While the AGD's report counts access to multiple metadata records about a person as one individual "authorisation" by a law-enforcement agency, the ACMA report counts them as separate disclosures and is based on information sourced from telcos through a form rather than from agencies. If a request was made for someone's mobile and landline call data under one authorisation, for example, this would count as two "disclosures" under ACMA's report and one "authorisation" under the AGD's. If a person of interest had multiple mobile subscriptions with a number of carriers, that single authorisation can also result in multiple disclosures of their metadata. A spokesman for iiNet said it counted one disclosure as a disclosure of any piece of information. "Searches under an IP address, an email account, phone calls made, and phone calls received would constitute four disclosures," the spokesman said. A Vodafone spokeswoman said even if a disclosure resulted in no actual information being handed over it still counted as a disclosure.

Fairfax understands that law-enforcement agencies also often send out authorisation forms to multiple telcos when they know the name of a person of interest but don't know which telco they are using. This can often result in a higher number of disclosures being reported in the ACMA report. When informed of the disparity, Greens Senator Scott Ludlam - a passionate defender of the right to privacy and internet freedom - called for better reporting requirements and "urgent reform" of the warrantless system, which allows agencies to access metadata records to solve crime and find missing persons. "What it tells us is that the system for snooping and warrantless access of Australians' private information is even more out of control than we thought," Senator Ludlam said. For some time now journalists have referred to the lower AGD annual report figures when giving people a sense of how many requests for citizen's metadata were being made by law-enforcement. But given the revelation that one authorisation can result in multiple disclosures of an individual's different data - from their mobile phone and landline metadata records to their internet records - Senator Ludlam argued the AGD figures were misleading. Even then, both reports don't show how many metadata requests were made in total, as domestic spy agency ASIO is exempt from reporting. Former ASIO boss David Irvine recently said the number of metadata requests ASIO made was "proportional" to other agencies, but declined to reveal figures.

The Attorney-General's Department said there was "no conflict between" the ACMA and AGD reports. "This is an apples and oranges comparison – the two annual reports measure different things," a department spokesperson said. "The [AGD] TIA Act annual report includes the authorisations made by agencies to access non-content information [metadata]. The ACMA report includes the number of resulting disclosures made by industry. "There is not a one-to-one relationship between authorisations and disclosures. "For example, an agency can make an authorisation to seek the subscriber details of a particular person, but that authorisation needs to be given to multiple phone companies to check for the subscription details. If the person has multiple subscriptions with a number of carriers, that single authorisation will result in multiple disclosures.

"The ACMA report will include the larger figure of disclosures from industry; the AGD report will include the smaller number of authorisations from agencies." Australian telecommunications industry veteran David Havyatt, a former staffer to Labor communications spokesman Jason Clare and now a Labor candidate for Epping at next year's NSW election, said as the data used in both reports came from different sources it could be revealing reporting errors. Access to metadata held by telcos has been the subject of much debate recently, as the government seeks to extend the power of law-enforcement and spy agencies to fight terror and crime. It has proposed telcos retain customers' metadata for up to two years. Agencies that have accessed metadata to date include federal, state and territory police, Medicare, Bankstown Council in NSW, Worksafe Victoria, the RSPCA, the Tax Office, Australia Post, ASIO, ASIC and many other agencies when conducting criminal and financial investigations. No warrant is required to access the information.

Instead, senior officers within agencies are required to sign off on a form completed by them or a subordinate to give authorisation. Senator Ludlam said warrantless access was inadequate. "Quite frankly a lot of people, including myself, believe the [Attorney-General's Department] figure of 330,000 is completely over the top considering that none of it is applied through a lawful warrant," Senator Ludlam said, adding he believed the reporting system was "broken". The fact one authorisation could result in multiple disclosures was an example of this, he said. "What [the disparity in reports] tells us is that we need to tighten the criteria by which material is being accessed and there have been a number of reviews that have recommended that," Senator Ludlam said. "The number of agencies that can access this material is out of control because there's no limit or no real accountability as is provided with a lawful warrant process."

Senator Ludlam added that certain existing agencies' access should be circumscribed. The Parliamentary Joint Inquiry into Potential Reforms of Australia's National Security Legislation recommended in 2013 that the AGD examine the Telecommunications (Interception and Access) Act 1979 "with a view to revising the reporting requirements to ensure that the information provided assists in the evaluation of whether the privacy intrusion was proportionate to the public outcome sought". AGD's recent submission to the inquiry into the comprehensive revision of the Act indicated that its preliminary view was to support that recommendation. But Attorney-General George Brandis has not yet indicated government's support. Metadata about a phone call includes information such as the number of the person you called, the duration of the call, its start and finish time, and your location and the recipient's, but not the contents of the call. On the internet things begin to get a bit murky, and Telstra has interpreted it to include the Uniform Resource Locators (URLs) of websites people visit online.