23 May 2017

Telco Access

The Commonwealth Ombudsman's report Telecommunications (Interception and Access) Act 1979 — Commonwealth Ombudsman’s monitoring of agency access to stored communications and telecommunications data—Report for 2015-16 presents the results of inspections conducted by the Commonwealth Ombudsman under s 186B of the Telecommunications (Interception and Access) Act 1979 (Cth) from 1 July 2015 to 30 June 2016.

Under the Act, 20 specified law enforcement agencies are able to lawfully access an individual’s telecommunications data and/or stored communications when investigating certain offences.

The report states:
Telecommunications data, or ‘metadata’, is information about a communication. Metadata does not include the contents of a communication. In the example of a phone call, metadata may include the phone numbers of the two parties to the conversation, the duration, date and time of that phone call but not what was said. Any of the 20 specified agencies have the power to authorise access to this information. If, however, an agency wishes to access metadata that will identify a journalist’s information source, the agency must apply to an external issuing authority for a warrant.
Stored communications are communications that have already occurred and are stored on a carrier’s systems. An example of this would be a Short Messaging Service (SMS) that has been sent to or from a person’s mobile phone, and would include the contents of that message. An agency must apply to an external issuing authority for a warrant to access stored communications.
Before a warrant is issued, however, an agency may authorise the ‘preservation’ of a stored communication, to prevent a carrier from destroying the communication before it can be accessed under a warrant.
These are covert and intrusive powers, given to agencies for the purposes of combating crime and protecting our community.
The fact that these powers are exercised covertly is the reason why oversight is so important. A person who has been subject to the powers will not be aware of the fact, and therefore, will not be in a position to make a complaint. Instead, the Ombudsman provides independent oversight by conducting inspections at each agency that has exercised these powers. At these inspections, we assess whether agencies are compliant with legislation and whether they have used these powers in line with the spirit of the legislation.
The purpose of oversight is to provide assurance to Parliament and the wider public that agencies are using these powers as Parliament intended. That is, that these powers are not being abused and that agencies are being held accountable for their use. We report our findings to agencies and the Commonwealth Attorney General, who must then make the report public.
It is reassuring to note that overall, agencies are appropriately exercising their powers to access stored communications and have frameworks in place to ensure appropriate access to metadata. It was evident that agencies are committed to compliance and want to ‘get it right’.
During an inspection, there may be a range of issues identified, including minor administrative errors, instances of serious non-compliance and systemic issues. The Ombudsman may make suggestions for improvement or may make formal recommendations in instances where an issue has not been addressed by the agency, or if it is sufficiently serious. Of the 36 inspections conducted under the Act during 2015-16, only three recommendations were made. Ultimately, all agencies have been responsive to the Ombudsman’s findings.
Access to metadata
Overseeing access to metadata is a new function for the Ombudsman. Agencies have accessed metadata for a number of years without external oversight, which means that each agency already had policies and procedures in place.
As this was the first time agencies would be scrutinised on how they managed and used this power, during 2015-16 the Ombudsman focused on understanding the policies and procedures already in place at each agency. Due to the varying size, structure, nature and complexity of each agency, processes varied. In taking all of this into account, we were able to work with each agency to identify individual strengths and risks for non-compliance with the Act.
As a result of our 2015-16 inspections, we found that agencies had mostly sound policies and procedures in place for accessing metadata. Although each agency faced its own challenges, we identified some common areas of risk for all agencies, including:
• the level of involvement and support from senior leadership
• the timeliness and comprehensiveness of training given to those exercising metadata powers
• the effectiveness of internal communications within an agency to raise awareness of relevant changes and share best practices.
Overall, agencies demonstrated a strong commitment to comply with the Act. Agencies were open to feedback and willing to improve their processes. This was particularly evident in the lead-up to inspections, with significant engagement from most agencies with the Ombudsman.
Access to stored communications
The Ombudsman has performed an oversight role in relation to access to stored communications since 2006. This is the Ombudsman’s first public report on the results of these inspections.
As a result of the 2015-16 inspections, most agencies were compliant with the Act. However, we identified non-compliances in relation to various record keeping provisions and adherence to warrant conditions and restrictions. All agencies were ultimately receptive to our current and previous findings and best practice suggestions.