The Australian Federal Police (AFP) is billed as Australia’s primary federal law enforcement agency, responsible for keeping the community safe from harm.
With an annual budget of almost a billion dollars and close to 7,000 employees, the Australian taxpayer would be forgiven for assuming that the agency could be trusted not to endanger the community – but according to a series of documents obtained by The Guardian, the AFP is responsible for a series of major security breaches.
AFP Releases Details of Assault Victim to Perpetrator
One of those breaches involved the agency disclosing the personal details of an assault victim to the alleged attacker, who had requested documents from the AFP under freedom of information laws.
According to the Guardian, the AFP failed to redact (cross out) the first and middle name of the complainant, creating a “significant risk the FOI applicant will be able to identify the individual and also potentially make the connection that they are one of the alleged victims.”
An AFP officer conceded that the disclosure “creates a risk that…the information might cause harm to the third party and/or his family.”
A number of other breaches have also been documented, including:
- Publishing metadata connected with criminal investigations on several publicly accessible websites;
- Disclosing117 national police checks (i.e. a person’s name, date of birth, criminal record and in some cases licence number) to incorrect people;
- Sending the wrong documents to two individuals who had requested their AFP files;
- An ‘unknown person’ accessing sensitive information addressed to the Commonwealth Ombudsman;
- Sending a person’s criminal interview to the wrong person; and
- Naming two people involved in a criminal investigation when their names were ordered to be suppressed.
The AFP reported some of the incidents to the Privacy Commissioner (now known as the Office of the Information Commissioner) – but no action was taken in many cases.
Can We Trust the AFP?
As discussed in several blogs, Australian metadata laws introduced last year compel internet service providers to store customers’ private information for two years, and make that information accessible to several law enforcement, including the AFP, agencies without a warrant.
Many expressed concerns at the time that the data might be misused or mishandled. The astonishing act of publishing sensitive meta data onto publicly accessible websites suggests that those concerns were well-founded, raising questions about whether the AFP can be trusted with its unprecedented access to our personal information.
The security breach, which was uncovered in August 2014, involved the publication of information including the address of a person who was under surveillance, details of cases being investigated, names of AFP officers and phone numbers of people involved in criminal investigations.
According to The Guardian:
‘The failure to secure the data correctly may have jeopardised criminal investigations, and could have exposed that individuals were subject to police surveillance.’
Although the AFP says it took steps to rectify the breach, many believe it was a case of ‘too little too late.’ By the time the breach was discovered, some of the information had been publically available for over a year.
Access to Meta-Data – A Free for All
According to recent media reports, 61 ‘non-law enforcement federal and state agencies’ have applied to access metadata since the introduction of the new laws. These include a suite of local councils and state government offices which have little to no involvement with criminal investigations or security matters – despite the laws ostensibly being enacted to ‘protect against terrorism’.
Privacy Commissioner Timothy Pilgrim has expressed concerns about the widespread availability of metadata under the new laws, saying: ‘The retention of large amounts of personal information for an extended period of time increases the risk of a data breach.’
It may only be a matter of time before misused meta data leads to grave injustice or even tragedy.