Introduction
In recent discussions at Senate estimates, it was revealed that Services Australia, the administrator of Centrelink, has been sharing smartphone-hacking technology, specifically Cellebrite’s Universal Forensic Extraction Device, with the Department of Education and other undisclosed agencies. This move aims to assist in the investigation of suspected fraud committed against various government schemes and subsidies. While Services Australia insists the technology is only used for serious non-compliance investigations, not general customer compliance issues, concerns have been raised about privacy, data retention, and adherence to international agreements on spyware proliferation.
The Context and Purpose of Sharing Password-Crackers
Services Australia has justified the sharing of Cellebrite’s technology with the Department of Education and other agencies by highlighting the need to combat financial offences committed against the Commonwealth. Criminals defrauding multiple agencies’ schemes and subsidies often use complex tactics, making it crucial for government departments to collaborate and share resources in investigations. By using Cellebrite’s Universal Forensic Extraction Device, Services Australia aims to extract digital evidence from suspects’ smartphones to help fraudsters prosecute.
Department of Education’s Utilisation of Cellebrite
The Department of Education confirmed it has employed Services Australia’s digital forensics capabilities, including Cellebrite, for higher-end fraud and investigations. One specific example was the extraction of information from the phones of suspected individuals involved in childcare subsidy fraud. The data obtained can be used as evidence in legal proceedings, potentially revealing instances of collusion between parents and educators engaged in fraudulent schemes. However, the Department clarified that it had only utilised Cellebrite three times since 2018, suggesting its use is limited to specific cases, rather than a routine investigative tool.
Questions on Usage and Compliance
During the Senate estimates, Services Australia faced questions regarding the frequency of Cellebrite’s use, and the agencies granted access to this technology. Senator Janet Rice inquired whether Services Australia’s use of Cellebrite aligns with the joint statement signed by Australia, the UK, the US, and other countries, emphasising the need for stricter controls against commercial spyware proliferation. Services Australia’s deputy CEO, Chris Birner, rejected the notion, considering Cellebrite a legitimate investigation and law enforcement tool, rather than commercial spyware.
Differentiating Serious Non-Compliance and General Customer Compliance
To address concerns about the scope of Cellebrite’s application, Birner clarified the distinction between “serious non-compliance” and “general customer compliance issues.” He explained that Cellebrite is utilised solely in investigations classified as criminal, falling under the threshold for referral to the Commonwealth Director of Public Prosecution (CDPP). General customer compliance issues, however, pertain to eligibility and payment accuracy based on an individual’s circumstances. This delineation aims to ensure that Cellebrite is not used for routine compliance matters, but reserved for cases of significant non-compliance.
Data Retention and Further Usage
Senator Rice raised concerns about data retention after the conclusion of Services Australia’s investigations. She questioned whether Services Australia retains access to the data and if it is subsequently utilised for other compliance activities. While Birner stated it would depend on the particular evidence and circumstances, he committed to providing a more detailed response later. This issue raises important considerations regarding the privacy of individuals involved in investigations and the potential long-term use of their data beyond the initial purpose.
Transparency and Contracts with Cellebrite
Investigative journalist Anthony Lowenstein highlighted the existence of 128 contracts between Cellebrite and various Australian government agencies since 2011. This observation raises questions about the transparency surrounding the procurement and usage of Cellebrite’s technology. The publication of these contracts on AusTender provides insight into the extent of government reliance on Cellebrite’s solutions, and warrants further examination of the associated agreements and protocols.
Conclusion
The sharing of Cellebrite’s Universal Forensic Extraction Device between Services Australia and the Department of Education for fraud investigations raises important considerations about privacy, data retention, and compliance with international agreements. While Services Australia emphasises the targeted use of this technology for serious non-compliance investigations, concerns persist about its potential application beyond the intended scope. Transparency regarding the procurement and usage of such tools is crucial to maintain public trust and ensure the protection of individuals’ privacy. Further discussions and assessments are necessary to strike a balance between effective fraud detection and the safeguarding of civil liberties.
