Metadata access is being abused. Who would have thought?

In September 2022 the Commonwealth Ombudsman reported a major spike in surveillance involving telco metadata and communications content access.

From 13 October 2015 telecommunications providers in Australia have been required to retain metadata on communications for two years and a variety of government agencies have been given legal powers to access that metadata.

Despite privacy and other concerns raised at the time, the metadata retention laws were passed with the intention, according to the then Attorney General George Brandis, that rights of access to the metadata apply “only to the most serious crime, to terrorism to international and transnational crime, to paedophilia”.

Use of the powers has been regularly reviewed, with the latest report from the Commonwealth Ombudsman released in September 2022. And these reports show an increasing failure to comply with the safeguards imposed by the laws – by the very agencies entrusted to enforce our laws.

Could this have been foreseen and what might be the safest way forward?

Background

Under Australia’s Telecommunications (Interception and Access) Act (TIA Act) (TIA Act), certain agencies have always been entitled to access telecommunications metadata about a suspect – which includes subscriber information or the “date, time and duration” of phone calls. They have also had power to access the content of stored communications such as SMS, MMS, emails or voicemails – but only via a warrant.

Australian law enforcement agencies have a long history of relying on access to metadata.  It was reported that Australian police had made nearly 750,000 warrantless requests for metadata over the five years up to June 2014, according to documents submitted to the Parliamentary Joint Committee on Intelligence and Security (JCIS) inquiry into data retention. In the same period, law enforcement obtained only 1,228 warrants for access to stored communications.[1]

However, law enforcement agencies were concerned that telecos were not required to keep this valuable metadata, particularly as the billing model changed (to a flat fee rather than based on usage) making the storage of date, time and duration metadata unnecessary from an operational point of view.

In 2014, together with a raft of other security related laws, amendments to the TIA Act were proposed requiring telecommunications organisations to retain metadata relating to the use by all Australians of telecommunications services (covering your mobile phone and internet usage) for 2 years. The justification for the new requirement was to support law enforcement. ‘If we don’t keep this data, our crime fighting agencies and the police are flying blind,’ Mr Abbott, the then Prime Minister said, as part of the lead up to the passage of the legislation.

Home Affairs confirms that this is still the rationale for the laws. Its website states that:

Data plays a central role in almost all serious criminal and national security investigations, which is why it’s so critical that our law enforcement and security agencies continue to have the ability to lawfully access this kind of data in connection with their investigations. For example, child exploitation investigations rely heavily on access to data as perpetrators primarily share information online.[2]

The mandatory data retention laws were passed in in 2015. Following review and to address concerns raised during the legislative consultation process, the new measures also included:

• The requirement for access to stored communications to be available only with a warrant;
• Stricter limits on the agencies that could access metadata and stored communications; and
• Greater oversight obligations.

‘Metadata’ was specifically defined to be covered by the Privacy Act, extending the protections of that regime to the stored data.

Under the new powers, relevant agencies had following rights:

• to internally authorise access to metadata,[3] without applying to an external issuing authority, subject to several conditions and requirements.
• to access stored communications[4] of Australians after obtaining a warrant from a court or tribunal.
• Before a warrant is issued, an agency may authorise the ‘preservation’ of a stored communication to ensure it is retained by a carrier until the communication can be accessed under a warrant.

To address some of the privacy concerns raised by allowing agencies themselves to determine whether they could access metadata, the legislation requires that agencies must weigh the value of the information to be obtained against the reasonableness and proportionality of the intrusion on a person’s privacy. In particular, agencies must consider the likely relevance and usefulness of the information or documents, as well as the reason why the disclosure or use concerned is proposed to be authorised.[5]

However, if an agency wishes to access the telecommunications data of a person working as a journalist or their employer, and a purpose of the agency is to identify a source, the agency must apply to an external issuing authority for a Journalist Information Warrant (JIW) before it can make such an authorisation

The amendments to the TI Act also included provisions about how agencies must store the data and destroy it once it is not needed.

