ACT Policing may have unlawfully accessed location data, Ombudsman finds

ACT Policing may have illegally accessed the approximate location of mobile devices during investigations due to its “cavalier approach to exercising telecommunications data powers”, the Commonwealth Ombudsman has found.

An investigation [pdf] into the access and use of location-based services (LBS) or ‘pings’ found that the community policing arm of the Australian Federal Police failed to properly authorise or report LBS authorisations between October 2015 and 2019.

LBS provides the “location of a mobile devices from which communication was made”, either for a single point in time or at regular intervals, and is used by law enforcement agencies to identify persons of interest.

The investigation was prompted by an internal review that found about 8000 requests for prospective telecommunications data such as LBS had taken place outside of the AFP’s approved processes since 2007.

The report, released on Wednesday, found that less than one percent of individual instances of access to LBS between October 2015 and 2019 were “fully compliant” with the Telecommunications (Interception and Access) Act.

“We identified that many of the authorisations made by ACT Policing for access to telecommunications data between 13 October 2015 and 2019 were not properly authorised,” Ombudsman Michael Manthrope said in the report.

“Of the 1713 individual accesses to LBS by ACT Policing for that period, we were only able to provide assurance that nine were fully compliant with the Telecommunications (Interception and Access) Act.”

The sheer number of non-compliant requests means “many LBS could have been accessed unlawfully”, Manthrope said, which could have a number of implications, particularly in instances where data was relied on in prosecutions.

“While initial advice provided by the AFP to my office was that the LBS obtained by ACT Policing was only used to locate someone to arrest them, we were unable to rule out the possibility that unlawfully obtained evidence, the LBS, may have been used for prosecutorial purposes,” he said.

Manthrope also noted that AFP and ACT Policing missed “a number of opportunities” to rectify issues with LBS access and that “possible breaches have occurred in parts of the AFP other than ACT Policing”.

The report details instances where “authorised officers approved LBS searches within minutes of receiving a request”, with “no documentation available that reflects they had sufficient information to properly consider the circumstance of the request”.

On other occasions, police officers would access LBS data without approval from the relevant officer in charge and then submit an approval request retrospectively, confirming that officers were unfamiliar with their responsibilities.

“The emails show ACT Policing often took an informal approach to using these intrusive powers,” the report found, adding that this was despite regular email reminders that “access to LBS should be considered and undertaken only when absolutely necessary”.

It also “identified numerous internal communications that highlighted significant problems affecting ACT Policing’s use of LBS and others that demonstrated ACT Policing’s efforts to improve its practices and standards”.

But despite this “regular engagement with intelligence staff and investigators on issues relating to LBS practices”, the Ombudsman said “there appears to have been little improvement in the equality of the process ACT Policing employed from 2010 to 2020”.

The report partially blames the breaches on “ACT Policing not following the AFP’s approved process when requesting and accessing prospective telecommunications data”, but noted the existence of “several disparities in how this process had been communicated”.

All requests for prospective telecommunication data, including LBS, were meant to be made through the AFP’s centralised compliance team, known as the covert analysis and assurance team, with historic telecommunication data approved through a separate process.

“The internal procedures at ACT Policing and a cavalier approach to exercising the powers resulted in a culture that did not promote compliance with the TIA Act. This contributed to the non-compliance identified in this report,” Manthrope said.

The report has made eight recommendations, including that the AFP audit all LBS requests between October 2015 and February 2020 and seek legal advice on the “implications arising from accessing prospective telecommunication data that has not been properly authorised”.

With powers that will allow the AFP to gain exclusive control of a person’ online account to gather evidence about serious offences currently before parliament, Manthrope used the report to highlight the need to correctly use powers.

“Law enforcement agencies rely on a wide range of covert and intrusive tools to do their work, but to maintain public trust these tools need to be properly deployed, in accordance with the legislation which governs their use,” he said.

‘Indeed, the parliament currently has before it proposed legislation which will further extend the powers of law enforcement agencies, in relation to being able to detect and disrupt criminal activity.  

“A critical factor in effective oversight of such powers is that law enforcement agencies need to report to the Ombudsman about how the powers are being used, so that compliance can be assessed and publicly reported.

“In this case full reporting did not occur to the Ombudsman for a considerable period of time.’