Report details ‘metadata’ failures at AFP
- 29 November, 2017 09:41
An investigation by the Commonwealth Ombudsman has concluded that an Australian Federal Police breach of the Telecommunications (Interception and Access) Act during an attempt to identify the source of a journalist’s story stemmed in part from a lack of awareness of the rules governing access to telecommunications ‘metadata’.
The AFP on 28 April revealed that it had illegally accessed the telecommunications data of a journalist without a warrant. Two days earlier the AFP had notified the Commonwealth Ombudsman’s Office of the breach, which occurred within the Professional Standards Unit (PRS).
AFP Commissioner Andrew Colvin blamed “human error” for the breach of the provisions of the TIA Act.
A Journalist Information Warrant (JIW) is required when an authorised agency — such as the AFP — seeks to access the telecommunications data of a journalist for the purposes of identifying the source of a story.
Under normal circumstances those agencies that are authorised to access historical telecommunications information covered by the data retention regime do not require warrants.
The special category of warrant was introduced in response to concerns that the data retention regime could have a chilling effect on journalism. JIWs are issued in secret and a parliamentary committee previously concluded the system may be incompatible with Australia’s human rights obligations.
In addition to a lack of awareness around JIWs, within the AFP PRS a number of officers did not appear to fully appreciate their responsibilities when exercising metadata powers, the Ombudsman concluded.
The AFP “did not have in place strong system controls for preventing applications [for access to historical telecommunications data] that did not meet relevant thresholds from being progressed” and relied heavily on manual checks and corporate knowledge.
Guidance documents were updated before the JIW regime came into effect but were not effective in preventing the breach, the report says.
The Ombudsman’s report states that there were four authorisations to access telecommunications data associated with the breach. The report says one authorisation was a clear breach of the TIA Act’s provisions requiring a warrant when accessing a journalist’s data to identify the source of a story.
Whether the other three breached the act is arguable, the report says: One was in relation to the same journalist’s telecommunications data but not in relation to identifying a source, and two were for the purpose of identifying the journalist’s source but did not involve access his or here data.
During the Ombudsman’s investigation the AFP initially claimed that it had destroyed all records that contained unlawfully accessed data. “However, to confirm that this had been done, we arranged to revisit the AFP with technical assistance, appreciating the complexities of the AFP’s systems,” the Ombudsman’s report states.
“This visit prompted PRS to conduct further checks of its systems with technical assistance, which identified additional records. We confirmed that these records were subsequently destroyed.”
The report contains a single recommendation: “That the Australian Federal Police immediately review its approach to metadata awareness raising and training to ensure that all staff involved in exercising metadata powers have a thorough understanding of the legislative framework and their responsibilities under Chapter 4 of the Telecommunications (Interception and Access) Act 1979.”
“In response to this recommendation, the AFP advised that it is now finalising an online mandatory training package that all AFP authorised officers will need to undertake annually to maintain their authorised officer status,” the Ombudsman’s report states.