australian federal police data breach Andrew Colvin

For the second time in less than a year, the Australian Federal Police has stuffed up handling its investigations into leaks to a journalist, and, for the second time, there has been absolutely no adverse ramifications for the agency.

As I report elsewhere in Crikey, AFP commissioner Andrew Colvin revealed on Friday that, during the course of an internal investigation into a leak from the AFP to the media earlier this year, an AFP officer accessed one week’s worth of a journalist’s call logs. It was just human error that the law wasn’t followed and the AFP didn’t first seek to get a warrant to access that data. No ill will was meant by it. No action had been taken against the officer involved. While the data had been destroyed, Colvin admitted that it would not be possible for the investigator to “unsee” the metadata, meaning the source to the journalist might have been identified and could potentially face prosecution on the basis of this illegally obtained evidence.

Even if we accept the premise that this was simply human error, it is a disturbing trend for the AFP to have a complete lack of respect for proper processes in investigations into whistleblowers. 

Just last year, in the middle of the 2016 election campaign, the Australian Federal Police took an NBN Co employee to the home of an ALP staffer to help find NBN Co documents that were leaked to that staffer. During the raid, the employee happened to see the names of two NBN Co employees who were emailing the staffer and communicated those names back to NBN Co. The ALP claimed at the time it was making a parliamentary privilege claim over everything obtained during the raid, and it was granted that claim this year, meaning the AFP can no longer use that evidence to investigate the leaks.

Save up to 50% on a year of Crikey

Choose what you pay, from $99.

Sign up now

But the damage was done. Just as the AFP investigator couldn’t “unsee” the metadata this time, NBN Co couldn’t unhear the names of those involved. By the time the privilege claim was approved, NBN Co already had the names of the staffers alleged to have leaked to the ALP and had fired them both. Although NBN Co claims that the staffers were fired as a result of NBN Co’s own investigation, in its own submission to the Senate, NBN Co admitted one of the two employees was not under investigation before the raid.

The journalist warrants were always something of a farce, and last week’s revelation merely proved that. It was a last-minute token gesture to some of the more hardline news outlets that were cheering on mandatory data retention up to the point when they realised it might affect their livelihoods. It is easy to circumvent if the investigator just chases people who may have talked to journalists rather than the journalist themselves. It offers no protection to the average citizen, about whom journalists should be just as concerned — not just as potential sources, but as readers, too. Readers are not going to have much sympathy in this instance because all their privacy can also be violated without the pesky need for a warrant, and we have no idea whether this data is being misused because there is very little transparency around metadata access generally.

The best insight we have into this comes in the Attorney-General’s Department’s annual report on how many times metadata was accessed, and which agencies were most keen to go through your data. This is usually tabled in Parliament around November in the next financial year, but we are still waiting on the report from 2015-2016 — more than seven months late. This, despite the government narrowing the number of agencies able to access that data from over 80 to just over 20. Shouldn’t it be an easier report to compile? What are they hiding in there, exactly?

The warrant system — which apparently was too much of a burden to be extended to everyone else — also has very few checks and balances in place. As I revealed in 2015 when the legislation passed, the telecommunications companies that hold all this data for the government were told they would never see or have to verify whether an agency had actually bothered to obtain a warrant before accessing a journalist’s metadata. It’s just treated as any other request for metadata. Sign the form, hand over the logs.

Senator Nick Xenophon told Crikey on Friday he would be seeking answers from the AFP in Senate estimates hearings later this month. In addition to the Commonwealth Ombudsman’s own investigation, a full-blown Senate inquiry — which Xenophon said he backs — is needed into how metadata is being used, how the process can become more transparent, and whether there should be penalties for officers misusing this data they keep telling us they should be trusted to handle.

Our media landscape is amongst the most concentrated in the democratic world. Big media businesses are marred by big media interests. If you want the full, untainted picture on important issues — our environment, corruption, political competence, our culture, our economy — Crikey is required reading.

I am a private person that takes online privacy very seriously but I wanted to contribute my words to this campaign as I genuinely believe that we will improve as a country if more people read publications such as Crikey.

Sydney, NSW

Join now and save up to 50%

Subscribe before June 30 and choose what you pay for a year of Crikey.

Save up to 50%