Data snooping free-for-all: loophole exploited
Laws to protect the metadata of millions of Australians are being subverted by organisations.
Laws to protect the private metadata of millions of Australians are being subverted by a vast array of organisations, which are using a loophole in data-retention laws to access information only meant to be used by security agencies and police.
Australia's biggest telco, Telstra, has called for a crackdown to limit access to information being sought by councils, small government agencies and other bodies that investigate minor legal breaches.
A parliamentary inquiry has been told that at least 87 agencies — including veterinary bodies, councils and fisheries agencies — have sought warrantless access to metadata held by telcos under mandatory data-retention laws in place since 2015.
The Veterinary Surgeons Board of WA, Victorian Fisheries, Liverpool City Council and the Australian Sports Anti-Doping Authority have been named among at least 27 bodies that have sought data from telecommunications companies since November.
The agencies are believed to have sought location data, call records and customer identification in the requests.
Some of the requests related to investigations into traffic offences, the unlawful removal of trees, illegal rubbish dumping and billposters.
Under the Telecommunications (Interception and Access) Act, only 22 agencies are named as having access to the information, which is required to be held for two years.
Telstra has told a parliamentary committee reviewing the regime that dozens more agencies are “circumventing the intended restriction” by instead seeking data for matters that aren’t about serious criminal activity or national security via the Telecommunications Act.
“While the issues these agencies and bodies are dealing with are undoubtedly significant in their own domain, they may not fall into the category of ‘serious criminal activity or national security’,” Telstra said in a submission to the parliamentary joint committee on intelligence and security.
“These agencies and bodies have relied on section 280 of the Telecommunications Act to access telecommunications data, thereby circumventing the intended restriction and avoiding assessment of whether disclosure is justifiable. There is a risk this type of access to telecommunications data could erode public trust in the regime and undermine the relationship we have with our customers in relation to protection of their privacy.”
Under section 280, the release of such data is allowed “if the use or disclosure is required or authorised by or under law”. The data cannot be used in civil proceedings.
Telstra said some agencies were “not contributing to the cost” of providing such information.
While Telstra did not identify the agencies, it did refer to a separate submission by the Communications Alliance — an industry group of which it is a member — that named 87 agencies and bodies that had sought warrantless access to metadata since the regime began in 2015.
Its chief executive, John Stanton, said yesterday he did not know how many requests had been successful, but companies had complied with requests when the data was available and the entity had the power to make the request. “Some of the requests are being granted,” Mr Stanton said.
“If the state-based agency has a lawful right under its own legislation to request the data, well then the telco can’t refuse that (under the Telecommunications Act).”
Telstra has also raised concerns with how those agencies not named in the TIA Act are handling the data.
“Under the (data retention) regime service providers are required to encrypt and securely protect retained data,” Telstra said. “We are concerned that agencies and bodies not listed … (in) the TIA Act may not have sufficiently strong security measures to protect received data.”
Under the mandatory data retention regime, telcos — including Telstra, Optus and TPG Telecom — are required to keep telecommunications data for two years.
The data to be retained includes customers’ names, addresses, contact details, phone numbers contacted and the location of the device used at the start and end of any call or text message.
The Telecommunications Act states that only the following criminal law-enforcement agencies can apply for access to retained data: the Australian Federal Police; a police force of a state; the Australian Commission for Law Enforcement Integrity; the Australian Criminal Intelligence Commission; the Immigration and Border Protection Department; the Australian Securities & Investments Commission; the Australian Competition & Consumer Commission; states’ anti-corruption bodies; or an authority or body for which a declaration is in force.
If the data is solely stored to comply with the regime, only those named agencies are allowed to receive it. However, many companies keep the data for other purposes, which allows other agencies to access it.