Ombudsman report on metadata and communications access

Role of the Commonwealth Ombudsman

The role of the Office of the Commonwealth Ombudsman (the Ombudsman) is to provide independent oversight of agencies’ use of the ‘covert and intrusive powers’ available under the TI Act.[6] It does this by conducting inspections of agencies’ records, policies, and processes to assess whether their use of the powers complies with the Act. The Ombudsman enhances transparency and public accountability by reporting its findings in an annual report, which the Attorney-General (as the relevant Minister) is required to table in Parliament.

The Commonwealth Ombudsman reports annually on the use of powers under the TIA Act.

Ombudsman’s 2021 report

In a report tabled in parliament by the Ombudsman in February 2021 (covering the period from 1 July 2018 to 30 June 2019) all agencies investigated were found to have accessed Australians’ metadata without the proper authorisation. “We identified instances at all inspections in 2018-19 where agencies had accessed telecommunications data without proper authority. As such, the disclosure of the data was unauthorised,”.[7]

In its report the Ombudsman made 13 recommendations to four agencies and suggestions to others.

Recommendations are serious. Recommendations are only made “if an issue is sufficiently serious and/or has been previously identified and not resolved.” Suggestions are given in the first instance of less serious noncompliance or where the unresolved issue has not been identified before. Suggestions for improvement are intended to encourage agencies to take responsibility for identifying and implementing practical solutions. The Ombudsman may also make ‘better practice suggestions’ where it considers an agency’s existing practice may expose it to risk of non-compliance in the future.

Ombudsman’s 2022 Report: Some of the issues

The latest report by the Commonwealth Ombudsman covers use of the powers in 2019-20 by 19 of the 20 agencies who have access to metadata and stored communications under the TI Act.[8]

The report records a 38 % year-on-year increase in serious compliance and unfinished remediation issues with the way some agencies – mostly law enforcement – accessed metadata and stored communication content.

No Commonwealth or State Law Enforcement agency was immune from criticism.

Some of the issues identified in the Report included:

• both Victoria Police and Tasmania Police secured warrants to access the contents of stored communications from officials who did not have the authority to issue them in the first place.
• lack of evidence that preservation notices had been properly given, as well as instances of template wording and “rubber stamping” of signatures.
• agencies not “vetting” that the information they received from the telco is covered by the warrant, noting that sometimes excessive or unrelated material was handed over. This additional material is meant to be destroyed, but there were instances where SA Police and WA Police did not delete the material.
• repeat issues at the Australian Federal Police with documenting why metadata access requests were approved with similar issues being uncovered with Victoria Police and the Australian Criminal Intelligence Commission (ACIC).
• a finding that the AFP and Victoria Police had lax systems to record the “use and disclosure” of metadata by recipient officers.

In the Report, the Ombudsman acknowledges how intrusive the agencies’ powers are. “Access to stored communications and telecommunications data intrudes on an individual’s right to privacy and occurs covertly,” Anderson said. “The individual generally does not know the agency has accessed their communications or data. This means the individual cannot access complaints or other review mechanisms that would ordinarily be available where they consider an agency has acted unreasonably.”

The Ombudsman made “29 recommendations in relation to six agencies”, compared to the 21 made for three agencies the year before.    A further 386 less serious suggestions and 116 better practice suggestions were made across the agencies inspected.  In the previous period – there were 237 suggestions and 77 better practice suggestions. Compliance and appropriate data handling practices are clearly on a downward trajectory.

Who would have thought?

Concerns around the breadth of the regime and potential abuse were raised at the time the legislation was passed.

For example, it was reported that a knowledgeable although anonymous insider believed that the proposed regime would be easily abused and more oversight was needed.

The Privacy Commissioner at the time, Timothy Pilgrim suggested that the mandatory retention requirement would lead to the overcollection and storage of personal information in contravention of the privacy principles[9] and that the 2 year retention period was too long, suggesting that 12 months might be a more appropriate requirement.[10]

Other prominent commentators warned that the legislation itself was poorly drafted.  One of the concerns was around the list of agencies that could access meta data.

The then Attorney-General George Brandis said at the time that the regime would apply “only to the most serious crime, to terrorism to international and transnational crime, to paedophilia”.

