The Australian Federal Police (AFP) in 2019 made 44 requests to the United States for access to communications stored on its shores to support investigations. A total of 209 requests have been made in the past five years.
The requests are made through the existing mutual assistance request (MAR) process. As the Parliamentary Joint Committee on Intelligence and Security (PJCIS) has heard previously, that process is cumbersome, and according to Karl Kent, AFP deputy commissioner of Specialist and Support Operations, it can cause great delays to investigations.
“To access information beyond our borders, we are heavily reliant on our Mutual Assistance Request scheme which was introduced in 1987 when the internet was, of course, in its infancy,” Kent told the PJCIS on Thursday.
He also said the nature of the existing MAR process has actively discouraged its use.
Kent said the 209 requests are for both telco data and “other evidence”, and took on notice the provision of a better breakdown.
“The process is currently used by the AFP across a broad range of crime types, including cybercrime, child exploitation, and terrorism where delays can serve to not only affect the investigation itself but create an opportunity on continued offending, placing the Australian community at risk,” he added.
“We wouldn’t be in a position to give an exact number on how many occasions it would be utilised … if we look at the current process there are 44 requests made in 2019, so we would anticipate a significant increase — I think it’s orders of magnitude greater than 44 and it would probably increase over time as the familiarity of the process and our investigators strengthened.”
Kent was appearing before the committee as part of its review of the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (IPO Bill).
The IPO Bill is intended to amend the Telecommunications (Interception and Access) Act 1979 (TIA Act) to create a framework for Australian agencies to gain access to stored telecommunications data from foreign designated communication providers in countries that have an agreement with Australia, and vice versa.
The Bill is a precondition for Australia to obtain a proposed bilateral agreement with the United States in order to implement the US Clarifying Lawful Overseas Use of Data Act (the CLOUD Act).
The deputy commissioner was asked how many requests the AFP estimates it would make under a new arrangement with the United States, should the legislation be passed.
“It would be difficult to put a figure on it, that is definitive, but we would only anticipate an increase in the use of any streamlined process that is put in place where it supports acquisition of evidence for judicial processes,” he said.
“The experience to date with the existing system demonstrates that use is challenging and therefore that in and of itself can discourage the use of the process in every circumstance.”
He said given the nature and volume of data that’s stored offshore, he anticipates that it would be a significant increase.
Appearing later on Thursday, the Department of Home Affairs was asked how many IPOs would likely be made by law enforcement and security agencies if the legislation was passed.
“Deputy Commissioner Kent said he expects the numbers will be orders of magnitude above the existing mutual assistance volume and I think … the existing regime becomes a bit self-fulfilling. The challenges and the constraints involved in the MAR mean sometimes agencies don’t pursue that process so we would expect that if and when a streamlined process is implemented, that the volume would increase quite significantly,” a spokesperson for the department said.
Adding further detail, the Attorney-General’s Department said in 2019 there were 115 requests open in regards to the type of communications data sought from the United States by Australian law enforcement and security agencies.
Kent said there are current AFP investigations that utilise the MAR process, and if new legislation were to be introduced, then those AFP investigations would likely utilise the new powers.
Under the current domestic framework, an authorised officer of the AFP can access telecommunications data under the Interception and Access Act, but to obtain an IPO for telecommunications data under the scheme in the IPO Bill, the AFP would have to get approval from an issuing authority.
Despite this framework differing from current domestic procedures, Kent said the AFP was comfortable with the directive.
When asked if it was arbitrary that there was an independent check for the IPO applications but none for when AFP sought access to data held in Australia, Kent said it was a condition outlined by the United States.
“It’s my understanding that the intention here was to streamline a process for an international request and in order to do that, the US requirements come into play in the context of that international agreement,” he said.
“It is my understanding it is a US requirement that is driving the need for that level of authorisation in order for them to be comfortable with the fact that an order would be provided directly to their communications providers.”
With the PJCIS hearing calls for the subject of an IPO to be notified that such surveillance was occurring, the AFP was also asked if they believed such a requirement should be baked into the legislation.
Kent said that given notification isn’t a requirement under current, domestic powers, the AFP would not extend that to the IPO Bill.
The committee also reprimanded the AFP for not providing a submission, to which Kent said one was not made due to the timeframe available. The committee said, however, that the timeframe was nothing out of the ordinary, particularly where the PJCIS was concerned.
Kent said its omission was a once-off and gave an assurance that the AFP would not avoid making a submission in the future.