December 8, 2022
Law enforcement agencies’ ability to request or require assistance from telcos is plagued with governance and record-keeping shortcomings and poorly-drafted legislation, the Commonwealth Ombudsman has found. The power to issue technical assistance requests (TARs), technical assistance notices (TANs) or technical capability notices (TCNs) created a regime under which law enforcement could seek decryption of encrypted…

Law enforcement agencies’ ability to request or require assistance from telcos is plagued with governance and record-keeping shortcomings and poorly-drafted legislation, the Commonwealth Ombudsman has found.

The power to issue technical assistance requests (TARs), technical assistance notices (TANs) or technical capability notices (TCNs) created a regime under which law enforcement could seek decryption of encrypted communications.

The powers were granted to law enforcement in 2019, and this is the first report [pdf] the Ombudsman has prepared into those powers.

The report found three agencies used the assistance and access powers between December 2018 and June 2020: the Australian Federal Police, NSW Police, and the Australian Criminal Intelligence Commission.

Those agencies, the report found, were keen to adopt the powers but failed to put governance arrangements in place first: “the agencies that used industry assistance powers during the reporting period had started using the powers before establishing comprehensive governance frameworks”, the report said. 

“For example, agencies used industry assistance powers prior to having a completed policy document, formalised training procedures, a full suite of templates or guidance material and fully realised procedures for using the powers.

“This led to instances of statutory non-compliance or, at best, a failure by agencies to demonstrate compliance with key safeguards and requirements under Part 15 of the Act.”

When the Ombudsman later conducted a “health check”, two of those agencies – NSW Police and the Australian Federal Police – had put governance arrangements in place.

“The remaining agency … had an incomplete governance framework in place at the time of our health check. In our view, this contributed significantly to the instances of statutory non-compliance we identified in the agency’s records.”

Victoria Police was also criticised. When the Ombudsman launched its investigation, the agency had not used the powers; when the office returned for the health check, Victoria Police had used the powers, before it had “a complete and accurate governance framework”.

Gaps in the legislation

The report also reveals gaps in the drafting of the legislation.

For example, the legislation is vague about who in law enforcement can exercise the assistance powers (documented in “delegation instruments” the agencies draft).

The Ombudsman found some “delegation instruments that were either incomplete or did not comply” with the Act.

“In some instances, this arose because the drafting of section 317ZR is not clear as to what ranks are delegable under Part 15 of the Act, particularly for state and territory agencies,” the report said.

The Ombudsman also found the law was missing a key definition, and doesn’t “require interception agencies to maintain records of their industry assistance activities (other than requirements relating to urgent oral TARs and TANs)”.

A lack of record keeping puts stumbling blocks in the way of the Ombudsman’s oversight role.

“Agencies generally did not have documented procedures for record keeping to ensure consistency and completeness of relevant records and to demonstrate compliance with the Act. We made better practice suggestions directed at improving agencies’ record management practices for seven of the eight agencies we inspected.”

The three agencies using industry assistance powers “had poor record keeping practices in place during early use of the powers”, the report found.

For all TARs issued, agencies could not provide records that demonstrated “the decision-maker had considered whether a request was reasonable and proportionate”, or that compliance with a TAR was “technically feasible”.

The report also reveals an apparently-cavalier attitude to privacy.

“In some instances, TARs were given that requested the [telco] to do acts or things that had the potential to affect the privacy of numerous individuals who were not the target, or who were not of interest to the requesting interception agency. 

“Despite this potential privacy intrusion, agencies were unable to produce evidence the decision-maker had turned their mind to whether the request, when compared to other forms of industry assistance available, was the least intrusive form of assistance”.

The Ombudsman found “agency records did not include formal processes for identifying and quarantining personal information of persons not of interest to the agency which was obtained in accordance with the TAR and affiliated warrants or authorisations.”

Agencies at times overlooked another key protection in the legislation: they were “unable to produce documents demonstrating the decision-maker’s consideration of whether the specified assistance requested in a TAR would create a systemic weakness or systemic vulnerability”.

How agencies authorised assistance requests (whether by warrant or authorisation) was also poorly documented.

“We were not satisfied from the records available during the inspection that telecommunications data authorisations … had been properly made,” the Ombudsman found.

The Ombudsman recommended that in those cases, the agencies should quarantine the affected data while they assess the implications of use or disclosure of the data, and if necessary inform partner agencies.

Source