A government report reveals that law enforcement agencies sought access to information covered by Australia’s data retention regime on more than 296,000 occasions in FY18.
The Department of Home Affairs today released its annual report on the operation of the Telecommunications (Interception and Access) Act 1979 for 2017-18 (a delayed release of the TIA Act report is not unusual for the government).
The report offers a snapshot of telecommunications interception, access to stored communications, and access to historical and prospective telecommunications data.
Telecommunications data, sometimes dubbed ‘metadata’, covers a range of information such as the source, destination and timing of a particular communication, but not its content.
The data retention legislation amended the TIA Act to restrict to 20 “enforcement agencies” the ability to self-authorise access to metadata.
Those agencies comprise federal, state and territory police forces, a number of anti-corruption and police integrity bodies, the Department of Home Affairs, the Australian Securities and Investments Commission, and the Australian Competition and Consumer Commission.
During the 2017-18 financial year, those agencies employed the TIA Act to access historical telecommunications data on 295,779 occasions in relation to enforcing criminal laws. On 2113 occasions the agencies authorised access for the purposes of a law imposing a pecuniary penalty or protection of the public revenue.
On 2347 occasions the agencies authorised the disclosure of prospective telecommunications data (data that comes into existence during a particular period covered by an authorisation).
The majority of occasions where law enforcement bodies sought access to metadata related to drug offences. On more than 67,000 occasions police sought access to historical telecommunications data to inform drug-related investigations; terrorism offences, by way of contrast, were only cited on around 3500 occasions. The second-most common category of offence was homicide, followed by fraud.
During the period covered by the report, the Australian Federal Police issued 58 historical telco data authorisations in relation to two Journalist Information Warrants. (The AFP came under scrutiny earlier this year over raids targeting reporting by the ABC and News Corp.)
Although the TIA Act report offers some insight into law enforcement use of the data retention scheme, it doesn’t cover a swathe of other government entities that are using different legal mechanisms to access metadata.
According to telco industry group Communications Alliance, its members have counted more than 100 entities that have requested access to metadata without citing the TIA Act.
In addition to some of the same TIA Act enforcement agencies, organisations including city councils, the Healthcare Complaints Commissions, Racing Integrity Victoria, SA Fisheries, Report Illegal Dumping (NSW), SafeWork NSW, and the Veterinary Surgeons Board of WA have accessed metadata, according to the group.
The Telecommunications Act 1997 includes a general prohibition on telcos disclosing certain protected information about their customers. However, agencies have used Section 280 or Section 313 of the Telco Act to gain access to information which they would not necessarily be able to obtain under the TIA Act.
Section 313 states that telcos must “give officers and authorities of the Commonwealth and of the States and Territories such help as is reasonably necessary” in a range of circumstances, including enforcing criminal laws and laws that involve fines, assisting the enforcement of criminal laws in force in a foreign country, protecting public revenue, and safeguarding national security.
The government has declined to rein in the broad power; instead, in 2017 it released guidelines for Commonwealth agencies that employ Section 313. The power has been used by the Australian Federal Police to block access to sites hosting child abuse material, as well as to combat the spread of malware.
The most infamous use of Section 313, however, was an Australian Securities and Investments Commission direction to telcos to block access to fraud sites. Because ASIC requested an IP-based block, hundreds of thousands of unrelated sites were blocked for some Australian Internet users.
Section 280 permits telcos to disclose data if “the disclosure or use is required or authorised by or under law,” allowing entities to take advantage of state and territory laws, for example.
The Department of Home Affairs has defended the use of Section 280, arguing that the legislation “enables these underlying laws to function as intended by relaxing the prohibition against disclosing telecommunications data if it is in response to a lawful request.”
“Removing this exception would have serious implications to a range of entities across Australia,” the department argued in a submission to an inquiry by the Parliamentary Joint Committee on Intelligence and Security, which is examining the operation of the data retention regime.