A review of Australia’s telecommunications metadata retention laws concludes a longstanding loophole allowing all manner of agencies to access metadata should be closed off, saying it was of “considerable concern” this was ever allowed in the first place.
The same review also recommends that warrantless access to metadata should continue, albeit to a smaller number of agencies, declaring requests to establish judicial oversight “out of scope”.
The recommendations are contained in a review of the mandatory data retention scheme by the Parliamentary Joint Committee on Intelligence and Security (PJCIS), published near close of business Wednesday.
The 189-page report makes a total of 22 recommendations that it says the government, or more specifically Home Affairs, should implement.
Authorised officer numbers should be reined in
The review overrules human rights and civil liberties groups that had wanted judicial or other independent oversight of requests for metadata access.
While noting “tension between the rights of Australian citizens to their privacy and the pressures facing law enforcement when investigating crime”, the PJCIS said it was “not satisfied that a warrant should be required for data held as part of the MDRR [mandatory data retention regime].”
However, the committee went on to express considerable concern at the number of law enforcement officers that are currently able to authorise a request from within their agency to access metadata as part of an investigation.
“The committee regards the numbers of authorised officers being in the thousands as disconcerting and recommends means of reducing those numbers, by having regard to issues such as the seniority and level, and qualification and experience of officers,” it said.
In addition to limiting the number of authorised officers, the PJCIS said there should be better reporting of the number of authorised officers, the number of authorisations they make, and for what specific types of crime.
Over 100 agencies, from councils to the RSPCA and environmental authorities, have used a loophole - section 280(1)(b) of the Telecommunications Act 1997 - to get access to metadata.
Communications Alliance, which represents telcos, has been central in both keeping track of and exposing these data requests, which sit well outside the intended scope of the mandatory data access regime.
The regime itself lists the parties that are meant to be able to access metadata, but loopholes elsewhere mean the list does not limit access as it was intended.
The PJCIS expressed “considerable concern” that this situation had been allowed to occur, along with “disappointment” in Home Affairs’ response and lack of assistance “in finding a way to amend this section”.
Home Affairs, for its part, has previously denied section 280(1)(b) constitutes a loophole.
The committee said it tried to solicit justifications for continuing the loophole from the scope-creeping agencies but got little response, and what it did get back was unconvincing.
“There were very few submitters that took this opportunity up,” it said.
“Those that did were unable to convince the committee of the need for this broad access to telecommunications data.”
The PJCIS recommended that section 280(1)(b) of the Telecommunications Act 1997 “be repealed”, and that the government make clear that the Telecommunications Interception Act (TIA) is the only legal mechanism available to gain access to metadata.
The committee recommended that location data should not be removed from the dataset collected by telcos and available to law enforcement agencies under the regime “at this time.”
It was also unmoved by arguments to lengthen or shorten the amount of time metadata is kept by telcos, maintaining the existing two-year period.
The committee did, however, clarify that telcos do not have to keep metadata related to internet of things (IoT) services.
It also said that some rules around data format consistency as well as storage and disposal of metadata were needed.
This came in response to law enforcement agencies finding variations between the datasets they got from different telcos, as well as concerns by telcos about how the agencies handled and disposed of the data once it was in their possession.
It is not clear when or how the government might respond to the committee’s recommendations.