Security

Australian police: We illegally accessed journalist metadata

Two weeks after Australia's mandatory data-retention plan kicks in, federal police reveal an officer illegally gained access to a journalist's call record.

padlock-cellphone.png
CNET/Amanda Kooser

Australia's top police agency has been forced to make an embarrassing admission, revealing that Australia has had its first (reported) metadata breach. And it came at the hands of an Australian Federal Police officer.

The AFP today revealed one of its officers "illegally" accessed the metadata of an Australian journalist's phone calls "earlier this year."

The breach was "identified by the AFP as a result of our own review," AFP Commissioner Andrew Colvin said.

Colvin said that police destroyed all data once it was clear they had breached the law and that data did not form part of any police investigations.

"Put simply, this was human error," he said. "It should not have occurred."

Australia's mandatory data-retention law passed with bipartisan support in March 2015. Under the law, internet service providers and telecommunication companies are required to store metadata about customer communications, including names, addresses and the time, location and duration of communications, for two years.

The laws also include provisions requiring police to get a warrant to access journalists' metadata. The provision of the Journalist Metadata Access Warrants was made to expedite passage of the metadata legislation and to appease media organisations concerned about data retention encroaching on press freedoms and the confidentiality of sources.

However, under the warrant provision, journalists are not notified if their metadata is accessed.

Today, the AFP revealed that it failed to secure a warrant in this case, resulting in Australia's first metadata breach being reported months after the fact.

Still, Colvin rejected suggestions that the breach represented a failure of the system.

"It's extremely rare that we're interested in a journalist's metadata," said Colvin.

"We have breached in respect to a journalist's particular circumstances on this occasion," he added. "I don't think that gives cause to say that the public should have their confidence shattered in the system."

The spectre of a major data breach has been looming, with critics warning that creating a trove of metadata on every single Australian with a phone or an internet connection is a recipe for a major hack.

"The internet is a very busy place for people that choose to do harm," Michael Burgess, chief information security officer of Australia's largest carrier, Telstra, said in 2015. "We would have to put extra measures in place ... to make sure that data was safe from those that should not have access to it."

This "honeypot" of metadata not only represents a potential lure for hackers but also leaves telecommunications companies open to potential data breaches as the result of human error.

The newly confirmed breach comes just two weeks after the law officially came into effect. Originally introduced to parliament under the banner of national security concerns and curbing paedophilia and drug crime, critics were quick to frame the debate around questions of mass surveillance, access to the stored data and its use in civil cases, such as the prosecution of piracy.

The first such instance of scope creep occurred in May 2015, when, after insistence from the Australian government that the bill would limit the number of enforcement agencies with access to metadata, it granted access to the Australian Border Force immigration body.

Life, Disrupted: In Europe, millions of refugees are still searching for a safe place to settle. Tech should be part of the solution. But is it? CNET investigates.

Does the Mac still matter? Apple execs tell why the MacBook Pro was over four years in the making, and why we should care.