Sunday, 16 April 2023

Services Australia can no longer off its own bat crack welfare recipients' PC, mobile, email & social media passwords in order to spy - since 13 October 2015 its been obliged to use the Australian Federal Police, an even more indiscreet Commonwealth agency.

 

On 17 July 2015 Deputy Secretary of the Dept. of Human Services (now Services Australia) Malisa Golightly, of ‘Robodebt’ notoriety, wrote to the Deputy Secretary of the National Security and Criminal Justice Group in the Attorney-General’s Department, seeking the department's continued inclusion as an enforcement agency under the Commonwealth Telecommunications (Interception and Access) Act 1979.


At that time the Dept. of Human Services employed 295 investigators and 89 intelligence analysts who typically conducted 3,000 criminal investigation per year – using the full range of powers available to an “enforcement agency” in the 1 July 2015 version of the Telecommunications (Interception and Access) Act.


Here is a potted history of what happened after that.


ITNews, 4 April 2022:


Services Australia is using telecommunications metadata and password-bypassing software to investigate welfare recipients suspected of claiming single payments while in relationships.


The Centrelink administrator told the Attorney General’s Department (ADG) that metadata is used to detect “people who receive payments as a single person while in a marriage-like relationship,” according to documents obtained by iTnews.


Submissions to AGD in 2015 and again in 2022 [pdf], obtained through a freedom of information request, list types of fraud the agency uses welfare recipients’ telecommunications metadata to detect.


A Services Australia spokesperson told iTnews that both telecommunications metadata and password-bypassing technology from Israeli vendor Cellebrite are only used when fraudulent claims trigger criminal investigations.


This contrasts with the more common non-compliance investigations, which prevent and recover debts resulting from over-payments, such as the notorious robodebt scheme.


However, the spokesperson would not say how much money a person needs to be suspected of being overpaid before a non-compliance investigation is tipped into a criminal investigation, making it hard to estimate the extent to which the technologies are used to determine relationship-status.


Moreover, welfare recipients told iTnews, while Services Australia has said that Cellebrite is only used for criminal investigations, data may be extracted from their devices before charges have been laid; and Services Australia may continue to pursue the debt as a non-compliance investigation even if the suspect is not prosecuted…...


Metadata and relationship-status


It is not clear what types of metadata are used to glean if welfare recipients are single, however criteria listed on Services Australia’s website for “how we assess if you’re a couple” includes: “financial aspects of your relationship, the nature of your household, social aspects of your relationship, [and] if you have a sexual relationship.”


The Services Australia spokesperson told iTnews that "the key metadata we request enables us to identify records linked to telephone numbers or IP addresses to support criminal investigations.”


The spokesperson did not answer whether it includes geolocation data on a device’s connection to the internet or the sender-recipient records of a user's communications.


Services Australia was cut off from directly asking telcos for metadata in late 2015, after having had the power since 2009.


It now makes requests for metadata, "where required", through the Australian Federal Police.


Services Australia has asked the government at least twice to have its powers back.


According to the FoI, Services Australia requested AGD declare it an 'enforcement agency' under Section 176A of the Telecommunications (Interception and Access) Act (TIA) in 2015 and made the same request seven years later during a current review of electronic surveillance laws…...


In response to its 2015 application, AGD suggested “joint investigations arrangements with a criminal law-enforcement agency” as an “alternative means of accessing historical telecommunications data.” The welfare provider took the advice.


Since Services Australia started accessing telecommunications metadata indirectly through the AFP, it is unclear how many investigations involved fraud claims based on relationship-status.


According to its most recent annual reports, in 2021–22 Services Australia conducted 709 criminal investigations, 988 administrative investigations and made 203 referrals to the CDPP.


A quick look at the Commonwealth Ombudsman' views on the often erratic response of the Australian Federal Police to its requirement to comply with telecommunication data law:

https://www.ombudsman.gov.au/__data/assets/pdf_file/0021/112476/Report-into-the-AFPs-use-and-administration-of-telecommunications-data-powers.pdf


There were several important factors that informed my decision to commence an investigation, including:

the covert and intrusive nature of this power

the duration and potential scale of non-compliance with the TIA Act as a result of ACT Policing accessing telecommunications data outside the AFP’s approved process

the omission of the affected records from our Office’s regular compliance inspections

previous recommendations our Office has made to the AFP about non-compliance with the TIA Act. 


Like law enforcement Services Australia is not eager to advertise the shortcomings of its own errant staff, but the character of this bureaucracy which uses covert surveillance on welfare recipients is not above interrogation. 


Services Australia is a federal government department which includes Centrelink.


A brief Internet search reveals for the most part sparsely worded information. The following is a compilation from government and media sources.


In a two year period covering 2005 to September 2006 Centrelink investigated 790 APS Code of Conduct complaints, with 766 referred for investigation and 585 staff found to have accessed the private information of welfare recipients or entered into a conflict of interest situation in breach of the code. Sanctions for these breaches reportedly ranged from 19 dismissals, 92 resignations and, more than 300 salary reductions or fines. Another est. 134 staff were demoted, reprimanded and warned. Five cases were referred to the AFP or Director of Public Prosecutions.


