The Department of Home Affairs and its minister, Peter Dutton, have been considering an expansion of the agencies who can access Australia’s controversial metadata pool, new information has revealed.
A ZDNet report, using information supplied to CommsDay under an FOI request, has revealed Dutton had been in correspondence with various agencies from the country’s states and territories for their inclusion in the access list.
The agencies suggested were Australian Consumer Law regulators from each jurisdiction, who had been excluded due to not being law enforcement. That list would include NSW Fair Trading, the Queensland Office of Fair Trading and Consumer Affairs Victoria among others.
While the letter contained no date, the report outlines it was in response to Tasmania’s Attorney-General Elise Archer on 29 July 2019 who recommended the above ACL regulators be considered for inclusion.
Under the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015, criminal law enforcement agencies, such as the Australian Federal Police, ICAC and ASIC, can access the metadata of Australians without a warrant if it’s in the interest of national security.
Metadata is described as “set of data that describes and gives information about other data”. Senator Brandis infamously explained back in 2014 that metadata was the envelope holding the letter, but not the letter’s message — in other words, data about when and how the website was accessed but not what was seen on the website.
Not the only non-law enforcement agency with interest in accessing Australian metadata
While the ATO could previously access that data under the Telecommunications (Interception and Access) Act 1979, it was excluded from the 2015 legislation.
In 2019, the Australian Tax Office (ATO) requested it be able to access metadata in order to investigate tax fraud and evasion.
In a submission to Parliamentary Joint Committee on Intelligence and Security’s (PJCIS) metadata retention inquiry, ATO’s CEO Michael Allsop said the agency needed to access the metadata for timely investigating.
“The ATO has a demonstrated ongoing operational need for [telecommunications data] in order to effectively administer the taxation and superannuation system which are directly related to the protection of public revenue,” Allsop wrote.
An ATO spokesperson told Gizmodo Australia at the time it was requesting access so it could help link devices to the offenders in order to bring about prosecution.
“Telecommunications metadata can be used effectively by the ATO to filter and exclude innocent parties from investigations, saving substantial time and resources that could be more advantageously deployed elsewhere,” an ATO spokesperson told Gizmodo Australia.
Metadata contains more information than initially promised
Earlier this year, a senate hearing heard the Commonwealth Ombudsman Michael Manthorpe admit law enforcement agencies had been accessing more data than initially anticipated due to ambiguities with the legislation.
“The piece of ambiguity we have observed through our inspections is that sometimes the metadata in the way that it is captured – particularly URL data and sometimes IP address, but particularly URL data — does start to actually, in its granularity, communicate something about the content of what is being looked at,” Manthorpe told the committee.
“It can be quite long or it can be quite short, and in some cases the descriptor is long enough where we start to ask ourselves, ‘well that’s almost communicating content, even though its captured in the URL.'”
“When the scheme was commenced the concept of metadata was probably thought to be quite a clean and definable thing, but we know that there is a greyness on the edges here that we thought we should call out.”
In essence, it meant in the five years the legislation had been in effect, metadata requests were giving away more than what was originally sold to the public. For example, the website’s URL, in some cases, contained information indicating the webpage’s content so it could give law enforcement agencies more information than the legislation allowed for.
The PJCIS is expected to deliver a report next month on its recommendations for the mandatory data retention’s legislation.