive personal telecommunications data?

The Attorney General’s department offers very little explanation of what checks have been done to ensure that this extraordinary data-surveillance power is being used within the law. The department’s annual Disclosure of Telecommunications Data report lists which agencies have been allowed to access to the data, but outlines no oversight of the massive amount of data disclosure now being done without a warrant.

When an agency wants to access the actual content of stored communications it must seek a warrant, and this is under the oversight of the Federal Ombudsman. But what capacity does a Federal Ombudsman or Privacy Commissioner have to review the possible misuse of these broad powers by such a huge range of Commonwealth and state agencies and quangos? It does not appear that there is any actual checking or monitoring done by either the Privacy Commissioner or Ombudsman of the legitimacy of the hundreds of thousands of claims for this data made under the Act.

These warrantless data searches are used, wholly justifiably, for criminal investigations – as the Australian Federal Police recently acknowledged was the case in an alleged terrorism arrest. But they have been used also for blatantly political purposes. Ministers have called in the Federal Police to find out how an embarrassing document ended up leaked to the media. While the AFP is an independent statutory authority, it is “guided by Ministerial direction ”, making it difficult for an AFP Commissioner to tell a government minister that it’s inappropriate for these data-surveillance powers to be used in a politically motivated leaks inquiry.

These powers can also be used to pursue government whistleblowers. While there is much ado about “open government”, the political culture in Canberra has over many years been about keeping public servants silent about what is actually happening in their departments. Warrantless data surveillance is a powerful way of hunting down and gagging a critic if he or she does dare to leak.

Just about everyone now uses a mobile phone or an email account, but few people consider how easy it is to track calls.

Journalists investigating allegations of dodginess in government have found themselves, and their sources, under investigation – little realising that their source had been compromised by a quick check of the journalist’s phone records. This warrantless data-disclosure power is a serious impediment to freedom of the press, and its potential for misuse is a serious threat to the public interest. Proponents of this warrantless power might argue that there is no evidence of abuse, but how can anyone monitor or complain about the use of this power if most people do not know when it is used? How much scrutiny really is done of the nearly 300,000 such requests for data annually, to test the merits of the public-interest and law-enforcement claims for disclosure?

I have seen how this happens; some years ago I was investigating a story involving alleged impropriety by a senior government official in a major federal government department. The multiple sources I was talking to (mercifully, off the phone) were providing me with leaked documents and information that raised serious questions of possible impropriety, if not corruption, which we subsequently broadcast. One source, it turned out, was tech-savvier than I am. He worked in the internal investigations unit of the department and knew what could be done to investigate any public servant who leaked information to the media. He told me it was likely there would be an inquiry into the source of the leak for my story, and that the minister would most likely order a Federal Police investigation into whom the leak had come from – and that the first thing the AFP would then do is access my phone records. We agreed never to call or email each other because that would lead investigators straight to him as my source. Surveillance of my phone and email data was all but inevitable, he said. “Surely they’d need a warrant to do that?’ I asked. Within hours of this conversation my savvy source – no doubt improperly – obtained a copy of my mobile-phone call data, showing the numbers I had called and which of those numbers belonged to a federal government public servant.

He told me no one had ever questioned him or any of his colleagues about the requests they made for phone-call data; if there was any kind of oversight, he’d never seen evidence of it. I can only hope the accountability checks have improved in the past 12 years, because both the Ombudsman and Privacy Commissioner are nominally the check on executive abuse of such private information. But it does strain credibility that every one of the 300,000 such annual requests for “law enforcement” purposes would be scrutinised.

In November, Federal Police Commissioner Tony Negus admitted his force had accessed the call data of “up to five” members of parliament. Negus made much of the judicial oversight, through the issuing of a warrant, for any interception of the contents of phone calls, emails or SMS messages – but the elephant in the room was his admission that up to five MPs had been the subjects of warrantless data-surveillance, and that no judge had any input at all regarding the propriety of this access. Negus did not say who the MPs were but, aside from the two MPs who have been the subject of criminal investigations, Craig Thomson and Peter Slipper, it is likely the requests also targeted leakers inside the public service.

Having been on the receiving end of at least one such AFP investigation I know AFP officers loathe being diverted from their serious criminal investigative work onto political leaks inquiries, for instance the now abandoned investigation into who in Prime Minister Gillard’s office allegedly leaked a damaging video of Kevin Rudd swearing at his staff. Such use, or abuse, of the data-surveillance powers is completely legal under Australian law; I am assured also that it is routine.

