Independent oversight and management of Telco metadata access in Australia

The issue

The broad-reaching nature of the Federal Government's data retention bill has serious ramifications for all Australians. In light of the recent FOI request that revealed more than 60 agencies, most having no role in national security or law enforcement, have requested warrantless access to telco metadata, it is critical that steps be taken in public to ensure that this access is not misused and that, where breaches of individual privacy occur, they are reported and penalties applied. (see links below: Data Retention, Agency Access Requests)

We must consider this in conjunction with the fact that the majority of Australian government agencies and businesses are incapable of protecting their own assets from cyber intrusions, and therefore anyone with access to the metadata is themselves a potential attack vector for malicious third parties. (see links below: Cyber Preparedness Scorecard & Target Hack)

As this impacts all Australians, it is critical that we have real-time and unfettered access to information about the groups who access that data, why they access it and how they manage both the access and the data itself.

The complexities of the issue make it unacceptable to simply allow politicians to pledge to do the right thing. While denying some requests today is positive, we need oversight to ensure this continues under ALL future governments.

This petition calls for the Federal Government to participate in an open dialogue and consultation process to discuss implementing oversight, including but not limited to the following:

1. The bar for which non-law-enforcement bodies have access, and why, must be set by the people, not secretly by politicians with little comprehension of the risks.

2. Personal and organisational accountability: Just as liquor licensing laws impose penalties on both the organisation and the employee who breach the rules, the same must apply to non-law-enforcement agencies that misuse access to metadata. Misuse includes deliberate misuse as well as unintentional misuse where the agency is itself a victim of cyber crime. A high bar must be set for access to such sweeping data, and it must apply to bureaucrats, politicians, businesses and employees alike.

3. A public dashboard service showing which agencies are accessing metadata, with drillable histories of all requests for access (not the data itself or details of who is being surveilled, but who did the surveilling, how many records they saw and why).

4. Reporting regime: Every agency with access to the data must be required to report (monthly or perhaps quarterly) on its access, as well as on metrics about the value gained from that access. Breaches of the rules must be reported in public wherever mishandling or misuse takes place.

5. An independent board, consisting of community leaders and experts, with full oversight of access and empowered to strip access rights from non-law-enforcement accessors, to classify accessors and acceptable use, to approve or reject the procedures and processes of those granted access, and to approve individuals and organisations.

6. Most importantly, any exceptions to these rules must be explicitly described and agreed by an independent body.

Data Retention:

https://www.ag.gov.au/dataretention

Agency access requests:

http://www.abc.net.au/news/2016-01-18/government-releases-list-of-agencies-applying-to-access-metadata/7095836

Cyber preparedness scorecard:

http://www.tenable.com/2016-global-cybersecurity-assurance-report-card

Target hack:

http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

This petition had 76 supporters

The Decision Makers

George Brandis, Attorney General of Australia
Malcolm Turnbull, Prime Minister of Australia
Timothy Pilgrim, Australian Information Commissioner