Law enforcement agencies are being given the full URLs of web pages visited by people under Australia's controversial data retention laws, despite government assurances the practice wouldn't occur.
Commonwealth Ombudsman Michael Manthorpe called out the "ambiguity around the definition of content" at a parliamentary committee reviewing the laws last Friday.
The mandatory data retention scheme required telecommunications companies to store customer metadata for at least two years, with the information able to be accessed by law enforcement.
Metadata is defined as the technical information around a communication, meaning the time, date and location and the device or equipment used could be captured without the need for a warrant.
However, the content of a message, phone call or email and web-browsing history were supposed to be excluded from metadata handed over under the laws.
"[The data retention bill] explicitly excludes anything that is web-browsing history or could amount to web-browsing history, such as a URL or IP address to which a subscriber has browsed," the federal government said in the lead-up to the 2015 legislation.
Mr Manthorpe argued URL data captured in metadata requests could be regarded as "content" as it can "communicate something about the content of what is being looked at".
This would make it illegal for law enforcement to gather without a warrant.
"We're simply highlighting that I think when the scheme commenced, the concept was probably thought to be quite a clean and delineable thing, but we know that there is a greyness on the edges that we thought we should call out," he said.
Mr Manthorpe also said agencies had been acting on "verbally issued authorisations" instead of receiving approvals in writing.
"What we have observed is that in some instances, law enforcement agencies, particularly I think where they are operating in a spirit of urgency … in some cases they issue an internal authorisation based on verbal advice," he said.
"At an operational level, I can understand why that might occur, but that isn't catered for in the legislation. We think that is a gap in the legislation."
Inspector-General of Intelligence and Security Margaret Stone echoed Mr Manthorpe's sentiments.
"Because the nature of telecommunications have changed so much in recent years, there is this assumption that you get more from content than metadata," she said.
"But when you look at the range of metadata, and what it tells you, there's an argument that could be made that it is just as intrusive, or almost as intrusive, as content."
The Parliamentary Joint Committee on Intelligence and Security will continue conducting a review of controversial metadata retention laws.
In the 2018-2019 financial year, 295,691 authorisations to access metadata were issued across all state and federal law enforcement agencies.
Source: 9News https://www.9news.com.au/technology/data-retention-laws-ambiguity-allows-police-to-view-full-web-browsing-history/c891c883-600f-4392-a918-34c2029da37b