Earlier this year a Parliamentary Committee on Intelligence and Security recommended strengthening the safeguards and privacy protections in these telecommunications laws. The committee recommended changing the objectives of the Act to “protect the privacy of communications” and to “enable interception and access to communications in order to investigate serious crime and threats to national security”. It also recommended the use of a proportionality test that would take into account “the privacy impacts of proposed investigative activity; the public interest served by the proposed investigative activity, including the gravity of the conduct being investigated; and availability and effectiveness of less privacy intrusive investigative techniques”.

One telecommunications provider, IINET, also complained to the committee that the scope of the law enforcement obligation, “to give such help as is reasonably necessary”, is “vague and uncertain”. The effect of this obligation is to unfairly put the onus of testing the validity of a surveillance request on to the employees of the telecommunications company that receives it.

Thus far the Committee on Intelligence and Security’s recommendations for a review have been ignored. Attempts to curtail warrantless spying are frequently opposed by government bureaucrats, who use the mantra that such constraint would seriously curtail national security and criminal investigations. Yet even the Attorney General’s Department, in its own submission to the committee, admits the need for reform, saying that, “As communications technology and use has changed, some data types have become more privacy intrusive. Access to the more privacy intrusive ‘traffic data’ could then be limited to those agencies that have a demonstrated need to access this information for undertaking their investigative functions. The less privacy intrusive category of ‘account-holder data’ would be available to the broader range of enforcement agencies.”

The most effective control on executive power is strict, open accountability on how power is being used – but since most Australians do not understand the capacity of this surveillance technology, nor can they find out what supposed offences it is being used to investigate, they are hardly in a position to complain about it.

As the AFP admitted in its submission to the Parliamentary Committee, the data it can obtain without warrant potentially includes a mobile phone caller’s location, their IP addresses and URLs. There is no doubt that such powers can be properly used to great effect in a criminal terrorism or corruption investigation, but should they be able to be used by any public-service investigator with a so-called law-enforcement purpose given the derisory accountability checks currently in place to stop their abuse?

As so often happens, accountability controls set up to protect privacy have not kept up with the pace of technological change. The capacity to log an individual’s call data, to cross-match that instantaneously with whom that person is calling or emailing would have been unthinkable decades ago, when these laws were first drafted. History shows such powers will eventually be abused.


