AFP has Submitted 98 Telco Data Requests to the United States

Data requests

After failing to do so when the committee called for submissions earlier this year, the Australian Federal Police (AFP) submitted a request to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for its review of the nation’s pending Telecommunications Legislation Amendment (International Development Orders) Bill 2020 (IPO Bill).

The review sought to determine whether the IPO Bill, as drafted, is fit for purpose and appropriately addresses issues such as human rights in granting access to data on communications held overseas, specifically in the US.

The IPO Bill is intended to amend the Telecommunications (Interception and Access) Act 1979 (TIA Act) to create a mechanism for Australian agencies to obtain access to stored telecommunications data from international licensed communications providers in countries that have an Australian arrangement, and vice versa.

In order to implement the US Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), the Bill is a precondition for Australia to obtain a proposed bilateral agreement with the United States.

In appearing earlier this month before the PJCIS, the AFP announced it had provided US telecommunications carriers with 44 data requests in 2019 to support investigations.

This received testimony that the current Mutual Assistant Request (MAR) process had made a total of 209 requests over the past five years.

In its [PDF] submission, which also served as a answer to questions taken on notice during the hearing, AFP further outlined its MAR past, disclosing that, from 1 July 2014 to 30 June 2019, 98 of its MARs had directly requested communications data from U.S. communications service providers (CSPs).

Of those 98, 91 have sought internet content data and internet non-content data, such as subscriber and traffic information. Six MARs requested internet data only for non-content, and one MAR requested subscriber data for telephone information.

“Although the type of assistance requested under a MAR is not classified in the same way as the IPO Bill (i.e. surveillance, communications data stored or telecommunications data), the above MARs will be classified as either ‘stored communications data’ or ‘telecommunications data’ under the IPO law,” wrote AFP. “None of those interception demands”

Of the 98 MARs, 29 were related to drug offenses, 26 were related to terrorism offenses, 24 were related to child sex offenses, 11 were related to money laundering, four were related to international bribery, three were related to human trafficking and one was identified as a “spectrum of extreme, unspecified offenses.”

One MAR may contain various forms of crime, and various CSPs can also look for data retained by a single MAR.

Deputy commissioner Karl Kent of Specialist and Support Operations at the AFP, repeating remarks made by others speaking before the committee, said the current MAR mechanism can sometimes cause considerable delays to investigations.

“We rely heavily on our Mutual Assistant Request scheme, which was introduced in 1987 when the internet was, of course, in its infancy, for accessing information beyond our borders,” Kent told the PJCIS.

He also said that the nature of the existing MAR process has actively discouraged its use and that by comparison, he expected the powers granted under the IPO Bill to be used more frequently.

“We wouldn’t be in a position to provide an exact figure of how many times it will be used … if we look at the existing phase there are 44 requests submitted in 2019, and we’d expect a substantial increase — I think it’s magnitude orders greater than 44 and it’s likely to increase over time as the phase ‘s familiarity and our investigators increased,” he said at the time.

The AFP used its submission for detailed case studies where it used the MAR method. It also highlighted where the powers of the IPO Bill to assist investigations would be better equipped.

The AFP said it is currently investigating an Australian person who has used a domain and related services to build, advertise, and sell malware, specifically a remote access trojan (RAT).

“While similar to the legitimate RAT software used by ICT helpdesks to serve remote clients, the RAT differed in that it contained unlawful features such as covert deployment, covert webcam operation and keylogging,” explained the AFP.

“The AFP first approached the Australian Central Authority in November 2018 to make a MAR in this matter. As of April 2020, the request remains ongoing and so far no material has been received.”

The AFP said the international provider was told not to offer email content unless it could show that the particular emails it requested were specifically linked to the offence.

“It in turn allowed the AFP to procure from the foreign provider the proof it needed before we could reach the evidentiary requirement for that information to be published under a MAR,” the AFP wrote.

“The data will only be kept by the telecommunications company concerned for 360 days before that data is destroyed. Under current MAR arrangements this may be insufficient time to secure the data.”

The AFP said it was sure for this particular investigation that there were “fair grounds to presume” that the US provider had information applicable to the full scope of the actions of the alleged offender. It clarified that if it had been able to receive an IPO from an Australian issuing authority, it would have made applications to the Australian Central Authority and then directly to the international service provider “much quicker” so that relevant content data could be supplied in order to begin the investigation with “less time for the risk of the person moving infrastructure to obstruct law”.

The AFP added that the ability to acquire evidence more quickly would also allow it to apprehend suspected criminals and ensure that international evidence needed for trial is available in time for the AFP to deliver briefs to the court.

Under the current domestic framework, an AFP authorized officer may access telecommunications data under the Interception and Access Act, but in order to obtain an IPO for telecommunications data under the IPO Bill scheme, an issuing authority would have to approve the AFP.

When asked earlier this month if it was unfair for the IPO applications to have an independent search but none for when AFP was seeking access to data kept in Australia, Kent said it was a requirement provided by the United States.

“It is my understanding that it is a US necessity that explains the need for that degree of authorisation to make them comfortable with the fact that their communications providers will receive an order directly,” he said.

Melina Richardson
Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards. Previously, he worked as a security news reporter.