LEAN Times Ahead?
Roger Clarke
Australian National University
Published in Policy
© Australian National University, 1992
Introduction
The Federal Attorney-General's Department is spearheading a proposal to
establish a system called the Law Enforcement Access Network (LEAN). This
system, in addition to its potential benefits in relation to law enforcement,
represents a very serious threat to the information privacy of all Australians.
This paper outlines why.
What Is LEAN?
LEAN is "a function-specific computer system with capability to access, search,
analyse and match data, irrespective of the formatting of the data or type of
data base management involved, and to make that functional capability and
contents of public databases available to Commonwealth agencies with law
enforcement and revenue protection responsibilities" (RFT at 1.3.6).
What this means is that:
- one agency (the Attorney-General's Department) will establish a service
which other organisations will use;
- the service will acquire from many different sources copies of databases
about people; and
- it will provide its clients with powerful capabilities to retrieve data
from those databases, and analyse it in conjunction with those organisations'
own data.
What Databases About People Are Involved?
Initially, it is proposed that data will be acquired from:
- the Australian Securities Commission, relating to company
registration details, including directors' and other associated
people's names and addresses; and
- State government agencies in each State and Territory, relating to
land ownership and valuations. In some States, these would
come from many different agencies, including the Registrars of Land Titles,
district Water Boards, Valuers-General, etc. In some States, however, many of
these have already been merged into a single integrated service (e.g. in N.S.W.
the State Land Information Centre - SLIC).
It is claimed that it "requires only Government direction to extend it to other
databases" (A/G's, p.8). The proposal uses the term "publicly available
databases" (e.g. A/G's, p.8), and it is reasonable to assume that the scheme
will be extended in due course to such databases as:
- Telecom White Pages;
- Telecom Yellow Pages;
- the Electoral Roll;
- driver and motor vehicle registration records in each State; and
- Births, Deaths and Marriages registry data in each State;
and perhaps also to:
- Water Board records;
- electricity authority records; and
- gas company records.
Size and Growth Path
In mid-1991, it was reported that 500-3000 terminals would be connected to the
system. The initial size of the system is already much greater than this, with
10 agencies involved and a total of 6500 terminals to be connected.
Moreover, at peak times each day, 1500 terminals would be actually in use (RFT
at 5.2.1). The initial total storage being sought is very large, at 62.5
thousand million characters (RFT at 6.5.2).
The scope of the scheme is clearly intended to increase significantly, as the
following points show:
- the number of terminals connected in the original 10 agencies is expected
to grow to 10,500, and the number connected at any one time to 2200 (RFT at
5.2.1);
- an additional 6 agencies are already considering becoming users (Draft RFT
at 1.3.8);
- "it is anticipated that State and Territory Governments will request
access" (RFT at 5.2.2);
- tenderers are required to specify enhancements which would cope with
increases in transaction rates by factors of 2 and 5;
- tenderers are required to specify enhancements which would cope with
increases in data volumes by a factor of 2 (RFT at 6.7.1); and
- additional public databases may be added.
In addition, it is not clear whether there is anything to prevent the provision
of the service to companies.
What Justification Has Been Given For the System?
The origins of the proposal are traced to a 1987 Government Report entitled
'Review of Systems for Dealing With Fraud on the Commonwealth' (Fraud).
Despite the time spent in developing the proposal, there appears to be no
economic justification in any public document. Instead, the limited material
available depends on such assertions as:
- "the Attorney-General's Department is of the view that LEAN will assist
the Commonwealth in protecting its revenue and enhancing its law enforcement
capability" (A/G's, p.3);
- "having no such system ... is increasingly becoming thoroughly
unacceptable" (p.6); and
- "a shared facility ... presents a major cost-saving" (p.6).
The closest to an analysis of the means whereby benefits will be gained is "The
number of cases resulting in unsuccessful prosecutions will decline, with more
resulting in success ('penalty') or (for those which should not proceed)
appropriate termination. Termination decisions should also be made earlier in
the process... Recoveries of proceeds of crime should also increase" (p.8, and
PilotEval, pp.11-12).
