Nine ASIO breaches of wiretapping laws reported in 2013-14

IGIS says maintaining capability, capacity could be 'challenge' after latest national security legislation

ASIO breached laws governing telecommunications intercepts on nine occasions in the 12-month reporting period ended June 2014, according to a report released by the Inspector-General of Intelligence and Security (IGIS).

IGIS reviewed about half of the warrants obtained by ASIO in the 2013-14 period and discovered four breaches of either the Telecommunications (Interception and Access) Act 1979 (TIA Act) or the ASIO Act. ASIO self-reported an additional five breaches of one of these laws.

The TIA Act authorises wiretaps with warrants, while the ASIO Act authorises other powers including the use of listening devices, searches and computer access.

IGIS said it will need to redouble its oversight efforts in the 2014-15 reporting period as the government introduces new surveillance powers under its national security legislation.

“The principal challenge in 2014-15 will thus be to ensure the office develops and maintains the technical capability to continue providing effective assurance about the legality and propriety of intelligence agencies’ extended activities, while maintaining the capacity to respond to ministerial requests, initiate inquiries, and handle complaints as necessary.”

In 2013-14, IGIS found three breaches of the TIA Act. In two instances, ASIO was not to blame, and the breaches occurred because a carrier provided incorrect information, IGIS said. In the third incident, ASIO failed to address the usefulness of warrant activity in a formal report to the Attorney-General.

ASIO identified an additional three breaches of the TIA Act, including an incident where the agency accidentally spied on itself.

“In the first breach of the TIA Act, ASIO intercepted, without warrant, calls made from one of its own regional offices due to a technical error,” IGIS said.

“The data was deleted and processes put in place to ensure it does not happen again.”

In a second breach, ASIO told a telecom provider to cease collection but the provider renewed the collection instead. ASIO said it found the error within 24 hours and quarantined and deleted the data before it could be accessed by staff.

In a third breach, a telecom provider’s malfunctioning equipment forwarded non-warranted data to ASIO. After the problem was identified, ASIO deleted the data from its systems.

IGIS found one breach of the ASIO Act, which was related to a delay by ASIO in revoking a warrant. IGIS cited a “considerable delay” in notifying the Attorney-General that the grounds for issuing the warrant had ceased to exist.

ASIO has responded to the breach by consulting with IGIS about an appropriate timeframe and developing a new policy, IGIS said.

ASIO self-reported two more breaches of the ASIO Act.

In the first breach, “an incorrectly configured device collected data that was not covered by a warrant over a period of several months,” IGIS said. ASIO deleted the data.

In the second, an internal administrative error led to a listening device collecting information for seven days after the warrant was revoked by the Attorney-General. IGIS said ASIO accessed none of the data, and it was subsequently deleted.

The full report is available on the IGIS website.

Adam Bender covers telco and enterprise tech issues for Computerworld and is the author of dystopian sci-fi novels We, The Watched and Divided We Fall.