Dear Australian Federal Police,

I request access to any document that shows how much it cost the Australian Federal Police to use Gamma International's Finfisher in the years 2011, 2012, 2013 or 2014.

Yours faithfully,

Mark R. Diamond

Australian Federal Police
GPO Box 401
Canberra City ACT 2601

Dear FOI Contact Officer,

Re: Your reference CRM 2017/295 . Request for internal review
-------------------------------------------------------------
1. I refer to the decision letter dated 13 January 2017 (received, 16 January 2017) from Mr Adam Raszewski refusing my recent FOI request for documents relating to software known as FinFisher (also known as FinSpy) and produced by Gamma International. Mr Raszewski's access refusal decision was on the basis of s 25 of the Freedom of Information Act; in particular, Mr Raszewski says that, if the document that I requested were to exist, it would be an exempt document in virtue of s 33 or s 37(1) of the Act. I disagree with that assessment and request an internal review of the access refusal decision.

2. Assuming the existence of the document(s) I requested, it will be apparent that, following the application of s 22(2) of the Act, the only information that would remain in the document(s) would be a list of dates together with the corresponding cost to the AFP at each date for the use of Gamma International's FinFisher software.

3. Consequently, the only two matters that would be disclosed by the document are: (a) the cost, at each date, to the AFP of using FinFisher, and (b) the fact of the use of FinFisher by the AFP.

4. It is difficult to imagine that a reasonable person would view the disclosure of the costs, per se, of using FinFisher as being matter that was exempt under s 33 or s 37(1). Whether the AFP spent $1 or $10 million per annum on licences for FinFisher, is unlikely to be a national security, defence, or international relations issue. Nor is disclosure of the costs likely to have any of the effects described in ss 37(1)(a), 37(1)(b) or 37(1)(c). For these reasons, in the paragraphs that follow I consider only whether matter that disclosed (and, particularly, confirmed or denied) the fact of the AFP's use of FinFisher would be exempt under either s 33 or s 37(1).

Background facts
------------------
5. FinFisher (https://en.wikipedia.org/wiki/FinFisher ) is a surveillance software trojan (https://en.wikipedia.org/wiki/Trojan_hor... ) produced by Gamma International (https://en.wikipedia.org/wiki/Gamma_Group ).

6. Because employees of Gamma International were better at producing malware than they were at securing their own computer system, it was possible for a hacker to access to Gamma International's IT infrastructure (http://www.zdnet.com/article/top-govt-sp... ), ironically in much the same way that Gamma International themselves hack into systems. The hacker was able to download around 40 gigabytes of Gamma International's information. That information was subsequently widely published on the internet and archived for permanent public access on WikiLeaks (https://www.wikileaks.org ). Amongst other things, the publicly available documents show that Australian police forces, including the New South Wales Police Force, have purchased and used FinFisher.

National security exemptions
-----------------------------
7. I should clarify the terminology that I use in the paragraphs below. To avoid unnecessary repetition, I use "would", as in "would cause such and such effect" to mean "would, or could reasonably be expected to cause such and such effect" and similar words for the corresponding negative case.

8. I submit that disclosure of the fact of the AFP's use, or non-use, of FinFisher would not have any national security effect. It certainly would not result in the effects described in ss 33(a)(i) or 33(a)(iii). Nor, given that Gamma International does not act on behalf of a foreign government and is not an international organization, would disclosure have the effect described in s 33(b). That leaves only the possible application of 33(a)(ii). For reasons similar to those given below, I submit that disclosure would not be exempt under s 33(a)(ii) because it would not affect the defence of the Commonwealth.

Other possible, unclaimed ground for exemption
------------------------------------------------
9. Before proceeding to s 37, it is worth commenting that if the requested document were exempt, which I dispute, the only obvious exemption might be under s 37(2)(b). Section 37(2)(b) provides that "A document is an exempt document if its disclosure under this Act would, or could reasonably be expected to: ... (b) disclose lawful methods or procedures for preventing, detecting, investigating, or dealing with matters arising out of, breaches or evasions of the law the disclosure of which would, or would be reasonably likely to, prejudice the effectiveness of those methods or procedures".

