In April, the Australian Federal Police (AFP) apologetically promised it would destroy illegally-collected metadata about a journalist. It's now emerged that it botched the job, and didn't until shown the error of its ways.
The AFP discovered its mistake and reported itself to the Ombudsman, because Australia's controversial telecommunications data retention laws included a provision that a warrant must be obtained before investigating a journalist's metadata.
At the April media conference announcing the breach, AFP commissioner Andrew Colvin said the organisation deleted the data.
Not so, the Ombudsman's report stated: “As a result of our inspection, we also identified that not all copies of records containing the unlawfully accessed data had been destroyed by the AFP”.
The Ombudsman attributed the oversight to the complexity of the Feds' systems. The report said its staff “arranged to revisit the AFP with technical assistance, appreciating the complexities of the AFP’s systems. This visit prompted PRS [The AFP's Professional Standards Unit] to conduct further checks of its systems with technical assistance, which identified additional records. We confirmed that these records were subsequently destroyed.”
The report found four contributing factors to the breach.
- The PRS didn't understand the rules applicable to Journalist Information Warrants;
- ”A number of officers” in the PRS “did not appear to fully appreciate their responsibilities” when accessing metadata;
- The police lacked “strong system controls” managing applications for metadata, instead relying “heavily on manual checks and corporate knowledge”; and
- Officers didn't RTFM: the “guidance documents … were not effective as a control to prevent this breach.”
There's one other unsettling detail revealed in the Ombudsman's report: journalists didn't get as much protection under the warrant regime as they probably believed.
The report stated “there is ambiguity” about when warrants are needed. Despite the intention that the warrant is meant to help protect journalists' sources, “it is arguable that those provisions only apply” to requests for the journalists' (or their employer's) metadata.
A journalist can, however, be identified from a source's metadata, with no warrant required: “if an authorisation was issued for the purpose of identifying a journalist’s source but is not made directly in relation to that journalist or their employer, a warrant is not required.” ®