Australian Taxation Office really wants its access to telco metadata returned

The Australian Taxation Office (ATO) is complaining it has been adversely impacted by the stripping of its access to data retained by Australia's telcos.

In 2015, the Coalition Australian government and the Labor opposition passed laws mandating the collection of customer call records, location information, IP addresses, billing information, and other data for two years, which made this information accessible without a warrant to enforcement agencies.

In early 2016, the ATO was revealed to be among the 61 agencies that sought to be named as enforcement agencies in order to regain access to metadata after the legislation limited warrantless access to 21 agencies, which had cut off the ATO's myriad access that it previously had to compel data from telcos. 

The ATO is currently not an enforcement agency.

In a submission to the Parliamentary Joint Committee on Intelligence and Security and its review of the mandatory data retention regime, acting assistant commissioner Michael Allsop said the agency is currently using its powers under section 353 of the Tax Administration Act and section 280 of the Telecommunications Act to get its hands on telecommunications data for civil reviews and audits.

"ATO criminal investigators do not have recourse to the ATO's civil information gathering powers and are effectively shut off from the ability to access [telecommunications data] which is ... one of the most powerful pieces in the evidentiary puzzle in a digital environment," Allsop said.

The ATO pointed that while it could use subsection 313(3) of the Telecommunications Act to force a telco to help it "as is reasonably necessary to enforce the criminal law and laws imposing pecuniary penalties and protect public revenue", it had not decided to do so yet.

Instead, Allsop argued that the ATO should be given wholesale access to the metadata retention regime.

"It is anomalous in the extreme that the ATO is unable to utilise the relevant and important provisions of the [Telecommunications (Interception and Access) Act] that specifically permits collection of telecommunications data for its primary related roles of administering the taxation and superannuation systems and being able to effectively protect the public finances of Australia," Allsop said.

"Comparing the functions, roles, and powers of the ATO with those of ASIC which are broadly aligned, it appears inconsistent for the ATO not to be declared either a [Criminal Law Enforcement Agency] or permanent Enforcement Agency"

See also: Optus gained exemption to store metadata unencrypted

At the same time, the ATO said it wouldn't use the full scope of powers it would have if it were to become an enforcement agency, saying prior to data retention becoming law, the ATO could access stored communications, but did not use the power.

"On one hand, this could be seen as a tacit admission that the ATO did/does not need access to stored communications," Allsop said.

"We would argue that the better view is that this is a powerful example of the restraint and good governance practices that the ATO exercises, coupled with the high threshold in order to apply for a stored communication warrant."

Allsop stated that the metadata laws has prevented enforcement agencies from working effectively with the ATO, as they are not permitted to pass on metadata the ATO would like to access, even if that metadata is of no interest to the other agency.

The loss of access to metadata has costed the ATO an average AU$10,770 per investigation, the revenue agency said, due to having to physically surveil persons of interest.

Under the metadata laws, a ministerial declaration can unilaterally provide an agency with temporary enforcement agency status, for up to 40 parliamentary sitting days, but that is not enough for the ATO.

"This outcome is unsatisfactory for the ATO as it has ... an ongoing need to access [telecommunications data] to effectively perform its functions. Making constant submissions covering the same issues to the minister is inefficient and onerous," Allsop said.

In its own submission to the committee, Telstra said some agencies have skirted the metadata laws and are not paying for access. The incumbent telco also questioning whether the regime was operating effectively in its submission.

Generally agreeing with the submission by the Communications Alliance, Telstra echoed that non-enforcement agencies often request large amounts of data and are unable to interpret it.

Telstra added that non-enforcement agencies might not be encrypting data received from telcos.

"We believe there is a need for the introduction of appropriate oversight mechanisms to ensure measures are in place to securely protect disclosed data and to control who can/can't access the data," Telstra said.

In July, ACT Policing confessed that it found 3,249 extra times it accessed metadata without proper authorisation during 2015, on top of the 116 requests disclosed earlier in the year.

Related Coverage

• Boomers and Coalition voters least worried by metadata and encryption laws
• Telstra questions whether metadata restrictions are working as intended
• Dutton defends metadata protections, claims consequences exist for breaches
• Law Council wants warrants and crime threshold for metadata retention scheme
• Australian enforcement agencies angling for metadata review on telco cost recovery
• Clean Energy Regulator, WA Mines Department, and Vet Surgeons Board trying to access metadata: Comms Alliance