Australian telcos handing over more metadata than than legally required

The Independent Broad-based Anti-corruption Commission told a federal inquiry into the retention of metadata there needed to be greater oversight and regulation of the scheme, revealing service providers "frequently" supplied them with data outside the parameters of their request.

When this happened, the Commonwealth Ombudsman placed the onus on the commission to ensure the extra data was "quarantined" and not used in the investigation.

Meanwhile service providers continued to charge law enforcement bodies for the extra data provided.

There was also "significant resourcing implications" in quarantining the additional information, the commission said.

The cost of data varied between telcos. The same request made of two different providers cost $462 and $1250 respectively, the inquiry was told.

"One ... investigation involving a large number of potential persons of interest had 26 requests for [call charge records] and reverse call charge records held for period of 24 months that totalled $20,000," the commission said.

"Requests for this operation was reduced and certain elements of the offending may not have been subject to comprehensive investigative analysis."

Communications Alliance chief executive John Stanton rejected the commission's claim telcos frequently handed over extra data.

"Every service provider is different - they have different systems, different databases and often different methods of data retrieval, as well as differing internal costs of meeting retrieval requests," Mr Stanton said.

"Requests for metadata from security agencies also vary greatly - including as to how specific, well-framed and precise they are.

"It is not impossible that in seeking to meet a data request - particularly one that does not match the characteristics of a given database - the data provided might not exactly square with what the requesting agency was expecting to receive. Providing 'extra' data is not something that providers routinely do or seek to do."

The Australian Communications and Media Authority also said telcos spent more money complying with the scheme than they recovered from law enforcement agencies.

Since 2014, the industry has spent $211 million on complying with mandatory retention laws. In the same period law enforcement agencies spent $39 million buying the data.

Metadata only accounted for a fraction of disclosures under the Telecommunications Interception and Access Act as well, the agency said.

In 2017-18, nearly 12,000 metadata disclosures were made, compared to nearly 564,000 disclosures made under the entire act.

But the Australian Human Rights Commission remains concerned about the broad scope of the scheme.

"The commission is concerned that the operation of the regime in its current' catch-all' form is not a proportionate restriction of the right to privacy and freedom of expression," it told the inquiry.

The human rights commission has recommended the two-year retention period be significantly curtailed.

READ MORE:

Retained communications data should also only be able to be accessed by law enforcement agencies for the investigation of defined and sufficiently serious crimes.

But despite its concerns, the Independent Broad-based Anti-corruption Commission said the data retention scheme was an "essential law enforcement tool" and the current thresholds to obtain data were "appropriate".

It said the use and disclosure provision should be widened, so the anti-corruption body could hand over information to public bodies for disciplinary action, when the criminal threshold was not met.

"For example in an operation where IBAC was investigating allegations of prison officers introducing contraband into a maximum security prison including illicit drugs, it was found that a prison officer was maintaining contact with former prisoners and making requests on their behalf in the prison system," the commission said.

"This evidence was obtained from telecommunications data but the [law] did not permit the disclosure of the data to prison management."

Ultimately the commission used its other powers to hand legally intercepted information over to the agency.