The complexity of catching cybercriminals

30 Sep 2021
Table of Contents
I. Introduction
II. An Analysis of Australian Privacy Principles
- A. Cross-Border Disclosure Requirements
- B. Requirements for Getting Consent to Access Private Data
- C. Storing PII Data in Australia
III. Conclusion
References

I. Introduction

When people think of criminals, they often think about what they see on television. Long, methodical plotlines, played out over an episode or several, romanticize both the criminals and the criminal justice system in ways that are not always congruent with real life. “In the criminal justice system, the people are represented by two separate yet equally important groups: the police who investigate crime and the district attorneys who prosecute the offenders,” and cyberspace falls within this same system [1]. The well-known series Law & Order deals primarily with physical crimes, although some episodes involve cybercrime. Unlike the real world, however, the perpetrators are always within the jurisdiction of the department working the case.

Cyberspace is accessible to anyone with a network connection, which means attackers can originate from anywhere in the world. This makes investigating and prosecuting cybercriminals extremely difficult, yet the process still follows the same standards as the rest of the justice system. Cybersecurity experts play the role of the police; an expert could, in principle, also qualify as an attorney and prosecute their own investigations. That is not advisable, but it is possible, since the computer is the primary workspace of both the digital forensics specialist and the attorney. Because cybercriminals can come from any country, knowing only local and federal law is not enough. Any cybersecurity officer, and especially a digital forensics specialist, must understand the international regulations and foreign national laws of the jurisdictions from which attacks originate. This is one example of many that illustrate the sheer complexity cybersecurity entails.

II. An Analysis of Australian Privacy Principles

The Australian Privacy Principles (APP) are the standards that govern how personal information about individuals in Australia may be collected, handled, and processed by the Australian Government agencies and private-sector organizations covered by the Act (collectively, APP entities), including when that information is disclosed to overseas recipients. The Privacy Act 1988, which sets out the legal specifications, functions, and purposes of Australian privacy law, is the APP’s parent document: the principles themselves appear in Schedule 1 of the Act, and the Office of the Australian Information Commissioner (OAIC) publishes the APP guidelines that explain how the principles are interpreted and applied. The Act essentially dictates what personal information can be collected, analyzed, stored, and disclosed by any covered entity. Thus, the APP derives its authority from the Privacy Act, and both domestic entities and the foreign agents to whom they disclose information must follow these standards, whether for commercial, forensic, or private purposes [2].

The APP guidelines contain four introductory chapters (A through D) followed by thirteen chapters, one per principle, describing how each applies across various aspects of privacy and how Australia intends to protect its residents’ rights. The guidelines are an official OAIC document, but they are not legally binding in themselves; the principles they explain are binding, because they sit in Schedule 1 of the Privacy Act. Some passages of the guidelines restate the law directly, while others are the Commissioner’s recommended practice for doing business in Australia. When performing an investigation, one should refer to both the APP guidelines and the Privacy Act to ensure professional conduct [2].

The following analysis is for digital forensic investigations undertaken from the United States of America. To investigate personal information from Australian systems, the investigator must follow the guidelines outlined in chapters 1, 3 through 6, and 8 through 12. The chapters not included are not crucial for this use, and some of those included are highly situational [2].

A. Cross-Border Disclosure Requirements

Chapter 8 of the APP guidelines, Cross-border disclosure of personal information, covers APP 8, which is designed to ensure that an overseas investigator adheres to the principles when conducting their investigation. The chapter places accountability on the APP entity that discloses the information: before disclosing, the entity must take reasonable steps to ensure the foreign agent will not breach the APP, and it generally remains accountable for the agent’s handling of the information. A digital forensics investigator in the United States is not bound by the Privacy Act 1988 as domestic law, but the information received remains protected by the Act through the disclosing entity’s accountability. Thus, the investigator must still conduct their investigation according to the rules of the jurisdiction where the data originates.

When investigating a case from Australia, the APP guidelines advise that there should be a contract or other binding arrangement between the APP entity and the investigator. While the investigator is unlikely to act improperly, the risk is one to address earnestly: the APP entity supplying the personal information is liable for the investigator’s professional negligence and could face regulatory action for the investigator’s misconduct. Paragraph 8.25 describes examples of “enforcement mechanism[s that] should meet two key requirements: it should be accessible to the individual, and it should have effective powers to enforce the privacy or data protections in the law or binding scheme” [2]. The mechanisms should be fair and capable of being invoked if unlawful handling occurs.

