Australian Federal Police calls for audit into its telco data requests

After finding 'compliance issues' from as far back as 2007, the AFP has commissioned PwC to independently audit requests it made to telecommunications carriers.
Written by Asha Barbaschow, Contributor

An audit has been called to probe requests the Australian Federal Police (AFP) made to telecommunications carriers.

The AFP said it commissioned PwC to perform the audit after "identifying compliance issues, some dating back to 2007".

The identified issues relate to record-keeping, authorisations, and reporting of requests under Section 180(2) of the Telecommunications (Interception and Access) Act 1979.

The AFP said it undertook an examination of historic documents and records to estimate the extent of the compliance issues, and self-reported to the Commonwealth Ombudsman on 24 January 2020.

In a statement, the AFP confirmed the requests were made by ACT Policing and related to the potential identification of a mobile device location during an investigation.

Location requests cover the general location of the device, such as several streets or a suburb, but do not provide metadata or private communication from the mobile device.  

Location requests can only be made for investigations into serious offences or offences punishable by imprisonment for at least three years. 

Offences that meet these definitions include murder, kidnapping, drug trafficking, terrorism, aggravated robbery, and firearms offences.

As a result of these "compliance issues", some requests were not reported to the Minister for Home Affairs, as they were not included in submissions by the AFP for annual reporting.  

See also: Commonwealth Ombudsman singles out Home Affairs over stored communications and metadata handling

"This resulted in the AFP not discharging their reporting obligations in respect to these requests, nor presenting requests for Ombudsman inspection," a statement from the AFP said.

"The AFP has identified and taken corrective action to ensure legislative compliance, including appropriate recording, authorisation and future reporting."

ACT Policing had separately confessed in July that it found 3,249 extra times it accessed metadata without proper authorisation during 2015, on top of the 116 requests disclosed earlier that year.  

"Once the issue was discovered, ACT Policing notified the Ombudsman's Office to seek advice on how to remedy this administrative oversight," it said at the time.

From the extra requests, 240 were forwarded to case officers, which landed ACT Policing in legal hot water.

"ACT Policing has sought legal advice regarding the management of two matters relating to a missing persons case and a criminal matter where the data in question may have been used in a prosecution," it said.

"The Ombudsman's Office has been kept informed throughout the examination and quarantining process. It is not appropriate to identify particular cases."

The Commonwealth Ombudsman is expected to commence an own-motion investigation into the compliance issues matter, and PwC's audit is due to be completed by June 2020.


Cops are getting full URLs under Australia's data retention scheme

There is content on the envelope. A Senate committee has been told that law enforcement agencies sometimes get full URLs from telcos, despite government reassurances.

OAIC wants visual on what telcos are handing over under data retention regime

The commissioner also reiterated the importance of limiting the retention period, introducing a warrant-based system, better defining terminology used in the legislation, and restricting who exactly has access to data.

Anti-corruption and police integrity bodies reject call to reduce data retention period

The NSW Law Enforcement Conduct Commission was joined by the Australian Commission for Law Enforcement in asking for the minimum two-year period for retaining telco data be kept under the country's data retention regime.

Australian enforcement agencies angling for metadata review on telco cost recovery

Agencies are very happy with Australia's data retention scheme, with one using it in 90% of investigations.

Editorial standards