Australian police obtain metadata from foreign communications companies about Australians with no formal processes or record keeping, and have separately made hundreds of formal requests for both metadata and content data, according to information provided to Parliament.

South Australian independent Senator Nick Xenophon, who has been pursuing the issue of Australian Federal Police interception and metadata access, asked a series of questions about the AFP’s access to foreign data back in February and only received a response in June. The response provides a previously undisclosed level of detail about the extent to which foreign governments, police forces and communications companies co-operate with the AFP.

According to the AFP, 411 requests have been made to foreign countries for either content data or metadata under mutual assistance arrangements by police forces, prosecutors or defendants from 2009-14. However, the Attorney-General’s Department barred the AFP from advising to which countries the requests were made, in order to hide the identities of communications companies that might have cooperated with requests.

The “mutual assistance” process is a government-to-government process by which requests from police, prosecutors or elsewhere in the legal system are relayed by the Australian government to a foreign government for consideration under the domestic laws of that country. Australia has a number of treaties with other countries for mutual assistance but is also party to the draconian Council of Europe Convention on Cybercrime, to which the Gillard government acceded. However, the response to Xenophon’s questions revealed that AFP officers can go around the mutual assistance process by simply informally contacting foreign police forces or communications companies for “some” information, though it’s not clear what.

“Outside of the mutual assistance process, Australian law enforcement agencies may be able to seek some telecommunications information on an informal basis, either through police channels or directly from a foreign service provider. There is no formal process to be followed, or specific request form to be utilised, by Australian law enforcement agencies when seeking to access telecommunications information in this way. The process used by Australian law enforcement agencies depends on whether the information sought is content or non-content subscriber data, and the laws and domestic process of the foreign country.”

There are, as a matter of definition, no details on the extent of this informal practice, though access to content data rather than metadata appears to require a formal process, because the answer goes on to explain:

“For non-content subscriber data, Australian law enforcement agencies may directly seek the assistance of:

  • their international counterparts on a police-to-police basis. Police-to-police assistance is voluntary, but may allow Australian agencies to access data to further their investigations into cybercrime offences under the Commonwealth Criminal Code, and/or
  • an overseas provider where the request is consistent with both Australian and overseas legal requirements.”

Under Australian law, data on warrantless requests for metadata from Australian communications companies by agencies other than intelligence agencies must be recorded, and are made available every year. No such requirements apply to data requests to foreign companies or police forces. It is thus not clear how many Australian citizens were the subject of such requests (nor are the 411 formal requests broken down by citizenship). Nor is it clear what types of providers were contacted — in particular, whether service providers like social media companies or virtual private network operators have been asked for data on Australian citizens (though some of the biggest social media companies, like Facebook, Twitter and of course Google, have a local presence). Given the increasingly common use of VPNs to encrypt and anonymise online activity by Australians, it is likely foreign VPNs are being increasingly requested to provide information on Australian users — all the more reason to select a VPN that doesn’t log activity.