A critical provision of the Privacy Act regarding cross-border disclosure is Part III, section 16C, in particular subsection (1)(c). The legal language is considerably obscure, but in substance it recognizes that the APP do not, of themselves, bind a foreign recipient of the information; instead, the Act treats a breach by the overseas recipient as a breach by the disclosing APP entity [3]. That accountability is lifted where the recipient is subject to a law or binding scheme that is “substantially similar” to the APP [2]. This exception, discussed in chapter 8 of the guidelines from paragraph 8.19 onward, allows the investigator to follow their own nation’s law rather than the APP directly. Even so, one should still refer to the Privacy Act to maintain the authenticity and integrity of the case.

B. Requirements for Getting Consent to Access Private Data

Protecting personally identifiable information (PII) is the primary function of the Privacy Act and the APP guidelines. The protocols for protecting personal information are touched on in most chapters of the guidelines but are directly specified in chapters 3 through 6 and 9 through 12. Chapters 3 and 4 cover the types of information and the lawful and ethical methods of collecting it, solicited and unsolicited respectively. Chapters 5, 6, 9, and 12 describe the practices one should follow while handling the information and the rights the individual it concerns has over it. Lastly, chapters 10 and 11 outline best practices for the quality and security of PII. An investigator must maintain up-to-date knowledge of amendments to the Privacy Act and the APP guidelines when handling data from Australia.

The regulations described in these chapters differ considerably from privacy law in the United States. As detailed in chapters 5 and 12, one significant difference is the obligation to notify the individual that their information is being collected and, on request, to give them access to the information held about them, subject to certain exceptions. Chapter one of the textbook Guide to Computer Forensics and Investigations covers public- and private-sector investigations, and one essential point is to maintain discretion when investigating anyone. Australian law heavily emphasizes privacy protection; however, one must consider whether this can obstruct justice. Although an APP entity may decide against notifying the individual where notification is not reasonable in the circumstances, as discussed in paragraph 5.7, these two chapters leave room for doubt [2]. Chapter 12 follows the same concept as chapter 5, but it concerns the individual’s right to access the personal information an entity holds about them, which can include information collected, stored, used, and distributed by the foreign agent for the investigation. Until a warrant for pertinent information or an indictment is authorized and executed, it is impossible to know whether an insider has compromised the case.

When obtaining data on a subject, the investigator must receive solicited information from the APP entity. Furthermore, the investigator may only collect information directly related to the case; unrelated information may be used only if it was procured lawfully and genuinely expands the investigation into new territory. If the investigator requires sensitive information about an individual, that individual must ordinarily consent to the collection. There are exceptions to this guideline, such as where the individual is suspected of unlawful activity under Australian legislation. Other exceptions exist, but they are less important than the one stated above. Investigators can find the exceptions defined in paragraph 3.27 of the APP guidelines and section 16A of the Privacy Act [2]. While most allied countries share similar statutes, an individual could have complied with Australian law yet broken the law in the United States. This can lead to complex and frustrating investigations, as the investigator must follow the standards of the country of origin.

C. Storing PII Data in Australia

When storing data for an investigation, the investigator must keep it accurate, complete, and up to date. The guidelines for storing PII can be found in chapters 6, 10, and 11 of the APP guidelines. Chapter 6 covers how personal information may be used and disclosed. Chapter 10 defines the steps one should follow to ensure data quality. Chapter 11 describes the security measures required to protect that information from misuse, interference, and loss, and from unauthorized access, modification, or disclosure. These chapters also draw on the chapters covered above, and foreign investigators must observe all of these requirements under the Privacy Act 1988.

Overall, an investigator must obtain solicited personal information from an APP entity and use that information to conduct their case. The investigator must follow strict standards when requesting and collecting personal information, and the procedural requirements continue after the data has been procured. The integrity of the data is a priority, and the investigator must take reasonable security measures to prevent its misuse, interference, and loss. There are also security protocols an investigator must follow to ensure the integrity of the investigation is maintained and safeguarded from external attacks.

III. Conclusion

Reading the Australian Privacy Principles and the Privacy Act 1988 was a significantly different experience from reading United States legal documents. It was also substantially more difficult to parse the phrasing, as the structure differs drastically from U.S. law. Furthermore, I had never before seen a formal document supplementing an Act that is not itself legally binding in any jurisdiction. Reading and adhering to privacy laws also does not mean the work is done: an investigator must research extradition treaties and numerous other topics to thoroughly understand how to conduct business internationally. Becoming an information forensics expert is a daunting challenge, but investigators are crucial to any justice system. Just as police keep our physical environment safe, cybersecurity officers strive to make cyberspace a safe place for all users across the globe.

References

[1] D. Wolf, Law & Order, NBC, 2010. Television series.

[2] Office of the Australian Information Commissioner, Australian Privacy Principles guidelines, 22 June 2019. [Online].

[3] Australian Government, Privacy Act 1988, compilation of 27 September 2021. [Online].