‘Pretty creepy’: Agencies illegally obtained emails, voicemails and texts
A report by the ombudsman has found police and integrity agencies routinely break the law in handling private data and are getting worse rather than better.
Australia’s law enforcement agencies have persistently accessed, retained and used private email, voicemail and text messages without legal authority and failed to provide the data protections that the law requires, according to the Commonwealth ombudsman.
In a sweeping annual examination of how the nation’s crime-fighting agencies and investigative and integrity bodies access and handle electronic data, the ombudsman has found repeated breaches of the law.
And he suggests that the New South Wales Independent Commission Against Corruption (ICAC) may be relying on unlawfully obtained data in some of its inquiries, with systems that don’t adequately prove the warrants used were proper.
The ombudsman has rebuked ICAC, as well as Australia’s police forces, other state integrity commissions and the wider law enforcement community, for failing to abide by powerful national data access laws, despite successive past warnings.
The castigation follows the agencies’ repeated wrongful accessing of personal communications data and failures in storing, protecting and then destroying it.
In response to the findings, former independent national security legislation monitor and Australia’s first in the role, Bret Walker, SC, says that if law enforcement agencies can’t meet the standards required to exercise such “drastic” powers properly, then the powers should be withdrawn.
Ombudsman Iain Anderson reveals in his annual report on agencies’ data-access compliance under the Telecommunications (Interception and Access) Act 1979 that the nation’s law enforcement agencies continue to break the law when accessing stored personal electronic data. This is despite repeated warnings about sloppy procedures.
Examining 2019-20 records of 19 agencies, the ombudsman levels criticisms at all of them. They include obtaining invalid warrants, failing to keep records, having inadequate storage and destruction arrangements, and accessing the communications of victims of serious crime without consent and without evidence of having tried to obtain it.
Federal Attorney-general Mark Dreyfus is concerned compliance appears to be going backwards.
“While the attorney-general has full confidence in agencies in the attorney-general’s portfolio, he is of course concerned by the increase in the number of compliance-related findings by the Commonwealth ombudsman,” Dreyfus’s spokesman tells The Saturday Paper.
The spokesman says some legislative requirements for authorisation, reporting and record keeping are outdated and should be overhauled. He notes that the parliamentary joint committee on intelligence and security examined the legislation in 2020 and recommended 22 changes, including to address the absence of clear guidelines for data access and handling.
“The previous Coalition government never even responded to the … committee’s bipartisan report,” the spokesman says.
Instead of law-enforcement agencies improving their handling of private data following previous criticisms, Anderson’s report shows that compliance has worsened.
Bret Walker says this is unacceptable. “These drastic powers are given to serve the public interest and so they come at the price of safeguards and probity checks,” Walker tells The Saturday Paper.
“The safeguards and probity checks only work if the shortcomings are not merely detected but are also addressed. And to address a shortcoming cannot involve performing worse the next year, because the shortcoming means the minimum standard of performance has not been reached. The agency has performed unacceptably. In principle, were that to continue, the drastic powers should be withdrawn because the intended price for their availability is not being paid.”
The ombudsman’s report, published last week, details specific non-compliance examples but says they are illustrative of widespread problems and his criticisms apply to all.
The Australian Federal Police – among the most frequent users of the powers – attracts the highest number of criticisms.
But Anderson cautions that most does not necessarily mean worst.
He finds Victoria Police and Tasmania Police obtained people’s data using invalid warrants, despite warnings.
He singles out Queensland’s Crime and Corruption Commission and – again – Tasmania Police for not checking whether the data they were accessing came from journalists, whose information attracts special protection because of their role. Anderson suggests these agencies should get legal advice about their actions.
The Department of Home Affairs also faces criticism, with four practice breaches identified and five more actions marked as risky.
Playing a key national security watchdog role, Anderson conducts annual records inspections of the 20 agencies that use the specific data powers, examining how they handle both stored communications – the contents of emails, voicemails, SMS and MMS messages – and metadata.
