The Commonwealth Ombudsman, Michael Manthorpe, has revealed that law enforcement agencies are being given the full URLs of web pages visited by people under investigation.
Australia's mandatory telecommunications data retention scheme was meant to deliver only so-called "metadata" to the cops and spooks. Under the scheme, a warrant is not required.
But according to Manthorpe, the "ambiguity around the definition of content" means that agencies might effectively be receiving the content of communications.
The ombudsman explained his concerns during a hearing of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Friday.
Senator Andrew Hastie, Committee Chair: Could you talk about your concerns regarding ambiguity around the definition of content and whether or not an agency should have access to that when disclosed by a carrier under an authorisation?
Michael Manthorpe, Commonwealth Ombudsman: Yes, essentially, the piece of ambiguity we have observed through our inspections is that sometimes the metadata, in the way it's captured, particularly URL data, and sometimes IP addresses but particularly URL data, does start to actually in its granularity start to communicate something about the content of what is being looked at. That's essentially the point we're making.
Hastie: Just to be very clear, you get the URL, you get the full www. whatever it is .com?
Manthorpe: That's right.
Hastie: Which can indicate indicate what they're looking at.
Manthorpe: Exactly. It can be quite long, or it can be quite short, and in some cases the descriptor is long enough to start -- we start to ask ourselves well that's almost communicating content, even though it's captured in the URL.
Hastie: And then multiple -- we are getting too technical but you know -- multiple clicks, for example, on a thread would generate more and more, I guess, content.
Manthorpe: That's right. Yes, exactly. So it's, we're simply highlighting that I think when the scheme was commenced, the concept of metadata was probably thought to be quite a clean and delineable thing, but we know that there is a greyness on the edges here that we thought we should call out.
Hastie: Yeah. Sometimes there's information on the envelope, so to speak, to use the analogy from a couple of years ago.
Manthorpe: That's a good analogy.
As for the intelligence agencies, the Inspector-General of Intelligence and Security (IGIS), Margaret Stone, said that she wasn't aware of any instances of content being provided unlawfully, but she echoed Manthorpe's concerns.
"There is this assumption that you get more from content than metadata," Stone told the committee.
"But when you look at the range of metadata, and what it tells you, there's an argument that could be made that it is just as intrusive, or almost as intrusive, as content. You can tell a lot about what a person's doing from that."
See also: Why Australia is quickly developing a technology-based human rights problem (TechRepublic)
'Grave concerns' that this wasn't meant to happen
Labor Senator Anthony Byrne noted that the major telecommunications companies had given the government "numerous assurances ... that they could keep metadata in a subset" away from the content.
"The federal government actually gave these telecommunications companies a substantial amount of money to ensure that that has actually happened," Byrne said.
"If that's not happening, that's of grave concern to me."
Byrne stressed that he wasn't critical of the agencies, nor the Commonwealth Ombudsman's office, merely that what he was now being told did not match how he thought the system was meant to work.
"We are undertaking a review of this mandatory data regime, whether or not it works, whether or not it could be improved," he said. "It's nothing more than that."
Telco data requests are meant to be written down
Law enforcement agencies are obtaining telco data without written authorisation in a "very small number" of cases, according to ombudsman Manthorpe.
"In some cases, they issue an internal authorisation based on verbal advice. And at an operational level, I can understand why that might occur, but it isn't catered for in the legislation," he said.
"Sometimes, agencies -- if they issue a verbal authorisation -- do subsequently go to commit[ing it] to writing."
Or, presumably, sometimes not.
"We see non-compliance in a small minority of cases generally, and this is one area of potential non-compliance," Manthorpe said.
"I would want to emphasise that, you know, there is a big volume of authorisations, and as far as we can ascertain, most of them are authorised appropriately."
However as the committee noted, with the huge number of authorisations issues, a small percentage might still represent a large absolute number.
In the 2018-2019 financial year, 295,691 authorisations to access metadata were issued across all state and federal law enforcement agencies. This number does not include those issued to intelligence agencies.
ASIO guidelines 'well out of date'
The Attorney-General's guidelines that cover data collection by the Australian Security and Intelligence Agency (ASIO) are "well out of date", according to Margaret Stone.
"The present guidelines were issued in 2007, so guidance in relation to new powers introduced since then would be very helpful," she said.
As well as accessing mandatory data retention, those new powers include Australia's controversial encryption laws, and the power to conduit a range of "special operations".
"We've been saying for many years now, that those guidelines need revising," Stone said.
"They're well out of date, the present guidelines."
PJCIS has been hearing evidence as part of its review of the mandatory data retention scheme. These powers were legislated as Part 5-1A of the Telecommunications (Interception and Access) Act 1979, usually referred to as the TIA Act, in 2015.
The committee is due to report by April 13.