National Firearm Register consultation submission
Note:
Our submission:
Introduction
Firearm Owners United (FOU) is a registered Not-For-Profit advocacy organisation, representing Law Abiding Firearm Owner’s (LAFO’s), hunters, and the wider sport shooting community. Our operating team consists of volunteers who bring a wide variety of expertise to the organisation, from former Defense members, security specialists – including IT security experts, agriculturalists, firearm trainers and instructors, sporting shooters, hunters, and much more.
We would like to thank the Attorney-General’s Department for inviting us to make a submission to the consultation of a “National Firearms Register”. In this document you will find our responses to the seven questions posed in the “National Firearms Register, Public Consultation Paper”, which have been answered in good faith, our formal thoughts and opinions on the implementation of a National Firearms Register, references, and an appendix. We request that this submission be read in good faith, with the understanding we want what is best for both the community we represent and public safety.
Questions posed by the Consultation Paper
Key capabilities for law enforcement and regulatory agencies
Question 1: What capabilities should a National Firearms Register provide to government regulators and law enforcement?
- Quickly being able to search up if a person has firearms licenced against their name, in the event of police action being taken against that person for any reason.
Example:
Person A in Tasmania makes a trip to Victoria to see their partner, Person B. Person A owns legally registered firearms in Tasmania.
Whilst in Victoria, Person A becomes involved in a serious domestic dispute, with physical violence involved against person B whilst staying in Person B’s house. This leads to a Victorian Police unit being called to the property. The Victoria Police unit has Person A’s name. Due to a national registry, they are able to search up if Person A owns firearms. This could then lead to the type of response Victoria Police would take (ie they would be able to conduct a risk assessment, knowing that Person A could potentially have firearms in their possession at that current stage in time). This could lead to a potential reduction of risk, and an appropriate scaling of response.
- Government regulators should be able to share direct information pertaining to firearm or other offences that occur in any state, allowing the firearm licence of the state that issued it be suspended for the occurrence.
Example:
Person A, a resident of Western Australia, is visiting a friend in New South Wales. Person A is a licensed firearm owner in W.A. Whilst visiting their friend, Person A assaults a person. The national register could give options to, in real time, report this occurrence directly to the W.A Firearm branch, allowing intelligence to be used to decide a course of action pertaining to Person A’s firearm licence.
Question 2: Should a National Firearms Register trace more than firearms, for example firearms accessories, magazines, parts and ammunition?
No. Legal ownership of these items are already often subject to holding a valid firearm or weapons act licence, depending on the jurisdiction, and sale is dependent on verifying the purchaser holds a valid licence. These accessories, magazines, parts and ammunition are not required to have a serial number or registration, and enacting such legislation would not contribute to public safety, rather, be a further drain on resources which could be directed towards meaningful manners.
Question 3: Do you have any comments on the benefits a National Firearms Register will offer to law enforcement and community safety, including any broader benefits that should be explored?
Provide real-time data to on-the-ground officers that someone they are dealing with may potentially have access to legal firearms at either that specific moment in time, or in the near future. This will allow officers to perform risk assessments, potentially minimising harm to all parties involved, with more up-to-date information.
The above is only relevant on an interstate basis. There are already checks in place at the state level. Adding a NFR would not benefit law enforcement or community safety when state police are dealing with a situation involving a legal firearm owner from their own state.
Additionally – Officers/other police officers are always free to contact their interstate counterparts and simply ask if the person legally owns firearms. This would achieve the exact same result.
Of note – the National Firearms Register will not offer any benefits to law enforcement and community safety when dealing with matters involving illegal firearms, and unlicensed firearm users. A significant majority of crime involving firearms is undertaken by people without a firearm licence and/or unregistered illicit firearms.
Other capabilities
Question 4: What other capabilities could a National Firearms Register have that would be of benefit to the community, including to lawful firearms owners?
- A database of stolen firearms to assist law enforcement in recovering lost or stolen firearms
- Facilitate the quick transfer of a firearm licence when a licensee has moved states
Question 5: Do you have any comments on the creation of a verification service to support licensing and permit systems?
Each state has their own verification service in the form of physical licence cards and licence numbers, which upon request from law enforcement, must be presented when in the possession of firearms. Each state is capable of providing an online real-time verification service of the presented licence, not each state has done so however. All states implementing a public system to facilitate real time online verifications of licenses would be of benefit in denying access to firearms to people with a forged or suspended license.
Permits, relating to “Permits-To-Acquire or PTA’s”, are state specific, with each state having their own classification system. Under the current system there is little need for interstate PTA checks, allowing for PTAs issued in one state to be valued in other states does have value for border communities.
Question 6: Do you think trusted entities should be able to electronically communicate with firearms registries, if so, what capabilities should be available to trusted entities such as firearms dealers?
