Details of FY21/22 Cybercrime reports
Dear Australian Federal Police,
The website "https://www.cyber.gov.au/acsc/report" permits Australians to report cybercrime directly to you with a button labelled "Report a cybercrime to the police".
In addition to police, ACSC (run by defence, and immune to FoI requests) produces diminishingly useful annual reports from this data, and as of this week, refuses to release any additional information regarding Australian cyber crime to citizens like myself when (as I did) we ask.
Accordingly, as I've exhausted my other options, I request the details of cybercrime reports submitted to "Police" between and including July 2021 to June 2022 for the purposes of "analysing cybercrime data" with the aim of
preventing this criminal activity through political consultation (educating elected representatives to the losses being suffered by their constituants, and proposing effective legislation to curb losses to these crimes).
I note that the policy under which this data was collected ( https://www.cyber.gov.au/acsc/privacy ) permits disclosure of this data, and I'm willing to amend this FoI request as you deem necessary to help ease any disclosure concerns (e.g. make my request through my organisation with its own privacy policy).
I prefer as much detail as possible, but at a minimum I'm seeking at least enough to identify victim electorates, victim types, crime types, and as much information about losses as possible. Loss data is being withheld in ACSC reports this year, which is the cause of my concern and this request, since a former AFP cyber officer (Nigel Phair) projected losses to be in the order of $42bn ( https://www.unsw.adfa.edu.au/newsroom/ne... ), up from the reported $33bn in FY20/21. It is wholly within the interests of the Australian public to understand what our cyber losses are (nobody can effectively address the problem, when it's scale is being covered up), and to draw attention to the ACSC decision to stop reporting it, and refusal to disclose it when asked!
I respectfully request you keep in mind your public AFP policy when considering my request (from your website): "the objective that information held by government is a national resource to be managed for public purposes." and please work to help provide access to this information, instead of try your hardest to prevent it (I'm sorry I have to ask, but this is not my first FoI, and FoI culture in most other government departments has proven so-far to be one absolutely dedicated to refusing requests - I hope the AFP is not another!)
Yours faithfully,
C Drake
Dear Australian Federal Police,
This is a reminder that you appear to have overlooked my Freedom of Information request within the legal time limit. Please promptly confirm receipt of my request, and please commence processing it without further delay.
A copy of my request is below.:
Yours faithfully,
C Drake.
Dear Australian Federal Police,
The website "https://www.cyber.gov.au/acsc/report" permits Australians to report cybercrime directly to you with a button labelled "Report a cybercrime to the police".
In addition to police, ACSC (run by defence, and immune to FoI requests) produces diminishingly useful annual reports from this data, and as of this week, refuses to release any additional information regarding Australian cyber crime to citizens like myself when (as I did) we ask.
Accordingly, as I've exhausted my other options, I request the details of cybercrime reports submitted to "Police" between and including July 2021 to June 2022 for the purposes of "analysing cybercrime data" with the aim of preventing this criminal activity through political consultation (educating elected representatives to the losses being suffered by their constituents, and proposing effective legislation to curb losses to these crimes).
I note that the policy under which this data was collected ( https://www.cyber.gov.au/acsc/privacy ) permits disclosure of this data, and I'm willing to amend this FoI request as you deem necessary to help ease any disclosure concerns (e.g. make my request through my organisation with its own privacy policy).
I prefer as much detail as possible, but at a minimum I'm seeking at least enough to identify victim electorates, victim types, crime types, and as much information about losses as possible. Loss data is being withheld in ACSC reports this year, which is the cause of my concern and this request, since a former AFP cyber officer (Nigel Phair) projected losses to be in the order of $42bn ( https://www.unsw.adfa.edu.au/newsroom/ne... ), up from the reported $33bn in FY20/21. It is wholly within the interests of the Australian public to understand what our cyber losses are (nobody can effectively address the problem, when it's scale is being covered up), and to draw attention to the ACSC decision to stop reporting it, and refusal to disclose it when asked!
I respectfully request you keep in mind your public AFP policy when considering my request (from your website): "the objective that information held by government is a national resource to be managed for public purposes." and please work to help provide access to this information, instead of try your hardest to prevent it (I'm sorry I have to ask, but this is not my first FoI, and FoI culture in most other government departments has proven so-far to be one absolutely dedicated to refusing requests - I hope the AFP is not another!)
Yours faithfully,
C Drake
OFFICIAL
Dear C Drake
I apologise for the delay in responding to your below email regarding Cybercrime reports.
The AFP does not possess all reports to Police for the 2012-2022 Financial Year. Report Cyber is operated by the Australian Cyber Security Centre with individual reports being referred to the relevant State and Territory law enforcement agencies. The AFP are not in possession of all Report Cyber data to assist in responding to this request.
The AFP could respond to the FOI detailing statistics of matters referred to the AFP by the Report Cyber system.
Based on the above, could you please advise how you would like to proceed? If a response is not provided by Friday, 16 December 2022, we will proceed to process your request on the basis of the statistics referred to the AFP.
Please contact this office if you have any questions.
Kind regards
AFP 24826
Writing to you from Ngunnawal Country
SENIOR TEAM MEMBER
FOI & PRIVACY
CHIEF COUNSEL PORTFOLIO
www.afp.gov.au
Hi,
Thanks for your informative reply. I note you wrote "2012-2022" which I assume is a typo? - I'm after the 21/22 financial year data only.
I'm confused by your line "he AFP does not possess all reports". What reports *do* you possess?, and over what timeframe?
You mentioned "statistics of matters" - could you let me know what kind of information is captured in these statics? e.g. if it's a database, what fields are available?
Do you know if those "statistics of matters" would be sufficient to accurately calculate reported loss values broken down by Australian electoral boundaries (or at least by postcode) ?
Assuming the above answer is "no":
The reporting system begins by clearly and specifically stating that it provides a receipt which is "proof that a report has been submitted to police". It also claims to be governed by a privacy policy, which reiterates the fact that the police are receiving this information, and sets out the purposes for which this collecting is being made, one being "analysing cybercrime data", which is the substance of this - my request.
Since the public who have submitted reports to your agency have been told, and rightfully expect, that police have collected this data as advertised, and they have consented to it being used for "analysing cybercrime data", please could you reach out to wherever those reports have ended up, and acquire them, for the purposes of fulfilling my request (and honoring your promise to all users who submitted reports on the website!). "Cybercrime is a key focus for the AFP" (as your website states) so I have no doubt that the ACSC will be happy to let you have this information, not least because they've already promised to all report receipt-holders that you will get it!
It's worth pointing out the purpose our "Freedom of Information" law (which you, but not the ACSC is subject to), because I'm drafting proposed new laws to better protect all Australians against cyber crimes, and the data captured in these crime reports is essential to my case: The FoI Act exists to facilitate and promote prompt public access to information, and clearly outlines that information held by you (part of our government) "is to be managed for public purposes, and is a national resource." and that FoI applicants have "right of access" to this information.
For what it's worth - I'm not "stupid" - it's reasonably clear "between the lines" here that, despite the promises, police are not in fact getting all these reports, so while I could say that I'll make identical requests to every state and territory police around Australia to obtain the complete list of reports - we both know that they, like you, won't have them either - so please try to honor the intent of the FoI act and help find me a way to produce my per-electorate report. I need "at least enough detail to identify victim electorates, victim types, crime types, and as much information about losses as possible", for the 2021-2022 Financial Year.
Yours sincerely,
C Drake
OFFICIAL
Dear C Drake
I refer to your below email.
The purpose of the FOI Act is to seek documents, it is not a mechanism to obtain information through asking questions.
Based on your below email, the AFP will process your request on statistics of matters referred to the AFP by the Report Cyber system.
Kind regards
AFP 24826
Writing to you from Ngunnawal Country
SENIOR TEAM MEMBER
FOI & PRIVACY
CHIEF COUNSEL PORTFOLIO
www.afp.gov.au
OFFICIAL
Dear Mr Drake
We refer to your request dated 10 November 2022, seeking access to
documents under the Freedom of Information Act 1982 (the Act) as follows:
“Statistics of matters referred to the AFP by the Report
Cyber system in regards to financial losses for the 2021-2022 financial
year.”
Timeframe
Your request was received by the Australian Federal Police (AFP) on 10
November 2022, and the 30 day statutory period for processing your request
commenced from that date. The due date for your request was 10 December
2022.
I apologise for the delay in providing a decision to you regarding your
request, however your request is being processed as a priority.
Information irrelevant to the scope of your request
The AFP, in its management of FOI requests, excludes the following
information on the basis that is irrelevant to the scope of a request:
· duplicate documents, including duplicate emails (the AFP will only
provide emails where they form a final email chain and the
authors/recipients are contained within the final email); and
· information that is publicly available, for example, newspaper
articles, online publications including information available on the AFP
Information Publication Scheme and the AFP disclosure log.
Should you have any further questions at this time, please do not hesitate
to contact our office.
Kind regards
AFP 24826
Writing to you from Ngunnawal Country
SENIOR TEAM MEMBER
FOI & PRIVACY
CHIEF COUNSEL PORTFOLIO
Dear Mr/Ms AFP 24826,
Your comments about our FoI act are incorrect. I recommend you review the "Objects" section of the act itself, which can be found here: https://www.legislation.gov.au/Details/C...
In particular, the FoI grants me the right to access any government information of any kind, not just documents, over all departments the act applies to, which includes yours. Please see the extensive definition of what "document" includes in the act above to ensure you understand the scope of my rights to access your departments' information. To summarize the definition of the act - it says "document includes: any of, or any part of, any record of information"
I stated my purpose for requesting access in my original request - again - see the act itself, Part I section 3.2(a) and 3.2(b).
I do understand that the Cyber website appears to be actively misleading victims by making aparently false claims and providing fake receipts as "proof" that the information I seek has been reported to your department, when in reality, they are not reporting all this to your department. Since these claims have been made along with the evidence claiming that your department has received these reports (labelled as "proof") being supplied to victims who filed reports, I rightfully expect that your department actually reach out and get these reports which should have been submitted to you, for (at least!) the purposes of fulfilling my request and honoring your abundant website promises that "Police" (you) are getting these reports.
Please phone me on 0487 543210 if you need my help in any way to make this easier for you.
Please note that I always seek internal review of all FoI refusals I get, and I always escalate all the way to OAIC as well as Department heads and ministers. I never ask for anything I believe is unreasonable or exempt, so it's always unreasonable to deny my requests.
Yours sincerely,
C Drake
OFFICIAL
Dear C Drake
I have been liaising internally with relevant members in regards to your request.
A member has offered to give you a call to discuss the scope of your request. If you are agreeable to this, could you please provide your best contact number to forward on to the member.
Kind regards
AFP 24826
Writing to you from Ngunnawal Country
SENIOR TEAM MEMBER
FOI & PRIVACY
CHIEF COUNSEL PORTFOLIO
www.afp.gov.au
OFFICIAL
Dear C Drake
Please find attached correspondence in relation to your FOI request, LEX
1201.
Kind regards
AFP 24826
Writing to you from Ngunnawal Country
FOI & PRIVACY
CHIEF COUNSEL PORTFOLIO
[1]www.afp.gov.au
[2]Australian Federal Police
From: FOI <[email address]>
Sent: Wednesday, 18 January 2023 7:28 PM
To: C Drake <[FOI #9548 email]>
Cc: FOI <[email address]>
Subject: FOI Request LEX 1201 - Acknowledgement of Request [SEC=OFFICIAL]
[AFP-L.FID79340]
OFFICIAL
Dear Mr Drake
We refer to your request dated 10 November 2022, seeking access to
documents under the Freedom of Information Act 1982 (the Act) as follows:
“Statistics of matters referred to the AFP by the Report
Cyber system in regards to financial losses for the 2021-2022 financial
year.”
Timeframe
Your request was received by the Australian Federal Police (AFP) on 10
November 2022, and the 30 day statutory period for processing your request
commenced from that date. The due date for your request was 10 December
2022.
I apologise for the delay in providing a decision to you regarding your
request, however your request is being processed as a priority.
