Wednesday, March 18, 2015

I Think The Present Attorney General Is Just Rude! As a Blogger I Demand Protection Of My Metadata From Government Snooping!

This appeared yesterday.

No protection for bloggers from metadata laws rules George Brandis

Jared Owens

ATTORNEY-General George Brandis has rejected calls to introduce a US-style procedure for journalists to challenge efforts to access their metadata, stressing “media organisations are not the target of this law”.
Senator Brandis this morning also indicated individuals who partake in journalism outside their “profession” qualify for additional safeguards, potentially placing law enforcement officers in the difficult position of judging whether certain broadcasters, commentators and authors are journalists.
Labor and Coalition negotiators yesterday agreed to amend the tougher security regime to compel security agencies to obtain a judicial warrant before checking on a journalist’s phone and internet records.
Labor says it won’t pass the bill requiring telcos to store their customers’ phone and internet records for at least two years unless the safeguard is built into the legislation.
Senator Brandis rejected calls to allow media organisations to argue in court against the issuing of a warrant to access their reporters’ metadata.
“It has never been the case in our system that a party against whom a warrant is sought is given advance notice of the warrant. The warrant process is an application to the court or a tribunal, or in unusual circumstances the Attorney-General,” he told ABC Radio’s Michael Brissenden.
“Media organisations are not the target of this law,” he said, emphasising efforts to stop “criminals, terrorists and pedophiles”.
Asked how he defined a journalist, Senator Brandis said: “I wouldn’t consider bloggers as journalists.”
More here:
How dare he? How can I leak the interesting little documents that come my way if the Government can track the source of the documents?
How can I resist the previous DOH Secretary who bad mouthed me at Senate Estimates if I can be easily tracked and found?
How can we expose NEHTA paying bloggers to attack me on behalf of COAG (who funds NEHTA) etc. if I can be easily tracked on line?
I think I deserve an exemption from warrantless metadata tracking - just as anyone else who has sources, and publishes information, do. And I have a good few sources I want to keep very safe!
All this just confirms my view that Senator Brandis is a pretty hopeless AG! Hope I don’t get sued!
David.

6 comments:

Bernard Robertson-Dunn said...

There will be lots of people using Tor, VPN's and public terminals. It's not rocket surgery and they are in place today.

Considering Tor was created in the mid-1990s by U.S. Naval Research Laboratory in order for its personnel to use the Internet without being tracked back to home base (US Navy, originally), there's a good chance it will do what it says on the tin.

My guess is that all sorts of other mechanisms will spring up each run by multiple different people which will devalue the metadata.

It's a type of wicked problem. The solution put in place changes the behaviour of the people involved such that the solution a) doesn't solve the problem and b) creates a new, harder problem.

Trevor3130 said...

Bernard, suppose journalism is your trade and you are tracking some potentially contentious undertakings by a current servant of the Govt. You have armoured your data according to the tips supplied by Chris Soghoian and run Tor on a stick.
Then, you find yourself in the situation of Arthur Gerkis. If they discover the stripped USB stick (with Tor and an encrypted partition) in your sock, would you let them have a look?

Bernard Robertson-Dunn said...

I'm not suggesting journalists use Tor etc, I'm suggesting that whistle blowers and blog contributors use them to hide from the metadata vacuum pump.

Journalists face different challenges depending on what the spooks think they are up to. If it's claimed to be a national security matter, then there's not much the journalist can do, apart from maybe, move to another country.

IANAL so I don't know if it is a crime or suspicious to have the tools for encryption/anonymity and/or use them.

As an IT architect working for various government departments I would claim that I had such things for self education - which happens to be true.

Is that good enough? I don't know.

Trevor3130 said...

Bernard, you and the other IT specialists here would have an idea how Second health insurer reports data breach can occur. If it happened in Australia someone would be answering questions in Senate Estimates. It could be a software vendor with decades of experience. Scott Ludlam would, likely, ask about security issues in the design and implementation of Health IT. He could even drift into asking how the vendors protect their own data and private systems against intrusions.

Let me ask this - if you spotted what looked like exploitable code in someone else's software, what would you do?

Bernard Robertson-Dunn said...

Trevor

First, I do not consider myself an IT specialist. I trained as a systems engineer and I spend my time modelling and implementing Information Systems.

Information systems need IT but only in the same way that a taxi company needs cars. IT is important and costs a lot of money to buy and run, but the value primarily comes from how you use it, not what it is.

That's why I wish that people would talk about Health Support Systems, rather than Health Information Systems or, even worse, Health IT.

Re your question "if you spotted what looked like exploitable code in someone else's software, what would you do?"

As it stands, that's a difficult hypothetical question because it depends on the context.

First, you don't often get to look at someone's code without being in a privileged position.

Second, in order to make sense of it you need a lot of other information/ knowledge.

Third, even if it is suspicious code, it may not be a vulnerability because there could be systemic protections (firewalls, proxies, authentication processes, business processes, monitoring) that are used to ensure systemic security.

To answer your question, I reckon there is a moral obligation to inform someone who is in a position of responsibility for the system that s situation may exist that needs attention. This is standard procedure in the security research community. If they find a vulnerability in a product or system, they tell the vendor or system owner to give them a chance to fix it. After that, they may or may not go public - as usual it depends on circumstances.

The reports on the Premera Blue Cross Breach, which may have exposed 11 million customers' medical and financial data say that it is not known how the hackers accessed Premera’s IT systems.

That's a bit of a worry.

The fact that up to data on 11 million customers could have been leaked suggests more that exploitable code.

Anybody who designs a system that has the capability of dumping large scale chunks of data over the internet has not been thinking straight.

External access should be characterised by small transactions involving only one or a few customers.

This looks like bad architecture, either by those implementing the system or the vendor who supplied the system.

Unless of course it's an inside job (memory stick stuff) or privileged employee access to production data via the internet - which should not be allowed.

Whatever the real cause, it's not doing much to help the case for Health Information Systems. IMHO, they are too important to be left to the IT crowd.

Trevor3130 said...

Fair enough, Bernard. I'll sign off on this one with reference to So you want to be a whistleblower? A lawyer explains the process from the scientific research field, using research misconduct as analogy for bad code/architecture.

"Because of the complexity of scientific research and the restricted availability of raw data, whistleblowers are critically important in uncovering research misconduct. A potential whistleblower’s first and most important decision before moving forward is: How should I report my concerns?"

Before making an allegation of research misconduct, a potential whistleblower should consult with qualified counsel for several important reasons.