Trust us: Telcos told they can't verify journalist metadata warrants
Telecommunications companies receiving requests from government agencies to access the metadata of a journalist will have to take the agency at its word that it has obtained a court warrant to access the metadata of a journalist, and will not be able to see the warrant to verify it before handing over the data.
Under mandatory data-retention legislation passed in March, Australian carriers must retain a certain, as yet undefined, set of customer data -- such as call records, IP addresses, billing information, data volumes, and other so-called "metadata" for a minimum of two years.
This data can then be accessed by a number of government agencies without a warrant, with the only hurdle to clear being internal authorisation. The agencies then state to telecommunications companies in writing that they have authorisation for the data, and ask for it to be handed over.
The process is largely the same as it has been conducted in the past, but when passing the mandatory data-retention legislation, the Labor opposition, in voting with the government, sought to protect the sources of journalists by including the requirement that agencies seeking to find the source of a leak to a journalist will require a warrant before accessing that journalist's metadata.
Despite this new protection, documents sent to Australian telecommunications companies from the Attorney-General's Department (AGD) and obtained by ZDNet reveal that the telcos will have no way of knowing whether the warrant has been obtained. The request will look the same as any other to the carrier.
In the industry FAQ sent to carriers, the Attorney-General's Department has said that authorisations will continue the same way they have today, in writing. The carrier should "take steps to verify the authenticity of the request from the agency" with the agency directly, or the Attorney-General's Department, but the process will remain largely the same.
"The data-retention obligations do not alter the powers relevant to making requests. Service providers should expect that the kinds of requests they receive will change only to the extent that once the data-retention regime is fully implemented, requested data within the prescribed data set may be two or more years old," the document states.
Latest Australian news
"A request to a service provider for data for the purpose of identifying a journalist's source will have the same form as other data requests."
While the agency will have additional requirements to make the request for a journalist's metadata, the carrier will have no knowledge of that.
"The existence of a journalist information warrant will not be disclosed to the service provider as part of an agency's data request. It is the responsibility of the requesting agency, not the service provider, to determine whether requested data falls under this category. Agencies' decisions in this respect will be subject to independent oversight by the Inspector-General of Intelligence and Security, in the case of ASIO, and the Commonwealth Ombudsman, in the case of enforcement agencies," the document states.
This aspect is not specifically outlined in the legislation, but there is a potential two-year jail term for disclosing the application, or existence, of a journalist warrant.
A spokesperson for the Attorney-General's Department said it was up to the Commonwealth Ombudsman to ensure warrants were obtained.
"Enforcement agencies are required to provide the ombudsman with a copy of every journalist information warrant and every data authorisation made under the authority of a journalist information warrant," the spokesperson said.
"This ensures that the ombudsman has complete visibility of all such warrants are authorisations."
Due to the journalist warrants just allowing authorisation to be given to an agency, the AGD has argued it is different to interception warrants that are provided to telcos, because no action is required from telcos when the journo warrant is issued.
The Australian Federal Police (AFP) confirmed earlier this year that in the 18 months prior to the announcement, the agency had received 13 referrals relating to leaks to journalists. The AFP told a Senate Estimates committee that four of these came from the offices of members of parliament, eight were from agencies, and one was from a private individual. The AFP said that nine of the 13 referrals were triggered by media reporting.
ISPs have until August 13 to submit to the AGD their implementation plans for complying with the mandatory data-retention regime.
Cracks are already appearing in the department's implementation of the policy. ZDNet has heard from ISPs that are unsure of what data they will be required to retain, and complained about a lack of communication from the Attorney-General's Department. At a recent event hosted by the Communications Alliance, frustration with the government boiled over, with Skeeve Stevens from Eintellego Networks describing it as a "mess".
"There is such a mess, and so many unanswered questions, and [AGD] needs what I am going to do in six weeks? Get serious, people, this is just ridiculous," he said at the meeting.