Seven months after its long-stalled examination of how 20 agencies across federal and state government in Australia handled stored communications and metadata over the 2016-17 financial year, the Commonwealth Ombudsman has released its 2017-18 edition [PDF].
Despite seeing fewer problems for 2017-18, the Ombudsman issued one recommendation to the Australian Federal Police (AFP), discussed a number of previous recommendations with Home Affairs, and found eight of 17 agencies that were inspected had instances of failing to comply with destruction of stored communication requirements.
For the AFP, the Ombudsman found 23 instances where authorisation was made under missing person laws despite the case being related to criminal law, and another two cases where authorisations under provisions to protect public revenue also related to enforcing criminal law.
The federal police also disclosed 563 instances of authorisations made by authorised officers that were subsequently rejected by an internal quality assurance process, and 73 instances where authorisations were notified to telcos with errors.
"Our Office also identified four instances where records reflected less than one minute had lapsed between the request being sent to the authorised officer and the return response making the authorisation," the Ombudsman said.
"Given the range of matters requiring consideration by authorised officers, this timeframe calls into question whether the requirements could have been met."
The authorisation errors were made by a number of officers across a number of teams, the report said.
"This means the errors cannot be attributed to an individual, team, or process, but rather, indicate AFP staff do not have a well-embedded appreciation of the requirements of the [Telecommunications (Interception and Access) Act] (TIA Act) and the individual responsibility of authorised officers," the Ombudsman said.
"We note this was also a contributing factor to the breach of the journalist information warrant provisions, which was disclosed by the AFP in April 2017."
The Ombudsman recommended the AFP implement processes to ensure authorised officers have regard to required consideration for authorisations.
In response, the AFP said it had released a mandatory training package in November 2017, and expects the number to fall for 2018-19.
A subsequent Ombudsman report into the April 2017 incident said AFP officers did not fully appreciate their responsibilities when using metadata powers.
For Home Affairs, of which the AFP is a part, the department told the Ombudsman it had issued a series of 56 historic domestic preservation notices to one telco over consecutive periods for the same person of interest. However, the Ombudsman found 100 notices.
"While this practice is not strictly in breach of any legislative provision, in our view it has a similar effect to giving an ongoing preservation notice," the report said.
"Home Affairs is not authorised to give ongoing notices because it is not an interception agency."
In the prior installment of the report released in 2017, which covered the 2015-16 financial year, Australian Customs was handed the only three recommendations contained within the report.
"In our view, Customs does not have sufficient processes in place to demonstrate that it is only dealing with lawfully accessed stored communications," the report said.
On the recommendations made previously, the Ombudsman said his office would continue to monitor Home Affairs' continuing remedial action.
An area the Ombudsman identified as getting worse was in complying with destruction of stored communications requirements.
From 26 instances last year, the figure jumped to 134 instances in 2017-18.
State agencies were particularly to blame, with the Queensland Crime and Corruption Commission having 10 instances, Queensland Police with 18, Northern Territory Police had 23 instances, and Western Australia Police had 19.
Tasmania Police was a runaway infringer, with a final figure of 53 instances.
The Ombudsman also pointed out a number of agencies had accessed telco data outside of the TIA Act by using other legislated powers.
"Our Office is not aware of any statutory external oversight of any disclosure of telecommunications data that may occur outside an authorisation made under the TIA Act," the Ombudsman said.
While the Commonwealth Ombudsman could use his own powers to inspect federal agencies, the report said, oversight would still be lacking for state agencies.
Home Affairs Minister Peter Dutton recently appeared in a video labelled as "the baddest MP".
Soon it might just be easier for Australia's telcos to keep a copy of every TCP or UDP header for the cops to poke through.
Australian developers really do need to relax. Cops and spooks are being told very clearly that the Assistance and Access Act isn't for dragooning you into deceiving your bosses.
The department said it is however 'focused' on addressing the negative perception of Australia's encryption laws, saying companies actually lack a clear understanding of the obligations within legislation.
eSafety Commissioner to decide what Australians shouldn't see.
ATO claims a lack of access to retained metadata of Australians has impacted its criminal cases to the tune of an average AU$10,770 per investigation.
Feedback from consultation will be used to form a superseding document to the 2016 Cyber Security Strategy.