TRANSCRIPT
Senior officials in the Trump administration are under pressure to explain how they allowed one of the most serious breaches of US national security in recent memory to happen.
In what's being called Signalgate, editor-in-chief of the Atlantic, Jeffrey Goldberg, was added to a chat on an unsecured group messaging app Signal which included senior officials discussing plans to strike Houthi rebels in Yemen.
The non-profit American Oversight has now launched legal action alleging the incident - with Signal's feature of disappearing messages - potentially violated federal record keeping laws.
Users of the Signal app can set messages to disappear after any length of time between one second to four weeks.
Questions are being asked about the policies in place that would reduce the risk of such a breach happening outside the United States, including in Australia.
It is not just about the breach of access to information relating to sensitive military operations, but also the potential violation of protocols, and government accountability in the event of a breach.
So, if the use of encrypted messaging apps raises risks, what policies are in place to mitigate them?
Daniel Casey is a former public servant and current lecturer in politics and international relations at the Australian Catholic University.
He says record keeping obligations are governed by the Archives Act.
"It is an offence against the Archives Act to fail to record or fail to store key pieces of information or fail to hand them over to the archives."
He says electronic record-keeping has changed what is kept.
"There's probably a lot more being kept because the IT department's of these departments can automatically keep every word document, every email, et cetera. But with messaging apps, whether it be Signal or WhatsApp, you have an ability for public servants and ministers to communicate on a platform that's not controlled by the government."
While more may be available to be stored, Dr Casey says not all records need to be saved.
"For example, records about organising meetings or records involving, I'm running late for that meeting, so an email from one person to another saying I'm running late for a meeting for you soon. That is a Commonwealth record because it's about an official thing, but there is zero need to keep that record."
He says the responsibility is on the individual to record what is said on the messaging apps.
"When it comes to Signal, there's no way of the government to be automatically storing it, which places an obligation back on those individuals to be careful about what thought of messages are sent by official channels and what's sent via Signal."
There are also cybersecurity risks to be considered.
Associate professor at R-M-I-T University, Mark Gregory, studies telecommunications and networking engineering.
He says the release of the Signal chat in the U-S was both surprising and unsurprising.
"The news is surprising that it would be made public in the way that it was, and it's unsurprising that the government has adopted applications that haven't been approved by the defence and security organisations."
He says that there are insufficient regulations for what messaging apps can and can't do.
As for whether the public could know if a messaging app was being inappropriately used, Dr Casey says it would be difficult to find out.
"I guess that would first require us to know that the information was being stored in the wrong way. And I think the Office of Australian Information Commissioner's report is encouraging agencies to make sure that it doesn't happen."
Five days before the story broke, Australia's national privacy and information access regulator released a report on the policies in place for government agency use of messaging apps.
With input from the National Archives of Australia, the Office of the Australian Information Commissioner found an increased risk of problems with recordkeeping, freedom of information and privacy.
Three-quarters of government agencies surveyed in the report encouraged or preferred the use of Signal as a messaging app for work purposes.
The report said the potential to automatically delete messages, which is a feature on several messaging apps, could result in the unlawful destruction of information under the Archives Act.
Only half of the participating agencies had policies or procedures to govern the use of messaging apps.
"Are there measures in place that would prevent critical information, and I know Home Affairs doesn't do war plans on Yemen, but critical national security information being shared on Signal?"
That was Greens Senator David Shoebridge raising this issue with the department of Home Affairs in Senate Estimates last week [[27 MARCH]].
The Department's representatives explained that while there is policy covering the use of messaging apps, it does not cover disappearing messages.
They’ve also explained that the guidance on the use of messaging apps, including Signal specifically, requires staff to follow certain rules.
"For example, you must have a work account that's associated. It must be on your work mobile device. It can't be on other devices and then we've got other sort of policies as well."
As for whether there is a risk that such a breach would happen in Australia, Dr Casey says it is important to remember that the Australian and U-S public service are structured differently.
"In general, senior Australian public servants are professional public servants who've been in the APS for most of their careers. This means that they're inculcated to the practices and procedures required by the APS. That's not the same in America where all the senior public servants are replaced at every change in administration. And you get people coming in from the private sector who may not be as aware or may not care as much about these sort of due process requirements."
