The Australian Federal Police have accessed the metadata of a journalist without properly complying with Australia's new metadata retention laws, AFP commissioner Andrew Colvin has revealed.
The breach of legislation happened earlier this year, and involved Australian police investigating the phone call records of a journalist without obtaining the correct warrant for the release of that information.
A "self-report" was submitted to the Commonwealth Ombudsman regarding the metadata breach.
"This is an investigation into the release of information by a police officer to a journalist," Australian Federal Police Commissioner Andrew Colvin revealed, speaking to media at 3:30pm AEST today. "The data was records in relation to one phone number calling another phone number."
"The investigation is ongoing. There should be no inference that the journalist involved has committed an offence."
Colvin went on to say "It was important that we were open and honest that we were breached. I believe that the public should have full confidence in the police, and full confidence in this policy."
Colvin spoke of "the importance of metadata to police investigations" and said the breach was "human error."
When asked if the journalist had been informed that the data was illegally accessed, Colvin said "the investigation about the leak is still ongoing, for that reason we have not notified the journalist that that journalist's data was accessed without a warrant."
When asked if this event confirms concerns around metadata, Colvin replied "the changes that were brought in by the government 18 months ago... tightened police access to metadata. It limited agencies' access. The public should have confidence we found this breach; it's not about whether the information wasn't relevant to the investigation."
"Once we realised we made the breach, we stopped all investigations related to this inquiry."
Colvin confirmed that "it is extremely rare that we are interested in journalist metadata", and "we have not had any journalist information warrants sought."
Damian Kay, CEO of Inabox Group, which is the parent company of Australian managed IT, cloud and communications providers, said today's announcement isn't surprising.
"It won't be any shock to anyone in the media or IT industry that a police officer has illegally accessed the records of a journalist's phone calls. This is exactly what experts have been warning about for years," Kay said in a statement.
"The government's metadata retention laws are extremely flawed. It is simply not a good idea to have all this information in one place, leaving it open to human error or deliberate malice."
Kay called it a "massive honeypot" for people who want to do the wrong thing.
"It's not good enough simply to say this was a case of human error. Ask any security expert, and they'll tell you that the weakest link in any security system is people. Human error will occur again and again."
"Australia has walked into a Big Brother state, and we call on the Turnbull Government not just to review this particular incident but reconsider the entire metadata retention policy."