If a trusted entity is to be allowed to communicate with a registry, definitions of what a trusted entity must be clearly defined. Then the trusted entity would need to be checked to ensure its own system does not create a weakness or easy entry point to the registry database. If dealers become authorised trusted entities, with the capability to verify that an individual is a licenced person before shipping a licenced-restricted part to a customer without needing to contact a state registry, this has the potential to reduce administrative burdens for both firearm dealers and state governing bodies.
Information held by a National Firearms Register
Question 7: Do you have any comments on the information proposed to be held by a National Firearms Register?
The information held by a national firearms registry should be accurate, up-to-date, and securely stored to ensure community and police safety. The registry will need to hold firearms information, including enough details to uniquely identify firearms, track their movement, and record notable events such as surrender, destruction, loss or theft, and use in criminal activity.
The registry should not include personalised licence holder information, such as identification details beyond the licence holder’s name or address. Any information that relates to a person’s eligibility to hold a licence is a matter for the state.
Furthermore, the inclusion of “related articles” is not clearly defined and could potentially include non-registered and non-licensed parts, such as scopes, stocks, magazines, slings, and other miscellaneous parts. The inclusion of these parts in the registry could pose privacy concerns and could be burdensome for firearm owners to provide a parts list or photos. Therefore, it may be beneficial for the government to clarify what “related articles” specifically refer to and consider excluding non-registered and non-licensed parts from the registry to ensure that the registry is effective in enhancing community and police safety while respecting the privacy of law-abiding firearm owners and the customisability of their firearm.
End of questions from the Consultation Paper
The rest of this page has been intentionally left blank
Our statement: Information to be considered
Security
We would like to begin by reiterating the first subsection of the opening statement of the National Firearms Agreement:
“The National Firearms Agreement constitutes a national approach to the regulation of
firearms. The Agreement affirms that firearms possession and use is a privilege that is
conditional on the overriding need to ensure public safety, and that public safety is
improved by the safe and responsible possession, carriage, use, registration, storage and
transfer of firearms.”
In a less-than three-year period between 2021-2023, Australian Government organisations and departments around the country were breached no less than 28 times (see Appendix A), exposing medical documents, parliamentary minister’s details, shutting down parliament e-mail servers during an election, and worse.
Just some of the notable Australian Government organisations and departments include:
- Australian Federal Police (classified data)
- Australian Securities and Investments Commission
- New South Wales Health
- Department of Home Affairs (classified data)
- Victoria’s Revenue Office
- Victoria Police
- Private e-mail accounts of Queensland Ministers of Parliament
This picture only becomes more concerning when a larger, but still non-exhaustive, list consisting of private enterprises is considered (see Appendix A). These breaches are both concerning, but should not be surprising, as the Auditor-General delivered a report into cyber security problems in Western Australia (WA)1.
MyHealthRecord, one of the largest systems containing some of the most sensitive information in Australia, had the following assessment:
“David Vaile, chair of the Australian Privacy Foundation, said there was potential My Health Record could be subject to a “massive data breach”.
“The security model for My Health Record is appalling. I’ve been monitoring it and trying to engage with this discussion, you know, wearing several hats over about 10 or 15 years.
…
“They ended up with something [a system] that gives default access to probably hundreds of thousands of people,”.”
It is clear that in its current state, the Australian Government cannot ensure security of its electronic systems at a Federal or State level.
The information contained within the registry, if exposed to malicious parties, would put both law-abiding firearm owners and the general public at an incredible heightened risk. In fact, questions are now being asked about the Victorian state government awarding a critical security contract to Optus just months are Optus experienced a historic breach2.
Given that the objectives outlined in the first statement of the National Firearms Agreement have a clear focus on public safety, it is unlikely that a national registry could achieve the intents of the Agreement, given that when the Australian Government’s record of information security is considered, and recent breaches in the public sector; a breach is inevitable.
An important note needs to be made that information exposure need not occur via means of breach, but could simply occur via access controls not being restrictive enough – allowing users to access data not intended for them, malicious wilful disclosure (deliberate exposure by users), credentials theft (phishing – where a user believes an email to be genuine and opens a link allowing hackers to impersonate them), malware, and many other means.
According to the United States Government3, 90% of hacks now begin simply with a user being sent an e-mail that they believe to be a genuine internal e-mail from their company or department, opening a link, and thereby granting the malicious party access to their credentials to impersonate them (phishing). While measure can be taken to educate users on these types of attacks, they cannot be prevented entirely.
If this data were to be exposed, the Australian Government would be responsible for creating the largest database of legally owned and purchased firearm locations ever provided to malicious actors (including criminals or terrorists). This would put Law-Abiding Firearm Owner’s and their families, the general public, and police, at incredible risk. This could continue for years and there would be no means to undo it once it has occurred.
