A scathing report by the Queensland information commissioner has revealed the state's police service failed to consider the security and privacy aspects of its five-year-old Policelink app until it was audited.
The Office of the Information Commissioner audited [pdf] three mobile apps developed by the Education, Transport and Police agencies respectively to see how well they adhered to their privacy obligations.
While it found Education and Transport had designed their apps with privacy and security in mind from the outset, QPS had not, instead prioritising getting its Policelink app up and running.
The office was highly critical of QPS' approach to the app's development, revealing no action had been taken on either the privacy or security front until the office audited the agency - five years after the app was made operational.
QPS' first privacy impact assessment of the Policelink app - a tool for members of the public to report non-urgent crimes like graffiti and wilful damage of property to the police - was last month, at the conclusion of the OIC's audit.
The app was launched on Android and iOS app stores in October 2012. It collects personal information like name, date of birth, gender, and in some cases driver's licence, passport, and cultural details from the members of the public who report perceived crimes.
The project team assumed privacy was the responsibility of other QPS divisions, the OIC found.
As a result, no thought was given to why the personal information the app requests from individuals was collected, how it would be used, and how users felt about handing it over.
"... QPS acted on assumptions about the use or disclosure of information, for example: if police officers collected the information originally, they must use it for something, for example, 'investigative purposes'," the OIC wrote.
"QPS has not documented these assumptions which the project team put forward during our interviews. The team believed that its job was to achieve functionality – quickly, responsively and within budget – which it did. This view was consistent with executive management recognition of these achievements."
While the team deployed whole-of-goverment and QPS privacy statements for the app, both were far too generic and didn't include things like why the app seeks permission for location information, access to contact lists, device audio, USB storage, and video recordings.
"An agency should not collect personal information just because it thinks the personal information may be useful at some time in the future," the OIC said.
"Users who are not confident that a government agency handles their personal information appropriately may lose trust in the agency and may be less likely to seek contact with the agency."
The assumption about privacy being someone else's responsibility was also applied to security, meaning QPS did not test the Policelink app for vulnerabilities before deploying it.
It still has no testing regime in place, the OIC said, even after being alerted to - and quickly rectifying - a flaw by the Public Safety Business Agency.
"As a result, QPS cannot demonstrate how it is managing the security, access and use of personal information collected through the Policelink app."
The agency is "considering" implementing a framework of vulnerability and penetration testing, but hasn't provided the OIC details on the proposed cycle, what it will address, and when it will be established.
Who's in charge?
The privacy office attributed the massive oversights to poor governance.
"It is not clear who was ultimately responsible for overseeing the project. This means that, at the design and development stage, QPS did not ensure that the app met the legislative requirements for privacy and/or its own policies about privacy."
While it noted that QPS' July PIA was a "good first step" in addressing the problems, "more work" was needed for the agency to meet its privacy obligations, laying out a laundry list of recommendations.
In his response to the audit, QPS commissioner Ian Stewart denied the issues had stemmed from weak management.
He argued a privacy impact assessment had not been needed because the app had been intended only as a gateway to a secure system. Stewart conceded, however, that a PIA should have been performed as new functionalities like hosted forms were added.
The commissioner also said no security testing was done on the application because when it was launched it only provided links to QPS phone numbers and web pages. He admitted that testing should have been undertaken with the addition of new functionality.
QPS accepted the majority of the OIC's recommendations. Stewart said the force had already considerably redesigned the app following the OIC's findings to bring it into compliance, and laid out a timeline for the remainder of actions.