10. One can imagine that a document that revealed the details or existence of a hitherto undisclosed method of enforcing the law might be exempt under s 37(2). A case in point arose with the recent arrest of a person in connexion with the "Claremont murders" in Western Australia. In reports of the arrest, it was revealed that DNA obtained from an evidentiary object provided a "relative match" to a person on the police database. That is, it was revealed that although the then-unknown perpetrator had not previously been arrested, a relative of that person had been, and the DNA of that relative then dramatically influenced the line of investigation. The use of "relative matching" had not previously been widely reported in Australia and the inadvertent disclosure of its use might now prejudice the future effectiveness of the procedure. Simple DNA matching and fingerprint matching require that corresponding samples be available from a suspect before a match can be made, but relative DNA matching vastly enlarges the threat-surface for a criminal and as its use becomes more widely known, criminals might become even more wary about leaving any DNA at a crime scene lest the DNA of a close relative ever comes to the attention of the police.

11. Nonetheless, despite the remote possibility of its application to the document I seek, exemption under s 37(2) cannot give rise to a s 25 notice of the kind issued to me by Mr Raszewski. Moreover, I suggest that disclosure of the AFP's use of FinFisher would not, in any case, be exempt under s 37(2) because the nature of trojan surveillance software, and even its use by Australian law enforcement agencies, has been known for many years (http://krebsonsecurity.com/2011/11/apple... , http://www.spy-emergency.com/research/ma... )

Exemption under 37(1)
-----------------------
12. Disclosure of the fact of use by the AFP of the FinFisher trojan surveillance malware would obviously not either "disclose, or enable a person to ascertain, the existence or identity of a confidential source of information, or the non-existence of a confidential source of information, in relation to the enforcement or administration of the law" -- s 37(1)(b), nor "endanger the life or physical safety of any person" -- s 37(1)(c), so we can disregard those subsections.

13. That leaves only the question of whether disclosure of the document I seek would "prejudice the conduct of an investigation of a breach, or possible breach, of the law, or a failure, or possible failure, to comply with a law relating to taxation or prejudice the enforcement or proper administration of the law in a particular instance" -- s 37(1)(a).

14. Again, it is difficult to see how this could be the case. The document I seek would contain no information about any particular investigation nor about any particular instance of any of the matters referred to in 37(1)(a). Further, as I've already pointed out, the use of trojan surveillance malware by law enforcement agencies worldwide is well documented and there would be nothing about disclosure of the use of FinFisher (in particular) by the AFP (in particular) that could have any foreseeable effect that has not already been caused by the broad publicity already given to so-called "government spyware".

15. In addition to the points made above regarding exemptions under s 33 or s 37(1), there is one final point I would like to make. I recently made two FOI request for information regarding the cost to the AFP of using "offensive security" software produced by the Italian company known as "Hacking Team" (your references CRM 2017/296 and CRM 2017/329; see https://www.righttoknow.org.au/request/h... and https://www.righttoknow.org.au/request/h... ). . Conceptually, those two requests are exactly the same as my request for information regarding FinFisher. All three requests relate to "government spyware" that is reportedly used by law-enforcement agencies around the world. I submit that your direct refusal on the grounds of s 24A(b)(ii) of my two requests regarding Hacking Team's RCS (effectively denying the existence of the requested documents) is itself evidence that there is no ground for refusing either to confirm or deny the existence of parallel documents relating to FinFisher.

Request
--------
16. I ask that you make a new decision granting me access to the document(s) I requested.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.righttoknow.org.au/request/g...

Yours faithfully,

Mark R. Diamond

Dear Mr Scudder,

Thank you for your letter of 17 February 2017 notifying me of the outcome of my request for internal review in the matter of my request for information relating to Gamma International's FinFisher software.

Yours faithfully,

Mark R. Diamond