It would simply be unacceptable for even one person to be hurt because of ignorance in the government allowing legally owned and purchased firearms to fall into the hands of criminals or terrorists.
We would encourage anyone who backs this registry to have some serious and well-intentioned consultations with multiple security consultants in the private sector, as well as vendors (multiple Government vendors have themselves been breached); and explore every avenue available to limit the damage should a breach occur.
Government should be open and transparent about measure being taken in order to allow them to be challenged to ensure that the objective of public safety can be met. The items here that should be considered minimum items for consultation (but not limited to):
- Compliance/standards – which industry recognised best-practices and standards will the system comply with?
- g. SOC24
- Regular auditing – breaches and weaknesses should be identified early, prevention is the only acceptable outcome
- Access control – this should be prohibitive by default. Very few people should have access to the system, and fewer still should have access to more than basic data points
- Logging – all user access should be logged and available for auditing. This has been used to identify inappropriate use of data within Australia’s various state police agencies
- Record-level encryption – each record should be encrypted individually and decryption performed on a per-user basis, no single keys should be able to decrypt all records
- This is a frequent criticism of MyHealthRecord
- Multi-factor authentication – A password is simply not sufficient, and more organisations now require multiple factors of authentication
- Such as SMS code or an authenticator application
- Training is not an excuse here – if users are incapable of grasping this, then they cannot be trusted to keep data safe, inept users are overwhelmingly victims of phishing
- New laws governing the use of data contained within the system – public safety is a primary objective of the National Firearms Agreement, given the following context, it would be pertinent to consider new laws governing the use of data contained in the registry, abuse of the data and inappropriate access of the data
- Western Australian Police notoriously used their firearm registry to publish a map of Law-Abiding Firearm Owner’s homes in a newspaper5. Not only was this an egregious lack of judgement, but it was later used by a user on Reddit to pinpoint the locations, showing how easily criminals could use this information to steal firearms – Western Australian Police Minister Paul Papalia has refused to apologise
- There have been numerous instances where members of police agencies have been charged with “accessing restricted data on government computers without authorisation” and other charges relating to inappropriate use of data stored in government databases6
The difference with a national registry, when compared to current state registries, is that the system would have to be connected to multiple organisations and departments at a national level, drastically increasing the surface area for attacks over current state-level systems, some of which are not hosted offsite, and thus require more sophisticated but still relatively simple malware attacks to compromise user’s machines.
Government should be open, transparent, and consult multiple organisations and vendors, to share such findings in parliamentary readings, as well as being open to feedback, to achieve the goal of creating the most robust system and ensuring public trust.
If data can be stolen from the Australian Federal Police, as well as some of the most financially able and skill-dense companies in the IT sector, it is not a far leap to say the same will happen here. The impacts can be reduced, as can the risk, if the problem is approached with the respect and seriousness it deserves.
It should be noted that if the public safety aspect fails here, the key premise of the National Firearms Agreement will have failed. Such a situation would lead to the government facing serious questions and criticisms.
We would encourage contemplation on the benefits and risks of such a system, best industry practices assume you will be breached by default. Exposing medical data is egregious, creating a database where if obtained by malicious parties, the data could place Law-Abiding Firearm Owner’s, their families, the general public, and police officers, at risk of very real and serious harm is a far more serious issue entirely – there is a history of abolishing national firearm registries in the 21st century for a good reason.
Looking internationally
The idea of a national firearm registry is not new, nor unique to Australia, other countries have implemented these beforehand. They, however, have also been abolished. In this section of our submission, we explore two countries which have abolished their national firearm registries in the 21st century.
Canada
The Canadian firearm registry, also known as the long-gun registry, was introduced in the 1990’s as a way to reduce gun-related crime. However, the registry faced significant opposition from gun owners and law enforcement officials who argued that it was ineffective and costly. Over the years, the registry became a symbol of government overreach, and it was widely criticized for being both intrusive and wasteful. As a result, in 2012, Canada abolished the long-gun registry, citing its inefficacy and cost.
One of the primary reasons for the registry’s failure was its high cost. The initial estimate for the registry was $2 million7, but the actual cost ended up being closer to $2 billion8. This astronomical price tag was due to a variety of factors, including the need for extensive data collection, maintenance, and enforcement. Despite its high cost, the registry was ultimately deemed ineffective at reducing gun-related crime9.
Moreover, the registry was criticised for being poorly designed and implemented10. It was widely believed that the registry was ineffective at tracking illegal guns, as the vast majority of gun-related crimes were committed using illegally obtained firearms. Additionally, the registry was plagued by technical issues, including data entry errors and inconsistencies, which made it difficult to rely on as a source of accurate information.
