Flamin' Galahs hand over drivers' data to drive The Capability
Only days after State and Territory leaders handed over driver license facial image data to federal authorities, the 2017 Australian Cyber Security Centre (ACSC) Threat Report has illustrated just how poorly those federal authorities can fumble the security of some of their most sensitive information.
When the IGA on identity matching services was signed earlier this month (because, terrorism), the state leaders gifting our data to (unspecified) federal agencies and 'certain organisations' offered platitudes about 'robust privacy safeguards' and 'best practice security', while at the same time laying out protocols for private sector access to our facial image data.
This private sector access was highlighted as the weak point that allowed a hacker, code-named 'Alf' (after Home-and-Away's Alf Stewart no less) to access sensitive military information including restricted technical information on the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft, the Joint Direct Attack Munition (JDAM) smart bomb kit, and 'a few Australian naval vessels'.
The 2017 Threat Report from the Australian Cyber Security Centre (ACSC) describes how this significant trove was extracted from 'a small Australian company with contracting links to national security projects' - the same kind of private sector entity that the newly signed IGA foresees managing and operating on our sensitive facial image data.
After wading through the double-speak of the Agreement, perhaps the most interesting parts remaining are the state-specific schedules for each jurisdiction, outlining their financial contribution, and any specific provisions.
I live in the (sub-)tropical paradise of Darwin, and I note the NT made no particular demands to strengthen protection of the rights of Territorians. The other Territory, the ACT, by contrast made a number of provisions in that direction, including this interesting clause:
"Any participation in the Capability by the Australian Capital Territory will be consistent with the human rights principles as set out in the Human Rights Act 2004 (ACT)."
Note that phrase I've emphasised. The Capability is the (otherwise unspoken) internal code name for what is the Federal Government's full intention for this data, and you know that's not just about protecting us from phantom terrorists. The National Facial Biometric Matching Capability is widely tipped to eventually be integrated with (increasingly ever-present) public CCTV monitoring.
Biometric data isn't like your credit card - if hackers get your credit card, you cancel it. You can't cancel your face, but it appears the state governments are only too happy to cancel your privacy.