Law Council wants warrants and crime threshold for metadata retention scheme

Agencies that are allowed to view metadata should be spelled out in legislation, Law Council of Australia states.

The Law Council of Australia has called for the introduction of warrants when the nation's enforcement agencies seek to access metadata stored in the data retention systems of Australia's telcos.

Currently, enforcement agencies have access to two years' worth of customers' call records, location information, IP addresses, billing information, and other data stored by carriers without the need for a warrant.

Although the number of agencies capable of this access was reduced when the laws came into effect, there are many ways for other agencies to get their hands on the data, thanks to compulsion powers in other federal and state laws.

"The Law Council considers that access to the telecommunications data by a particular agency should only be accessible by warrant unless the access is strictly necessary due to an emergency situation," the Council wrote in a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review of the mandatory data retention regime.

The Council called for the existing journalist protections to be extended to the population as a whole.

"There is requirement for a warrant to be issued before access can be permitted to the telecommunications data of a journalist, the same requirement for a warrant should apply in relation to accessing the metadata of all members of the Australian community," the submission said.

Against accusations that using warrants would introduce delays, the Council pointed to emergency warrants currently issued under the Telecommunications (Interception and Access) Act.

"In an emergency, where there is a real and reasonable belief that there is a serious and immediate risk to public safety or health, access may be authorised through a non-delegable Ministerial warrant," it said.

"Such an exemption would also help ensure that urgent operational activity would not be unduly impeded."

In earlier submissions, Australia's law enforcement agencies said they were happy with the current metadata arrangements, and if anything, the retention period needed to be extended beyond two years due to the heavy use of metadata.

The New South Wales Law Enforcement Conduct Commission said it makes use of telco data in 90% of investigations, and that it has helped with physical surveillance.

"Historically it can be said that around 30% of all surveillance deployments were inefficient due to the absence of the target or the inability to locate the target," the LECC said.

"With access to phone mapping, this situation is nullified in that deployments are able to be more targeted with this knowledge of the target's current location."

The Council said the addition of warrants would not create a situation where agencies require de facto judicial authorisation to investigate crimes, since agencies would still be free to investigate crimes through other means.

"The Law Council understands that there are concerns that a warrant-based system would limit the ability of law enforcement and national security agencies to employ what is often the lowest risk, least resource-intensive and least intrusive investigative tool," the submission said.

"The Law Council does not agree that the method of access to retained communications should be the paramount consideration. Rather, protection and oversight of rights of privacy should be paramount."

The submission added that since metadata contains so much data on an individual -- where they have been, who they have called, as well as potentially revealing medical conditions -- it should be treated the same as communication content, which currently does require a warrant to access.

"These existing processes could be extended and applied to access retained telecommunications data for investigation of threats to national security or serious criminal activity," it continued.

On the definition of serious crime, the Council said it could be "serious indictable offences or specific serious threats to national security" -- such as espionage, sabotage, violence, firearms, importation and exportation of prohibited imports, theft, fraud, money laundering, harbouring criminals, and forgery -- that carry punishments of at least three years in prison.

It added that the agencies that are able to access metadata should be spelled out in the metadata legislation, and only those agencies investigating serious crimes or assisting in finding missing persons should be named.

The submission further called for minimum security standards for retained data.

"Entities subject to mandatory telecommunications data retention requirements under the TIA Act should be required to demonstrate to the ACMA that they have met minimum standards for ensuring the security of retained telecommunications data, including a minimum national standard of encryption to be applied by industry," the Council said.

It added that agencies should be forced by legislation to de-identify data which is "irrelevant or no longer required" within a set timeframe.

"The Law Council considers that information in relation to how telecommunications data is stored, encrypted and disposed of should be made available to the public so that there is greater transparency in these key requirements of the scheme," it said.

Last week, Optus confessed it received an exemption to keep its legacy systems free from encryption when complying with metadata obligations.

"The legislative provisions which allow for certain exemptions to be granted were an important factor in Optus achieving compliance in an efficient and timely manner," Optus said in its submission to the PJCIS.

"Because part of its overall data retention architecture involved storing some data in legacy systems, Optus applied for and received limited exemption from the encryption obligation."

The telco said there had been no reported "security incident or breaches" related to the retained data.

Section 187BA of the metadata legislation states a service provider must encrypt the information stored.
