Data breach by the Australian Federal Police involving journalist metadata

April 28, 2017 |

The Australian Federal Police have self reported on a data breach involving a journalist’s metadata.  The breach was accessing the data without first obtaining a warrant  It is reported by the Fairfax press at Police illegally obtained journalist’s phone records under new metadata retention regime and the Guardian at Federal police admit to accessing journalist’s metadata without a warrant.  The ABC reports on it at AFP officer accessed journalist’s call records in metadata breach.

There was always a problem with the journalist exception in the  Telecommunications (Interception and Access) Act 1979.   The exception was devised and legislated in response to complaints from the media.  Those complaints did not extend, or extend strongly enough, to the real problems with a meta data regime, its ultimate effectiveness in combating crime and the likelihood it would lead to abuses.  The structure of the legislation is confusing and prone to abuse.  The journalist warrant provisions are set out at sections 180G and and 180H.  That there was a breach of the Act is both concerning but also quite predictable.

The media release from the AFP provides:

The Australian Federal Police (AFP) has self-reported to the Commonwealth Ombudsman a breach of the Telecommunications (Interception and Access) Act 1979 (TIA Act) by a member of the AFP.

In the process of an investigation, an AFP member accessed Call Charge Records and telecommunications data pertaining to a journalist. These records were accessed without a Journalist Information Warrant being issued, which is required by the legislation.

AFP Commissioner Andrew Colvin said the breach was identified as the result of a routine review of the relevant case by a senior officer, and an internal independent review was immediately undertaken.

“Once the breach was confirmed, immediate steps were taken to mitigate the effects of the breach and to ensure that this was an isolated incident. All relevant records in the AFP’s possession were destroyed and no investigative activities were undertaken as a result of the telecommunications data obtained from the journalist’s records,” Commissioner Colvin said.  

“Initial inquiries reveal this breach was a result of human error. Immediately after this incident was identified, our internal processes were reviewed and steps have now been put in place to ensure a similar breach should never happen again.”

On Wednesday, 26 April 2017, the AFP notified the Commonwealth Ombudsman of the breach.

“I have already been notified by the Commonwealth Ombudsman that they will conduct a full audit of the breach under the Telecommunications (Interception and Access) Act, commencing Friday, 5 May 2017. I welcome that audit and the AFP will fully cooperate,” Commissioner Colvin said.

“The AFP put comprehensive guidance and training material in place to support compliance with this legislation when it commenced in 2015. This is the first investigation where the AFP was required to obtain a Journalist Information Warrant under the TIA Act, and the processes we had in place were found to be lacking. Our internal procedures have been changed to prevent a repeat of this incident.”

In addition, the AFP has undertaken a comprehensive review of other similar investigations to ensure further errors have not occurred. No other breaches have been identified, and the AFP is confident this has been an isolated incident.

“It is important to note that this investigation did not relate to the conduct or action of a journalist and was not about targeting a particular journalist. The journalist is not the subject of this investigation, nor are they being investigated for any alleged breach of Commonwealth law,” Commissioner Colvin said.

“The AFP understands the importance of individual privacy and we support this as a fundamental right in Australia. However, in the 21st century, access to metadata is central to the vast majority of successful crime investigations. It is critical that our law enforcement and intelligence agencies can access it.

“While it was not an offence under the Act, given our organisation’s commitment to transparency and honesty with the Australian community, I felt it was important the matter is reported early and put on the public record.

“We have strengthened mechanisms to ensure the public can have confidence that the AFP’s powers will be used in a targeted, transparent and accountable manner and that the appropriate checks and balances are firmly in place.”

Fortunately the Government has decided that following a review there will be no variation on the restrictions on civil litigants accessing telecommunications data retained under the metadata regime.  On 13 April 2018 the Attorney General and Minister for Communications announced:

The Turnbull Government has decided to leave in place existing restrictions on civil litigants accessing telecommunications data retained solely under the data retention scheme.
The decision follows a review conducted by the Attorney-General’s Department and the Department of Communications and the Arts, which found there was insufficient reason to justify making exceptions to the restrictions imposed by the data retention legislation.
The conduct of the review was a recommendation of the Parliamentary Joint Committee of Intelligence and Security. It is incorrect to say, as some have falsely asserted, that the review was conducted for the purposes of weakening existing restrictions.
The review received over 260 submissions from individuals and organisations. It considered the use of telecommunications data in the civil justice system, privacy of communications and the regulatory burden on the telecommunications industry.
In line with the Committee’s recommendation, the Government has completed this review and tabled its findings by 13 April 2017, which coincides with the end of the data retention implementation period.
The Government’s data retention legislation standardised the type of data telecommunications companies are required to retain and the length of time they need to keep it. It also reduced the number of agencies that can access the data – from over 80 to 21.
Metadata is the basic building block in nearly every counter-terrorism, counter-espionage and organised crime investigation. It is also essential for investigating child abuse and child pornography offences that are frequently carried out online.

2 Responses to “Data breach by the Australian Federal Police involving journalist metadata”

  1. Data breach by the Australian Federal Police involving journalist metadata | Australian Law Blogs

    […] Data breach by the Australian Federal Police involving journalist metadata […]

  2. Sharon

    Funny that Mr Clarke that the person whom some have suggested the investigation relates was unable to make submissions to the committee nor could her lawyers. It seems all her computers have been corrupted for sometime so that she has been prevented from obtaining any relevant information pertaining to the AFP and other govt department’s mishandling of a related matter. Yes, the cover up has been so great that all search engines provided all incorrect news and “road blocks” to exposing the metadata breaches and cyber security beaches. Do you think Mr Turnbull and Mr Dutton suddenly bought about the cyber security strategy, the prohibition on access to metadata on 13 April 2017, the tougher immigration stance and move toward Australia first. I expect this person needed to be muzzled first then they attempted to affect her credibility, and then well she started to make sense. People started to listen. Maybe LNP and AFP think it’s time to be transparent because that’s what the Australian public expect, and well, maybe a bomb is about to drop! And from one Lawyer to another, one very large injustice has occurred and has been allowed to occur for over a year to the detriment of two Australian citizens, one of which is a small child. One wonders who the Journalist is and the leaker but more to the point, what sensitive content or incidental data was leaked in the unauthorised collection which not doubt breached the privacy of the individuals concerned. public interest requirements have to prevail in this case!

Leave a Reply