New Zealand
New Zealand abolished its national firearms registry in 2019, just over two decades after it was established. The registry was intended to keep track of all firearms in the country, but it was plagued by issues from the start. One of the main issues was that the registry was incomplete, with many firearms not being registered at all. This made it difficult to determine the actual number of firearms in the country and who owned them. Additionally, criminals were not inclined to register their firearms, and there were no provisions in the registry to enforce registration or punish those who did not comply.
The registry was also extremely costly to maintain, with estimates putting the total cost at over NZD $100 million. This is a significant amount of money for a small country like New Zealand, and many argued that the funds could have been better spent on other priorities, such as mental health services or education. Despite the high cost, the registry was not effective in reducing gun crime or improving public safety, which was its main goal.
Lessons learnt
The abolishment of these national firearm registries should serve as a lesson to the Australian Government as to why the proposed National Firearm Registry is not the answer to reducing gun-related crime.
The evidence on the effectiveness of registries in crime prevention
Law-Abiding Firearm Owner’s (LAFO’s) are not responsible for firearm crimes
A common talking point amongst the LAFO community is that LAFO’s are not responsible for firearm related crimes, such as homicide or robbery. This claim is backed by a report from the Australian Institute of Criminology stating that since the implementation of the NFA, licensed firearm owners have not been responsible for over 90% of firearm-related homicides, nor have over 90% of firearms used in these crimes been registered or were their owners licensed11. Furthermore, analysis of legal firearm ownership and firearm-related assault and/or homicide have found that there is no correlation between those two factors12.
LAFO’s are not the source of criminal-use firearms
It is a false to imply that firearms used in criminal activities come from LAFO’s, or that a National Firearm Registry would a statistically significant effect on the accessibility of firearms to those who wish to use them for nefarious activities. Current data estimates that there may be from 260,000 to 600,000 firearms in the domestic illicit market13. The grey market, the firearms which have never been registered and possession is illegal, is currently and will continue to be a major source of firearms to be used by criminals13. Criminals can target these firearms easily, as they are not in the possession of a LAFO, nor would their theft be reported. Furthermore, interviews with people convicted of firearm-related offences admit to the ease of which they can access firearms on the illicit market, and that their preferred method of acquisition is not theft14.
Where thefts from LAFOs has occurred, this has been reported as a mix between opportunistic and targeted incidents15. These thefts account for less than 9% of firearms diverted to the illicit market13. Should a national registry be implemented, and then compromised, this number would likely increase.
Concluding remarks
Firearm Owners United do not support the development and implementation of the proposed National Firearm Register. The security risk alone should be a deterrent to development, as when a breach occurs, it will pose an unnecessary risk to the public. The concept relies on the securement of many points of entry, as well as highly competent users. The idea that a national registry will enable better tracking between the state and territory registries is rendered moot by the fact that if police fail to communicate properly and check existing records, a new system won’t fix it.
However, should the government continue to develop and implement the proposed National Firearm Register, there are a number of items which should be included. First, security and validation audits of the current registries must occur. Second, the Australian Government must consult with multiple IT security companies to develop a world-class system. Third, the system must not be easily accessible, nor should any one given person be permitted to access the entirety of the database, which leads to point four. Any person permitted to access the register must be highly trained, vetted, and competent with technology, with per-user logging encryption for accountability.
Yours Sincerely,
[SIGNATURES OMITTED FROM WEBPAGE]
References
- Department of Local Government, S. and G.o.W.A. Cultural Industries, Audit report identifies cyber security issues. DLGSC, 2022.
- Deery, S., Singtel Optus group’s Trustwave awarded critical cyber security contract, in Herald Sun. 2023.
- Cybersecurity and A. Infrastructure Security, General Information | CISA. www.cisa.gov.
- System and Organization Controls. Wikipedia, 2021.
- Hastie, H., WA gun owners demand apology for police map showing their locations. WAtoday, 2022.
- Lang, A., Sydney cop charged with accessing restricted data and stalking. news.com.au, 2022.
- Government of, C., Information archivée dans le Web. publications.gc.ca, 2010.
- TIMELINE | The gun registry debate. CBC, 2011.
- Op-Ed: Seventeen false claims about the effectiveness of the gun registry. web.archive.org, 2005.
- OFAH.org – Ontario Federation of Anglers and Hunters. web.archive.org, 2009.
- Mouzos, J., The Licensing and Registration Status of Firearms Used in Homicide. 2000.
- Negin, J., et al., Gun violence in Australia, 2002–2016: a cohort study. Medical Journal of Australia, 2021. 215(9): p. 414-420.
- Australian Criminal Intelligence, C., Illicit Firearms in Australia. 2016.
- Boaz, J., As Melbourne and Sydney reel from inner-city shootings, researchers look to trace where the guns are coming from, in ABC News. 2022.
- Bricknell, S., Public Policy Series 116 Firearm trafficking and serious and organised crime gangs. 2020.