Police agencies duplicate technical requests to comms providers

Australian authorities are doubling up on technical assistance requests sent to cloud and network service providers because the laws prevent them from any disclosure or coordination.

Between July 1 2023 and June 30 2024, state police agencies issued a total of 60 technical assistance requests (TARs), seeking "voluntary" assistance from service providers to supply data or support during investigations.

However, according to the Commonwealth Ombudsman, designated communications providers (DCPs) are receiving duplicated requests for the same type of assistance from different agencies.

The issue may arise because agencies lack “visibility of the requests made to DCPs,” due to laws preventing the disclosure of information about, or obtained under a TAR. Contravening these laws can result in fines or imprisonment.

TARs came into force following the passing of the Assistance and Access Act at the end of 2018.

Known colloquially as "encryption-busting" laws, the legislation paved the way for a suite of new powers compelling services providers to cooperate with law enforcement requests for data or access.

If a provider doesn't comply with a TAR, an agency can issue a technical assistance notice (TAN) or technical capability notice (TCN), which compels them to “enable access” to a particular service, device or piece of software.

No TANs or TCNs were issued during the latest recorded period.

But the ombudsman did note that a handful of enforcement agencies were issuing TARs despite there being other ways to access the information already.

Both Queensland Police Service and the Australian Federal Police were flagged by the ombudsman for issuing TARs when they already had the necessary access through either another capability or a previous industry assistance request.

QPS was also noted for setting up a TAR request that extended nine months beyond the expected 90-day expiry.

Under the Telecommunications Act, a TAR remains in force for 90 days after issuance unless a specific expiry date is listed.

During this time, a DCP is expected to assist with technical actions such as data extraction or communication interception in conjunction with existing warrants and authorisations.

The ombudsman “found that TARs with long validity periods are often issued to support the execution of warrants or authorisations not yet issued”.

In the case of QPS, a TAR was given with an extended validity period of up to 12 months to enable the execution of a warrant or authorisation.

Upon the ombudsman’s inspection, only one request had been since the TAR's issuance.

With the ombudsman raising concerns over the “feasibility, necessity, proportionality and reasonableness of the TAR”, QPS has since agreed to review longer validity periods at six-month intervals.