TIA Act telecom data privacy implementation under fire

A federal senator critiques the government’s “cavalier disregard” for hard-fought protections in a contentious parliamentary debate.

Despite earlier promises, a federal senator alleges agencies aren’t tracking or protecting access to sensitive telecommunications metadata. The implementation of the contentious Telecommunications (Interception and Access) Act 1979 (TIA Act) has been the subject of a rough debate in the Australian parliament.

TIA Act implementation called insufficient

The security of Australians’ personal metadata has been compromised by the government’s “cavalier disregard” for hard-fought protections implemented to protect it, a federal senator has alleged as the Parliamentary Joint Committee on Intelligence and Security (PJCIS) wraps up its review of the country’s contentious mandatory telecommunications data retention legislation. The review is due to be completed by 13 April.

Government authorities have “no central database” and “no centralised public reporting” of which organisations are given access to metadata about Australians’ communications, Jennifer McNeill, first assistant secretary in the Communications and Infrastructure Division of the Department of Infrastructure, Transport, Regional Development, conceded under questioning during a recent hearing.

That wasn’t good enough, said committee member Senator Anthony Byrne, who sat on the committee that passed the contentious TIA Act — originally intended to support criminal investigations by the country’s 21 law-enforcement organisations.

“Our committee was told in 2012, 2013, 2015, and 2016 that they would be doing everything within their power to limit the number of organisations that could access this metadata,” Byrne said. “So for me to hear you effectively say that you’re not quite sure how many organisations can access this metadata, and then casually say that it’s a jurisdictional issue, goes against the guarantee that we were given to put the scheme in the first place. … [it’s] a cavalier disregard for people accessing intrusive information which this parliament had to fight years for.”

Industry figures suggest at least 87 organisations have requested access to the metadata stored by telecommunications providers under the legislation, whose scope has slowly expanded as local governments and private organisations pushed for access to phone usage data that can corroborate the activities of persons of interest.

Early deliberations over the legislation had suggested that police agreed the data should only be available to law-enforcement bodies and that the legislation would be stopped if its scope expanded inappropriately, an “annoyed” Byrne added during an escalating exchange with an evasive Hamish Hansford, first assistant secretary with the National Security and Law Enforcement Policy Division within the Department of Home Affairs.

The reason PJCIS gave the agencies the new powers “was that we would protect access to intrusive data,” Byrne said, “and prevent the very thing that you’ve just casually described as happening, from happening. … I was told it would be plugged. It has not been plugged [and] you’ve indicated to me that you’re not seriously wanting to address the issue.”

How the telecommunications data retention law has been used

The verbal stoush came as committee members debated the efficacy of the legislation, which took years to pass and has remained controversial throughout its first years.

The legislation has, according to the latest annual report into its operation, cost Australian telecommunications providers $229 million so far, with agencies paying them $46.5 million for access to the data through the end of fiscal 2019.

Some 295,691 authorisations were made during fiscal 2018-19 for disclosure of historical telecommunications data, with an additional 27,824 authorisations for disclosure of “prospective telecommunications data”.

Six ‘journalist information warrants’ were issued to the Australian Federal Police — facilitating the controversial swoop on journalists at the ABC and elsewhere.

The range of uses for the data reflected the fact that some complex crimes take years to investigate and require access up to and beyond the 24-month mandatory retention period, Hansford said, but he was unable to provide “specific analysis” when pressed for details about how effective the data has been in supporting investigations.

Australian Security Intelligence Organisation director-general Mike Burgess was more specific in his testimony. The “limited fragmented information” provided to ASIO by the data retention regime is “critical to the majority of our investigations,” Burgess said, noting that communications records “may be the only intelligence we have available to identify terrorist networks and conspiracies. … It is the bedrock for furthering our investigations and it is critical to our responses.”

One case of the data’s usage, Burgess said, involved the investigation of a visiting scientist who was “undertaking clandestine intelligence activity” for a foreign government. Retained metadata allowed ASIO to trace the scientist’s access to classified material over a decade, evaluating the “harm the scientist caused to Australia”.

Copyright © 2020 IDG Communications, Inc.
