Tech slips create illegal bugging headaches for Australia’s spy agencies

Legacy systems are causing governance headaches for Australia’s overseas spying agency, the Australian Secret Intelligence Service (ASIS) after the nation’s official watchdog for spooks pinged the foreign collection service over inconsistencies in identifying who is or isn’t an Australian citizen.

The annual report for the Inspector General of Intelligence and Security (IGIS), which probes agencies to make sure their operations are above board and legal, reveals old tech systems are causing the occasional mix up when it comes to privacy rules protecting Australians.

The report is the equivalent of an annual roadworthy check for spy agencies. To be fair, it catalogues their defects and failures (and why it's such a fun read).

And while privacy might seem like an abstract notion in the age of Trump, Facebook and Cambridge Analytica, it’s still a big deal for intelligence “collection” agencies who are tasked with bugging foreign targets but sworn off sniffing domestic ones (ASIO gets that job).

“Throughout the reporting period there were a small number of instances where the Privacy Rules were not applied prior to ASIS reporting on an Australian person or company,” the IGIS annual report notes.  

“While most were the result of human error, the effect of an ageing IT system and not identifying a person as an Australian citizen, the office found only one where reporting on an Australian person would not have been reasonable and proper had the Privacy Rules been applied at the time.”

The acknowledgement that ASIS’ IT systems are getting old and a crotchety is a rare and illuminating insight into what must clearly be an internal pain point for the agency, which falls under the Department of Foreign Affairs and Trade.

The calling out of ageing systems is also likely to be regarded as a signal to policymakers that existing infrastructure has probably been sweated as far as it can, not that details are likely to ever surface in public.

An acutely Australian problem

Other collection agencies are also struggling with issues surrounding the intersection of technology and citizenship.

With a raft of politicians having walked the plank or embroiled in controversy over their own citizenship status, the spy watchdog points out that the thorny issue isn’t always a straightforward binary proposition.

“Oversight of the activities of agencies governed by the Intelligence Services Act 2001 focused on the performance of their statutory functions and their compliance with ministerial authorisations and directions including Privacy Rules applicable to ASIS, ASD and AGO and, in this time of dual citizenship, the difficulty of determining who is an “Australian person” as defined in section 3 of the Intelligence Services Act 2001,” the IGIS noted.

Teething issues for ASD upgrade

At the Australian Signals Directorate (ASD) it was new software rather than old software tripping alerts in the compliance and oversight section.

The IGIS said ASD had fessed-up to four breaches of the Intelligence Services Act “which involved ASD producing intelligence on an Australian person without a ministerial authorisation.”

But who's counting the ministers.

“A breach occurred due to a failure of process following an update to an ASD user interface; IGIS staff reviewed ASD’s investigation, identified that the required paperwork for the Minister was unsatisfactory and recommended that ASD re-submit the relevant documents,” the IGIS report said.

In another citizenship slip, this one apparently human, the IGIS noted that “ASD had incorrectly overturned a presumption of nationality on the basis of citizenship status without proper regard to the residential status of an individual.”

The pressures the intelligence community faces when dealing with fast moving scenarios are also borne out in the IGIS report, albeit not without some empathy.

One of ASD’s breaches “occurred in the context of an emergency situation, lasted for a period of five minutes, and was identified and reported to this office within an appropriate time period,” the IGIS said.

The ones that got away

On the domestic front, the most revealing aspect of probing into the Australian Security Intelligence Organisation (ASIO) was two new inspection lines into bugging devices and social media activity had to be shelved by the IGIS due to a lack of cash and bandwidth.

The IGIS said that a “Devices” inspection project it initiated in 2016 “focusing on ASIO staff access to surveillance devices and other technical devices used for surveillance” had to be suspended “due to higher priority inspection activities and staffing shortages in this office.”

Inspection of ASIO’s Facebook, Twitter and Instagram snooping also fell by the wayside.

The IGIS’ “Online Investigations” inspection project, also from 2016, that had been slated to be “focused on ASIO’s online investigative activities” had to be “cancelled to make way for higher priority investigations”.

“The project did not arise in response to a specific concern or complaint, but was considered to be timely noting the proliferation of social media activity amongst the investigative targets and broader public alike,” the IGIS said.

We’re betting that with an Australian federal election looming, and Facebook in the dock overseas over what role it played in foreign governments trying to influence votes in the US, the latter is ripe for reactivation via a funding boost sooner rather than later.