Unauthorised disclosure frustrates ATO despite revealing nothing untoward

By Stephen Easton

Friday July 14, 2017

The Australian Taxation Office is really not having the best run lately.

It was already struggling to explain that the most recent downtime of its online systems was a different and less serious problem to its previous IT breakdowns, and that the massive fraud investigation that destroyed former deputy commissioner Michael Cranston’s career was, on one hand, a win for the ATO’s criminal investigators.

Now the ATO has had to issue another statement assuring the public that those investigators are not some sort of secret police squad, keeping tabs on citizens through their digital devices, after one of its employees posted slides from a presentation on how to crack into a crook’s digital device on their LinkedIn page.

“The ATO does not monitor taxpayers’ mobile phones or remotely access their mobile devices,” said chief information officer Ramez Katf in the statement yesterday. (A senior member of the secret police would say that, wouldn’t they?)

The agency only found out from the ABC reporter who broke the story, and had the staff member swiftly remove the information.

It’s no secret that it is possible to get data out of locked, moderately broken or unpowered devices with equipment like that sold by the firm Cellebrite, or that certain government agencies do this, with warrants, when they have evidence of criminality.

And it had already been reported in June that the ATO had bought the Cellebrite equipment, along with the Federal Police and Australian Securities and Investments Commission. Maybe this was why the employee thought it was OK to list his experience.

But, like any regulatory agency, the Tax Office would still prefer to give away as little about its investigative techniques as possible. In this light, posting this information to LinkedIn seems somewhat naive.

That’s not to say it’s a particularly bad leak, or that what it revealed is a big surprise. The ABC reports the employee was simply “reminded of his responsibilities” as a public servant, which essentially include keeping mum about almost anything to do with work unless it’s your job to talk about it.

The information did not show the agency doing anything unethical or inappropriate; in fact it is just using the latest tools to do what it’s always done, and Katf isn’t apologising. He explained:

“Circumstances where the ATO uses technology such as the Universal Forensic Extraction software provided by Cellebrite, is to support criminal investigations. For example, where assets such as laptops or mobile devices may contain information about activity related to suspected organised crime or alleged large scale promotion of aggressive tax schemes.

“These assets would first need to be accessed following a court ordered warrant, where it is determined that material specifically relating to the court warrant is held on those assets. As this activity is conducted legally, and never involves remote access to a device, it is not correct to refer to it as ‘hacking’. Any use of software that may bypass the security lock of a phone, is conducted with the relevant legislative approval (primarily section 3E of the Crimes Act) or following written consent from the owner of the device.

“We will continue to work with other enforcement agencies in supporting criminal investigations, including through use of Universal Forensic Extraction software.”

But despite being entirely unsurprising, these kinds of stories are obviously popular. There are those who interpret such revelations as evidence that the power of governments over individuals is on the rise and that faceless bureaucrats are doing spooky things to keep tabs on citizens and peer into their private lives. Maybe they are, but this is not a very good example.

It was also revealed recently that the Department of Human Services uses the same technology from the same company, again with a warrant and when investigating serious fraud. This triggered claims of “function creep” and “overreach” from some commentators. (Nobody tell them DHS also buys in “optical surveillance” services from a range of private investigation firms.)

Today the latest installment in this series goes the other way, suggesting agencies including Australian Border Force are unprofessional because they have also purchased much cheaper, lower-grade tools of a similar kind that are aimed at consumers.

Such stories demonstrate that interesting tidbits from inside the bureaucracy are gold for news reporters, regardless of whether they actually demonstrate anything untoward, inappropriate or unexpected.

As commissioner Chris Jordan said recently, it is important to accept failures and address legitimate matters that draw public criticism because they cast the whole organisation in a negative light, and threaten to take the gloss off its positive achievements.

This week’s unauthorised disclosure demonstrates those same risks have to be managed even when nobody has done anything wrong and nothing has broken down.