Metadata can include the origin, destination, duration, size, date and time of communications, along with phone numbers, email addresses and any subscription details. Accessing the data requires a warrant issued by a judge, magistrate or properly authorised member of the Administrative Appeals Tribunal (AAT) in the case of message content, or by an agency’s own specially appointed officer for metadata.
The Australian Securities and Investments Commission was not examined in the most recent inspections because it had not used the powers in the relevant period.
Anderson’s report notes the inspections are important because under the agencies’ “covert and intrusive powers” people are unaware their data is being collected.
“This means the individual cannot access complaint or other review mechanisms that would ordinarily be available where they consider an agency has acted unreasonably,” he writes. In other words, without the inspections, breaches could continue with those subjected to them never knowing and with nothing done to stop further breaches.
The ombudsman has three levels of response indicating concern. He makes formal recommendations about issues he considers serious, including previously identified problems that are still unresolved. “Suggestions” are first warnings on newly identified or less serious issues and “best practice suggestions” indicate concern that an agency’s existing practice risks future non-compliance.
The ombudsman makes 29 recommendations about serious problems in six agencies – all of them police forces. Across these and every other agency examined, he makes a further 386 suggestions and 116 better-practice suggestions.
This compares with the previous inspection year, in which 21 recommendations were made to three agencies, along with 237 suggestions and 77 better-practice suggestions.
Among the new findings, 10 specific “suggestions”, or first warnings, are aimed at NSW’s ICAC – two more than after the previous inspection. They cover the need for both a proper vetting process to ensure data was obtained under lawful warrants, and a process to quarantine any found to be collected unlawfully.
Anderson’s report says there “remained some instances in a specific system used by ICAC NSW where we were unable to be satisfied that the stored communications were within the parameters of the warrant”.
The report continues: “We also noted the ICAC NSW’s data vetting procedures did not include instructions for confirming that the relevant carrier accessed the stored communications while the relevant warrant was in force.”
It is not clear which, if any, of ICAC’s high-profile inquiries could be affected by the system failures.
The ombudsman urges ICAC to ensure it develops processes to vet stored communications and can accurately confirm all were legally obtained. Where it cannot, the ombudsman says it should ensure the electronic data is quarantined and not communicated or otherwise used. ICAC reports that it has developed a vetting process.
Victoria’s equivalent, the Independent Broad-based Anti-corruption Commission, is advised to improve consistency in its log-keeping. The ombudsman suggests the Australian Criminal Intelligence Commission should also improve its record keeping and storage practices. Both have made changes in response.
The federal government had been due to introduce its legislation for a national integrity commission into parliament this week, until the death of Queen Elizabeth II meant the sittings were deferred to later this month.
Another eminent barrister and former counsel assisting ICAC, Geoffrey Watson, SC, says non-compliance with laws upholding Australians’ basic rights of privacy is “actually pretty creepy”.
“These powers should be exercised in, and are only meant to be exercised in, exceptional circumstances,” says Watson, who is a director of The Centre for Public Integrity. “If there’s non-compliance by an agency, there should be consequences. If it’s getting worse, not better, there’s a second layer to the reason why there should be consequences. There’s no point just compiling statistics to put into a report which just gets shoved onto a shelf.”
Watson likens the law enforcement community to a rugby competition whose participants play to whatever standard is set.
“Everyone gets dragged down to the lowest level,” he says.
He notes that the legislation provides for “very severe consequences” – including prosecution – for breaches but that this would require the AFP to gather the evidence.
“Normally, you can say the person who can lift the standards is the referee,” he says. “But here, the AFP seems to be responsible for the lowest standards.”
Ombudsman Iain Anderson berates Victoria Police and Tasmania Police for obtaining invalid warrants, both having been warned before. His previous report had admonished Victoria Police for obtaining warrants from an AAT member who was not properly authorised and had suggested it quarantine the unlawfully obtained proceeds to ensure no further use.
The pandemic delayed the next annual inspection by a year, but the ombudsman reports that when his office finally reviewed the agency’s actions, including a register designed to track the status of warrants, it found the potentially invalidly obtained communications had not been quarantined “and appeared to have been used or communicated”.
