Commonwealth Ombudsman Michael Manthorpe says that ambiguity in Australia’s data retention regime means that on some occasions law enforcement agencies have been able to obtain details of an individual’s web browsing history without a warrant.
Manthorpe appeared today before a Parliamentary Joint Committee on Intelligence and Security (PJCIS) inquiry that is reviewing Australia’s data retention legislation.
The data retention legislation covers warrant-free access to metadata but not the contents of an individual's communications.
“The piece of ambiguity we have observed throughout inspections is that sometimes the metadata in the way it's captured — particularly URL data and sometimes IP addresses but particularly URL data — does start to actually... in its granularity, start to communicate something about the content of what is being looked at,” the Ombudsman said.
Manthorpe said that he believed when the regime commenced the concept of metadata was “probably thought to be quite a clean and delineable thing, but we know that that there is a there is a greyness on the edges here that we thought we should call out.”
The Ombudsman has identified multiple occasions when Australian telcos have handed over to law enforcement agencies information about the URLs visited by a customer in response to an authorisation issued under the data retention regime.
The legislation to implement data retention left to government-issued regulation the precise types of so-called ‘metadata’ (also called historical telecommunications data) that service providers are required to retain for at least 24 months (although it does not restrict them retaining relevant data for longer periods, nor from gathering other data for their business purposes).
Law enforcement and intelligence agencies are empowered, in almost all circumstances, by the data retention rules to self-authorise a direction to a telco to hand over metadata. The exception is where the data of a journalist is sought for the purposes of identifying the source of a story, which requires a ‘journalist information warrant’.
The relevant legislation states that access to the “information that is the contents or substance of a communication” is not covered by the data retention rules, nor is access to “a document to the extent that the document contains the contents or substance of a communication”.
The legislation itself includes an explicit prohibition on including web history as part of the data set outlined in the data retention regulations. The Telecommunications (Interception and Access) Act states that “service providers are not required to keep information about subscribers’ web browsing history”. That does not prohibit telcos from retaining information about their customers’ browsing habits, however.
“The Committee may wish to consider whether the Act should be amended to include a definition of the term ‘content or substance of a communication or document’,” the Ombudsman’s submission states.
The Ombudsman in evidence before the committee today and in a written submission has also identified two other key issues related to data retention.
One is the lack of a framework for verbal authorisation to access telco data
“What we have observed is that in some instances, law enforcement agencies, particularly I think, where they are operating in a in a spirit of urgency … they issue an internal authorization based on verbal advice,” Manthorpe said.
“And at an operational level, I can understand why that might occur,” he added. “But it isn't catered for in the legislation; we think that that that is a gap in the legislation.”
“There is a policy question as to whether all that should be permitted to occur and if it is permitted to occur then it should be clarified in the legislation,” Manthorpe said.
The Ombudsman believes that there should be a “sound framework within which verbal authorisations if they are to be permitted, occur”.
A third issue identified by the Ombudsman was the absence of any rule requiring agencies to retain the data the obtain from telcos, which Manthorpe said could hinder oversight of the operation of the data retention scheme.