Australian authorities among world’s biggest requesters of personal data

Authorities are requesting personal data from major tech companies at three times the rate of a few years ago, according to new figures that found Australians are the world’s tenth most-surveilled populace. And the surveillance is only increasing, with multiple audits showing questionable access of citizens’ data by police and other authorities.

The most invasive countries in terms of social media requests

Australian authorities lodged 195 requests for user data per 100,000 people, according to a new Surfshark analysis of 3.1 million requests made by the governments of 66 countries to Google, Facebook, Microsoft, and Apple between 2013 and 2020.

That reflected an overall increase of 213% since 2013. And, while US authorities made 1.1 million of those requests—ranking fifth with 334 requests per 100,000 population—European countries actually dominated the Top 10 list, with Malta (765), Germany (353), the UK (336), France (315), Ireland (302), and Luxembourg (246) reflecting the surveillance culture on that continent.

Singapore, with 373 requests per 100,000, was ranked the second-most-intrusive government, while—in a likely reflection of a government that already collects massive volumes of information about its citizens directly—China ranked last, with just 362 requests over the eight-year period.

The rankings reflected growing worldwide adoption of physical and online surveillance tools, Surfshark CEO Vytautas Kaziukonis said of the new results, which were compiled based on the four tech giants’ own data-transparency reports.

“An increasing number of governments are deploying a range of surveillance technologies under the premise of maintaining order and public safety,” he said. “However, it is evident that the [desire] to track and monitor citizens can be far more overreaching and infringe people’s privacy.”

Despite rhetorical resistance to government authorities’ intrusions, the Big Four technology companies were still providing a fairly large volume of user data—with Facebook ceding to 76% of requests that have grown six-fold during the studied years. Microsoft provided user information in two-thirds of cases, with Google doing so in 58%. Apple was least likely to provide information when requested, but it still handed over user information in 55% of cases.

Australia’s slippery slope on data gathering

In the face of increasingly intrusive data-gathering, governments have walked a fine line between citizen privacy and authorities’ desire for more information.

Singapore, for one, was forced to fast-track guarantees that police would not be allowed to routinely access COVID-19 app data tracing its citizens’ movements.

Yet Australia’s position as one of the top ten most-intrusive governments—Surfshark’s analysis found authorities made 195 requests per 100,000 citizens, or 49,473 requests in total over the eight-year reporting period—reflects ongoing issues in the management of ever more-intrusive surveillance and data-access powers that have been given to authorities in recent years.

A recent Commonwealth Ombudsman report, for example, examined the use of data-access powers by the Australian Federal Police (AFP) ACT Policing unit under the Telecommunications (Interception and Access) Act 1979 after an internal audit identified about 800 requests for users’ location—known as location-based services—that had been carried out “outside the AFP-approved process”.

Close analysis of 135 noncompliant requests for data access showed that 119 had no record of the information that had been put before the authorised officer to support the determination that the request for data about users’ movements was authorised.

Blaming “internal procedures at ACT Policing and a cavalier approach to exercising the powers,” the ombudsman concluded, “resulted in a culture that did not promote compliance with the TIA Act.”

It’s not the only damning finding about Australian authorities’ use of special data-access powers: A recent Australian National Audit Office (ANAO) review, for example, identified “serious deficiencies” in the recordkeeping practices and processes used by the AFP to document its requests for search warrants.

With officers intentionally avoiding the AFP’s decades-old case management system, the ANAO advised the authorities to stop storing critical data in network file shares and to implement a proper document-management system capable of meeting documentation requirements.

Improper recordkeeping and scope creep have been consistent features of audits of Australian authorities’ data-requesting powers, with controversial telecommunications data-retention legislation found to have been used by dozens of non-law-enforcement agencies—including Australia Post and local councils seeking to enforce parking fines—in a dangerous case of scope creep.

Australian authorities have been so efficient at subverting privacy controls that they were engaged by the US FBI to provide decryption support for the recent Operation Ironside sting, in which more than 200 Australians were arrested for criminal activity based on their communications across a supposedly encrypted messaging app.

Australia’s “very weak” privacy laws—including the Encryption Act that gives police the power to forcibly decrypt private messages—have been flagged as the reason Australian authorities were included in the global operation.

Yet with these and other indicators continuing to suggest Australian authorities’ use of private data is continuing to increase, privacy advocates are closely watching reviews such as an ongoing enquiry into the data-retention legislation—which was the subject of a Parliamentary Joint Committee on Intelligence and Security (PJCIS) review published in late 2020.

As currently formulated, Law Council of Australia president Pauline Wright warned, the current legislation “has the potential to intrude on the privacy of all Australians, not just suspected criminals or people of national security interest. Steps must be taken to ensure that the current lack of proportionality is addressed.”