Ten agencies, including Commonwealth and state law enforcement, accessed telecommunications metadata “without proper authority” in the 2018-19 financial year, the Commonwealth Ombudsman has found.
The breaches of the Telecommunications (Interception and Access) Act are revealed in the ombudsman’s fourth assessment of agency compliance with the legislation, tabled last week.
“We identified instances at all inspections in 2018-19 where agencies had accessed telecommunications data without proper authority,” the ombudsman said.
“As such, the disclosure of the data was unauthorised.”
Agencies assessed included Home Affairs, the Federal Police and the Australian Criminal Intelligence Commission (ACIC), as well as state policing agencies from NSW, Victoria, Queensland, WA and Tasmania.
The report said the breaches were largely down to “defects in the authorisation process”, meaning officers had “no valid authorisation” or “were not delegated” to access metadata.
ACIC was one such agency where this was the case, with 171 instances disclosed where “telecommunications data was accessed without proper authority”.
The report said the breaches were the result of the agency failing to formalise “acting arrangements for the relevant authorised officers” to access the data.
ACIC also disclosed seven instances where data was accessed “without signed authorisation”, four where “approval was not documented” and nine where “authorisation was not made prior”.
Home Affairs disclosed 74 instances where an officer made authorisations for data when they were not authorised to do so due to a new instrument that increased the level of seniority required.
“The department did not communicate the change effectively to its staff, therefore the officer continued to make authorisations despite no longer being authorised to do so,” the report said.
The Australian Securities and Investments Commission (ASIC) similarly disclosed 28 instances where officers made data authorisations when they were “no longer authorised to do so” due to a new instrument that omitted those previously admitted.
“It appears these changes were not sufficiently communicated within ASIC and a number of officers who were not included on the new instrument continued to make authorisations,” the report said.
“ASIC took appropriate remedial action to quarantine all telecommunications data received as a result of these unauthorised disclosures.”
Administrative errors also saw some agencies state the “wrong service number or time period on an authorisation” or enter the “wrong number in the integrated public number database”.
In the case of Home Affairs, it disclosed 54 instances where data was received “outside the period specified on the authorisation” due to errors with the department’s telco data request system.
The ombudsman also uncovered an additional seven instances.
Previous years' reports have also disclosed similarly unauthorised access to telecommunications metadata.
Agencies struggle to shake oral requests
For half the agencies, the ombudsman was “unable to assess whether the authorised officer had enough information… at the time of making the authorisation”.
“In some instances this may have been because the authorised officer was orally briefed at the time of application or was directly involved in the investigation,” the report said.
“However, without records of this, we could not be satisfied the required considerations were made.”
At the Australian Federal Police, the report said that “many” metadata requests made by officers “did not include detailed background information, or referred only to case numbered operations”.
“As such, we were not able to assess what information the authorised officer had regard to in making the authorisation,” the report said.
The ombudsman added the inconsistent practice around documentation gave it a “general lack of confidence that authorised officers routinely had regard to required considerations”.
In the case of NSW Police, oral authority for integrated public number database (IPND) searches was formally disbanded in June 2018, but the ombudsman said the force had yet to implement the policy.
“We identified that, in certain circumstances, [NSW Police] was conducting IPND searches and obtaining subscriber telecommunications data without a written or electronic authorisation,” it said.
Tasmania Police also had “no records to demonstrate what information was available to the authorised officer at the time of the authorisation”, though this was likely to have taken place orally.