Computerworld

Dozens more government agencies accessing 'metadata'

Home Affairs admits agencies bypassing data retention restrictions

More than 100 federal, state and local government agencies are known to be accessing so-called telecommunications ‘metadata’ despite not being on the list of enforcement agencies included in the data retention legislation.

The Department of Home Affairs has admitted that federal, state and territory government agencies are lawfully accessing telecommunications information covered by Australia’s data retention regime, even when they are not among the agencies authorised to access metadata under the 2015 legislation.

The Data Retention Act 2015 restricted access to telecommunications data under the provisions of the Telecommunications (Interception and Access) Act 1979 (TIA Act) to just 21 agencies.

Prior to it being passed, a startling array of organisations ranging from the RSPCA to the Civil Aviation Safety Authority, Taxis Services Commission and National Measurement Institute were accessing historical telecommunications data under the act.

Since the data retention scheme took effect, however, a large number of government agencies have used Section 280 or Section 313 of the Telecommunications Act to gain access to data covered by the data retention regime.

Last year industry group Communications Alliance said that its members had identified 81 government organisations ranging from Australia Post to local councils and the NSW Regional Illegal Dumping Squad using the Telecommunications Act to access metadata.

Communications Alliance CEO John Stanton told Computerworld that in the first few months of 2019 the organisation’s members had identified 27 further “supposed non-authorised entities seeking metadata from telecommunications carriers.”

“So the problem is not only persistent, but it’s growing,” he said.

Although Section 280 cannot be used to compel the disclosure of data kept solely to comply with data retention obligations, in many cases telcos would have retained the relevant metadata for their own purposes.

In a report on the data retention bill before the legislation was passed, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) noted that privacy advocates had expressed concerns over the breadth of organisations potentially able to self-authorise access to historical telecommunications data (that is, without a warrant process).

“For this reason, consistent with proposed measures to safeguard access to stored communications, the Committee considers that those agencies able to access telecommunications data should be listed in the [data retention] legislation,” the PJCIS report stated.

“The Government agrees there is benefit in listing agencies that can access telecommunications data in the TIA Act but that flexibility is required to be able to include additional enforcement agencies expeditiously,” the government said in its response to the report.

In line with PJCIS recommendations, the legislation as passed listed the organisations authorised to self-authorise metadata access but also included provisions allowing the declaration of additional “enforcement agencies” by the attorney-general (such a declaration is subject to a time limit unless parliament passes an amendment to the TIA Act).

The data retention regime covers a broad range of information about the use of mobile, landline and Internet services, including subscriber details, the source, destination and timing of a communication, the duration of a communication, the type of communication, and the location of equipment used in a communication. The content of a particular communication, such as an email, SMS message or phone call, is not covered by the data retention rules.

A submission from Home Affairs to a current PJCIS inquiry reviewing the data retention regime states: “Many Commonwealth, state and territory organisations have their own ‘notice to produce’ powers, set out in their own enabling statute.”

“As a result, these bodies can lawfully access telecommunications data under section 280, provided the request falls within their legislated powers,” the document says.

Home Affairs said that Section 280 is “being used regularly to request telecommunications data”.

The disclosure of data under the section is “largely regulated by industry,” Home Affairs said, with no visibility through the annual reports prepared by government outlining the use of the TIA Act.

“There are many lawful purposes for which government agencies request telecommunications data under the Telco Act,” Home Affairs said.

“A range of government agencies not designated as ‘enforcement agencies’ for the purpose of the Data Retention Act investigate criminal activity or protect public revenue. Examples of this include coroners’ courts, state justice departments, state revenue offices, Australia Post and the Australian Taxation Office.”

The section of the act can be used in conjunction with other federal, state or territory laws that authorise the disclosure of data, the department said.

“Section 280 enables these underlying laws to function as intended by relaxing the prohibition against disclosing telecommunications data if it is in response to a lawful request. Removing this exception would have serious implications to a range of entities across Australia.”