{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreihf2kb7jvx2pe2y5oyoo3my2uxt4x3ohjil2ma43juc7ea6k6x24e",
"uri": "at://did:plc:vheeqocrmpufeihqwcbic4m6/app.bsky.feed.post/3mnegrw2dvqj2"
},
"description": "In 2020, journalists asked Australian police forces whether they were using Clearview AI — the American company that scraped three billion social media photos without consent to build a facial recognition database. The answer, from several state forces and the AFP, was no.\n\nThen Clearview suffered a data breach. The stolen customer list included Australian law enforcement agencies. At that point, the denials stopped.\n\nThat sequence — quiet adoption, public denial, disclosure only under external pressure — is the pattern. Last week I wrote about the cultural conditions that make it possible: the institutional trust, the “she’ll be right” pragmatism, the absence of organised civil liberties infrastructure that might have generated friction. This post is the inventory. Here is what Australia has actually built, layer by layer — and what you can do about it.",
"path": "/blogs/2026-06-05-sleepwalking-off-a-digital-cliff/",
"publishedAt": "2026-06-02T14:30:00.000Z",
"site": "https://gaggl.com",
"tags": [
"opinion",
"Privacy",
"Surveillance",
"Digital Rights",
"Australia",
"Policy",
"Last week I wrote about the cultural conditions that make it possible",
"Digital Rights Watch Australia",
"EFF",
"Eyes Wide Shut",
"←Unicorns Build Monocultures",
"LPWAN Meshes: 2.4GHz and the Rise of the Mesh-Bridge→",
"webmention",
"@gaggl.com"
],
"textContent": "In 2020, journalists asked Australian police forces whether they were using Clearview AI — the American company that scraped three billion social media photos without consent to build a facial recognition database. The answer, from several state forces and the AFP, was no.\n\nThen Clearview suffered a data breach. The stolen customer list included Australian law enforcement agencies. At that point, the denials stopped.\n\nThat sequence — quiet adoption, public denial, disclosure only under external pressure — is the pattern. Last week I wrote about the cultural conditions that make it possible: the institutional trust, the “she’ll be right” pragmatism, the absence of organised civil liberties infrastructure that might have generated friction. This post is the inventory. Here is what Australia has actually built, layer by layer — and what you can do about it.\n\n\"Writings on the Wall\" by Elvert Barnes (CC BY-SA 2.0)\n\n### Layer One: The Physical Record\n\nWhen US researchers and activists describe Automatic Licence Plate Readers (ALPRs) as an emerging threat, they’re talking about something Australia installed years ago.\n\nOur toll road networks, average-speed camera systems, and police vehicles equipped with mobile scanners have turned vehicle movement through major cities into a longitudinal record. Drive through Sydney or Brisbane regularly and the data knows your routine — where you go, when you go, how often you deviate. This isn’t speculation; it’s the stated purpose of the systems.\n\nThe critical difference from the US isn’t the technology. It’s the architecture. In America, ALPR systems are fragmented across thousands of local police departments, county sheriffs, and private operators with inconsistent data-sharing arrangements and occasional local pushback. In Asheville, North Carolina, over 100 residents turned up to a council meeting to oppose a real-time intelligence centre, and the city backed down. That kind of friction exists because the infrastructure is patchwork.\n\nIn Australia, these systems are managed at the state level, integrated into government infrastructure, and not meaningfully contested. Centralised surveillance has network effects: every additional data point makes every other data point more useful. The whole is more dangerous than the sum of its parts, and the whole is being built deliberately.\n\n### Layer Two: Biometrics\n\nThe facial recognition trajectory in Australia moves in the opposite direction from the EU, which imposed strict restrictions through the AI Act, and against the current of US cities like San Francisco and Boston, which have banned police use outright.\n\nHere, the direction is integration. Driver’s licence photos, passport images, and visa records are being linked into a national biometric matching system. Australian police were using Clearview AI — as we now know — before any public debate about whether they should. Retail chains trialled facial recognition on customers. Airport SmartGates have made biometric identification feel routine.\n\nThe frictionlessness is the point. Systems that require explicit consent or visible signage are harder to expand. Systems embedded in normal infrastructure — airport gates, road cameras, store entrances — normalise identification by making it invisible. The question of whether Australians consented to being enrolled in a national biometric register was never asked publicly, because the register was assembled incrementally from databases that already existed for other purposes.\n\nWhat doesn’t exist alongside this: mandatory warrant requirements for police access to the national biometric database. Published accuracy rates for the systems in use. Community auditing of who is being misidentified, and at what rate. The EU AI Act requires all of this for high-risk AI systems. Australia requires none of it.\n\n### Layer Three: The Digital Layer\n\nThis is where Australia genuinely leads — in the sense of having built, earlier and more completely, what other democracies are still arguing about.\n\n**Metadata retention.** Since 2015, telecommunications companies are legally required to retain two years of metadata for every Australian: who you called and texted, when, your approximate location at the time, what IP addresses your devices used. Police and approved agencies can access this without a warrant. In 2018, the US Supreme Court ruled in _Carpenter v United States_ that historical location data requires a warrant under probable cause. No equivalent protection exists in Australia. The data sits there, warrantless, by design.\n\n**Compelled assistance.