Centrelink hacking into fraudsters' phones
The agency says it uses the technology in strict accordance with the law and only when it has obtained a warrant when investigating cases of serious fraud.
The Department of Human Services, which oversees Centrelink, has spent $32,249 on Cellebrite products in the 2016 / 2017 financial year. Photo: Bradley Kanaris
But experts have warned the use of the 'Universal Forensic Extraction Devices' is jeopardising the communications security of Australians.
The welfare agency has joined other government outfits including the Australian Taxation Office and the Employment Department in using the extraction devices, which allow users to bypass security features on smart phones and extract data, including messages and call logs.
Centrelink and other agencies are not using the devices to listen in on their clients' telephone calls and investigators must have physical possession of the phone to be able to use the UFED.
The technology, developed by Israeli company Cellebrite, gained global attention in 2015 after it was believed to have helped the FBI crack the iPhone of San Bernardino terrorist attacker Syed Rizwan Farook.
"I would say that's a blatant misuse of this particular solution," Mr Molnar said.
The Cellebrite system can extract data from a variety of phones. Photo: Tessa Stevens
"I think this is a classic case of function creep.
"If Centrelink is using this technology then they should be forthwith about the specific circumstances under which they're using these sort of mobile hacking technologies."
The Cellebrite system has a cable for every phone on the market. Photo: Tessa Stevens
Do you know more? Get in touch via email@example.com or using the app Signal on your smart phone via 0437 464 126.
Centrelink's parent-department, Human Services, spent $32,249 on Cellebrite products in the 2016-2017 financial year.
I would say that's a blatant misuse of this particular solution. I think this is a classic case of function creep.A spokesperson for the department said Cellebrite devices had been used "less than 50 times" during the financial year.
Deakin University criminologist Adam Molnar
"The technology is only used for evidence collection during warrants for serious non-compliance and fraud cases," the DHS spokesperson said.
Warrants were issued under the Crimes Act and executed on the department's behalf by the Australian Federal Police, which also possesses Cellebrite technology, according to the department.
Australian Privacy Foundation chair David Vaile said the use of this technology, originally justified to fight terrorism or child pornographers, was becoming more routine and broader.
"If it's a boiling frog, at each stage the water is made warmer," Mr Vaile said. "The definition of what is a quote 'serious criminal offence', that's sort of a moving target."
"[Law enforcement] haven't understood the battle is being lost about IT security and they're contributing to it by normalising the idea."
Mr Molnar said Centrelink employees wanting to blow the whistle on misuse of Cellebrite technology faced jail time under the Crimes Act.
"To learn that you have additional government agencies, such as the ATO and Centrelink, relying on Cellebrite solutions, then I think it's time for a much more public debate about maintaining the security and integrity of our communications infrastructure as a whole," he said.
Mr Molnar said government agencies already had access to an incredible scope of information, including metadata.
"One wonders whether there's adequate attention being given to already existing powers or other solutions that might be less privacy invasive," Mr Molnar said.
The Department of Employment said they used Cellebrite technology to determine whether fraud has been committed against the government.
"We cannot comment on specific investigations," an Employment Department spokesperson said.
The ATO confirmed they have access to the technology but wouldn't comment on why they used it.
The Australian Securities and Investment Commission said they use UFED to copy smart phones obtained under warrant, produced voluntarily or given in response to a notice from ASIC.
"The kits are mobile and can be taken to warrant or forthwith notice sites for use on location, or used within ASIC offices," an ASIC spokesperson said.
Commonwealth Attorney-General George Brandis is looking to develop laws to allow device makers, internet-service providers and social media companies to voluntarily hand over user data to law enforcement.