An investigation has revealed that the AFP’s community policing arm, the Australian Capital Territory (ACT) police, used “covert and intrusive” powers to unlawfully gain personal location information on an estimated 1,704 separate occasions between October 2015 and 2019.
The report (pdf) by the Commonwealth Ombudsman, Michael Manthorpe, came after the Australian Federal Police (AFP) self-reported a number of records that were not submitted for the usual compliance inspections leading to Manthorpe’s investigation determining that Location-Based Services (LBS) were accessed 1,713 times, of which only 9 were fully compliant with the Telecommunications (Interception and Access) Act 1979 (TIA Act).
“When the AFP identified records that showed ACT Policing (the AFP’s community policing arm) had accessed LBS and that those records had not previously been provided to my Office, I decided it was appropriate for my Office to conduct its own investigation,” Manthorpe said.
Police may access LBS data by requesting it from telecommunications carriers, and this includes data in the past or in real-time. Requests for LBS can legally only be made for investigations into serious offences or those that are punishable by imprisonment for a minimum of three years—these include murder, kidnapping, drug trafficking, and terrorism.
Prior to this, in January 2020, the AFP disclosed to the Ombudsman that ACT Policing had made 800 requests for accessing LBS data from 2007, the legitimacy of which the AFP was unable to verify.
The report warned that not only did the actions by the ACT police breach individual privacy, but in cases where access was unlawful, repercussions for using unlawfully accessed data as part of convictions could be severe.
“The consequence of a prosecution relying on unlawfully obtained LBS could be very serious,” the report said.
The report attributed part of the non-compliance to a casual attitude that was inappropriate, particularly given matters concerning the personal privacy of Australian residents.
“The internal procedures at ACT Policing and a cavalier approach to exercising the powers resulted in a culture that did not promote compliance with the TIA Act.”
The AFP responded to the report in a media release, stating that it had accepted all eight recommendations suggested by the report to remedy the breaches.
“ACT Policing has implemented a number of measures to prevent identified issues from reoccurring,” said Chief Police Officer for the ACT Neil Gaughan.
“As police officers, we have access to special powers for investigative purposes to ensure the safety of the entire community,” Gaughan said. “We take this responsibility seriously and accept and apologise for our past non-compliance outlined in the Ombudsman’s report.”
Gaughan said that one of the methods employed to mitigate the potential abuse of personal location data in the future would involve channelling all LBS data requests through a controlled, centralised system.
“All location requests on mobile devices are now centralised through the AFP Covert Analysis and Assurance business area,” Gaughan said.
