Commonwealth Ombudsman finds instances of telco data accessed without authority at all agencies inspected
Late last week, the government tabled the Commonwealth Ombudsman's report on agency access to stored communications and telecommunications data for the 2018-19 financial year, and while the Ombudsman was upbeat about most agencies getting better, all agencies fell foul of sticking to the letter of the law in some way.
The irony is that the agencies inspected form the law enforcement arm at federal and state levels. The agencies looked at were Australian Criminal Intelligence Commission, Australian Federal Police (AFP), Crime and Corruption Commission Queensland, Department of Home Affairs, Independent Commissioner Against Corruption for South Australia, New South Wales Police, Queensland Police, Tasmania Police, Victoria Police, and Western Australia Police.
"We identified instances at all inspections in 2018-19 where agencies had accessed telecommunications data without proper authority. As such, the disclosure of the data was unauthorised," the report [PDF] said in the section dedicated to telco data inspections.
Problems with the authorisations ranged from "administrative error", such as in incorrect number or time period on a notice, to authorisation being made by those without authority to do so, failing to send written notices as required by law, and relying on oral notices.
"At all agencies, we identified instances where carriers had provided data that was not authorised because it was outside the parameters of the authorisation. This included instances where the carrier provided data that exceeded the time period authorised, or provided a different type of data than was authorised," the report said.
The Ombudsman said although "many agencies" could identify and quarantine unauthorised data, at around half of the agencies, the inspections found further instances of unauthorised data.
Called out for an elevated level of criticism was Tasmania Police, which the Ombudsman said did not have a "well-developed compliance culture".
"This was indicated by a large number of issues across several of its processes, including limited progress in addressing our previous inspection findings and significant variances in the level of awareness of requirements under the Act," the report said.
"We considered that the required improvements could not be implemented without fundamental changes to the way Tasmania Police approaches compliance."
In the telco data section, Tasmania Police received two recommendation and 10 suggestions, with failures in gaining consent to access data, a lack of record keeping on when communications data is destroyed, failing to destroy data when required, and data being destroyed without proper approval.
"At both the 2017-18 and 2018-19 inspections, we identified that all stored communications a particular carrier provided to Tasmania Police were received by a staff member who was not authorised to receive them," the report stated.
The inspections also found Tasmania Police had an "ineligible issuing authority" around stored communication warrants.
"We were not satisfied that Tasmania Police had taken appropriate remedial action to manage the unlawfully accessed stored communications or that there was sufficient awareness within Tasmania Police of the existence of these invalid warrants," the Ombudsman said.
Further, the inspections showed Tasmania Police failed to provide its annual report for 2017-18 to the Minister for Home Affairs, as required.
Previous instances of the report have seen the Department of Home Affairs dressed down for failing to handle stored communications data properly. In this instance, Home Affairs walked away with 11 suggestions in total.
"Over previous inspection periods we identified, and the department has disclosed, serious compliance issues relating to its use of stored communications powers. However, the scale and seriousness of these issues decreased as the department developed and implemented measures to improve its compliance," the report said.
The department disclosed 74 instances of an unauthorised officer making authorisations for data, and 54 instances where received data was outside the period of the authorisations.
"In each instance, the department's telecommunications data request system inputted the end time for authorisations as 00:00, rather than 23:59, which meant the period of the authorisation ended at the beginning of the day rather than the end," the report said.
"While the department sought to address this through manual annotations on the authorisations, in some instances telecommunications data disclosed was dated after the end time of the authorisation and therefore outside of what was authorised," the report said.
The AFP were handed three recommendations and 33 suggestions as the agency continued to issue successive foreign preservation notices, failed to gain consent of victims in one instance, failed to destroy data, and directed telcos to perform actions that were not required or did not have legal authority to perform.
The report said there were several instances where it could not be confirmed whether authorised officers had made "required considerations" prior to authorisation due to a lack of documentation. It also passed on multiple requests from foreign law enforcement without checking whether the request was permitted in Australia.
"We also identified that the AFP had made two foreign prospective authorisations (one of which had been extended) in the absence of the Attorney-General having made an authorisation ... despite this being required before a foreign prospective authorisation can be made," the report said.
"In our 2019-20 inspection, we found that the AFP was not able to account for the use and disclosure of the information it obtained under one of these authorisations and suggested that it do so."
The AFP also received a number of stored communications warrants from a member of the Administrative Appeals Tribunal (AAT) that was not authorised to do so. This was a common issue amongst the agencies inspected, as were the issues of warrant templates not being in a prescribed form, and having incorrect wording in affidavits.
Victoria Police was also found to have authorised officers making requests without proper consideration, nor proper training or reference materials. The police force also does not have a system capable of quarantining unauthorised data. Consequently, Victoria Police received four recommendations and nine suggestions.
During the period covered by the report, NSW Police led the way with over 98,000 uses of its powers for historic records, followed by Victoria Police with 82,700, Queensland Police used the powers almost 25,300 times, the AFP used its powers for historic records 19,550 times.
For prospective records, Victoria Police used its powers almost 9,700 times, the AFP was next with 3,700 uses, followed by Queensland Police on 3,430.
Of those records, the Commonwealth Ombudsman only needed to look at 155 records from the AFP, 125 from Victoria Police, and 92 from Tasmania Police to find issues on which to base its report.
Updated at 12:14pm AEDT, 9 February 2021: Clarified number of agencies inspected was ten. Twenty agencies in total have access to stored communications and telecommunications in Australia.
Related Coverage
- Budget 2020: Commonwealth Ombudsman scores AU$1.6m to oversee encryption laws
- Intelligence review recommends new electronic surveillance Act for Australia
- Surveillance Bill to hand AFP and ACIC a trio of new computer warrants
- Tech giants not convinced Australia's critical infrastructure Bill is currently fit for purpose
- PJCIS stops short of recommending warrants to access metadata as scheme is tightened