Australia's telecommunications companies have been left with a funding hole of over AU$70 million to cover the capital costs of Australia's data retention scheme, according to the Telecommunications Interception And Access Act 1979 Annual Report 2015-16 [PDF], while data authorisations for terrorism ranked below those for illicit drug offences.
Despite handing out AU$128 million in grants last year, the report, released on Monday, states that the capital cost to industry will total AU$198 million by the end of the 2016-17 financial year.
"Information collected from industry through the Data Retention Industry Grants Programme indicates that the estimated capital cost of implementing data retention obligations over the period between 30 October 2014 and 13 April 2017 is AU$198,527,354," the report said.
"[Costs] relate to the anticipated direct upfront capital costs and not the recurring or indirect costs associated with compliance."
In 2015, Attorney-General George Brandis said he expected the average ongoing cost for telcos to run their data retention system would be around AU$4 per month.
The report said the Attorney-General's Department (AGD) received 210 applications for funding, of which 10 were withdrawn, and 180 telecommunications providers were found to be eligible for funding. Of that 180, "most" were awarded a grant to cover 80 percent of their costs.
It was also detailed that during the implementation period for the data retention scheme, AGD received 402 data retention implementation plans from 310 providers.
Under Australia's data retention laws, passed by both major parties in March 2015, telecommunications carriers must store customer call records, location information, IP addresses, billing information, and other data for two years, accessible without a warrant by law-enforcement agencies.
Over the period from October 13, 2015 to June 30, 2016, the report said the offence for which the highest number of authorisations to telco data was made was illicit drug offences, with 57,166. This was followed in ranking by miscellaneous, homicide, robbery, fraud, theft, and abduction.
Terrorism offences ranked below property damage and cybercrime, with 4,454 authorisations made.
As part of the data retention laws, the spirit of the legislation was to restrict access to stored metadata to a list of approved enforcement agencies, with those agencies not on the list theoretically having access removed on October 12, 2015.
Overall, the report said 63 enforcement agencies made 333,980 authorisations for retained data, of which 326,373 related to criminal law.
"In 2015-16, law enforcement agencies made 366 arrests, conducted 485 proceedings, and obtained 195 convictions based on evidence obtained under stored communications warrants," the report said.
During 2015-16, 3,857 telecommunication interception warrants were issued, with interception data used in 3,019 arrests, 3,726 prosecutions, and 1,812 convictions. Total cost for interception warrants was AU$70.3 million, at an average cost of AU$619,200 per warrant.
Australia Post accounted for 64 authorisations between June 30 and October 12, 2015, compared to none the year before; and the Victorian Department of Economic Development, Jobs, Transport and Resources made 173 authorisations in 3.5 months compared to 226 the entire financial year prior.
It was also noted that on six occasions, warrants were exercised by people not authorised to; in three instances, the Ombudsman could not determine whether stored communications related to the person named on a warrant; and in one instance, it could not determine who had received stored communications from a carrier.
It was also revealed that during the 2015-16 year, the Western Australia Police had received a pair of journalist warrants, which saw 33 authorisations of data made.
"These authorisations were for the purpose of enforcing the criminal law," the report said.
In April, the Australian Federal Police (AFP) revealed that it had "mistakenly" accessed a journalist's call records without a warrant in breach of the data retention legislation.
It was subsequently learned that AGD had advised government departments to skirt metadata laws and rely on coercive powers.
In May, the Commonwealth Ombudsman found the AFP to be handling metadata in a compliant manner, but noted a number of exceptions.
"We identified two instances where a stored communications warrant had been applied for and subsequently issued in respect of multiple persons, which is not provided for under the Act," the report said.
In response, the AFP said its warrant templates were not clear enough.