The Australian federal police’s ACT unit has been blasted for a “cavalier” attitude to access of location information to arrest criminal suspects which could put prosecutions at risk.
On Wednesday the commonwealth ombudsman released a scathing report into the AFP’s access of metadata from location-based services, warning of a failure to identify the scope of unlawful access and remediate potential breaches of privacy.
The report details instances of ACT police retrospectively authorising metadata access and conducting “fishing expeditions” including pinging a phone without being sure it was still the suspect’s number and pinging the girlfriend of a suspect where she had no connection to the alleged offence.
The report found that between 13 October 2015 and 2019 ACT policing accessed location information 1,713 times, of which the ombudsman could only be confident nine instances were fully compliant.
The ombudsman’s probe was launched in March 2020 after the AFP identified 800 requests made by ACT policing for metadata outside approved processes.
The report found many of the authorisations were not reported to the ombudsman or the home affairs minister.
“This means [location-based services] could have been accessed unlawfully,” ombudsman Michael Manthorpe said.
“If access was unlawful and the information [was] relied on in prosecutions, there may be consequences for people convicted of an offence,” the report warned.
Although the AFP claimed the metadata was “only used to locate someone to arrest them” the report said the ombudsman was “unable to rule out the possibility that unlawfully obtained evidence [the location-based services] may have been used for prosecutorial purposes”.
“We could not be satisfied that the scope of the breaches has been fully identified by the AFP nor the potential consequences and consider it is possible breaches have occurred in parts of the AFP other than ACT Policing.”
The ombudsman found that the majority of requests for data it tested that were outside AFP protocols also breached the Telecommunications Interception and Access Act.
The most serious potential legislative breaches included 90 instances of authorisations being made after metadata had been accessed, 15 instances where authorisations were not signed, and 27 instances of offences being misstated or described with inadequate detail.
Other non-compliance included failure to keep records of information put to the authorising officer and failure to consider whether the request related to a journalist.
The ombudsman found ACT policing displayed “a continued and longstanding cavalier attitude” to requirements to seek authorisation to access metadata.
It said the AFP had made some progress with remedial action but “needs to do more to confirm the extent of non-compliance with the legislation for this type of telecommunications data and remediate any consequences of non-compliance”.
The report made eight recommendations, which have all been accepted by the AFP, including to provide information about access of location-based services by the AFP outside ACT policing.
The AFP said it has sought “preliminary legal advice” in response to a recommendation to determine whether metadata was used in prosecutions and whether metadata should now be quarantined and deleted.
ACT policing chief police officer, Neil Gaughan, told reporters in Canberra police were working with the DPP to determine if the data was used in prosecutions, but suggested it was unlikely it would be “the nail in the coffin” for a prosecution and was usually used only to locate suspects.
Gaughan accepted that “poor internal processes … were not up to community expectations”. He said he would not “slap officers on the wrist for previous sins” but future breaches may be punished.
He said ACT policing had improved processes including streamlining requests with an online form, centralising authorisations within the AFP and educating police about the use of the metadata laws.
In 2019 the ombudsman revealed ACT policing had accessed metadata unlawfully at least 116 times. ACT policing later admitted the true figure was 3,365 but then chief officer, Ray Johnson, played down the “administrative oversight” caused by an officer approving metadata searches without proper authorisation.
Then-home affairs minister, Peter Dutton, suggested there may be unspecified “consequences” for the breaches, but the AFP has never publicly committed to contact individuals’ subject to breaches.
Manthorpe said that law enforcement agencies “rely on a wide range of covert and intrusive tools to do their work, but to maintain public trust these tools need to be properly deployed, in accordance with the legislation which governs their use”.
He noted the federal government is seeking to extend the powers of the Australian Signals Directorate to assist police in detecting and disrupting criminal activity.
Manthorpe said reporting to the ombudsman was a “critical factor in effective oversight of such powers” and that “full reporting did not occur to the ombudsman for a considerable period of time” in relation to location metadata.
The AFP did not respond to requests for comment about compliance outside ACT policing.