The sole quantified estimate provided is "(One agency estimates its average
search time using LEAN is less than one-quarter of the time taken per search
without LEAN)" (PilotEval, p.12). No attempt appears to be made at any point
in the publicly available documents to estimate financial, other quantifiable
and qualitative costs, and match them against estimates of financial, other
quantifiable and qualitative benefits.
Moreover, there are significant causes for doubt about the system's value, even
within the documents provided:
- "The returns from such new capabilities are only beginning to be
predicted" (A/G's, p.6);
- "Many of the current and future agencies would be unable to justify even a
basic inquiry system in their own rights" (p.6); and
- "[there are] few things of which we are certain" (p.5).
What Privacy Issues Arise?
* New Threats in Old Bottles
The Attorney-General's Department claims that the scheme has very limited
privacy implications, because it involves only publicly available databases
(referred to in the Privacy Act 1988 as 'generally available publications').
This claim is spurious.
It is true that there has been a general right of access to the databases
involved. The form of access has been limited, however, to searches based on
very specific 'keys', such as the name of the company, or the property details.
Moreover, the time and cost involved in searches has been such that they were
seldom done frivolously.
Organisations using LEAN would have access to the databases it contains in a
manner utterly different from that which was possible in the past. Data may be
accessed using additional keys. For example a person's name may be used to
find out what companies he or she is associated with, or what other people he
or she is associated with by way of common directorships. Similarly, all
properties owned by any individual now or in the past can be quickly, easily
and cheaply discovered. This is identical to the capability offered by
Telecom's Electronic White Pages, whereby the registered subscriber and his or
her address can be discovered from their telephone number.
It is disingenuous for the Attorney-General's Department to suggest that LEAN
is merely automating 'publicly available databases'. The Department claims,
possibly correctly, possibly incorrectly, that the system is exempt from the
Privacy Act 1988, on the grounds that it is concerned with "law enforcement and
protection of public revenue". Whether or not it is exempt is in the end
irrelevant. It is a scheme which drastically alters long-standing arrangements
concerning personal data, has very significant implications for privacy, and
should be subjected to careful and public assessment prior to being
implemented.
* Mixed Purposes and Wide Availability
LEAN is targeted at two distinct populations:
- people of financial substance, with associations with
corporations, and significant real estate assets. In relation to such people,
LEAN is intended to support complex investigations using data "from a variety
of sources, having a variety of formats and data elements ... some of which
[are] obscure, incomplete or otherwise presented to conceal true ownership or
identity" (pp. 3,4); and
- the ordinary person, whose primary associations are with
taxation and social welfare agencies. For these purposes, LEAN is to support
routine verification of the accuracy of data supplied to government agencies by
benefits recipients and taxpayers.
The power provided by LEAN is arguably necessary for the first purpose, but is
frightening in the hands of inadequately trained staff dealing with large
numbers of routine cases involving many errors, misunderstandings and
forgetfulness on the part of members of the public (and sometimes errors,
misunderstandings and forgetfulness on the part of public servants).
* Many Additional Privacy Considerations
Additional factors which highlight the privacy significance of the system
include:
- data collection:
  - the scheme involves use of personal data for reasons entirely different
    from that for which it was collected;
  - in general, the organisations which collected the data did not communicate
    to people that the data would be used for such purposes;
  - it appears that some of the data may be acquired under contract, implying
    that at least some agencies intend trafficking for profit in data which was
    supplied to them under compulsion of law (Draft RFT at 6.6);
- data storage:
  - data about everybody is to be stored in a context associated with criminal
    investigation;
  - there are differences between the definitions of data used in different
    systems, and some of these differences are both significant and subtle;
  - some of the data is of "dubious quality" (p.2);
  - some of the data is sensitive (p.7);
  - there are considerable difficulties in comparing data definitions and data
    quality among systems designed for different purposes;
  - there is a potential and probable use of 'data scrubbing' techniques to
    massage the data (Draft RFT at 5.3.6);
- data disclosure and use:
  - the enquiry language proposed is enormously powerful, resulting in
    enhanced scope for errors and misunderstandings, particularly by
    inadequately trained staff;
  - there is no overall responsibility for the quality and care with which the
    facility is used: "individual user agencies will be responsible for
    monitoring the specific activities of their staff members. Some agencies
    have decided to maintain highly detailed audit trails of their use [which
    implies that some have not decided to apply this basic control]" (p.7);
  - the changed economics will clearly result in increased surveillance of
    more people, e.g. the use of public databases as a locator device;
  - there will be a temptation to extend the system to include facilitation of
    the interchange of non-public data among participants.
