The Australian Federal Police revealed on April 28 that one of their officers broke the law by accessing a journalist's phone records without a warrant.
The Police Commissioner Andrew Colvin explained that it involved an investigation of “the unauthorised release of sensitive police information to a journalist.” He blamed human error and denied any malice. The journalist affected has not been informed of the release.
Internet service providers and telcos are required to keep customers’ metadata — information about who they've contacted, and when — relating to both phone and Internet, for two years. Currently, law enforcement must obtain a warrant from a judge if they wish to access journalists’ communications metadata. This safeguard only applies to journalists — other customers do not have this protection.
Australia's data retention policy, as described on the Attorney General's website, defines said data as “information about a communication rather than the content or substance of a communication.” For calls, this includes “phone numbers of the people talking to each other and how long they talked for—not what they said.” For emails, “data is information such as the relevant email addresses and when it was sent—not the subject line of the email or its content.”
International tech news website CNET joined a chorus of online voices pointing out that the public had been warned:
Chalk this one up for the security record books under the chapter titled, “We told you so.”
[…] The spectre of a major data breach has been looming since the laws were first mooted, with critics warning that creating a trove of metadata on every single Australian with a phone or an internet connection was a recipe for a major data breach, or a major hack.
Today's confirmed breach comes just two weeks after the laws officially came into effect. Originally introduced to parliament under the banner of national security concerns and curbing paedophilia and drug crime, critics of the policy were quick to frame the debate around questions of mass surveillance, access to the stored data and its use in civil cases, such as the prosecution of piracy.
Australian technology news site iTWire called for action:
…there should now be a fresh inquiry into the entire data retention scheme in the wake of the actions by the [Australian Federal Police]
Paul Murphy, the CEO of the MEAA union, which protects journalists and other media workers in Australia, was appalled by the revelation:
The use of journalist’s metadata to identify confidential sources is an attempt to go after whistleblowers and others who reveal government stuff ups. This latest example shows that an over-zealous and cavalier approach to individual’s metadata is undermining the right to privacy and the right of journalists to work with their confidential sources.
There was also a strong negative reaction on social media, especially from critics of the data retention system. There were concerns that the police, often referred to as the AFP (not to be confused with the French news wire), are above the law, as the officer concerned is not facing any action. William Tinkle tweeted:
when anyone not a member of the AFP illegally obtains something its called theft and they're prosecuted #metadata
— william p tinkle (@willytinkle) April 28, 2017
Others shared their concerns that the original justification for retaining and accessing data, namely national security and drug law enforcement, was being used to control media freedom:
Everyone promised the metadata laws were about national security. Today we learn AFP are using them to find out who leaks to journos #auspol
— Dylan Whitelaw (@WhitelawDylan) April 28, 2017
One tweep spoke up for the Federal Police, reflecting the low esteem in which the media is held in many quarters:
— JMV (@j1m1v) April 28, 2017
There was cynicism on all sides:
Signaling: anyone who leaks info will be tracked down using metadata. The point of yesterday’s [Federal Police] theatre.
— Mark Pesce (@mpesce) April 29, 2017
Meanwhile, Electronic Frontiers Australia (EFA) have launched a petition calling for ‘a universal warrant requirement for all access to retained telecommunications data’:
Last week’s revelation … demonstrates the complete lack of effective protection provided by the current legislation.
There is some good news on the metadata front, with the Federal government ruling out expanding access to metadata to civil cases. EFA welcomed the decision:
This is an important victory.
Had the government allowed even a limited expansion of access, it would almost certainly have been just the first of a number of such expansions.
The police have admitted that the data revealed by the breach cannot be “unseen”. Whether evidence arising from the illegality will be admissible in a court case remains unclear.
Update 4 May 2017
From Jon Lawrence, executive officer of Electronic Frontiers Australia:
There's one inaccuracy in your story, namely this: ‘Today's confirmed breach comes just two weeks after the laws officially came into effect.’
The journalist warrant requirement actually came into effect on 13th October 2015. Two weeks ago was just the deadline for technical implementation of the full scheme. This incident was about phone call records, which have been retained for many years already, so there was nothing new to implement.
It's a small but I think important point, i.e. that the AFP actually had 18 whole months (not just two weeks) to train themselves to remember the two words ‘journalist’ and ‘warrant’.