Ombudsman finds unlawful metadata access by ACT cops on 1,704 occasions

Michael Manthorpe finds internal procedures at ACT Policing and a 'cavalier approach' to exercising the Telecommunications Act powers resulted in a culture that did not promote compliance. He has recommended the AFP seek legal advice.

The Commonwealth Ombudsman has confirmed that of the 1,713 individual accesses to location-based services (LBS) by ACT Policing between 13 October 2015 and 3 January 2020, only nine were fully compliant with the Telecommunications (Interception and Access) Act 1979 (TIA Act).

In January 2020, the Australian Federal Police (AFP) identified compliance issues involving record-keeping, authorisation processes, and reporting of telecommunication requests relating to location-based services under Section 180(2) of the TIA Act, dated as back as far as 2007.

Ombudsman Michael Manthorpe was engaged the following March.

In particular, the Ombudsman's investigation focussed on access to, and use of, one type of telecommunications data -- LBS or "pings".

"While initial advice provided by the AFP to my Office was that the LBS obtained by ACT Policing was only used to locate someone to arrest them, we were unable to rule out the possibility that unlawfully obtained evidence, the LBS, may have been used for prosecutorial purposes," the report [PDF] said.

"Secondly, the privacy of individuals may have been breached."

Common compliance issues the Ombudsman identified in its assessment of the 1,713 instances include: Location accessed on an incorrect number, LBS accessed after an authorisation expired, additional LBS accessed that was not authorised, no time specified on an authorisation, and authorisations that were not signed.

Providing examples of where ACT Policing operated incorrectly, the report said there were instances where the LBS was unsuccessful, such as when a phone was switched off or was not subscribed to the relevant provider, and thus was determined as not requiring an authorisation.

"We cannot be confident that the AFP's available records of authorisations made reflect all accesses to LBS," the report said.

The Ombudsman said he could not be satisfied that the scope of the breaches has been fully identified by the AFP nor the potential consequences, and considers it possible that breaches have occurred in parts of the AFP other than ACT Policing.

"The AFP and ACT Policing missed a number of opportunities to identify and address that ACT Policing was accessing LBS outside the AFP's approved process earlier," the report declared. "The internal procedures at ACT Policing and a cavalier approach to exercising the powers resulted in a culture that did not promote compliance with the TIA Act. This contributed to the non-compliance identified in this report."

ACT Policing in July 2019 confessed it found 3,249 extra times it accessed metadata without proper authorisation during 2015, on top of the 116 requests it disclosed earlier that year.

The Ombudsman is concerned this means: The access was not reported to the Minister for Home Affairs and the records were not provided to the Ombudsman's office to be considered for inspection; and that the risk of non-compliance with legislative requirements under the TIA Act was higher as the access occurred outside established processes approved by the AFP.

"I want the community to be assured that we have changed our approach to requesting and approving access to mobile device locations, which my officers are implementing daily," Chief police officer for the ACT Neil Gaughan said on Wednesday.

He also said all location requests on mobile devices are now centralised through the AFP Covert Analysis and Assurance business area.

The Ombudsman made a total of eight recommendations, all agreed to by ACT Policing.

The first asks the AFP to ascertain whether other areas of the force have accessed LBS and determine the actual number of requests made for LBS, covering the period from 13 October 2015 to 31 January 2020. Manthorpe also asks the AFP to develop consistent processes and ensure training is thoroughly conducted, in particular that privacy intrusion is justified and proportionate.

Another recommendation suggests the AFP seek legal advice on any implications arising from accessing prospective telecommunications data that has not been properly authorised.

HERE'S MORE