The law offers bodies investigating individuals a way to monitor terrorists, pedophiles and those committing other serious crimes by requiring telecommunications companies to keep our communications metadata for two years.

This could include metadata about our phone calls — numbers, start and end location of calls for both parties, identity of the mobile base station and call duration — but not the conver­sa­tion. It could be metadata about emails and text messages — when and to where they were sent and to whom — or the address used when visiting websites.

In 2015 the Coalition and Labor voted for the Telecommunications (Interception and Access) Amendment (Data Reten­tion) Act despite protests and amendments proposed by crossbench senators to safeguard privacy. George Brandis, the attorney-general at the time, said the laws were “measured and proportionate”.

“In dealing with national security issues, we do have to bring the public with us, we do have to get the balance right between protection and liberty,” he said.

While there’s support for equipping our law enforcement bodies with the investigative tools they need, there also is concern about the breadth of organisations accessing the metadata and calls for more stringent monitoring of requests.

The Parliamentary Joint Committee on Intelligence and Security has received 43 public submissions in its review of the mandatory data retention law and has held public hearings.

Last week it took evidence from the Department of Home Affairs, ASIO and law enforcement agencies.

In its submission, telecommunications industry body the Communications Alliance listed agencies, departments and others that have sought access to people’s retained metadata. It says about 80 organisations had sought metadata up until November 2018, and another 27 had requested metadata since.

The list includes some federal and state agencies covering agriculture, fair trading, environment, heritage, health, transport, fisheries and primary industries.

The submission says many local councils have sought access, as have the Clean Energy Regulator, Centrelink, Victoria’s Racing Integrity Commission, the Australian Sports Anti-Doping Auth­or­ity, the Hunter Region Illegal Dumping Squad, SafeWork NSW, the Legal Services Commission and the Victorian Institute of Teaching.

These organisations have a job to do and that may include investigations, but there is concern the provision of metadata goes beyond what the original law intended and that access needs better public scrutiny.

Alliance chief executive John Stanton tells The Australian that many organisations have “right to produce powers” under state legislation. They can use section 280 of the Telecommunications Act to request metadata without a warrant. He sees the lack of a warrant as problematic.

“There’s not a comprehensive reporting arrangement around which organisations are making the requests and what reasons they are making them for,” Stanton says.

“We had operated under an understanding that warrantless access to telecoms metadata should be for serious crime issues, which is demonstrably often not the case.

“The agencies will make a request for what they want, whether it’s what location is this mobile at or near at 10pm on Friday night, which was the time that there was some illegal dumping of asbestos or something in the local council area. They can request a more comprehensive set of the different data points that are retained under the data retention regimen.”

Stanton doesn’t know whether these bodies use metadata for activities beyond law enforcement, “but you can make some inferences from the types of organisations that are making the request”.

He says the government’s stated intention of reducing the list of agencies accessing retention metadata down to about 21 didn’t happen; now it seems to be more than 100 organisations.

He sees a few ways to address this. Departments needing metadata could file a request through federal law enforcement agencies. “The police could vet whether that agency has the requisite power to make the request and pass it to the service provider,” he says. Alternatively, agencies could be required to seek a warrant.

Stanton says in some cases, the metadata even can be used in civil proceedings for up to a period of seven years. Could the metadata in future be used in, say, divorce proceedings where a partner wanted to establish whom their spouse was talking to, where and when, and where they travelled? “That’s the sort of possibility that the loose nature of the legislation throwsup at the moment,” Stanton says.

The Law Council of Australia also is concerned. In its submission it says recent developments in technology mean the types of metadata that can be accessed without a warrant are “considerably broader” than when the law was passed. It says organisations can glean further information by applying analytics and artificial intelligence to obtained data.

It has become possible to track people with ever greater precision. La Trobe University says existing 4G and coming 5G networks use small cells with a radius capability of between centimetres, 1m, 100m and 500m. “This creates a dense network of cells that are tracking every movement of a mobile device,” it says in its submission to the joint committee.

The law council says it still believes that access to telecommunications data should be restricted to agencies investigating a serious indictable offence.

Federal watchdog the Office of the Australian Information Commissioner says the law lets a service provider keep metadata longer than two years but agencies should be required to destroy or de-identify it. It also wants restrictions on agencies that are allowed to access metadata and suggests the committee introduce a warrant system to access data.

The Department of Home Affairs disagrees, saying raising thresholds for access to metadata would mean agencies potentially rely on more intrusive powers such as physical surveillance and search powers, and it would constrain their ability to obtain the preliminary information to apply for these powers.

It says the legislation allows agencies to access telecommunications data only if it is “reasonably necessary” for the enforce­ment of criminal law, “a law imposing a pecuniary penalty” or “for the protection of the public revenue”. Agencies have to weigh the proportionality of the intrusion into privacy against the value of the evidence and the assistance that the data offers.

Home Affairs says oversight is used to ensure compliance with requirements. But is that sufficient? “Ultimately, the effect of additional layers of approval would considerably reduce the ability of agencies to obtain telecommunications data and significantly hamper their capacity to investigate crime and protect Australians,” it says.

It also is concerned that law enforcement agencies are unable to intercept encrypted messaging, commonly provided by social networks and chat services.

Requiring messaging services to offer backdoor access to encrypted messages is already a political hot potato. There will be more opposition if there are fears that the range of agencies that access encrypted data can spread as it has with metadata access.

The Australian Taxation Office, meanwhile, says it wants its status to be upgraded to that of a criminal law enforcement agency so it can better protect public finances from criminal activities. Surprisingly, it doesn’t seem to have that access now.

The committee is required to complete its review by April 13.

More related stories

Wish

Tour the family polo farm of Sportscraft chief executive Elisha Hopkinson

For the powerhouse behind some of Australia’s best known brands, regularly escaping to the country with her young family provides a necessary respite.

Read more

Wish

How a Melbourne rich lister saved one of Scotland’s oldest whisky distilleries

Bladnoch is putting the Lowlands back on the map with its latest scotch release.

Read more