However, even then, these statements were not correct. In addition to granting access to law
enforcement agencies, the Attorney-General was permitted to grant access to a wide range of other bodies. Indeed, a broad discretion was granted allowing the Attorney-General to make an access decision taking into account not only whether the relevant body enforces the criminal law, imposes penalties or protects the public revenue, but “any other matter” considered relevant.

“Access to metadata could be granted to local councils, gambling authorities, universities, private security firms, toll road operators and organisations responsible for enforcing copyright infringement. Even if Brandis has no wish to extend the regime in this way, the bill enables a future government to do so.’[11]

And, via poor drafting rather than Attorney General decisions, that is what has happened.

In its 2020 review of the metadata retention laws,[12] the JCIS found that a loophole in section 280 TIA Act allowed agencies outside of the data-retention scheme to use their own powers to seek access. The committee heard that while mandatory data-retention laws permit just 21 agencies to access the metadata, more than 87 other entities — including councils, the Victorian Institute of Education, the RSPCA and the South Australian fisheries department — have used section 280 to gain access. It is difficult to see how local councils, the Victorian Institute of Education, the RSPCA or the South Australian fisheries department might have justified requiring access to meta data as part of combatting serious crime, paedophilia or terrorism.[13]

And the Committee report suggests that the then government was not concerned about the over-use of access:  “The committee was disappointed that the Department of Home Affairs, which was aware of the concerns the committee had with the section, did not seek to assist the committee in finding a way to amend this section,” the report said.[14]

The Committee called for section 280(1)(b) of the Telecommunications Act to be repealed, and recommended amendments be made to ensure that only ASIO and other law enforcement agencies listed in section 110A of the Interception and Access Act can authorise the disclosure of telecommunications data.

The report from the JCIS found some unlikely support, for example, from the Australian Human Rights Commission.

What can we do

There have been calls for the data access laws to be scrapped.[15]

Electronic Frontiers Australia (EFA) chair Justin Warren has written to federal Attorney-General Mark Dreyfus demanding the surveillance powers be withdrawn immediately. “These are issues that were not only predictable, they were predicted,” Warren said in the letter. The EFA believes that agencies shouldn’t be given more time to address and remediate the issues identified. “Agencies have already had more than enough time to learn to use their powers safely, and they have comprehensively failed. …Why should Australians tolerate ongoing, systemic law-breaking by those with power while we are expected to submit to increasing restrictions on our own freedoms?”

Similarly, former independent national security legislation monitor and Australia’s first in the role, Bret Walker, SC, says that if law enforcement agencies can’t meet the standards required to exercise such “drastic” powers properly, then the powers should be withdrawn.[16]

Another eminent barrister and former counsel assisting ICAC, Geoffrey Watson, SC, says non-compliance with laws upholding Australians’ basic rights of privacy is “actually pretty creepy”. “These powers should be exercised in, and are only meant to be exercised in, exceptional circumstances,” says Watson, who is a director of The Centre for Public Integrity. “If there’s non-compliance by an agency, there should be consequences. If it’s getting worse, not better, there’s a second layer to the reason why there should be consequences. There’s no point just compiling statistics to put into a report which just gets shoved onto a shelf.”[17]

The new Federal Attorney-General Mark Dreyfus is reported to be concerned about the decreasing compliance. A spokesman for the Attorney General is reported as saying some legislative requirements for authorisation, reporting and record keeping are outdated and should be overhauled. He also notes that JCIS report on the legislation in 2020 and recommended 22 changes, including to address the absence of clear guidelines for data access and handling.[18]

JCIS Review 2020

Perhaps a good starting point would be full implementation of the recommendations from the 2020 JCIS review, including closing the loophole on access.  Generally, the recommendations to the government were designed to:

• Increase transparency;
• Raise the threshold for when data can be accessed; and
• Reduce the broad access to data.

