The Commonwealth Ombudsman recorded a 38 percent year-on-year increase in serious compliance and unfinished remediation issues among agencies accessing telecommunications metadata or the content of messages under Australia’s surveillance laws.
In a report tabled in parliament late on Wednesday, covering uses of the powers in 2019-20, the ombudsman said it had made “29 recommendations in relation to six agencies”, compared to 21 for three agencies the year before.
“A recommendation reflects a serious compliance issue or an issue on which an agency has not made sufficient progress in implementation,” the ombudsman said.
Its review covers the use of powers under the Telecommunications (Interception and Access) Act – often simply shortened to TIA Act.
These allow agencies to apply for warrants to access telecommunications metadata about a suspect – things like subscriber information or the “date, time and duration” of phone calls – or, in some cases, for the content of SMS, MMS, emails or voicemails.
The ombudsman said it had observed “several good practices among agencies” year-on-year, which it saw as evidence of a “maturing compliance culture” around use of the intrusive powers.
However, as in years past, it also uncovered a range of issues with the way some agencies – and notably, police forces – made use of the laws.
While naming the agencies responsible, it added the examples are “illustrative of findings or risks that are relevant to all agencies that exercise powers under Chapters 3 and 4 of the Act and not just the agencies about which the examples are written.”
For accessing the content of “stored communications”, both Victoria Police and Tasmania Police secured warrants from people that didn’t have the authority to issue them in the first place.
There were also problems identified with “preservation notices”, which compel a telco to retain the content of messages on their systems while a warrant is sought for it.
The ombudsman found a lack of evidence the notices are properly given, as well as instances of template wording and “rubber stamping” of signatures.
It also uncovered issues with agencies not “vetting” that the information they received from the telco is covered by the warrant, noting that sometimes excessive or unrelated material was handed over.
This additional material is meant to be destroyed, but there were instances where SA Police and WA Police did not delete the material.
On metadata access, the ombudsman said there were repeat issues at the Australian Federal Police with documenting why metadata access requests were approved; similar issues were uncovered with Victoria Police and the Australian Criminal Intelligence Commission (ACIC).
It also found AFP and Victoria Police had lax systems to record the “use and disclosure” of metadata by recipient officers.