AFP has issued the United States with 98 telco data requests since 2014 | ZDNet

by

The Australian Federal Police said an updated regime to request communications data from overseas would be more heavily utilised.

The Australian Federal Police (AFP) has provided a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for its review of the nation's pending Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (IPO Bill) after failing to do so when the committee called for submissions earlier this year.

The review has been seeking to determine whether the IPO Bill, as drafted, is fit for purpose and appropriately considers issues, such as human rights, in granting access to communications data held overseas, specifically in the United States.

The IPO Bill is intended to amend the Telecommunications (Interception and Access) Act 1979 (TIA Act) to create a framework for Australian agencies to gain access to stored telecommunications data from foreign designated communication providers in countries that have an agreement with Australia, and vice versa.

The Bill is a precondition for Australia to obtain a proposed bilateral agreement with the United States in order to implement the US Clarifying Lawful Overseas Use of Data Act (the CLOUD Act).

In appearing before the PJCIS earlier this month, the AFP revealed it had served US telecommunications carriers with 44 requests for data in 2019 to support investigations.

It provided testimony that a total of 209 requests had been made in the past five years under the existing mutual assistant request (MAR) process.

In its submission [PDF], serving also as a response to questions taken on notice during the hearing, AFP further detailed its MAR history, revealing that from 1 July 2014 through 30 June 2019, 98 of its MARs had specifically sought communications data from US-based communications service providers (CSPs).

Of those 98, 91 sought both content internet data and non-content internet data, such as subscriber information and traffic data. Six MARs sought non-content internet data only and one MAR sought subscriber data relating to telephone records.

"While the type of assistance sought under an MAR is not categorised in the same way as the IPO Bill (ie interception, stored communications data, or telecommunications data) the above MARs would be categorised under the IPO regime as either 'stored communications data' or 'telecommunications data'," AFP wrote. "None of those requests related to interception."

Of the 98 MARs, 29 were related to drug offenses, 26 to terrorism offenses, 24 to child sex offending, 11 to money laundering, four to foreign bribery, three to human trafficking, and one was described as a "range of serious, unspecified offenses".

One MAR may include multiple offence types and a single MAR may also seek data held by multiple CSPs.

Echoing remarks made by others appearing before the committee, deputy commissioner Karl Kent of Specialist and Support Operations at the AFP said the existing MAR process can sometimes cause great delays to investigations.

"To access information beyond our borders, we are heavily reliant on our Mutual Assistant Request scheme which was introduced in 1987 when the internet was, of course, in its infancy," Kent told the PJCIS.

He also said the nature of the existing MAR process has actively discouraged its use and that he expected the powers granted under the IPO Bill would be used more frequently by comparison.

"We wouldn't be in a position to give an exact number on how many occasions it would be utilised … if we look at the current process there are 44 requests made in 2019, so we would anticipate a significant increase -- I think it's orders of magnitude greater than 44 and it would probably increase over time as the familiarity of the process and our investigators strengthened," he said at the time.

The AFP used its submission to detail case studies where the MAR process was used. It also highlighted where the IPO Bill powers would be better equipped in aiding investigations.

The AFP said it currently investigating an Australian individual who developed, advertised, and sold malware, specifically a remote access trojan (RAT), using a domain and related services.

"While similar to legitimate RAT software used by ICT helpdesks to service remote clients, the RAT differed in that it contained non-legitimate features such as covert deployment, covert webcam operation and keylogging," the AFP explained.

"The AFP first approached the Australian Central Authority to make an MAR in this matter in November 2018. As at April 2020, the request remains ongoing and no material has been received to date."

The AFP said it was advised the foreign provider would not provide email content unless it could demonstrate that the specific emails it sought were directly related to the offence.

"This in effect required the AFP to obtain the evidence it required from the foreign provider, before we could meet the evidentiary threshold for that information to be released pursuant to an MAR," the AFP wrote.

"The telecommunication company concerned will only keep data for 360 days before that data is destroyed. Under current MAR arrangements this may be insufficient time for the data to be secured."

For this particular investigation, the AFP said it was confident there were "reasonable grounds to suspect" that the US provider had content relevant to the entire spectrum of the alleged offender's conduct. It explained that if it had been able to obtain an IPO from an Australian issuing authority, it would have allowed for requests to the Australian Central Authority and then directly to the foreign service provider "much more quickly", so that relevant content data could be provided to further the investigation with "less time for the risk of the individual moving infrastructure to obstruct law enforcement efforts".

The AFP added that the ability to obtain evidence faster would also allow it to arrest alleged offenders and ensure foreign evidence required for prosecution is available in time for the AFP to submit briefs to court.

Under the current domestic framework, an authorised officer of the AFP can access telecommunications data under the Interception and Access Act, but to obtain an IPO for telecommunications data under the scheme in the IPO Bill, the AFP would need to get approval from an issuing authority.

When asked earlier this month if it was arbitrary that there was an independent check for the IPO applications but none for when AFP sought access to data held in Australia, Kent said it was a condition outlined by the United States.

"It is my understanding it is a US requirement that is driving the need for that level of authorisation in order for them to be comfortable with the fact that an order would be provided directly to their communications providers," he said.

MORE ON THE IPO BILL