The recommendations included:

• Publication by the Department of Home Affairs of guidance on the operations of the mandatory data retention scheme to ensure greater clarity, consistency and security in respect of requests for and collection of metadata by law enforcement agencies across Australia;
• Clarifying the term ‘content or substance of a communication’ particularly in regard to distinguishing between metadata and content;
• Clarifying the requirements for handling information obtained in breach of the Act;
• Additional reporting requirements including:
  • the number of authorised officers in each enforcement agency and ASIO;
  • the number of authorisations made by each authorised officer;
  • the number of individuals that the authorisations by each enforcement
    agency and ASIO related to; and
  • in respect of authorisations in relation to criminal investigations, the
    specific offence – or offences – that the authorisations related to.
• Developing guidelines for ensuing better reporting to oversight agencies, so that at a minimum each report should including (among other things) the following information:
  • the specific offence – or offences – that the investigation related to;
  • if the authorisation related to a missing person case, the name of the
    missing person;
  • brief reasons why the authorised officer was satisfied that the disclosure
    was reasonably necessary;
  • where the data related to a person who did not have an obvious relationship to a suspect in an investigation, brief reasons why the authorised officer was satisfied that any interference with the privacy of the person that may have resulted from the disclosure or use of the telecommunications data was justifiable and proportionate;
  • the name(s) of the officers involved in the case;
  • the name and appointment of the authorising officer

Where practicable, the report should also include:

• whether or not the data was used to rule someone out from an investigation;
• whether or not the person whose data was accessed was eventually charged, prosecuted and/or convicted of a crime;
• whether or not the data accessed eventually led to the charge, prosecution and/or conviction of another person for a crime; and
• the cost of the disclosure.

• Reducing the number of officers who may be designated as authorised officers (to issue warrants etc).
• Clarifying that access to stored information can only be authorised in relation to the investigation of a serious offence.
• Removing s280(1)(b) and list those agencies allowed to access telecommunications data.

None of these recommendations seem to have been actioned with the previous government reportedly not responding at all to the bipartisan committee report.[19]

Conclusion

It is very troubling that the agencies responsible for upholding our laws seem to be showing so little concern around exercising the power they have been entrusted with in a way that is consistent with a respect for the rights and interests of ordinary Australians. And these are the issues that we are aware of from the Ombudsman’s report.

The Ombudsman’s report does not extend to the 87 other entities — including councils, the Victorian Institute of Education, the RSPCA and the South Australian fisheries department — which have accessed our metadata.  We are no wiser as to how they are complying with the legislation and what justification is offered for their access to metadata that was supposed to have only been made available to combat “only to the most serious crime, to terrorism to international and transnational crime, to paedophilia”.

Australians have been required to permit data about our on-line lives to be collected and retained in a way which amounts to extensive, non-targeted and continuing surveillance. This treasure trove of data is then made available to a wide range of agencies, ostensibly to help solve serious crimes and only subject to an assessment which includes the proportionately and necessity of access.

However, successive reports have shown almost every agency involved has failed to comply with its obligations regarding the collection, use, storage and deletion of this data. And a JCIS report which included 22 recommendations for improvement – agreed on by the bi-partisan committee – did not even warrant a response from the previous government.

Surely it is time for this imbalance to be addressed, and for the personal data of Australians to be treated with the respect and concern we are all entitled to expect from our government and law enforcement agencies.  Is it too much to expect that our law enforcement agencies themselves comply with the law?

References

Ombudsman’s report:

https://www.aph.gov.au/Parliamentary_Business/Tabled_Documents/245

What is metadata?

Section 187AA outlines what kinds of information a service provider must keep under the regime, which includes:

• the subscriber, account, service and device information relating to the relevant service;
• the source of the communication;
• the destination of a communication;
• the date, time and duration of a communication, or of its connection to a relevant service;
• the type of a communication or of a relevant service used in connection with a communication; and
• the location of equipment, or a line, used in connection with a communication

Joint Intelligence and Security Committee Review Terms of Reference

Section 187N of the Telecommunication (Interception and Access) Act 1979 provides for review by the JCIS. The Terms of Reference for most recent review were determined by the Committee of the 45th Parliament to focus on the following matters:

• the continued effectiveness of the scheme, taking into account changes in the use of technology since the passage of the Bill;
• the appropriateness of the dataset and retention period;
• costs, including ongoing costs borne by service providers for compliance with the regime;
  any potential improvements to oversight, including in relation to journalist information warrants;
• any regulations and determinations made under the regime;
• the number of complaints about the scheme to relevant bodies, including the Commonwealth Ombudsman and the Inspector-General of Intelligence and Security;
• security requirements in relation to data stored under the regime, including in relation to data stored offshore;
• any access by agencies to retained telecommunications data outside the TIA Act framework, such as under the Telecommunications Act1997; and
• international developments.