In 2006–07 Centrelink staff breached the information privacy principal in 367 instances, including 108 unauthorised access, 4 unauthorised disclosure and 10 unauthorised use. Another 17 new cases were opened with the Office of the Privacy Commissioner, bringing the total to 20 cases for the year. Centrelink finalised six cases with the office and as at 30 June 2007, 14 cases were still open.


By the next financial year 2007-08, Centrelink recorded 355 privacy breaches of which 100 were unauthorised access, 13 unauthorised disclosure and 1 unauthorised use. The remainder of breaches said to be primarily mailing errors.


In 2008-09 Centrelink found 368 proven privacy incidents of which 85 were unauthorised access of information, 14 were unauthorised disclosure and 1 was unauthorised use.


Financial year 2009-10 saw Centrelink admitted to 465 proven privacy incidents and it appears to have undertaken 286 staff code of conduct complaints investigations in which 187 staff member were found to have breached the code of conduct.


The following financial year 2010-11, Centrelink undertook 197 staff code of conduct complaints investigations, including 25 investigations of improper use of internet or email, and 67 investigations of ‘improper access to personal information’. The latter occurring when employees accessed records either without a business reason, or despite being directed not to do so, for example if the records belonged to themselves, family or friends. A total of 128 Centrelink staff members were found to have breached the code of conduct.


In 2011 Centrelink & Medicare were integrated into the Dept. of Human Services.


In 2011-12  the Dept. of Human Services finalised 205 staff breaches of the APS Code of Conduct, including:

  • 68 instances of improper access to personal information;

  • 5 unauthorised disclosure of information;

  • 10 conflict of interest;

  • 48 inappropriate behaviour other than bullying or harassment;

  • 17 harassment and/or bullying;

  • 8 fraud other than theft;

  • 1 theft;

  • 8 improper use of resources other than email;

  • 25 improper use of internet or email;

  • 8 inappropriate use of government vehicles;

  • 7 improper use of position or status;

  • 4 behaviour of the employee outside of work;

  • 2 misuse of drugs and/or alcohol, and

  • 2 other.


The next year 2012-13 the Dept. of Human Services finalised 165 matters involving 214 breaches of the code of conduct - across the gamut of human behaviour displayed in the workplace including 82  instances of improper access to personal information, 5 unauthorised disclosure of information and 26 conflict of interest. 


In 2013-14 the Department of Human Services reported there were 472 matters involving staff breaches of code of conduct of which 234 were finalised, including 118 improper access to personal information, 4 unauthorised disclosure, 181 conflict of interest and 66 fraud. 


The next financial year 2014-15 saw reports of 1,939 substantiated privacy incidents from which there were officially 268 findings of staff breaches of the code of conduct.


In 2015-16 there were 368 findings of a breach of the code of conduct.


Note: From 21.9.2015 to 18.2.2016 Stuart Robert was the Minister for Human Services.


In 2016-17 there were a reported 304 staff breaches of the code of conduct.


NOTE: From 21.9.2015 to 18.2.2016 Stuart Robert was the Minister for Human Services.


In 2017-18 a total of 235 staff code of conduct investigations were completed and 224 findings of a breach were made.


In 2018-19 the Department of Human Services reported a total of 249 staff code of conduct investigations were completed, with 241 findings of a breach of the code.


NOTE: From  29.5.2019 to 30.3.2021 Stuart Robert was Minister for Government Services, which included the Dept. of Human Services in his portfolio.

In May 2019 the Dept. of Human Services had a name change, becoming Services Australia.


From July 2017 to end June 2019 almost half of the breaches arose from unauthorised access to information, where staff had inappropriately accessed customer records. Almost a quarter of all breaches allegedly related to incorrect reporting of income by staff who were also in receipt of Centrelink benefits.


The Commonwealth Ombudsman's Report of 2019-20 mention that;  We received more complaints about Services Australia than any other agency (11,222), although this was a decrease of 3.7 per cent compared to last year


In one case; A complainant’s disability support pension (DSP) was cancelled as a result of a staff error and while seeking a review of this error they received an inheritance.

A trustee acting on behalf of the complainant contacted Services Australia however was unable to have the DSP payments reinstated, despite payments not being made in excess of 12 months.

As a result of the Office’s engagement with Services Australia during an investigation, the complainant’s circumstances were reviewed and they were back-paid over $45,000 for the entire period since their DSP was cancelled. Additionally, Services Australia provided feedback to the officer who made the initial error to improve future service.


In his following 2020-21 annual report the Commonwealth Ombudsman placed Services Australia in; the number of disclosures assessed meeting the criteria under s 26 of the Public Interest Disclosure Act 2013 and alleged kinds of disclosable conduct to which the disclosures relate. 


This involves 8 instances of:

Contravention of a law of the Commonwealth, state or territory (5)

Maladministration (2)

Abuse of public trust (2)

Wastage of public money (2)

Conduct that results in, or that increases, the risk of danger to the health or safety of one or more persons (3)

Abuse of public office (3)

Conduct that may result in disciplinary action

(6) 


In 2021-22 the Commonwealth Ombudsman reported that 52% of complaints it received from the public involved Services Australia-Centrelink.


No comments: