Gamma International's FinFisher
Dear Australian Federal Police,
I request access to any document that shows how much it cost the Australian Federal Police to use Gamma International's Finfisher in the years 2011, 2012, 2013 or 2014.
Yours faithfully,
Mark R. Diamond
Thank you for your email.
Please note that this is an automated response to confirm that your email was sent to the Australian Federal Police Freedom of Information (FOI) inbox.
This FOI inbox is monitored between 8am and 4pm Monday to Friday, excluding public holidays and the period from 27-31 December.
If you wish to lodge a request for access to documents under the Freedom of Information Act 1982 (FOI Act), please ensure that your request is in writing, states that it is an application for the purposes of the FOI Act and provides sufficient detail describing the documents you wish to access.
If you are requesting personal information about yourself then please ensure you enclose a copy of your photographic identification.
Further details on how to make a valid FOI request can be found on the Australian Federal Police’s website at: http://www.afp.gov.au/about-the-afp/foi-...
The Australian Federal Police will acknowledge your request in accordance with the legislative requirements of the Act.
The FOI Team can be contacted on 02 6131 6131
**********************************************************************
WARNING
This email message and any attached files may contain information
that is confidential and subject of legal privilege intended only for
use by the individual or entity to whom they are addressed. If you
are not the intended recipient or the person responsible for
delivering the message to the intended recipient be advised that you
have received this message in error and that any use, copying,
circulation, forwarding, printing or publication of this message or
attached files is strictly forbidden, as is the disclosure of the
information contained therein. If you have received this message in
error, please notify the sender immediately and delete it from your
inbox.
AFP Web site: http://www.afp.gov.au
**********************************************************************
UNCLASSIFIED
Good Morning Mr Diamond,
Your Freedom of Information Request re: Gamma International's FinFisher
I refer to your application of 5 January 2016 in which you seek access to
documents under the Freedom of Information Act 1982 (the Act) as follows:
I request access to any document that shows how much it cost the
Australian Federal Police to use Gamma International's Finfisher in the
years 2011, 2012, 2013 or 2014.
Information considered irrelevant to the scope of your request
The AFP, in its management of FOI requests, excludes the following
information on the basis that is irrelevant to the scope of a request:
- Names of AFP members, other than the Senior Executive.
- Direct telephone numbers, signatures and mobile telephone numbers
of AFP members.
- Duplicate documents, including duplicate emails. The AFP will only
provide emails where they form a final email chain and the
authors/recipients are contained within the final email.
- Information that is publicly available, for example, newspaper
articles, online publications including information available on the AFP
Information Publication Scheme and the AFP disclosure log.
If you object to the AFP excluding any of the above information, please
advise this office within seven days of receipt of this letter.
Your request was received by this agency on 5 January 2017 and the 30 day
statutory period for processing your request commenced from that date.
You will be notified of any charges in accordance with the Freedom of
Information (Fees and Charges) Regulations, should they apply, in relation
to your request as soon as practicable.
Disclosure Log
Please be advised that in accordance with section 11C of the Act, an
agency is required to publish information on their website following the
notification of a decision in respect of a freedom of information
request.
The requirement to publish information released under FOI reinforces the
objectives of the FOI Act to promote a pro-disclosure culture across
government and to increase recognition that information held by government
is a national resource. Exceptions to the requirement to publish
information would apply to personal information and information concerning
the business affairs of a person if it was considered ‘unreasonable’ to do
so. Details of the decision may be published in a Disclosure Log which
can be found at
[1]https://www.afp.gov.au/about-us/informat....
Publication will be made in accordance with timeframes stipulated in
section 11C of the Act.
If, however, after noting the above, you wish to raise any concerns about
the publication of information concerning your request prior to the
notification of a decision, please advise this office in writing before 4
February 2017. If you do not raise any concerns prior to the date of the
decision, the AFP will publish the information as notified to you in the
decision.
Yours sincerely
AFP22486
FREEDOM OF INFORMATION
CHIEF COUNSEL PORTFOLIO
Tel +61(0) 2 6131 6131
[2]www.afp.gov.au
UNCLASSIFIED
**********************************************************************
WARNING
This email message and any attached files may contain information
that is confidential and subject of legal privilege intended only for
use by the individual or entity to whom they are addressed. If you
are not the intended recipient or the person responsible for
delivering the message to the intended recipient be advised that you
have received this message in error and that any use, copying,
circulation, forwarding, printing or publication of this message or
attached files is strictly forbidden, as is the disclosure of the
information contained therein. If you have received this message in
error, please notify the sender immediately and delete it from your
inbox.
AFP Web site: http://www.afp.gov.au
**********************************************************************
References
Visible links
1. https://www.afp.gov.au/about-us/informat...
2. http://www.afp.gov.au/
UNCLASSIFIED
Good morning Mr Diamond
Please find attached the AFP’s decision in relation to your Freedom of
Information request.
Kind regards
FREEDOM OF INFORMATION
CHIEF COUNSEL PORTFOLIO
Tel +61(0) 2 61316131
[1]www.afp.gov.au
UNCLASSIFIED
**********************************************************************
WARNING
This email message and any attached files may contain information
that is confidential and subject of legal privilege intended only for
use by the individual or entity to whom they are addressed. If you
are not the intended recipient or the person responsible for
delivering the message to the intended recipient be advised that you
have received this message in error and that any use, copying,
circulation, forwarding, printing or publication of this message or
attached files is strictly forbidden, as is the disclosure of the
information contained therein. If you have received this message in
error, please notify the sender immediately and delete it from your
inbox.
AFP Web site: http://www.afp.gov.au
**********************************************************************
References
Visible links
1. http://www.afp.gov.au/
Australian Federal Police
GPO Box 401
Canberra City ACT 2601
Dear FOI Contact Officer,
Re: Your reference CRM 2017/295 . Request for internal review
-------------------------------------------------------------
1. I refer to the decision letter dated 13 January 2017 (received, 16 January 2017) from Mr Adam Raszewski refusing my recent FOI request for documents relating to software known as FinFisher (also known as FinSpy) and produced by Gamma International. Mr Raszewski's access refusal decision was on the basis of s 25 of the Freedom of Information Act; in particular, Mr Raszewski says that, if the document that I requested were to exist, it would be an exempt document in virtue of s 33 or s 37(1) of the Act. I disagree with that assessment and request an internal review of the access refusal decision.
2. Assuming the existence of the document(s) I requested, it will be apparent that, following the application of s 22(2) of the Act, the only information that would remain in the document(s) would be a list of dates together with the corresponding cost to the AFP at each date for the use of Gamma International's FinFisher software.
3. Consequently, the only two matters that would be disclosed by the document are: (a) the cost, at each date, to the AFP of using FinFisher, and (b) the fact of the use of FinFisher by the AFP.
4. It is difficult to imagine that a reasonable person would view the disclosure of the costs, per se, of using FinFisher as being matter that was exempt under s 33 or s 37(1). Whether the AFP spent $1 or $10 million per annum on licences for FinFisher, is unlikely to be a national security, defence, or international relations issue. Nor is disclosure of the costs likely to have any of the effects described in ss 37(1)(a), 37(1)(b) or 37(1)(c). For these reasons, in the paragraphs that follow I consider only whether matter that disclosed (and, particularly, confirmed or denied) the fact of the AFP's use of FinFisher would be exempt under either s 33 or s 37(1).
Background facts
------------------
5. FinFisher (https://en.wikipedia.org/wiki/FinFisher ) is a surveillance software trojan (https://en.wikipedia.org/wiki/Trojan_hor... ) produced by Gamma International (https://en.wikipedia.org/wiki/Gamma_Group ).
6. Because employees of Gamma International were better at producing malware than they were at securing their own computer system, it was possible for a hacker to access to Gamma International's IT infrastructure (http://www.zdnet.com/article/top-govt-sp... ), ironically in much the same way that Gamma International themselves hack into systems. The hacker was able to download around 40 gigabytes of Gamma International's information. That information was subsequently widely published on the internet and archived for permanent public access on WikiLeaks (https://www.wikileaks.org ). Amongst other things, the publicly available documents show that Australian police forces, including the New South Wales Police Force, have purchased and used FinFisher.
National security exemptions
-----------------------------
7. I should clarify the terminology that I use in the paragraphs below. To avoid unnecessary repetition, I use "would", as in "would cause such and such effect" to mean "would, or could reasonably be expected to cause such and such effect" and similar words for the corresponding negative case.
8. I submit that disclosure of the fact of the AFP's use, or non-use, of FinFisher would not have any national security effect. It certainly would not result in the effects described in ss 33(a)(i) or 33(a)(iii). Nor, given that Gamma International does not act on behalf of a foreign government and is not an international organization, would disclosure have the effect described in s 33(b). That leaves only the possible application of 33(a)(ii). For reasons similar to those given below, I submit that disclosure would not be exempt under s 33(a)(ii) because it would not affect the defence of the Commonwealth.
Other possible, unclaimed ground for exemption
------------------------------------------------
9. Before proceeding to s 37, it is worth commenting that if the requested document were exempt, which I dispute, the only obvious exemption might be under s 37(2)(b). Section 37(2)(b) provides that "A document is an exempt document if its disclosure under this Act would, or could reasonably be expected to: ... (b) disclose lawful methods or procedures for preventing, detecting, investigating, or dealing with matters arising out of, breaches or evasions of the law the disclosure of which would, or would be reasonably likely to, prejudice the effectiveness of those methods or procedures".
10. One can imagine that a document that revealed the details or existence of a hitherto undisclosed method of enforcing the law might be exempt under s 37(2). A case in point arose with the recent arrest of a person in connexion with the "Claremont murders" in Western Australia. In reports of the arrest, it was revealed that DNA obtained from an evidentiary object provided a "relative match" to a person on the police database. That is, it was revealed that although the then-unknown perpetrator had not previously been arrested, a relative of that person had been, and the DNA of that relative then dramatically influenced the line of investigation. The use of "relative matching" had not previously been widely reported in Australia and the inadvertent disclosure of its use might now prejudice the future effectiveness of the procedure. Simple DNA matching and fingerprint matching require that corresponding samples be available from a suspect before a match can be made, but relative DNA matching vastly enlarges the threat-surface for a criminal and as its use becomes more widely known, criminals might become even more wary about leaving any DNA at a crime scene lest the DNA of a close relative ever comes to the attention of the police.
11. Nonetheless, despite the remote possibility of its application to the document I seek, exemption under s 37(2) cannot give rise to a s 25 notice of the kind issued to me by Mr Raszewski. Moreover, I suggest that disclosure of the AFP's use of FinFisher would not, in any case, be exempt under s 37(2) because the nature of trojan surveillance software, and even its use by Australian law enforcement agencies, has been known for many years (http://krebsonsecurity.com/2011/11/apple... , http://www.spy-emergency.com/research/ma... )
Exemption under 37(1)
-----------------------
12. Disclosure of the fact of use by the AFP of the FinFisher trojan surveillance malware would obviously not either "disclose, or enable a person to ascertain, the existence or identity of a confidential source of information, or the non-existence of a confidential source of information, in relation to the enforcement or administration of the law" -- s 37(1)(b), nor "endanger the life or physical safety of any person" -- s 37(1)(c), so we can disregard those subsections.
13. That leaves only the question of whether disclosure of the document I seek would "prejudice the conduct of an investigation of a breach, or possible breach, of the law, or a failure, or possible failure, to comply with a law relating to taxation or prejudice the enforcement or proper administration of the law in a particular instance" -- s 37(1)(a).
14. Again, it is difficult to see how this could be the case. The document I seek would contain no information about any particular investigation nor about any particular instance of any of the matters referred to in 37(1)(a). Further, as I've already pointed out, the use of trojan surveillance malware by law enforcement agencies worldwide is well documented and there would be nothing about disclosure of the use of FinFisher (in particular) by the AFP (in particular) that could have any foreseeable effect that has not already been caused by the broad publicity already given to so-called "government spyware".
15. In addition to the points made above regarding exemptions under s 33 or s 37(1), there is one final point I would like to make. I recently made two FOI request for information regarding the cost to the AFP of using "offensive security" software produced by the Italian company known as "Hacking Team" (your references CRM 2017/296 and CRM 2017/329; see https://www.righttoknow.org.au/request/h... and https://www.righttoknow.org.au/request/h... ). . Conceptually, those two requests are exactly the same as my request for information regarding FinFisher. All three requests relate to "government spyware" that is reportedly used by law-enforcement agencies around the world. I submit that your direct refusal on the grounds of s 24A(b)(ii) of my two requests regarding Hacking Team's RCS (effectively denying the existence of the requested documents) is itself evidence that there is no ground for refusing either to confirm or deny the existence of parallel documents relating to FinFisher.
Request
--------
16. I ask that you make a new decision granting me access to the document(s) I requested.
A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.righttoknow.org.au/request/g...
Yours faithfully,
Mark R. Diamond
Thank you for your email.
Please note that this is an automated response to confirm that your email was sent to the Australian Federal Police Freedom of Information (FOI) inbox.
This FOI inbox is monitored between 8am and 4pm Monday to Friday, excluding public holidays and the period from 27-31 December.
If you wish to lodge a request for access to documents under the Freedom of Information Act 1982 (FOI Act), please ensure that your request is in writing, states that it is an application for the purposes of the FOI Act and provides sufficient detail describing the documents you wish to access.
If you are requesting personal information about yourself then please ensure you enclose a copy of your photographic identification.
Further details on how to make a valid FOI request can be found on the Australian Federal Police’s website at: http://www.afp.gov.au/about-the-afp/foi-...
The Australian Federal Police will acknowledge your request in accordance with the legislative requirements of the Act.
The FOI Team can be contacted on 02 6131 6131
**********************************************************************
WARNING
This email message and any attached files may contain information
that is confidential and subject of legal privilege intended only for
use by the individual or entity to whom they are addressed. If you
are not the intended recipient or the person responsible for
delivering the message to the intended recipient be advised that you
have received this message in error and that any use, copying,
circulation, forwarding, printing or publication of this message or
attached files is strictly forbidden, as is the disclosure of the
information contained therein. If you have received this message in
error, please notify the sender immediately and delete it from your
inbox.
AFP Web site: http://www.afp.gov.au
**********************************************************************
Mark R. Diamond left an annotation ()
As one can see from my previous comment (https://www.righttoknow.org.au/request/g... ), I anticipated that my request would be refused on the grounds of s 25 and that I would then be able to request a review. That is what has happened.
UNCLASSIFIED
Dear Mr Diamond,
I acknowledge receipt of your request on 7 February 2017 for an internal review of a decision under the Freedom of Information Act 1982.
Your application is currently being processed, and the person conducting the internal review will notify you within 30 days after the day on which the application was received by this agency.
Should you require any further assistance please contact this office.
NATHAN SCUDDER
COORDINATOR, FREEDOM OF INFORMATION
CHIEF COUNSEL PORTFOLIO
Tel +61(0) 2 61316131
www.afp.gov.au
-----Original Message-----
From: Mark R. Diamond [mailto:[FOI #2910 email]]
Sent: Tuesday, 7 February 2017 8:27 PM
To: FOI
Subject: Internal review of Freedom of Information request - Gamma International's FinFisher
Australian Federal Police
GPO Box 401
Canberra City ACT 2601
Dear FOI Contact Officer,
Re: Your reference CRM 2017/295 . Request for internal review
-------------------------------------------------------------
1. I refer to the decision letter dated 13 January 2017 (received, 16 January 2017) from Mr Adam Raszewski refusing my recent FOI request for documents relating to software known as FinFisher (also known as FinSpy) and produced by Gamma International. Mr Raszewski's access refusal decision was on the basis of s 25 of the Freedom of Information Act; in particular, Mr Raszewski says that, if the document that I requested were to exist, it would be an exempt document in virtue of s 33 or s 37(1) of the Act. I disagree with that assessment and request an internal review of the access refusal decision.
2. Assuming the existence of the document(s) I requested, it will be apparent that, following the application of s 22(2) of the Act, the only information that would remain in the document(s) would be a list of dates together with the corresponding cost to the AFP at each date for the use of Gamma International's FinFisher software.
3. Consequently, the only two matters that would be disclosed by the document are: (a) the cost, at each date, to the AFP of using FinFisher, and (b) the fact of the use of FinFisher by the AFP.
4. It is difficult to imagine that a reasonable person would view the disclosure of the costs, per se, of using FinFisher as being matter that was exempt under s 33 or s 37(1). Whether the AFP spent $1 or $10 million per annum on licences for FinFisher, is unlikely to be a national security, defence, or international relations issue. Nor is disclosure of the costs likely to have any of the effects described in ss 37(1)(a), 37(1)(b) or 37(1)(c). For these reasons, in the paragraphs that follow I consider only whether matter that disclosed (and, particularly, confirmed or denied) the fact of the AFP's use of FinFisher would be exempt under either s 33 or s 37(1).
Background facts
------------------
5. FinFisher (https://en.wikipedia.org/wiki/FinFisher ) is a surveillance software trojan (https://en.wikipedia.org/wiki/Trojan_hor... ) produced by Gamma International (https://en.wikipedia.org/wiki/Gamma_Group ).
6. Because employees of Gamma International were better at producing malware than they were at securing their own computer system, it was possible for a hacker to access to Gamma International's IT infrastructure (http://www.zdnet.com/article/top-govt-sp... ), ironically in much the same way that Gamma International themselves hack into systems. The hacker was able to download around 40 gigabytes of Gamma International's information. That information was subsequently widely published on the internet and archived for permanent public access on WikiLeaks (https://www.wikileaks.org ). Amongst other things, the publicly available documents show that Australian police forces, including the New South Wales Police Force, have purchased and used FinFisher.
National security exemptions
-----------------------------
7. I should clarify the terminology that I use in the paragraphs below. To avoid unnecessary repetition, I use "would", as in "would cause such and such effect" to mean "would, or could reasonably be expected to cause such and such effect" and similar words for the corresponding negative case.
8. I submit that disclosure of the fact of the AFP's use, or non-use, of FinFisher would not have any national security effect. It certainly would not result in the effects described in ss 33(a)(i) or 33(a)(iii). Nor, given that Gamma International does not act on behalf of a foreign government and is not an international organization, would disclosure have the effect described in s 33(b). That leaves only the possible application of 33(a)(ii). For reasons similar to those given below, I submit that disclosure would not be exempt under s 33(a)(ii) because it would not affect the defence of the Commonwealth.
Other possible, unclaimed ground for exemption
------------------------------------------------
9. Before proceeding to s 37, it is worth commenting that if the requested document were exempt, which I dispute, the only obvious exemption might be under s 37(2)(b). Section 37(2)(b) provides that "A document is an exempt document if its disclosure under this Act would, or could reasonably be expected to: ... (b) disclose lawful methods or procedures for preventing, detecting, investigating, or dealing with matters arising out of, breaches or evasions of the law the disclosure of which would, or would be reasonably likely to, prejudice the effectiveness of those methods or procedures".
10. One can imagine that a document that revealed the details or existence of a hitherto undisclosed method of enforcing the law might be exempt under s 37(2). A case in point arose with the recent arrest of a person in connexion with the "Claremont murders" in Western Australia. In reports of the arrest, it was revealed that DNA obtained from an evidentiary object provided a "relative match" to a person on the police database. That is, it was revealed that although the then-unknown perpetrator had not previously been arrested, a relative of that person had been, and the DNA of that relative then dramatically influenced the line of investigation. The use of "relative matching" had not previously been widely reported in Australia and the inadvertent disclosure of its use might now prejudice the future effectiveness of the procedure. Simple DNA matching and fingerprint matching require that corresponding samples be available from a suspect before a match can be made, but relati ve DNA m atching vastly enlarges the threat-surface for a criminal and as its use becomes more widely known, criminals might become even more wary about leaving any DNA at a crime scene lest the DNA of a close relative ever comes to the attention of the police.
11. Nonetheless, despite the remote possibility of its application to the document I seek, exemption under s 37(2) cannot give rise to a s 25 notice of the kind issued to me by Mr Raszewski. Moreover, I suggest that disclosure of the AFP's use of FinFisher would not, in any case, be exempt under s 37(2) because the nature of trojan surveillance software, and even its use by Australian law enforcement agencies, has been known for many years (http://krebsonsecurity.com/2011/11/apple... , http://www.spy-emergency.com/research/ma... )
Exemption under 37(1)
-----------------------
12. Disclosure of the fact of use by the AFP of the FinFisher trojan surveillance malware would obviously not either "disclose, or enable a person to ascertain, the existence or identity of a confidential source of information, or the non-existence of a confidential source of information, in relation to the enforcement or administration of the law" -- s 37(1)(b), nor "endanger the life or physical safety of any person" -- s 37(1)(c), so we can disregard those subsections.
13. That leaves only the question of whether disclosure of the document I seek would "prejudice the conduct of an investigation of a breach, or possible breach, of the law, or a failure, or possible failure, to comply with a law relating to taxation or prejudice the enforcement or proper administration of the law in a particular instance" -- s 37(1)(a).
14. Again, it is difficult to see how this could be the case. The document I seek would contain no information about any particular investigation nor about any particular instance of any of the matters referred to in 37(1)(a). Further, as I've already pointed out, the use of trojan surveillance malware by law enforcement agencies worldwide is well documented and there would be nothing about disclosure of the use of FinFisher (in particular) by the AFP (in particular) that could have any foreseeable effect that has not already been caused by the broad publicity already given to so-called "government spyware".
15. In addition to the points made above regarding exemptions under s 33 or s 37(1), there is one final point I would like to make. I recently made two FOI request for information regarding the cost to the AFP of using "offensive security" software produced by the Italian company known as "Hacking Team" (your references CRM 2017/296 and CRM 2017/329; see https://www.righttoknow.org.au/request/h... and https://www.righttoknow.org.au/request/h... ). . Conceptually, those two requests are exactly the same as my request for information regarding FinFisher. All three requests relate to "government spyware" that is reportedly used by law-enforcement agencies around the world. I submit that your direct refusal on the grounds of s 24A(b)(ii) of my two requests regarding Hacking Team's RCS (effectively denying the existence of the requested documents) is itself evidence that there is no ground for refusing either to confirm o r deny t he existence of parallel documents relating to FinFisher.
Request
--------
16. I ask that you make a new decision granting me access to the document(s) I requested.
A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.righttoknow.org.au/request/g...
Yours faithfully,
Mark R. Diamond
-------------------------------------------------------------------
Please use this email address for all replies to this request:
[FOI #2910 email]
This request has been made by an individual using Right to Know. This message and any reply that you make will be published on the internet. More information on how Right to Know works can be found at:
https://www.righttoknow.org.au/help/offi...
If you find this service useful as an FOI officer, please ask your web manager to link to us from your organisation's FOI page.
-------------------------------------------------------------------
UNCLASSIFIED
UNCLASSIFIED
**********************************************************************
WARNING
This email message and any attached files may contain information
that is confidential and subject of legal privilege intended only for
use by the individual or entity to whom they are addressed. If you
are not the intended recipient or the person responsible for
delivering the message to the intended recipient be advised that you
have received this message in error and that any use, copying,
circulation, forwarding, printing or publication of this message or
attached files is strictly forbidden, as is the disclosure of the
information contained therein. If you have received this message in
error, please notify the sender immediately and delete it from your
inbox.
AFP Web site: http://www.afp.gov.au
**********************************************************************
Mark R. Diamond left an annotation ()
Some long time ago, I read the application by Henare Degan (https://www.righttoknow.org.au/request/g... ) to the Australian Federal Police for information relating to Gamma International’s FinFisher suite of software. That application was refused with a s 25 notice --- that is, a notice to the applicant that says that the agency neither confirms nor denies the existence of a certain document. On the one hand, I was a little surprised that Henare hadn't asked for an internal review; on the other, I think that the hurdle a s 25 notice raises can be pretty difficult to overcome. In any case, I didn't do anything at the time about filing a similar request.
Almost two years later, I saw similar applications by Culley Palmer to CrimTrac (https://www.righttoknow.org.au/request/g... ), the Department of Foreign Affairs (https://www.righttoknow.org.au/request/g... ) and the Australian Crime Commission (https://www.righttoknow.org.au/request/g... ). All three of Culley Palmer's requests were refused by the respective agencies on the grounds of s 24(1)(b)(ii). That is, the agencies conducted searches for documents that might have satisfied Culley Palmer's requests but, because they didn't find anything, they refused the requests on the basis that the documents didn't appear to exist (or at least couldn't be found).
In case it isn't obvious, the difference between the responses received by Henare Degan and Culley Palmer is more than trivial. A s 25 decision (i.e., a decisiion neither to confirm nor deny the existence of certain documents) should occur much earlier in the decision making process that a decision relating to s 24A. In the case of a notice under s 25, it is completely irrelevant whether the requested documents do or don't exist, so there is no call for the agency to conduct searches of any kind. Instead, one would expect that an agency (every agency) would first determine whether an FOI request is valid, issue an acknowledgement notice under s 15 if it is, and then immediately decide whether a s 25 notice should be issued.
It is therefore more than a little strange that neither CrimTrac nor, particularly, the Australian Crime Commission thought that they needed to refuse and of Culley Palmer's requests on the grounds of s 25 but that the AFP thought it was necessary. Even stranger is that the AFP used s 25 to refuse my request for information about FinFisher but thought that it was quite OK not to invoke that section in the case of my requests for information about similar software produced by the Italian malware group called Hacking Team. Draw conclusions as you will!
UNCLASSIFIED
Dear Mr Diamond
Please find attached a decision on internal review, in relation to FOI request 2017/295.