** The 2018 Assistance and Access Act created a legal framework for compelling technology companies to help bypass encrypted communications — under arrangements that can be kept secret, with oversight mechanisms too weak to exercise meaningfully. The US FBI has sought equivalent powers for years through the “going dark” debate. They don’t have them. Australia handed them over with bipartisan support and minimal public debate, under a secrecy regime that makes independent assessment of how they’re being used nearly impossible.\n\n**Account access.** The 2021 Identify and Disrupt Act goes further than most people realise. It gives the AFP and ACIC powers to take over online accounts, modify data on networks, and conduct operations under emergency authorisations that can bypass standard warrant processes. The Conversation noted the modification power could allow authorities to alter social media posts without the account holder’s knowledge. Whether and how that power has been used is not publicly known.\n\n**Digital identity.** As of late 2025, 15 million Australians have biometrically verified digital IDs. The government is committing $654 million over four years to extend this into banking, utilities, and health services. The US has never managed a national digital ID. The EU is building one with explicit privacy protections written into the framework. Australia built one first and is rolling it out at pace, with the accountability architecture still catching up.\n\nNone of this is hidden. The legislation is public. The OAIC publishes guidance. Parliamentary committees write reports. What the reports don’t establish is how these powers are being used in practice, because the oversight mechanisms aren’t strong enough to find out — and the secrecy provisions in several of these laws make public accountability structurally difficult.\n\n### What You Can Actually Do\n\nThe EFF’s approach is instructive here. When people couldn’t inspect the surveillance apparatus, they built instruments to observe it from the outside: RayHunter detects fake cell towers, WeSpy maps surveillance cameras. Neither tool rolls back the infrastructure. Both put information in the hands of the people the infrastructure is watching.\n\nYou don’t need custom hardware. Some practical starting points:\n\n**Reduce the metadata you generate.** Your telco is storing two years of your metadata by law — that’s not changing. What you can change is the fidelity of what’s recorded. Signal for calls and messages means your telco sees that a call happened but not its content. A no-log VPN changes the IP address metadata. None of this makes you invisible. All of it reduces the richness of the record.\n\n**Use encrypted messaging.** Signal remains the standard. WhatsApp has the encryption but not the metadata protection. Telegram has neither by default — the “secret chats” feature is end-to-end encrypted, the regular interface is not.\n\n**Be deliberate about digital identity.** The national digital ID has legitimate uses. It also creates a single point of failure and a single point of surveillance. Understand what you’re enrolling in, what data is retained, and who can access it before you enrol.\n\n**Support the organisations doing the sustained work.** Digital Rights Watch Australia is monitoring legislation, submitting to parliamentary inquiries, and fighting with thin resources against well-funded changes to the law. The EFF does the same internationally. These organisations produce the legal and technical analysis that makes accountability possible — they need members and funding to do it.\n\n**Ask institutional questions.** If your workplace, school, health service, or local council is considering facial recognition, biometric access, or data-sharing arrangements with government agencies: ask what the retention policy is, who has access, what the audit trail looks like, and what happens to the data if the arrangement ends. These questions are rarely asked in procurement processes. They should be standard.\n\nThe infrastructure described above is already built. Rolling it back requires political will that currently doesn’t exist in either major party. But the choices you make about how you move through this infrastructure — and whether you push the institutions around you to ask harder questions — still matter.\n\nThe dragnet is not yet complete. There are gaps, there are choices, and there are organisations working to keep both open.\n\n* * *\n\n_Part of a series on digital rights in Australia. Eyes Wide Shut examines the cultural conditions that made this infrastructure possible — why Australia built it without friction. Next month: Open Weights, Closed Minds applies the same lens to AI transparency and what it actually requires._\n\n * Privacy\n * Surveillance\n * Digital Rights\n * Australia\n * Policy\n\n\n\n←Unicorns Build Monocultures\nLPWAN Meshes: 2.4GHz and the Rise of the Mesh-Bridge→\n\nIn 2020, journalists asked Australian police forces whether they were using Clearview AI — the American company that scraped three billion social media photos without consent to build a facial recognition database. The answer, from several state forces and the AFP, was no.\n\nThen Clearview suffered a data breach. The stolen customer list included Australian law enforcement agencies. At that point, the denials stopped.\n\nThat sequence — quiet adoption, public denial, disclosure only under external pressure — is the pattern. Last week I wrote about the cultural conditions that make it possible: the institutional trust, the “she’ll be right” pragmatism, the absence of organised civil liberties infrastructure that might have generated friction. This post is the inventory. Here is what Australia has actually built, layer by layer — and what you can do about it.\n\n## Comments\n\n**Be the first to comment!** Reply to this post from your Mastodon/Fediverse or Bluesky account, or mention this post's URL in your reply. Your comment will appear here automatically via webmention.\n\nFollow this blog on Mastodon at **@gaggl.com@web.brid.gy** or on Bluesky at **@gaggl.com**",
"title": "Sleepwalking Off a Digital Cliff: Australia's Surveillance Infrastructure, Layer by Layer"
}