Information irrelevant to the scope of your request
The AFP, in its management of FOI requests, excludes the following
information on the basis that is irrelevant to the scope of a request:
· duplicate documents, including duplicate emails (the AFP will only
provide emails where they form a final email chain and the
authors/recipients are contained within the final email); and
· information that is publicly available, for example, newspaper
articles, online publications including information available on the AFP
Information Publication Scheme and the AFP disclosure log.
Should you have any further questions at this time, please do not hesitate
to contact our office.
Kind regards
AFP 24826
Writing to you from Ngunnawal Country
SENIOR TEAM MEMBER
FOI & PRIVACY
CHIEF COUNSEL PORTFOLIO
[3]www.afp.gov.au
Hi Matt,
I'm obviously disappointed that you found a reason to prevent me getting any information at all, (plus never phoned me, after asking for my number!) especially as you already know that the ACSC themselves also refused.
I know it's embarrassing how extreme this crime is, and how little any police (or government or anyone) in Australia are doing about it (every year, 76,000 crimes but only 7 prosecutions on average!), but coving up the extent of these losses by denying us access to our own report statistics is clearly just *exacerbating* the problem.
I'm finding it crushingly difficult to get ANYONE to care or do anything effective whatsoever about cyber crime in Australia, and your response simply continues to confirm this problem. In fact - it's a direct slap-in-the-face to every victim who wasted their time filling in a report, which clearly and specifically told them that their report would be used precisely for the purpose I requested this data - but in reality, you're literally trying as hard as you can to prevent anyone solving this problem.
Would you please get me as much data as you can. I'm happy to receive it OUTSIDE of the FoI system if that make it easier (you have my phone number, plus I have defence security clearance, and it's not classified material anyhow). Keep in mind that a written *contractual commitment* has been made to every one of those 76,000 victims that their data would be used for the purpose I'm requesting it. If you're wondering about the outcome - my draft bill, which I'm needing statistics for MP electorates to gather their support, is here: http://chrisdrake.com/for_gai/Social_Res...
Thanks in advance if you can find any way to help me and all those victims. Fun fact - this year, our losses to cybercrime are going to exceed out entire countries defence budget. It's up to you to decide how proud you want to be of that: part of the cause of that loss, or finding ways to work with activists like myself to actually curb it.
Yours sincerely,
C Drake
OFFICIAL
Dear C Drake
Thank you for your email.
I apologise for the overlap in our correspondence in regards to contacting
you to discuss the scope of your request.
We have explored the possibility of releasing this information to you
administratively, and spoken to both AFP Cyber Command and the Australian
Signals Directorate. Ultimately, it is ASD’s information, and the AFP will
not administratively release another agency’s information.
Kind regards
Matt
Hi Matt,
I've not heard from AFP or ASD - what was the outcome of trying to get me some information?
Could you use the fact that the information is NOT "another agency's information", because the information itself came from and belongs to the public who provided it, and they (we) provided that information into a website which clearly and specifically said that this information was being submitted to you (police, not to defence)?
Just because it passed through the hands of someone else on its way to you, doesn't make it their information of course!
I also am becoming *seriously* concerned about the stonewalling that is going on here? The hundreds of thousands of crime victims who took their time to provide their information to "police", did so on the understanding that the information they provided would be used for the purposes disclosed on the website they typed it in to: which is EXACTLY the purpose I'm requesting it for now.
In case you're not aware about the significance of my request: the scale of this loss to the Australian public is about $42bn annually, and at the rate it's increasing (15% YoY) it's going to EXCEED our entire defence budget in the next 12 months. Next time your kids, parents, friends, or colleagues get taken in by fake facebook ads, ripped off by fake ebay listings, hit with crypto or investment scams, infected by banking malware, pay counterfeit invoices, or any of the thousands of other ways that $42bn floods out of our economy: please be reminded of now - this request of mine - needing the raw information about the per-electorate impact of these crimes to convince the politicians in a position to solve this problem, to take the action they need to cure it
I look forward to any kind of help you can provide!
Yours sincerely,
C Drake
Phone: 0487 543210