ROSS COULTHART: It's getting impossible as a journalist to really guarantee a whistleblower's safety. If somebody comes to me and says “I've got information I really need to know about” – if they’ve rung me ... I’ve told people not to speak to me. I’ve told them never to call me again, they’ve just jeopardised their safety by ringing me.
CLARE BLUMER: That is Gold Walkley winner, investigative journalist Ross Coulthart, explaining how he protects his sources. Even, as he’s just explained, killing a story because his first contact has jeopardised their anonymity.
This might seem a little extreme. But it all has to do with a small section of a federal legislation inside the Telecommunications (Interception and Access) Act of 1979, section 313 to be precise, and I’ll let Coulthart explain the moment he was forced to changed his professional behaviour.
ROSS COULTHART: I didn’t know about this until I was doing a story investigating impropriety-slash-corruption in a major federal government department and one of my sources was a person who knew about this capacity where, without a warrant, without going to a judge and having to prove your case, people inside a government department who are authorised to do so are able to ask for phone records, records of the passage of email traffic, SMS traffic, even these days, the geographical location by mobile-phone tower, of a mobile phone.
It is an incredibly powerful surveillance tool and it is used to a massive extent by our law-enforcement agencies — which I don't so much have a problem with, I don’t have a problem with ASIO, ASIS, Feds, Defence Signals Directorate using this kind of information — what I do have a problem with is the fact that a plethora of government departments, both state and federal, because they are ostensibly law-enforcement agencies have been given this power to search your and my phone records for the investigation of things as minor as the “protection of the public revenue”. You could drive a truck through a clause like that and I know for a fact that’s being abused.
CLARE BLUMER: So, what circumstances?
ROSS COULTHART: What I saw was when I was doing an investigation: My source actually said to me, “Be very, very careful that you don’t ever directly contact me with SMS, email, phone, any kind of telecommunication.”
CLARE BLUMER: And was this a source inside a government department?
ROSS COULTHART: It was a source inside a government department. And I said, “Why?” And he said, “Because I will be able to track you.” And I just said, “Well you'll have to get a warrant for that, and why would they want to get a warrant for something as minor as a leak?” And he laughed and he said, “No they wouldn’t have to get a warrant.” He said, “You clearly don’t know about section 313.” And he showed me, he did it in front of me, he filled out a form that certified that he needed the information for a law-enforcement purpose, got my phone number, sent it off to my ISP, which happened to be Telstra, and within half an hour he had a record of every single phone call that I’d made, including some, or a lot, that I’d received within the preceding 12 months.
What it was, I don't know. They’d put it through some kind of software that essentially gave them some sort of printout of the identities of the public servants behind those public service numbers; so, for example, so if it was a federal public service-issued mobile phone, automatically it displayed the name of the public servant that was the holder of that phone.
I was mortified. There were the names of people who I had spoken to confidentially on stories numerous times going back in the previous 12 months. It changed from that date on, the way I operated in how I deal as a journalist, and a lot of my colleagues in journalism think I’m paranoid. [But] I’ve seen it. I’ve known they’ve been doing this for well over a decade and I wager it’s being abused.
That’s a tool that can be used as a powerful tool of intimidation of whistleblowers. One of my pet bugbears today is the way that journalism in Australia, investigative journalism, is being muted by terrorising of the public service by internal security departments who investigate leaks using this resource. I think it’s unfair, it’s not just bad sport, it’s grossly against the public interest, wide open for abuse, and it’s stopping the revelation of gross impropriety and corruption inside our government.
Because it’s getting really hard, it’s getting impossible as a journalist to really guarantee a whistleblower’s safety. If somebody comes to me and says “I’ve got information you need to know about .” If they've rung me ... I’ve told people not to speak to me. I’ve told them never to call me again, [that] they've just jeopardised their safety by ringing me. I’ve said, “Now that you've done that …” It happened to me recently.
I had a guy ring me from the immigration department and he was concerned that there was child abuse going on in an immigration centre that he wanted me to know about. And he was concerned that there was a reckless attitude taken by staff inside the immigration centre that children from Afghanistan were being abused by men in the same yard. He had information he wanted to give me. He’d rung me direct on my mobile because it had been given to him by somebody else. And I said, “I can’t run your material, because if I do, it will blow back on you because you’re ringing me on your mobile. What were you thinking?” And journalists don’t do this enough and I’ve seen so many whistleblowers burned.
So take this to its logical conclusion … So if you’re investigating, and I’m sure The Global Mail will be, many times, acts of appalling bastardry by a government department ... our federal police is essentially a political police force, they operate at the fiat of the minister. If he wants something he can order it, and they have done.
They’ve ordered leaks inquiries and I don’t think it’s proper for our federal police to be employed investigating these kind of spurious leaks investigations, but they are and the first tool they use to investigate those leaks is they do a warrantless metadata surveillance search on journalists that have run the story, and I know this because I’ve spoken to the police that do it.
CLARE BLUMER: So how do you protect your sources now?
ROSS COULTHART: I don’t use ... if I’ve got a hot source I use a dead-letter-drop email address that I access by Tor.
So I go to a Hotmail or Gmail address which is completely anonymous and I carry in my wallet a — it’s what spooks use, it’s what spies use. Essentially you have a login for an email address. Neither party ever sends email from that email address. All they’re doing is creating an email and saving it as a draft inside Hotmail or Gmail. And I give him the login, I have the login, and we correspond using an internet, online email address that we never send from.
I have about 50 of those. Keeping track of it is a nightmare, but essentially I have a logbook where essentially Joe Bloggs, my source in the federal police, he’s Joe Bloggs at Hotmail dot com. I have the login, he has the login and we routinely correspond. And I monitor that login every week or every two weeks and see whether he's been in touch.
