Revelations this week that the Australian Prime Minister Malcolm Turnbull and cabinet ministers (including a specific Defence-related WhatsApp group) are using Facebook’s messaging system WhatsApp for confidential discussions have raised issues around cybersecurity. The use of WhatsApp by government officials also raises legal issues.
There are over eighty pieces of legislation around Australia dealing with document and record retention and destruction. The Archives Act 1983 (Cth), for example, prohibits the destruction of Commonwealth records without the permission of the National Archives of Australia, subject to certain exceptions. These exceptions include where destruction is ‘required by any law’ or is in accordance with a ‘normal administrative practice’. If a federal politician deletes WhatsApp messages relating to the exercise of government, then is this a “normal administrative practice”?
There is also the Privacy Act 1988, which requires government to destroy, delete or de-identify certain types of personal information.
Finally, there is the Freedom of Information Act 1982, which gives individuals rights of access to government documents, including those held by Australian Government ministers. The definition of “document” in this act includes “electronically stored information”.
It is not clear how these pieces of legislation could be accommodated by the use of WhatsApp. WhatsApp allows the exportation of messages, which would allow compliance with these acts. But WhatsApp also makes it clear that if the messages are “deleted or lost for any reason, [WhatsApp] cannot help you recover the messages because we do not store your WhatsApp chat history in our system”.
There must be an administrative mechanism by which determinations are made as to what should be done with information contained on WhatsApp – the periodic exportation of the data for assessment and processing by staffers, for example. In addition, ministers’ devices would need to be handed over upon change of government or retirement, so as to capture that information (including metadata) for assessment.
WhatsApp also does not make it inherently easy to accommodate the requirements of the Australian Government Information security management guidelines, which note:
15. Information which needs increased protection is to be either security classified and identified by a protective marking showing the level and protection required, assigned a dissemination limiting marker (DLM) or, when appropriate, a caveat….
52. Not all information needs to be protectively marked (assigned a security classification or DLM). Information is only to be protectively marked if its compromise could damage the National Interest, organisations or individuals, or requires protection under the Privacy Act, the Archives Act or other legislation.
68. Dissemination limiting markers (DLMs) are markings for information where disclosure may be limited or prohibited by legislation, or where it may otherwise require special handling.
WhatsApp does not provide for DLMs.
This all follows a decision in September this year by the Hamburg Commissioner for Data Protection and Freedom of Information, who said Facebook, the owner of WhatsApp, was infringing data protection law and had not obtained effective approval from WhatsApp’s 35 million users in Germany to store user data. There was also an allegation in April this year that, in the UK, anti-Brexit policy advisors to David Cameron were using WhatsApp to subvert FOI requests made pursuant to the equivalent UK legislation.