Sincerely,
NATHAN SCUDDER
COORDINATOR, FREEDOM OF INFORMATION
CHIEF COUNSEL PORTFOLIO
Tel +61(0) 2 61316131
www.afp.gov.au
-----Original Message-----
From: Mark R. Diamond [mailto:[FOI #2910 email]]
Sent: Tuesday, 7 February 2017 8:27 PM
To: FOI
Subject: Internal review of Freedom of Information request - Gamma International's FinFisher
Australian Federal Police
GPO Box 401
Canberra City ACT 2601
Dear FOI Contact Officer,
Re: Your reference CRM 2017/295 . Request for internal review
-------------------------------------------------------------
1. I refer to the decision letter dated 13 January 2017 (received, 16 January 2017) from Mr Adam Raszewski refusing my recent FOI request for documents relating to software known as FinFisher (also known as FinSpy) and produced by Gamma International. Mr Raszewski's access refusal decision was on the basis of s 25 of the Freedom of Information Act; in particular, Mr Raszewski says that, if the document that I requested were to exist, it would be an exempt document in virtue of s 33 or s 37(1) of the Act. I disagree with that assessment and request an internal review of the access refusal decision.
2. Assuming the existence of the document(s) I requested, it will be apparent that, following the application of s 22(2) of the Act, the only information that would remain in the document(s) would be a list of dates together with the corresponding cost to the AFP at each date for the use of Gamma International's FinFisher software.
3. Consequently, the only two matters that would be disclosed by the document are: (a) the cost, at each date, to the AFP of using FinFisher, and (b) the fact of the use of FinFisher by the AFP.
4. It is difficult to imagine that a reasonable person would view the disclosure of the costs, per se, of using FinFisher as being matter that was exempt under s 33 or s 37(1). Whether the AFP spent $1 or $10 million per annum on licences for FinFisher, is unlikely to be a national security, defence, or international relations issue. Nor is disclosure of the costs likely to have any of the effects described in ss 37(1)(a), 37(1)(b) or 37(1)(c). For these reasons, in the paragraphs that follow I consider only whether matter that disclosed (and, particularly, confirmed or denied) the fact of the AFP's use of FinFisher would be exempt under either s 33 or s 37(1).
Background facts
------------------
5. FinFisher (https://en.wikipedia.org/wiki/FinFisher ) is a surveillance software trojan (https://en.wikipedia.org/wiki/Trojan_hor... ) produced by Gamma International (https://en.wikipedia.org/wiki/Gamma_Group ).
6. Because employees of Gamma International were better at producing malware than they were at securing their own computer system, it was possible for a hacker to access to Gamma International's IT infrastructure (http://www.zdnet.com/article/top-govt-sp... ), ironically in much the same way that Gamma International themselves hack into systems. The hacker was able to download around 40 gigabytes of Gamma International's information. That information was subsequently widely published on the internet and archived for permanent public access on WikiLeaks (https://www.wikileaks.org ). Amongst other things, the publicly available documents show that Australian police forces, including the New South Wales Police Force, have purchased and used FinFisher.
National security exemptions
-----------------------------
7. I should clarify the terminology that I use in the paragraphs below. To avoid unnecessary repetition, I use "would", as in "would cause such and such effect" to mean "would, or could reasonably be expected to cause such and such effect" and similar words for the corresponding negative case.
8. I submit that disclosure of the fact of the AFP's use, or non-use, of FinFisher would not have any national security effect. It certainly would not result in the effects described in ss 33(a)(i) or 33(a)(iii). Nor, given that Gamma International does not act on behalf of a foreign government and is not an international organization, would disclosure have the effect described in s 33(b). That leaves only the possible application of 33(a)(ii). For reasons similar to those given below, I submit that disclosure would not be exempt under s 33(a)(ii) because it would not affect the defence of the Commonwealth.
Other possible, unclaimed ground for exemption
------------------------------------------------
9. Before proceeding to s 37, it is worth commenting that if the requested document were exempt, which I dispute, the only obvious exemption might be under s 37(2)(b). Section 37(2)(b) provides that "A document is an exempt document if its disclosure under this Act would, or could reasonably be expected to: ... (b) disclose lawful methods or procedures for preventing, detecting, investigating, or dealing with matters arising out of, breaches or evasions of the law the disclosure of which would, or would be reasonably likely to, prejudice the effectiveness of those methods or procedures".
10. One can imagine that a document that revealed the details or existence of a hitherto undisclosed method of enforcing the law might be exempt under s 37(2). A case in point arose with the recent arrest of a person in connexion with the "Claremont murders" in Western Australia. In reports of the arrest, it was revealed that DNA obtained from an evidentiary object provided a "relative match" to a person on the police database. That is, it was revealed that although the then-unknown perpetrator had not previously been arrested, a relative of that person had been, and the DNA of that relative then dramatically influenced the line of investigation. The use of "relative matching" had not previously been widely reported in Australia and the inadvertent disclosure of its use might now prejudice the future effectiveness of the procedure. Simple DNA matching and fingerprint matching require that corresponding samples be available from a suspect before a match can be made, but relati ve DNA m atching vastly enlarges the threat-surface for a criminal and as its use becomes more widely known, criminals might become even more wary about leaving any DNA at a crime scene lest the DNA of a close relative ever comes to the attention of the police.