CLARE BLUMER: In 1999, Coulthart was reporting for Channel Nine’s Sunday program. He was the first to reveal that a secret spy and intelligence-sharing alliance was operating between the United States, Australia, the United Kingdom New Zealand and Canada. Nicknamed the Five Eyes, they’d co-operated behind the scenes since the end of World War II. He spoke to many staffers from America’s National Security Agency or NSA as deep background or off-the-record as it’s known. The 1999 program hinted at what was to come when American contractor Edward Snowden in June 2013 leaked thousands of documents showing just how deeply the Five Eyes countries were involved in surveilling all telecommunications in the world. Coulthart was not surprised.
ROSS COULTHART: UKUSA, as it was known, was set up post war, post the second world war, as a co-operative spying alliance between the Brits, the Australians, the Canadians and the New Zealanders and the US, in order to search communications. The reality with conventional espionage is that most spying isn’t done by men in black raincoats going around meeting sources on streets. In the very early days of comms spying, especially when we first started developing microwave-sent communications, a lot of it was placing a receiver at the point where there was a spill from a microwave phone transmitter and just collecting that spill. And they realised pretty soon that they could sift through all of those communications, so they then started intercepting satellites and that’s why in New Zealand there’s a base called Waihopai, in Australia there’s a base called Shoal Bay up in Darwin, and over in Geraldton in Western Australia there’s a base that intercepts satellite communication over the Indian ocean.
More recently, as countries around the world have moved to internet telephony and cable connections between countries there’s been an intensification of that kind of spying by essentially formalising links inside ISPs – internet service providers – and telecommunications companies, to essentially make it a requirement by the national law of these various countries that these ISPs have to provide a backdoor, a trapdoor access, to their communications.
And a few years ago … This was why a lot of Snowden’s revelations, to those of us who are looking at the subject, it’s not a huge story in terms of its newness because we’ve known that they’ve been doing this kind of communications interception for many years. There was a revelation a few years ago that all the major telecommunications providers in the US were indeed providing these backdoor trapdoors that were essentially sending fibre optic cables straight back to the national-security agency in Fort Meade Maryland.
Essentially what you’re seeing with revelations in our original story is essentially just a continuation of the same thing. As communications have spread from basic telephony to email, SMS, messaging systems like Skype and other protocols, they’ve then moved to make sure that they can intercept them. I don’t find that surprising.
CLARE BLUMER: Do you think that Snowden’s revelations should be published?
ROSS COULTHART: I’m going to stick my neck out here and say I do question, not the fact of the leak, but the fact of the revelation of the breadth of this kind of spying I think is significant and important. I think it’s important that the public know officially for the first time the extent of the kind of surveillance capacity that now exists with cross-referencing databases and the kind of clever systems analysis that the NSA has clearly developed with some of its programs.
What I have an issue with is the decision by The Guardian and indeed the ABC to willy nilly publish almost in their entirety a lot of these documents unredacted, in a way that basically tells the bad guys the extent to which they now provide a backdoor way of avoiding interception.
What I fear is that, okay, the general public now will become more aware of the fact of mass surveillance, and that’s a good thing, but with the specificity of detail that The Guardian and the ABC has chosen to publish, I fear that the bad guys now know more about how to avoid being intercepted, and if you’re a clever terrorist that’s plotting an attack on Australia, you now know for sure not to send an open email. You now know for sure not to discuss on a telephone call or even cryptically in some kind of messaging system, because the scale of the mass surveillance that’s revealed by the Snowden leak/revelations, shows they are actually at a capacity to intercept communications that is just truly mind boggling.
CLARE BLUMER: Does this mean we're actually back at the point where the black raincoats meeting in dark alleyways is one of the few ways we can have a private conversation?
ROSS COULTHART: Well the irony is the intelligence services have been undone by the most basic piece of espionage of all – it's a source on the inside that basically downloaded data.
It's exactly what happened with the Manning-WikiLeaks download and it is now the worst nightmare of every IT controller around the world in every government and corporation. The reality is that anybody who thinks that their data is secure in a telecommunications system is naive.
CLARE BLUMER: One of the things it has revealed is the many ways the Five Eyes are going about their surveillance isn’t actually illegal, so countries are buddying up with each other when necessary, to sort of skip over, maybe, their national regulation of something.
ROSS COULTHART: This is ... this is where I do agree to some degree with the concern about this power of mass surveillance that is represented by this Five Eyes alliance, because as Edmund Burke said, “The greater the power, the more likely the abuse.”
In 1999 I interviewed a man from the Canadian equivalent of DSD, called Mike Frost, who revealed to me that he had been sent to London by his CSIS, which was the Canadian equivalent of DSD, and used to — quite improperly, and I would argue, quite illegally — monitor the telephone calls of ministers in Margaret Thatcher’s cabinet to find out which one of them was leaking. This was never revealed because it was a plausible deniable favour that was provided by the Canadians to the Brits, and this is where, historically and now, I have huge problems with the capacity for the system of UKUSA to be abused, because it has been abused in the past.
Australia in espionage, historically, has done ... It has a history of doing plausibly deniable favours for its allies. The best example of all is the way that the Australian service helped the CIA keep in touch with its operatives inside Chile when the Allende socialist government took power in the 1970s. It was revealed when the Whitlam government came into power that we had been providing a service to the Americans, which essentially gave the Americans plausible deniability, where we serviced their intelligence agents inside Chile. And I tried, unsuccessfully, to get access to the files on this from the Australian secret service a few years ago and we were resisted at a very, very high level by the Australians that did not want this story told.
CLARE BLUMER: Coulthart continues to secretly communicate with dozens of sources. He’s completing a book on First World War historian Charles Bean and is the investigative reporter on Channel Seven’s Sunday Night program. You can read his article on the surveillance powers of the Australian government at This is Clare Blumer, thanks for listening.

By Ross Coulthart ‘The Global Mail’

No comments:

Post a Comment