Ombudsman praises ‘compliance cultures’ but agencies still mishandle stored comms

By Shannon Jenkins

Monday September 16, 2019

Law enforcement and intelligence agencies must verify the lawfulness of stored communications before handing them to investigators, according to the Office of the Commonwealth Ombudsman.

In its most recent report, the watchdog examined agency records relating to metadata and stored communications from July 1, 2016 to June 30, 2017. Some law enforcement agencies can legally access individuals’ metadata when investigating certain offences, unless it will identify a journalist’s information source, in which case the agency must apply for a warrant. 

Ombudsman Michael Manthorpe found agencies “were generally exercising their powers to access stored communications and telecommunications data appropriately” and had “demonstrated a commitment to compliance”.

While there was a reduction in the number of problems identified since 2016–17, the ombudsman found new cases of questionable authorisations, an inability to properly demonstrate required privacy considerations, and access to unauthorised telecommunications data.

In one instance, Victorian police gave the green light for metadata access that was “not for a permitted purpose”. On 23 occasions, the Australian Federal Police authorised searches of information under missing-person laws despite the cases being related to criminal law.

AFP authorising officers took “less than one minute” to assess requests in four instances, which raised concerns, according to the ombudsman.

“Given the range of matters requiring consideration by authorised officers, this timeframe calls into question whether the requirements could have been met,” the report noted.

Non-compliance was also identified in regards to the validity of stored communications warrants, unlawful access to stored communications, compliance with destruction requirements, and delegation of stored communications powers. 

The ombudsman’s inspection also found Home Affairs pushing the limits of its authority by using “historic domestic preservation notices” to keep a person under surveillance. The department said it sent 56 of these to the same carrier, each relating to the same person, but this number was inaccurate.

“In our inspection we identified that it appeared Home Affairs had given 100, not 56, consecutive historic domestic preservation notices,” the ombudsman found. “While this practice is not strictly in breach of any legislative provision, in our view it has a similar effect to giving an ongoing preservation notice. Home Affairs is not authorised to give ongoing notices because it is not an interception agency.”

Out of the 17 agencies examined, three illegally accessed stored communications because telcos had either given them information outside of a warrant’s conditions, or had not provided enough information for them to determine the stored communications related to the person named on the warrant.

The ombudsman advises agencies to ensure stored communications comply with the law before handing them to investigators.

“Although these issues relate to carrier errors, in our view it is an agency’s responsibility to ensure it is only dealing with lawfully accessed stored communications.

“In instances where there is insufficient information to determine the lawfulness of accessed stored communications, we suggest agencies quarantine the stored communications from investigators until their lawfulness can be verified.”

Despite finding several errors by Home Affairs and intelligence agencies, the ombudsman concluded agencies generally demonstrated a “high level of compliance” in regards to metadata, and were “generally compliant” in regards to stored communication under the Telecommunications (Interception and Access) Act 1979.

“During these inspections we noted good levels of transparency and accountability and strong compliance cultures,” the ombudsman said.

About the author
Inline Feedbacks
View all comments