From: David Vaile
To: Chris Cowper
Subject: Re: PIA - Draft Code of Practice - Chemicals of Security Concern
Date: Thu, 23 May 2013 09:42:43 +0000

IIS Partners

Hi Chris,

Re: Draft Code of Practice - Chemicals of Security Concern

The APF is concerned about the justification of the sort of costs and privacy intrusions proposed, given the apparent lack of incidence of a hazard, and the likely ineffectiveness of a sloppy system as proposed to reliably address what would be extremely rare events among millions of transactions.

APF raises the question about whether the Code proposed a mechanism that is at its core so lax and potentially arbitrary in its application by untrained staff as to throw doubt on whether, if there is indeed a rare but extremely serious risk, it would be picked up. In this sense, if it is so sloppy that it is likely things would inevitably fall through, it raises the prospect that the scheme would offer a false sense of security.

Doing this is a tempting thing for a politician; Senator Conroy once famously was reported as saying to a certain industry body head that it did not matter whether certain technical measures actually worked, they had the political benefit of making people feel safer because they thought something was being done.

The problem is that if the risk is real, then this false sense of security in a sloppy/leaky system is potentially dangerous, as well as misleading. A more robust, reliable, expensive, training- and checking-intensive system would be needed. This would pose even more burdens on staff and purchasers, so it would really need to be warranted by the sort of solid evidence of real risk that seems unlikely.

If, alternatively, the risk is not high and real and based on solid evidence, merely a remote possibility conflated into a speculative risk that then cannot be ignored (in a hyperventilated world where events in other places are construed as if manifested here, so even a very remote risk is not able to be dealt with maturely), then it is just theatre. You'd have a substantial program set up, with untrained people being asked to cast suspicion on everyone they deal with as if suspects, collecting and storing data sets on people in a model inviting suspicion of the worst motives, apparently stored and handled by an industry, and using tools, not set up to deal with high value honey pots of 'hot' data like this.

If there is credible quantitative evidence of risk, it would be interesting to examine, in terms of assumptions, numbers and conclusions drawn.

I suspect the reality may be somewhere in the middle: the evidence of risk is not substantial enough to justify a fully effective, resourced system, but there is political pressure to be seen to be "doing something". This would suggest to me, if this was a fair assessment of the evidence base and motives, a form of deceptive policy failure, one justifying imposing a cost on business and the community, threat of misidentification or prejudice on individuals, and an erosion of privacy, only by discounting the importance and value of these matters, or inflating the significance of a vanishingly remote risk.

Anyway, if there is any evidence of a serious risk (measured in say actually observed incidents of the type under concern per million), I would be interested to see it. If it was persuasive, it might change this response, but if it was marginal or speculative then they would stand.

The other matter was that the Code apparently assumes a fixed list of predictable chemicals of concern, while the observable reported behaviour and MO of actual terrorists seems to be to constantly adapt and change methods, tactics and tools. A slow, loose, weak surveillance program based on voluntary, untrained compliance around a partly uncertain list of traditional chemicals is the sort of solution which would be easily bypassed by serious and creative malefactors using novel methods. The real terrorists we see often have these characteristics.

If concern is only with "weapons of mass destruction"-type explosive chemicals, that may represent fighting the last battle, not the next: see for instance the appalling apparent terror attack today in London, apparently done by "lone wolves" using a variety of domestic and garden implements as well as firearms, switching targets from mass killings or injuries to individual physical attacks of soldiers on home soil. While with a lower death rate than past attacks, it appears the intent of causing widespread terror and fear (and widespread murderous reprisals and racial attacks) may have been achieved by this radically simpler and more personally brutal approach.

If the target of this Code is abuse of chemicals by potential terrorists, as it appears to be, then the constant mutation of tactics by real terrorists in other locations should (to the extent that risk profiling is done on the basis of actual attacks in other places, rather than apparently non-existent attacks in AU) cause a re-think about the extent and scope of the possibly relevant chemicals, since there are many more ways to kill and injure with chemicals than with traditional explosives.

Extension of the list of dangerous chemicals of concern on this basis would either prompt a much wider surveillance program, or a rethink about its practical capacity to address the likely risks from ALL potentially concerning chemicals.
Failure to extend the list might suggest an even lower likelihood of effective detection of any real incident than if it could still be assumed that the only chemicals to worry about are the explosive precursors.

My purpose in thinking through the risk assessment process is based on the idea that only an effective program against real risks could justify the sorts of expenses, risks and intrusions created here. An ineffective risk mitigation program, or one not directed at real risks, could not justify those substantial costs, risks and intrusions. Even if justified (if for example one side of the scales of balance was either realistically or artificially re-weighted), then the potentially serious hazards represented by untrained staff, insecure systems and non-obvious means of redress should be addressed.

Regards,

David Vaile
As Chair, Australian Privacy Foundation