Security

The sensitive data of Australia's security personnel is at risk of being on-sold to foreign actors – ABC News


The personal data of Australia’s national security officials is at risk of being on-sold to foreign actors, according to a new report, and the federal opposition is demanding urgent action.

An investigation by the Irish Council For Civil Liberties (ICCL) reveals how the online ad industry is exposing sensitive personal information about Australian politicians and intelligence staff, leaving them susceptible to blackmail and hacking.

It outlines how the Real Time Bidding (RTB) system sells detailed, and sometimes compromising data to thousands of businesses around the world, including those with links to foreign states and non-state actors.

This might include whether a person has gambled in the past week, if they’re bankrupt, their sexual proclivities, whether they have depression, their health issues, their location data and the path they travel to work each day, just to name a few examples.

The ICCL research was led by Dr Johnny Ryan, and points out that both Google and Microsoft send Australian RTB data to many companies in China, which are bound by law to share it with their government if asked.

“Google has a public list of over 2,000 companies that it can send RTB data about Australians to, and on that list are 12 companies with the word ‘Beijing’ in their name,” Dr Ryan said.

A pro-China supporter holds a Chinese national flag.

The ICCL’s research points out that Google and Microsoft both send Australian RTB data to many companies in China, which are bound by law to share it with their government if asked. (AP: Kin Cheung)

“Now there are many other companies on that list that are Chinese, but it’s a sign of how overt this is.”

Google told the ABC it does not sell RTB data directly to thousands of companies, but a list of ‘authorised buyers’ it provided to the ABC does however contain a number of Chinese companies.

“These revelations are deeply disturbing, but unfortunately not surprising,” opposition Home Affairs spokesman James Paterson said.

“Our intelligence agencies have been warning us for some time that foreign interference and espionage are at record levels – and that the CCP (Chinese Communist Party) is the primary culprit.

“China’s ability to exploit the data brokerage ecosystem to conduct foreign influence operations against Australia is a serious national security risk that requires a serious response,” he said.

Prime Minister Anthony Albanese did not respond to Senator Paterson’s comments, but a spokesperson for Attorney-General Mark Dreyfus said it was incumbent upon the opposition to support proposed reforms to the Privacy Act.

ICCL report author Johnny Ryan said the findings reveal a disturbing reality in which “every consumer, every voter, every soldier, every leader and politician is exposed.”

Silhouette of man in front of green screen displaying a Linux command window.

The report’s authors say there should be an urgent review of the extent of the intelligence exposure in Australia. (ABC News)

“If you were a foreign power looking to blackmail an Australian official with a high level of security clearance, this is exactly how you would do it,” he said.

“This system is a gold mine for intelligence collection, and we know that foreign nations use this system, because it has been said by them that they do so.”

How personal secrets can become public property

The RTB system is responsible for determining which personalised ads you see whenever you go online.

Every time a person opens a webpage or app, it immediately triggers an automated auction for each advertising slot on their screen.

In order to personalise those ads, an intricate network of ad companies collects user details such as browsing history and precise location to create and sell a “Cambridge Analytica”-style psychographic profile of their preferences and personal circumstances.

“[The RTB system] is operating 24/7, and it will send information about what an Australian is reading or watching and where they are about 449 times a day,” Dr Ryan said, adding that the true figure was likely much higher because researchers weren’t able to analyse data from Meta and Amazon.

It classifies users into hundreds of thousands of “segments”, indicating everything from their political views, mental health, if they are survivors of sexual abuse, through to whether they prefer Fanta or Sprite.

“We were able to find that data available for sale to us when we masqueraded as a business that was trying to buy [it]” Dr Ryan said.

A graphic showing how a person's ad profile can be accessed by foreign players

Every time a person opens a webpage or app, it triggers an instantaneous automated auction for each ad slot on their screen. (ABC News)

As well as classifying internet users on their beliefs, backgrounds and preferences, RTB data also hones in on their profession.

