While learning about patterns in security, a recent news story came to mind when scope creep was mentioned -specifically systems and data being created or approved for one use, but inevitably being used for another. 

The case that came to mind was the WA Police using covid QR check in data in criminal investigations. The WA covid check in app/system has been used for over 250m check ins. People were assured that it would only be used by the Department of Health contact tracing team, if necessary. 

It has been revealed that police have issued warrants on two occasions to access the information. This also ties in with what I think of as a form of no tech hacking – leveraging loopholes.

So I think we are seeing two issues here:

• Scope creep, data being used for a use case that wasn’t in the original spec
• Loopholing by the WA Police, not breaking the system, but using the system to do something that it wasn’t intended for.

The WA Attorney General has introduced urgent legislation to prevent this happening again, validating my thoughts. I think I’m starting to understand that different parts of the governments have competing roles for this purpose – to maintain balance

Sources:

Article: https://www.abc.net.au/news/2021-06-15/safewa-app-sparks-urgent-law-change-after-police-access-data/100201340 

Video: https://www.abc.net.au/news/2021-06-16/wa-police-have-used-data-from-covid-app-twice/13391760