An additional concern is that most of the data involved in this first phase of
LEAN is to be sourced entirely from State Government agencies, and none of
those agencies are themselves subject to privacy regulation. This raises
doubts about the conditions of collection, storage, use and disclosure, and the
quality of the data which will be provided.
The appreciation of the concept of privacy shown in the publicly-available LEAN
documents is slight. The terms 'privacy' and 'security' are used in close
association throughout, and the only 'privacy safeguards' mentioned are
security measures (pp.8-9). In fact, security represents only one of a dozen
aspects of privacy protection, and one of the few in which the interests of
data users and data subjects coincide.
A Tool of Mass Surveillance
Of especial concern is the intention to use the data for computer matching (RFT
at 6.1.3, 6.6.3, 7.2(h)). Computer matching's primary purpose is as a mass
surveillance technique, which is a means of 'trawling' or 'drift-net fishing'
in order to discover people about whom to be suspicious.
Data matching is distinctly different from investigative techniques which begin
with a person or persons about whom suspicion already exists. For this reason
the Privacy Act 1988 drew especial attention to the technique, and the Privacy
Commissioner has invested considerable effort in developing Guidelines
constraining its use. It is vital that all agencies using matching be subject
to these Guidelines, yet some of them, and perhaps even the whole of LEAN, may
be outside the jurisdiction of the Act, the Guidelines, and the Privacy
Commissioner.
Conclusions
LEAN represents a substantial reduction in the privacy of Australians:
- it centralises data never centralised before;
- it accumulates a historical database never available before;
- it provides retrieval capabilities never available before; and
- it is accessed by directly linked networks, to facilitate high-volume
usage.
LEAN should not proceed on the present basis. Implementation should be
deferred pending the following:
- consultation with privacy interests, including not only
the Privacy Commissioner, but also privacy advocacy organisations, civil
liberties organisations, and the professional body of information technology
practitioners;
- amendment to the Privacy Act 1988 to remove the many
clauses which exempt some agencies and some systems from privacy regulation,
and especially those which exempt data which have been in 'generally available
publications';
- restriction of access to LEAN in the following ways:
  - only to those agencies which have an explicit
    responsibility to undertake investigations into criminal matters, and which
    have appropriate hiring and training policies in place in relation to
    staffing such investigations;
  - only to those individuals within such agencies as have
    explicit responsibilities to undertake criminal investigation and have
    appropriate educational and training backgrounds;
  - only in those circumstances in which:
    - reasonable grounds exist for suspicion that a crime has been committed
      or is being prepared, of a type which that agency and that individual
      are responsible for investigating;
    - a specific identified individual or group of identified individuals is
      under investigation; and
    - explicit legal authority exists for the data to be accessed, in such
      form as a search warrant issued by an independent authority.
References
A/G's 'Law Enforcement Access Network' Fraud Policy and Prevention Branch,
Attorney-General's Department, December 1991, 9 pp. plus 10 pp. of
Attachments
Fraud 'Review of Systems for Dealing With Fraud on the Commonwealth' Austral.
Govt. Publ. Serv., 1987
PilotEval 'A Report on the Evaluation of the LEAN Pilot' Fraud Policy and
Prevention Branch, Attorney-General's Department, October 1991, 12 pp. plus 11
pp. of Attachments
RFT 'Request for Tender for Supply of Hardware, Software and Services to
Implement a Law Enforcement Access Network (LEAN) for the Attorney-General's
Department' Request No. A00025, December 1991, 127 pp.
Last Amended: 13 October 1995
These community service pages are a joint offering
of the Australian National University (which provides the infrastructure), and
Roger Clarke (who provides the content).