
Australian Federal Police accessed metadata without warrant, broke law

Single phone call by journalist probed, Feds then self-report breach to Ombudsman

By Simon Sharwood, 28 Apr 2017

Australian Federal Police Commissioner Andrew Colvin has admitted that one of the force's investigators accessed a journalist's telecommunications metadata without a warrant, thereby breaching the Telecommunications (Interception and Access) Act 1979.

That Act was amended to add mandatory metadata collection provisions in October 2015. April 13th, 2017, just over two weeks ago, marked the final deadline for all carriers to start collecting metadata.

The law was advanced as giving law enforcement organisations the tools needed to investigate crime and terrorism and does not require investigators to secure a warrant to request access to metadata. An exception applies to journalists and was drafted to stop warrantless attempts to find journalists' sources.

But Colvin said one of the force's investigators sought out and was provided a journalist's metadata without a warrant. That investigator accessed what Colvin described as “A record of one phone number calling another and the time date and duration.” Just one record was accessed. Once the force realised its error, it self-reported the incident to Australia's Ombudsman and an investigation is now in train.

In a televised press conference, Colvin defended the breach and the metadata legislation. The breach, he said, was inadvertent and picked up by audit of the organisation's practices, then self-reported. “What was improper was that the right steps were not taken,” he said.

He went on to suggest that the public should not lose confidence in the metadata retention legislation, which attracted much criticism as likely to create a honeypot of data irresistible to investigators and criminals alike, likely to occasionally leak due to carriers' negligence or errors, and an unfair burden on carriers that asks them to go well beyond their core business. “If anything the public should have confidence we have found this breach,” Colvin said.

“We have breached in respect of a journalist's circumstances,” he said. “I do not think that should shatter public confidence.”

But it likely won't enhance it either, because the process of accessing metadata should have seen whichever carrier the Federal Police approached request a warrant. That supports critics who felt carriers were being asked to do too much in support of investigators.

The short period between the full commencement of the collection scheme and news of this breach is also unfortunate, to say the least.

Colvin said the force will reduce the number of officers who can authorise metadata access, to reduce the likelihood of future breaches. Training on metadata access has also been increased. A review of other investigations has yielded no evidence of similar breaches.

Colvin would only say the unauthorised access happened “earlier this year”. He also did not name the carrier that coughed the metadata. The journalist's identity is also obscure at this time.

Colvin's statement can be viewed below and the Feds have issued a statement. ®