“We could find decision makers in political organisations, people who work in ‘aerospace and defence’, ‘defence, logistics and transport’ and ‘military spouses and families’,” he said.

The ICCL’s research focused on RTB data provided by Google.

Google said it does not provide or infer certain categories of sensitive personal information in RTB data, and its policy instructs buyers not to utilise any sensitive data that is provided.

A spokesperson for the company has criticised the ICCL’s findings as misleading and inaccurate.

“To protect people’s privacy, we have the strictest restrictions in the industry on the types of data we share in real-time bidding,” a spokesperson for Google said. 

“Our real-time bidding policies and technical protections simply don’t allow bad actors to compromise people’s privacy and security.”

Anonymous unless in the wrong hands

RTB data doesn’t include a person’s name or contact details, but researchers say that the existing data is so detailed that it’s easy for a skilled operator to identify someone.

“What makes it so acutely dangerous is that … [there’s] an ID code, a very long string of numbers and letters, and it’s totally unique to you as an individual,” Dr Ryan said.

The unique ID code allows RTB clients to conduct “long term monitoring and dossier building” on anyone captured in the dataset.

“Bear in mind that if you are disclosing your location several times a minute throughout almost your entire day, it is very clear where you go to sleep at night, where you work, which medical clinic you go to, which religious buildings, for instance.”

Signs ad data is already being used by foreign intelligence

There’s evidence that intelligence agencies already use RTB data.

A declassified report from the US Director of National Intelligence also outlines how US agencies utilise RTB data.

Another example cited in the report is the commercial surveillance tool “Patternz”, which claims to have profiled five billion people.

The company “helps national security agencies detect audience patterns and user behaviour using digital advertising, data mining, and analytics”, according to its marketing materials.

“It’s a surveillance system that promises to show you your target individual, their most frequent driving routes, and who their children are and who their colleagues are,” Dr Ryan said.

Liberal Senator James Paterson shown in a suit sitting at a desk during a Senate inquiry

Opposition Home Affairs spokesman James Paterson said he was not surprised by the contents of the report and the potential risk from China. (AAP: Lukas Coch, file)

Patternz creators also claim the “know-how of operating a real time bidding platform for the last five years”.

The report’s authors are calling for an urgent review of the extent of the intelligence exposure in Australia.

“We can suggest which companies almost certainly have done this, but it is for the government to now go to those companies and demand answers and shut that activity down,” Dr Ryan said.

“The Albanese Labor government must act immediately to restrict unwanted transfer of data to malicious actors, including through its forthcoming reforms to the Privacy Act and the new [cyber security] laws it is introducing,” Senator Paterson said.

How changing the Privacy Act could help

The federal government recently announced a number of proposed changes to The Privacy Act but tech policy advocates Reset Tech said the current proposal won’t address this issue.

“What we need to see are proactive obligations put on industry that set really clear limits for data collecting and data trading,” said the group’s Executive Director, Alice Dawkins.

She suggests introducing a long-contemplated “fair and reasonable” test, for how Australians’ data is collected and used – similar to protection afforded by EU regulations.

“Changes to the Privacy Act could limit unauthorised collection, sharing, sale and use of our personal data,” she said.

The federal government has foreshadowed further changes to the Privacy Act, including data privacy rules, further down the track, but there’s no firm timeline in place.

“It’d be great to see some commitments made by both parties before the next election, because Australia is starting to feel like one of the leakiest, most insecure places in the world,” Ms Dawkins said.

“It is high time to update and review the Privacy Act,” Dr Ryan said.

“Australians should be able to use the internet without their secrets being widely circulated and sold.”

A spokesperson for the Mr Dreyfus said “the government is committed to ensuring the Privacy Act … is fit for purpose in the digital age”.

“The Albanese government’s landmark legislation now before the parliament will strengthen privacy protections for all Australians, including a statutory tort for serious invasions of privacy,” the spokesperson said in a statement to the ABC.

Loading…



READ SOURCE

This website uses cookies. By continuing to use this site, you accept our use of cookies.