Australia: The Police State

In late August, news broke of the Senate passing the controversial Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020. This piece of legislation grants the Australian Federal Police and Australian Criminal Intelligence Commission new powers to request warrants for network activity, data disruption and account takeover.

With a warrant, the government can now completely take over all of your accounts without your consent to gather evidence – this includes freedom “to add, copy, delete or alter material to disrupt criminal activity and collect intelligence from online networks.” With this news, Australia’s progression towards a police state is all but complete.

Facial Recognition Trials: For Your Safety

Image source: Policy Options IRPP

New South Wales and Victoria are now trialling facial recognition software (combined with geolocation data) to replace in-person police checks on people in COVID quarantine.

Known as Genvis, the facial recognition software works by requiring individuals in quarantine to take selfies at their designated home address: the software verifies the photo against a facial signature. This pilot will last for about 4 weeks: 175 people will take part, completing seven-day home quarantine periods. No other democracies are reported as considering facial recognition in connection with COVID containment procedures.

While it certainly will be more convenient (even physically safer, in the context of reduced exposure to visitors to homes), it isn’t simply a question of “if you’re prepared to give up a little bit of privacy”.

If there’s anything to know about convenience, it’s that it always comes at a price. Of course, the government isn’t all that concerned. The NSW government has confirmed that “the app will use the same mechanisms as the current Service NSW check-in regulations”.

It’s laughable that the spokesperson believed privacy could be addressed in one sentence, all the more so given that Service NSW already has a terrible track record concerning privacy.

Service NSW’s Historic 2020 Data Breach

Image source: service.nsw.gov.au

Early last year, Service NSW exposed over 100,000 people’s personal details (initially thought to be over 180,000) during a security breach. These documents included handwritten notes, forms, scans, and records of transactional applications. The audit found that the full cost of the response to the breach is in excess of $30 million.

In this unprecedented security breach, it took the government over 4 months to start notifying victims. You want to know how they chose to notify those whose details were leaked? Registered post. Fast forward to March 2021, almost 55,000 of the 104,000 people affected still hadn’t been notified because their current residential addresses couldn’t be sourced.

How Did the Breach Happen?

Image source: Ontech Systems

The main practice leading to this data breach was Service NSW staff emailing personal data to partner agencies. The technical analysis report of the breach found that it likely resulted from two business email compromise attacks (phishing) between late March and early April:

“The malicious phishing campaign mimicked an Office 365 warning email, prompting Service NSW employees to visit a fake Office 365 login page which solicited the user’s Service NSW credentials.”

“Service NSW told to urgently improve data handling after cyber attack”, ITnews article

The attackers gained access to a Service NSW employee’s account to initiate the phishing attacks, resulting in 47 staff members’ emails being accessed without authorisation, along with 736GB of data containing personal information.

During the parliamentary inquiry into their cybersecurity practices, Service NSW chief Damon Rees admitted that the practice of emailing personal data is still ongoing, with driver’s licence information still being transferred via email.

In addition to data mismanagement, Service NSW had failed to enforce the bare minimum of enabling MFA (multi-factor authentication) on email access, as well as having a problematic implementation of role-based access on their Salesforce CRM.

Public CCTV Facial Recognition: Darwin (and coming soon to the rest of Australia)

Image source: ABC News: Andy Hyde

I’ve written about how facial recognition is used in China for their Social Credit System. This system is designed to promote better behaviour, fine offenders (like jaywalkers) and arrest criminals (like protestors).

It may surprise you to learn that similar surveillance systems have already been implemented in Australia. In 2019, Darwin adopted ‘smart city’ surveillance technology based on the CCP’s Social Credit System monitoring programs (originating from Shenzhen, aka “Asia’s Silicon Valley”).

A July 2019 article reported that, at the time, “138 new CCTV cameras and 912 LED lights had been installed across Darwin’s CBD”. This also included “virtual fences”, which would monitor when people cross into areas they’re not supposed to be in. The new surveillance software also gave the government the ability to gather data on what people are doing on their phones.

Besides the obvious security vulnerabilities of using Chinese technology, there are obvious privacy concerns about the government tracking its citizens – but not to worry, because Darwin council promised not to use the facial recognition features of their newly installed facial recognition CCTV cameras. Thank you, Darwin council, for putting our fears to rest; I’m sure your citizens are glad they can trust their government.

It’s unlikely that Darwin will stay the only state implementing facial recognition CCTV systems. Later in September 2019, reports surfaced of a system in development known as “The Capability”. According to the government, the technology will be primarily used to prevent terror attacks. The data in the system will be shared with “government agencies, police, security and anti-corruption agencies and even private organisations”.


While China may be the only country at the moment with a Social Credit System, Chinese tech based on the surveillance system that enforces it is being sold and used all over the world. As this practice grows in both acceptance and volume, we’ll only be able to grasp the consequences of these actions as time passes.

Make no mistake, the future is bleak – and will only become increasingly dystopian.

Published by Tech Neck Nick

I'm a cybersecurity major postgrad student from Sydney, Australia. Support my fight against Writer's Block.