11. Nonetheless, despite the remote possibility of its application to the document I seek, exemption under s 37(2) cannot give rise to a s 25 notice of the kind issued to me by Mr Raszewski. Moreover, I suggest that disclosure of the AFP's use of FinFisher would not, in any case, be exempt under s 37(2) because the nature of trojan surveillance software, and even its use by Australian law enforcement agencies, has been known for many years (http://krebsonsecurity.com/2011/11/apple... , http://www.spy-emergency.com/research/ma... )
Exemption under 37(1)
-----------------------
12. Disclosure of the fact of use by the AFP of the FinFisher trojan surveillance malware would obviously not either "disclose, or enable a person to ascertain, the existence or identity of a confidential source of information, or the non-existence of a confidential source of information, in relation to the enforcement or administration of the law" -- s 37(1)(b), nor "endanger the life or physical safety of any person" -- s 37(1)(c), so we can disregard those subsections.
13. That leaves only the question of whether disclosure of the document I seek would "prejudice the conduct of an investigation of a breach, or possible breach, of the law, or a failure, or possible failure, to comply with a law relating to taxation or prejudice the enforcement or proper administration of the law in a particular instance" -- s 37(1)(a).
14. Again, it is difficult to see how this could be the case. The document I seek would contain no information about any particular investigation nor about any particular instance of any of the matters referred to in 37(1)(a). Further, as I've already pointed out, the use of trojan surveillance malware by law enforcement agencies worldwide is well documented and there would be nothing about disclosure of the use of FinFisher (in particular) by the AFP (in particular) that could have any foreseeable effect that has not already been caused by the broad publicity already given to so-called "government spyware".
15. In addition to the points made above regarding exemptions under s 33 or s 37(1), there is one final point I would like to make. I recently made two FOI request for information regarding the cost to the AFP of using "offensive security" software produced by the Italian company known as "Hacking Team" (your references CRM 2017/296 and CRM 2017/329; see https://www.righttoknow.org.au/request/h... and https://www.righttoknow.org.au/request/h... ). . Conceptually, those two requests are exactly the same as my request for information regarding FinFisher. All three requests relate to "government spyware" that is reportedly used by law-enforcement agencies around the world. I submit that your direct refusal on the grounds of s 24A(b)(ii) of my two requests regarding Hacking Team's RCS (effectively denying the existence of the requested documents) is itself evidence that there is no ground for refusing either to confirm o r deny t he existence of parallel documents relating to FinFisher.
Request
--------
16. I ask that you make a new decision granting me access to the document(s) I requested.
A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.righttoknow.org.au/request/g...
Yours faithfully,
Mark R. Diamond
-------------------------------------------------------------------
Please use this email address for all replies to this request:
[FOI #2910 email]
This request has been made by an individual using Right to Know. This message and any reply that you make will be published on the internet. More information on how Right to Know works can be found at:
https://www.righttoknow.org.au/help/offi...
If you find this service useful as an FOI officer, please ask your web manager to link to us from your organisation's FOI page.
-------------------------------------------------------------------
UNCLASSIFIED
UNCLASSIFIED
**********************************************************************
WARNING
This email message and any attached files may contain information
that is confidential and subject of legal privilege intended only for
use by the individual or entity to whom they are addressed. If you
are not the intended recipient or the person responsible for
delivering the message to the intended recipient be advised that you
have received this message in error and that any use, copying,
circulation, forwarding, printing or publication of this message or
attached files is strictly forbidden, as is the disclosure of the
information contained therein. If you have received this message in
error, please notify the sender immediately and delete it from your
inbox.
AFP Web site: http://www.afp.gov.au
**********************************************************************
Dear Mr Scudder,
Thank you for your letter of 17 February 2017 notifying me of the outcome of my request for internal review in the matter of my request for information relating to Gamma International's FinFisher software.
Yours faithfully,
Mark R. Diamond
Thank you for your email.
Please note that this is an automated response to confirm that your email was sent to the Australian Federal Police Freedom of Information (FOI) inbox.
This FOI inbox is monitored between 8am and 4pm Monday to Friday, excluding public holidays and the period from 27-31 December.
If you wish to lodge a request for access to documents under the Freedom of Information Act 1982 (FOI Act), please ensure that your request is in writing, states that it is an application for the purposes of the FOI Act and provides sufficient detail describing the documents you wish to access.
If you are requesting personal information about yourself then please ensure you enclose a copy of your photographic identification.
Further details on how to make a valid FOI request can be found on the Australian Federal Police’s website at: http://www.afp.gov.au/about-the-afp/foi-...
The Australian Federal Police will acknowledge your request in accordance with the legislative requirements of the Act.
The FOI Team can be contacted on 02 6131 6131
**********************************************************************
WARNING
This email message and any attached files may contain information
that is confidential and subject of legal privilege intended only for
use by the individual or entity to whom they are addressed. If you
are not the intended recipient or the person responsible for
delivering the message to the intended recipient be advised that you
have received this message in error and that any use, copying,
circulation, forwarding, printing or publication of this message or
attached files is strictly forbidden, as is the disclosure of the
information contained therein. If you have received this message in
error, please notify the sender immediately and delete it from your
inbox.
AFP Web site: http://www.afp.gov.au
**********************************************************************
Mark R. Diamond left an annotation ()
This is now a little further along than Henare Degan's original request (https://www.righttoknow.org.au/request/g... ) was. Now I have to draft an application for review to the Office of the Australian Information Commissioner. Unfortunately it can't be done through Right to Know because the FOI Act requires me to "include a copy of the notice given under section 26 of the IC reviewable decision for which an IC review is sought." It's not clear exactly what is meant by "a copy" (it might mean a copy that looks like the original such as a photocopy, or it might just mean a copy of the text) but in any case, it's not really feasible to request the IC review through Right to Know.
