Under the laws, telecommunications companies must store customer metadata for at least two years so it can be accessed by security and policing agencies if required. Metadata includes the identity of a subscriber and the source, destination, date, time, duration and type of communication. It excludes the content of a message, phone call or email and web-browsing history.
The Parliamentary Joint Committee on Intelligence and Security is reviewing the metadata laws amid growing evidence of a number of gaps and loopholes in the scheme.
Mr Manthorpe told the inquiry he was concerned about the way URL data was being captured in metadata requests, saying some of it could be regarded as “content”. Under the metadata laws, agencies are not allowed to access any data that could be defined as “content”, which would require a warrant.
“Sometimes the metadata in the way it’s captured – particularly URL data and sometimes IP addresses … does start to actually, in its granularity, start to communicate something about the content of what is being looked at,” he said.
“In some cases the descriptor is long enough, we start to ask ourselves: ‘Well that’s almost communicating content’.
“We’re simply highlighting that I think when the scheme commenced, the concept was probably thought to be quite a clean and delineable thing, but we know that there is a greyness on the edges that we thought we should call out.”
Mr Manthorpe also suggested law enforcement and intelligence agencies were taking advantage of an “ambiguity” or “gap” in the scheme to identify journalists’ sources without getting a journalist information warrant.
Documents submitted by the Australian Federal Police to the review in July last year showed investigators were granted two special “journalist information warrants” in the 2017-18 financial year, which were used to access journalist metadata on 58 separate occasions.
Mr Manthorpe on Friday revealed agencies could also access metadata between a journalist and their source by receiving an internal authorisation to access the source’s metadata, rather than going after the journalist.
“In so doing, [agencies can] identify those phone numbers and so forth that the source was communicating with and it may so turn out that one of those was the journalist,” Mr Manthorpe said.
“So there is a way in which a journalist’s source is identified without accessing a journalist information warrant. We’re simply raising that as an issue for consideration as to whether or not it is consistent with what was intended in the scheme.”
Mr Manthorpe also raised concern about agencies using “verbally issued authorisations” instead of receiving approvals in writing.
“What we have observed is that in some instances, law enforcement agencies, particularly I think where they are operating in a spirit of urgency … in some cases they issue an internal authorisation based on verbal advice,” he said.
“At an operational level, I can understand why that might occur, but that isn’t catered for in the legislation. We think that is a gap in the legislation.”
Inspector-General of Intelligence and Security Margaret Stone told the inquiry there was a concern about the metadata regime capturing data that was “almost as intrusive” as accessing content.
“Because the nature of telecommunications has changed so much in recent years, there is this assumption that you get more from content than metadata,” she said.
“They can be very intrusive in the sense of what they tell ASIO, not in the sense of the person being aware. They are less intrusive than, say, an overt search of your house, but in terms of what metadata tells you, they tell you a lot about a person.”
She also called for the Attorney-General’s Department’s guidelines for domestic spy agency Australian Security Intelligence Organisation to be updated, including clear rules on the agency’s obligations to destroy data which was no longer needed.
Anthony is foreign affairs and national security correspondent for The Sydney Morning Herald and The Age.