Revelations about surveillance activities by the National Security Agency (NSA) in the US may fuel fears among Australian businesses about offshoring data, according to privacy advocates.
"The arguments about data sovereignty have certainly been fired up again … but it was always there,” said Malcolm Crompton, a former Australian Privacy Commissioner who is now managing director of Information Integrity Solutions.
Recent reports have revealed the NSA, under a program called PRISM, is engaged in two types of data collection activities. First, the agency is collecting metadata about US phone calls, which includes information about a call—including time, duration and location—but not the content of the call itself.
Second, and perhaps more directly concerning to Australia businesses, the NSA is collecting data on Internet traffic from major American cloud companies including Google and Microsoft.
“We’ve always known about these risks—none of these are new,” said Crompton, citing a 2009 report in The New York Review of Books that the NSA was building a massive data centre to collect information. “Now we just have more evidence that they’re collecting everything.”
There had already been a fear that the US government could invoke the Patriot Act to collect Australian data hosted by American cloud providers, according to Civil Liberties Australia director, Tim Vines.
The reports about the US government's surveillance activities reveal “that in many instances it appears that these large cloud services have actually been willing to pass on information or to at least make available some of its users’ content to these agencies with minimal scrutiny,” he said.
“It certainly reinforces the existing concern that Australian companies had about hosting data in the United States where they felt that information could be accessible or handed over to the US government,” he said.
However, Australian businesses should carefully consider their situation before cutting ties with American cloud providers, said Vines.
“There’s certainly enormous capability and enormous potential in this PRISM scheme for invading privacy and for collecting huge amounts of data. Is it worth a company that is heavily service-based or on cloud services now jumping ship? I think it’s going to be up for each company to decide, and they’re going to have to go back and look at their risk management plan and how they handle client information.”
“If they have very sensitive commercial information, they may not want to host it in the cloud,” he said.
“Of course you need to do a risk assessment about offshoring data,” said Crompton. However, believing that “going to America is dangerous and leaving it here is safe is a very, very poor assumption.”
Even before news broke about PRISM, Australia had been debating collection of phone call metadata in the ongoing data retention inquiry in the Joint Parliamentary Committee on Intelligence and Security.
“This is a very live discussion in Australia,” said Crompton. Australia should discuss PRISM in the context of its own laws rather than just to “beat up on America,” he said.
Australian law enforcement has sought a requirement to require retention of the metadata, as well as a legal distinction between the content of a call and metadata about the call so as to make it easier for law enforcement to access the metadata.
Crompton disagreed there should be a distinction because he said “we’re now getting such density of data about the data that the insight that it reveals about the way people lead their lives is reaching the point where it’s more informative than the content of the calls.”
Vines said metadata could be used to piece together valuable insights about a business and its clients. “There’s really not a big difference there; the risk to a private company and the risk to a private individual are still the same.”
Crompton called for law enforcement to be more transparent about its use of metadata. “If they’ve got nothing to fear or nothing to hide, then they should be much more straightforward and clear with the people about what they’re doing.”
Senator Scott Ludlam for the Greens has also raised concerns about collection of metadata.
“Dozens of government agencies are vacuuming this material up, and there’s really no judicial oversight whatsoever,” Ludlam said last month at the CeBIT security conference in Sydney.
Smartphones “can place you anywhere at any time”, he said. “That is going to be very useful for law enforcement from time to time, but I am very, very concerned about a proposal that says every Australian citizen is treated as a criminal suspect until proven otherwise.”
The reveal of PRISM could have an impact on the Australian data retention debate, said Crompton. “I think it should because I don’t think there’s been enough engagement in it.”
Follow Adam Bender on Twitter: @WatchAdam