Mark R. Diamond left an annotation ()
There's an interesting United States parallel to my request, but with a very different outcome, reported in an article on Motherboard titled "Here's a DEA Invoice for Zero-Day Exploits". The link is here "https://motherboard.vice.com/en_us/artic... .
Mark R. Diamond left an annotation ()
I have lodged an application for IC review. I had intended to post here the text of the request for IC review sooner, but forgot. The text is as follows:
Thursday, 9 April 2017
Office of the Australian Information Commissioner
GPO Box 2999
CANBERRA ACT 2601
Dear Commissioner,
Request for IC Review
Agency: Australian Federal Police
Agency references: 2017/295 and CRM 2017/396
I’m writing to ask that you review two recent decision by the Australian Federal Police to refuse my requests for access to documents. Both decisions have resulted in the AFP issuing me with a notice under s 25(2), neither confirming nor denying the existence of the documents I requested.
I have attached copies of the two notices given to me by the agency. You will note that one decision follows an internal review (17 February 2017); the other decision is a first-instance decision (3 April 2017).
I appreciate that it is probably unusual to ask that you review two access refusal decisions simultaneously. I also appreciate that an applicant would normally seek an internal review before asking for IC review. However, I believe that there are good reasons for joining the two requests and for not seeking an internal review of the first-instance decision. First, the requests relate to similar subject matter (i.e., the use by the AFP of various types of computer surveillance software), despite being for somewhat different kinds of documents. Second, to request an internal review of the first-instance decision would almost certainly result in the issuance of yet another s 25 notice and would also (because of the time-limits) prevent me from asking you to examine the two decisions together.
Although you have previously reviewed two decisions [1,2] that have resulted in s 25 notices, they are both very different from the two requests that are relevant here—despite the AFP quoting your decision in Sun-Herald Newspapers as being supportive of their access refusal decision of 3 April 2017. If you are willing to review the decisions, please let me know and I will provide you with additional information to support my contention that the documents I seek are not exempt documents. For convenience, and because my original requests are not quoted in the decision letters, I include copies of the requests as an attachment to this letter.
Yours sincerely,
Mark R. Diamond
[1] Welch and Department of Foreign Affairs and Trade [2014] AICmr 3 (14 January 2014) (http://www.austlii.edu.au/au/cases/cth/A... )
[2] The Sun-Herald Newspaper and the Australian Federal Police [2014] AICmr 52 (3 June 2014) (http://www.austlii.edu.au/au/cases/cth/A... )
Mark R. Diamond left an annotation ()
This is the text of the follow-up letter to the Information Commissioner regarding my request for IC review.
Sunday, 21 May 2017
Office of the Australian Information Commissioner
GPO Box 2999
CANBERRA ACT 2601
Dear Commissioner,
Your reference: MR17/00186 and MR17/00192
Agency: Australian Federal Police
Agency reference: 2017/295 and CRM2017/396
--------------------------------------------------------
I am writing in support of my contention that none of the documents to which I was refused access by the Australian Federal Police are in fact exempt documents.
An applicant for review of any decision that invoked an s 25 notice is inevitably in the position of having no real information against which to argue. Consequently, I don’t propose to attempt any detailed argument in support of my claim that none of the information I sought is exempt. Instead, I would like to draw your attention to a two points:
(1) In response to a request under the United States Freedom of Information Act, the U.S. Drug Enforcement Agency has publicly acknowledged purchasing and using Hacking Team’s surveillance malware (see, https://motherboard.vice.com/en_us/artic..., https://www.schneier.com/blog/archives/2... ). That the DEA released the information is of significance because the U.S. law provides a mechanism (“Glomar denial” or “Glomarization” ), similar to that provided for by s 25 of the Commonwealth Act, to allow an agency neither to confirm nor deny the existence of certain documents.
(2) Despite issuing s 25 notices in response to the two requests for which I have sought IC review, in response to two other very similar requests, the AFP was willing to deny having any relevant documents and to issue decision notices under s 24A (AFP references CRM2017/296 & CRM2017/329). In a truly bizarre sequel, when I requested an internal review of the decision notified in CRM2017/329, the AFP substituted a notice under s 25 for the original notice under 24A!
I trust that the relevance will be obvious of both the points above to both of the requests for which I have requested IC review.
Yours sincerely,
Mark Diamond
Henare Degan left an annotation ()
Talk about leaving us hanging, Mark 😀
The result of the review of this request was that the Information Commissioner upheld the AFP's decision: http://www6.austlii.edu.au/cgi-bin/viewd...
I looked up this request after seeing https://www.accessnow.org/finfisher-shut...
Mark R. Diamond left an annotation ()
Henare Degan sent a related request in 2013 (https://www.righttoknow.org.au/request/g... ). That request was refused on the basis of section 25 of the FOI Act (http://www.austlii.edu.au/au/legis/cth/c... ). I expect that my request will be refused on the same grounds. My reason for lodging a new request is that I would like to see the decision reviewed, and I can't ask for a review of the decision that Henare got. It's simply not possible to re-enliven an old request by a third party.