“Our office raised concerns regarding the accuracy and adequacy of Victoria Police’s register, the management of this information and the absence of record-keeping,” the ombudsman writes.
This time, he recommends the police “immediately quarantine and cease any further use and communication” of the material until it has reviewed the accuracy of its records, confirmed precise details, obtained written advice on each instance of wrongful use and communication, and determined “what remedial action should be taken”.
Anderson says Victoria Police responded that all affected material was quarantined and revealed further written advice and other relevant records that “were not available to our office” during the inspection.
His report also strongly criticises Tasmania Police for twice obtaining warrants from a magistrate who was not correctly authorised.
In response to the latest inspection, the police force advised it had inquired about the magistrate’s eligibility and had accepted as proof a copy of an application for appointment as an issuing authority – when the appointment had not, in fact, proceeded. After Tasmania Police had been advised to quarantine the proceeds of two affected warrants and seek legal advice, it “identified an additional instance” involving a third warrant in 2020-21. The ombudsman says the police had begun checking whether any of the information obtained had been used or passed on “and would obtain legal advice”.
Along with the Queensland Crime and Corruption Commission, Tasmanian and NT police forces were separately criticised in relation to the handling of journalist information warrants. Two recommendations, 10 suggestions and 12 better-practice suggestions were made across 16 agencies relating to failures to properly check or keep consistent records on whether a journalism-specific warrant was required. Anderson advises the organisation to obtain legal advice.
He also raises concerns about agencies accessing the stored communications of people who are victims of crime. Under the act, this requires the person’s consent and can proceed without it only if they are either “unable” to consent or if obtaining consent is “impracticable”.
This means the agency must demonstrate the person is dead, incapacitated, missing or unable to be found, or that obtaining consent is not practical because of the difficulty, time or cost involved.
Anderson notes that if the victim is given the opportunity to consent and does not do so, then accessing their data is illegal and their reasons for withholding consent “are immaterial”.
Anderson finds that Victoria Police and the AFP both failed to address these issues in applying for warrants. The former agreed to update its policy, procedures and templates in response. The AFP argued that it had provided sufficient information in two identified instances but advised it would update templates and guidance.
An AFP spokesman tells The Saturday Paper that the AFP has introduced digital data-access processes to ensure it complies with legislation and that the records the ombudsman examined date back two years.
“Since this time the AFP has proactively worked with the ombudsman to address issues raised,” the spokesman says. “The AFP is confident that the findings of the ombudsman in this report have been addressed.”
The ombudsman finds numerous agencies had inadequate processes to vet the data received to ensure it came via authorised means. Without that, he warns, illegally obtained evidence could be used in prosecutions and individuals’ privacy could be breached.
His warnings extend to the Australian Competition and Consumer Commission, which he advises risks future breaches by having no established vetting policy.
While the ombudsman does not have jurisdiction over telecommunications carriers, it oversees how law enforcement agencies issue “preservation notices” – notices requiring telcos to retain certain information in case it is required in future. He makes 17 recommendations across 12 agencies to improve how those notices are given and records of them maintained.
The ombudsman also warns that 14 agencies have inadequate or slow processes for destroying information. It finds some are not keeping basic records of what has been kept and what destroyed.
South Australia Police is criticised for inadvertently destroying communications information that was still required, failing to destroy information that wasn’t, and having entrenched delays in obtaining authorisations.
Queensland Police is criticised over record-keeping and the Australian Commission for Law Enforcement Integrity for using preservation notice templates that lack detail. Western Australia Police Force is chastised for moving too slowly on destruction orders and is told to stop using signature stamps to authorise notices and warrants. It is reminded that somebody authorised must sign in person. But WA Police Force gets a bouquet for maintaining centralised compliance arrangements.
When it comes to metadata, the ombudsman finds most agencies obtained at least some of it unlawfully.
Overall, he finds the compliance culture is “maturing”, including through ready disclosure of non-compliance, strengthening storage procedures, continual improvement and timely remediation in response to findings.
He adds that most agencies are “receptive” to the feedback. But he highlights that several have had recurring problems. In some instances, his office was less than satisfied with the response.