When a group of international media organisations this week revealed details of a Chinese tech company’s vast database profiling millions of people around the globe, it was in no small part due to a small Australian cybersecurity firm established only last year.
The Canberra-based firm, Internet 2.0, was co-founded by the cybersecurity expert Robert Potter, who was an adviser to the then Labor MP Gai Brodtmann when she was the shadow assistant minister for cybersecurity in Bill Shorten’s opposition. He later took a role with the Department of Foreign Affairs and Trade as a contractor.
The company’s other co-founder, David Robinson, is a retired captain from the Australian Army Intelligence Corps who also describes himself as a “serial entrepreneur”. Their customers include the US and Australian governments.
Potter said his firm was respected for its work on North Korea and China and a mutual friend introduced him to the US academic Christopher Balding, who was previously based in the Chinese city of Shenzhen.
Balding has said he received the leaked materials from an individual who had put themselves at risk by providing the data – proof, he said, that many inside China were concerned about surveillance practices in the country.
Potter said the leaked files contained large amounts of data but were corrupted, so Balding had sought his help to recover as much information as possible. The pair started speaking in April, forming a partnership that laid the groundwork for the publication of the details in a range of media outlets including the Australian Financial Review, the Daily Telegraph in the UK, and the Washington Post in the US. Potter also offered storage space for the data that was being examined.
Potter, a former head of cyber operations at the private security firm BAE Systems Applied Intelligence, said his company had been able to recover the records of about 250,000 people from the leaked dataset, including about 52,000 Americans, 35,500 Australians and nearly 10,000 Britons. They include politicians, including the prime ministers Scott Morrison and Boris Johnson and their relatives, the royal family, celebrities and military figures.
On Tuesday, the Australian Labor Party asked the information commissioner to investigate the “deeply concerning” reports and whether any Australian privacy laws may have been breached.
The Labor senator, Jenny McAllister, who chairs a Senate select committee into foreign interference through social media, said the reports about the database were “the latest in a long line of warnings that there are actors with the intent and ability to influence Australia’s democracy”.
Zhenhua Data, based in Shenzhen, has denied any links to the Chinese government or military and insisted that it merely “integrated” public data found on the internet.
A representative of Zhenhua Data told the Guardian that a database, known as the Overseas Key Information Database, did exist but that it was “not as magical” as suggested in foreign media reports because it simply connected individuals to the social media they used.
With some Australian-based analysts also questioning the significance of the leaked materials, Potter conceded that most of the data was based on material openly available on platforms such as Twitter, Facebook, Crunchbase and LinkedIn.
But collecting vast troves of data in this way raised important questions, he said. “Open source doesn’t necessarily mean people want it to be public,” Potter told Guardian Australia at Parliament House in Canberra.
“The reason Cambridge Analytica was scandalous wasn’t because they were accessing information on people’s private messages on Facebook. It was because they were misusing the permissions that were given by users to those platforms.”
Potter said the database showed attempts had been made to uncover the criminal records of anyone in Queensland with the last name Gilmour. Because these searches were tagged “space”, he formed a view that the effort reflected an interest in finding details related to a space technology company in Queensland, Gilmour Space Technologies. Ultimately, however, there were no criminal records of people at that company, he said.
“If you combine that with publicly available information and you start scraping for criminal activity around somebody’s name, you’re into the security vetting and intelligence vetting side … you’re not just looking at someone’s Twitter at that point. You’re gathering multiple sources together to make an assessment of vulnerability.”
A Gilmour Space Technologies spokesperson said the company was aware of the story and security was “an ongoing concern for all companies developing innovative research and technology, and we are continuously evolving our processes and systems to mitigate these risks”.
Potter said the database also showed “a huge amount of effort to to categorise data around universities, particularly crime data, to see if that criminal data matches the names of staff”. He cited the case of a janitor at an Australian university – which he did not name – who was working in a sensitive lab and apparently had a criminal record.
“So that’s the sort of insight that people look to get from shaking out the open source intelligence data at large scale.”
Asked whether Australian and other western intelligence services would similarly be scraping public open source material, he rejected the comparison by pointing to the safeguards that would apply in that case.
Potter said he would not discuss his career history in great detail, but he had previously worked “in a space where we developed and employed this sort of technology on behalf of like-minded democratic countries for the purposes of national security”.
“And we operate very differently,” he said.
“Mosaic collection of intelligence is particularly dangerous and generally operates only within intelligence agencies at this scale. We follow pretty significant rules and have non-trivial amounts of oversight.
“And I think it’d be fair to say to somebody from the Guardian that we’ve gotten ourselves in more than enough trouble over the years with that. So imagine that with no inspector general of intelligence and security [and] no free press staring down their heels.”
Amid diplomatic tensions with China, the Australian government responded to the reports in a relatively subdued way, with several ministers saying the information would be concerning if true.
Speaking to the ABC, the education minister, Dan Tehan, indicated Australia’s intelligence agencies would “investigate to see whether these claims, and this reporting, is accurate” and action would be taken if necessary.