The Parliamentary Joint Committee on Intelligence and Security (PJCIS) handed down its report on Australia's metadata retention scheme on Wednesday, issuing 22 recommendations that tighten access to data, without introducing any large overhauls, such as needing a warrant.
In broad terms, the committee recommends raising access thresholds in an effort to avoid a warrant regime, and boosting security and transparency around data held and passed across by telcos and authorised agencies, while the period of time Australian telcos need to retain data collected on customers remains at two years.
"The committee is not satisfied that a warrant should be required for data held as part of the [mandatory data retention regime]. However, the committee considers that access should require a higher level of authorisation within each agency as well as more detailed reporting in relation to how, when, and for what reason that access is granted," the report said.
"It is the committee's view that there is a need for more information to be collated about the current functioning of the mandatory data retention regime. This would assist all relevant oversight and review bodies in undertaking their work as well as affording a higher degree of transparency which the committee believes will give the Parliament and the Australian community greater trust in the use of these powers."
One area to gain a recommended exemption from the committee is the use of Internet of Things devices, which is set to be specifically omitted.
"If the government considers that there are clear benefits in requiring service providers to keep information for particular Internet of Things devices, and that those benefits outweigh the costs, the Telecommunication (Interception and Access) Act 1979 could be further amended to impose clear and specific requirements on providers to retain that information," the report said.
The committee said it was "disconcerting" that there were thousands of authorised officers around the country who could approve access to retained data, and instead put forward restricting that power to officers in a "supervisory role in the functional command chain" as well as individuals with a specific appointment.
"The indiscriminate authorisation of entire classes/ranks of officers as 'authorised officers' is, in the committee's view, inappropriate," it said.
The committee also recommended cutting out the loopholes that have allowed agencies that are not deemed as enforcement agencies to use other powers in order to gain access to metadata. The Attorney-General's Department was previously advising agencies to skirt the restrictions on metadata access.
"The committee has considerable concern around the use of section 313(3) and 280(1)(b) of the Telecommunications Act to allow for access to metadata," the report said.
With 87 agencies found to be skirting the restrictions, the committee asked those agencies to tell it why they should be able to continue to do so.
"There were very few submitters that took this opportunity up. Those that did were unable to convince the committee of the need for this broad access to telecommunications data," the report said.
"The committee is concerned to build on and retain confidence in the data retention regime and concludes that the number and type of agencies that can access a person's telecommunications data via section 280 (1) (b) of the Telecommunications Act may undermine the social licence for ASIO and law enforcement agencies to access the information."
Home Affairs was also called out for failing to assist the committee in finding a way to amend this particular section to remove the loophole.
In seeking to tighten access, the committee recommended the binning of provisions that allow an officer to "authorise the disclosure of historic telecommunications data if he or she is satisfied that the disclosure is reasonably necessary to find a missing person, or for the enforcement of the criminal law or any law imposing a pecuniary penalty (including, for example, a parking infringement)". Instead, it wants access kept to voluntary disclosure, locating a missing person, or the investigation of a serious offence or an offence with a penalty of at least three years' imprisonment.
The committee said the definition of serious offence could be found in the Telecommunications Interception Act, and that access for "pecuniary penalties or protection of the public revenue" be repealed.
"Access to existing information and documents granted for 'enforcement of the criminal law' (section 178) is drafted broadly and is subject to no limitations," the report stated.
Despite concerns that retained location data is extremely private, the committee did not recommend ending its retention. Similarly, the committee said there are no "specific concerns" over agencies receiving URLs from telcos, but it did recommend an amendment so that if such data is received, the agency does not use it and informs oversight agencies before destroying it with approval.
On the issue of oversight, PJCIS said it was difficult due to a lack of data about the operation of the scheme, and said it would be better if the Department of Home Affairs could create a report from each agency with access.
"This could be achieved by each agency adhering to an agreed format and method of recording prescribed information, which could be provided to Home Affairs, an oversight agency or a parliamentary committee on request for aggregation into a report," the report said before the committee went meta and put forward the idea of a database to help oversee the scheme.
"If it were deemed to be more cost effective, a national database created and managed by Home Affairs could also be an option albeit this would require consideration regarding privacy, security and rules for access. Ideally, data entered as part of the request for authorisation could be recorded in the agreed fields to reduce duplication of effort," the report said.
Similarly, the report also recommended telcos keep "detailed records of the kinds of information included in each disclosure", which it also said would go some way to alleviating concerns over browsing histories being passed across by telcos.
The report also called for Home Affairs to develop national guidelines on how the regime would operate within 18 months; that agencies keep received metadata long enough for oversight from either the Inspector-General of Intelligence and Security or the Commonwealth Ombudsman to be performed before it is subsequently deleted when no longer needed; and that state criminal law-enforcement agencies be made to notify of any data breach involving received metadata.
It was also recommended that Home Affairs clearly define "content or substance of a communication".
"In defining the term 'content or substance of a communication', Home Affairs should specifically consider whether some information that is currently treated as telecommunications data should now be regarded as content given what that information can reveal about an individual," it said.
The committee also called for an explicit requirement that metadata be stored on servers within Australia (currently, it could be stored anywhere in the world), as well as requiring agencies and carriers to meet minimum security standards.
In additional comments from the Labor party, opposition members laid out the case for warrants to be introduced from an independent issuing authority.
"Labor members are concerned that the power to access telecommunications data without a warrant may be used -- and is, in fact, currently being used -- to access the telecommunications data of individuals who are not themselves suspected of any wrongdoing."
Enforcement agencies should not be able to access the metadata of those not suspected unless that person consents, consent cannot be gained due to the person being injured or killed, or seeking consent from the person could compromise an investigation, the Labor members said.
If an enforcement agency thinks an innocent person's metadata could assist an investigation and they do not provide consent, at that point, the agency would need a warrant.
"Labor members note that significant intrusions into privacy by law enforcement agencies, such as a search of a person's home, opening a person's mail, installing a listening device or obtaining a saliva sample, generally require agencies to obtain a person's consent or a warrant from an independent issuing authority," the additional comments from Labor said.
"Given that context, we consider our proposal to be both modest and sensible."
PJCIS recommended that the committee conduct another review of the scheme by June 2025.