More information:

https://www.itnews.com.au/news/ombudsman-sees-serious-issues-spike-for-surveillance-law-usage-584982

The 19 agencies are:

• Australian Competition and Consumer Commission (ACCC);
• Australian Criminal Intelligence Commission (ACIC);
• Australian Commission for Law Enforcement Integrity (ACLEI);
• Australian Federal Police (AFP);
• Crime and Corruption Commission (Queensland) (CCC QLD);
• Corruption and Crime Commission (Western Australia) (CCC WA);
• The Department of Home Affairs (the Department);
• Independent Broad-based Anti-corruption Commission (IBAC);
• Independent Commission Against Corruption New South Wales (ICAC NSW);
• Independent Commissioner Against Corruption (South Australia) (ICAC SA);
• Law Enforcement Conduct Commission (LECC);
• New South Wales Crime Commission (NSW CC);
• New South Wales Police Force (NSW PF);
• Northern Territory Police (NT Police);
• Queensland Police Service (QPS);
• South Australia Police (SA Police);
• Tasmania Police;
• Victoria Police; and
• Western Australia Police (WA Police).

[1] http://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/Data_Retention

[2] https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/lawful-access-telecommunications/data-retention-obligations

[3] Metadata is information about a communication but does not include the content or substance of that communication.

[4] Stored communications are communications that have already occurred and are stored on a carrier’s systems. They contain the content of the communication

[5] Section 180F TIA Act.

[6] file:///C:/Users/jodie/Downloads/Commonwealth%20Ombudsman%20202021%20Annual%20Report.pdf at 1.

[7] https://www.news.com.au/technology/online/security/data-retention-laws-australian-police-given-new-metadata-recommendations/news-story/29b6c3c9f831e70b5d0898758e9acfbf

[8] A list of the 19 agencies covered is included at the end of this article.

[9] http://www.theage.com.au/digital-life/consumer-security/australias-privacy-commissioner-tim-pilgrim-fears-telco-metadata-breaches-20150126-12ydmc.html

[10] : http://www.theage.com.au/federal-politics/political-news/privacy-commissioner-questions-need-for-governments-twoyear-metadata-storage-plan-20150129-1318ne.html

[11] Prof George Williams Holes in metadata bill make it unacceptable January 5, 2015 http://www.cla.asn.au/News/metadata-bill-holey-unacceptable/

[12] The terms of reference of the review are included at the end of this article.

[13] More on the extended use of the access rights to metadata: https://www.news.com.au/technology/online/security/loophole-in-metadata-retention-laws-could-leak-aussie-data/news-story/17026b3f48487d1d906a40438a46c60a

[14] .https://www.themandarin.com.au/143754-overhaul-of-australias-data-retention-regime/

[15] https://ia.acs.org.au/content/ia/article/2022/calls-for-data-access-laws-to-be-scrapped

[16] https://www.thesaturdaypaper.com.au/news/politics/2022/09/17/pretty-creepy-agencies-illegally-obtained-emails-voicemails-and-texts

[17] https://www.thesaturdaypaper.com.au/news/politics/2022/09/17/pretty-creepy-agencies-illegally-obtained-emails-voicemails-and-texts

[18] https://www.thesaturdaypaper.com.au/news/politics/2022/09/17/pretty-creepy-agencies-illegally-obtained-emails-voicemails-and-texts

[19] https://www.thesaturdaypaper.com.au/news/politics/2022/09/17/pretty-creepy-agencies-illegally-obtained-emails-voicemails-and-texts