
The hacking of Parliament’s IT system — the second major intrusion since 2011, when the parliamentary email accounts of Julia Gillard and senior ministers were accessed — and the fact that Australia’s major political parties were also attacked confirm that whenever a politician or bureaucrat assures you that governments can hold your personal information safely, they’re ignorant or lying.

They can’t even protect their own information.

Parliament contracts out its IT services and buys or leases hardware and software to provide the IT systems that all politicians and staff use. Ministers and their staff also have access to departmental systems, many of which are hard-wired into Parliament House, meaning successive ministers often end up in the same office. But everyone has a parliamentary log-in and email, even if ministers don’t use them much. It was those accounts that were accessed, almost certainly by China, in 2011. 

We were told yesterday that the Australian Signals Directorate is continuing to investigate the penetration. But ASD is part of the problem. Along with its counterpart agencies in other Five Eyes countries, ASD isn’t merely charged with protecting Australian governments from hacking, but also with breaking into the IT systems of other countries. And not just governments but corporations as well, because much of what ASD does is corporate espionage rather than the brave fight against terrorism or the resolute holding of the virtual line against Chinese or Russian e-aggression that we’re told about.

And they do that by exploiting weaknesses in commercially available software of the kind that companies, government departments and ordinary consumers the world over use every day. According to a former senior NSA figure, agencies like the ASD and the NSA hang on to about 10% of exploitable weaknesses for their own use. That is, instead of picking up the phone to Microsoft or Apple and warning that they’ve discovered a flaw that can be exploited by malicious actors, they store it away, along with the code that can exploit it, for their own use.

It’s unclear, and we’ll never be told, how hackers accessed Parliament’s system or those of the major political parties, but it’s quite possible it was done by exploiting an identified weakness that agencies like ASD themselves know and use.

This is another reason why governments can’t be trusted any more than corporations can when it comes to protecting your personal data. It doesn’t matter how forthrightly an agency, like the Australian Bureau of Statistics or health agencies or Human Services, insists that your data is safe; the government’s heart really isn’t in it.

Within the government, operating with little accountability, or media or parliamentary scrutiny, are intelligence officers who, rather than helping fix weaknesses in the IT systems we all use, keep them to exploit for themselves in the furtherance of the interests of Australian companies and those of our allies. What’s more, these officers have just been given the power to order Australian companies to create weaknesses in their own software as well.

The only way to protect your information from such people, or their Chinese counterparts, or criminal organisations that can exploit such weaknesses as readily as intelligence agencies, is not to provide it at all.

At least government agencies are subject to a privacy regulatory regime. Political parties are not. Politicians have exempted themselves from privacy regulations, meaning — funded by taxpayers — they have accumulated vast troves of data on every voter in Australia, data you and I are never allowed to see, data the use of which is unregulated and, as we’ve now seen, stored in poorly secured IT systems.

It’s one thing to warn against handing your personal information to a government agency, but political parties don’t give you an option — they accumulate, and buy, information about us without ever giving us an option.

There was much talk about democracy yesterday. In a proper democracy, political parties wouldn’t get to systematically violate voters’ privacy without having to worry about accountability.