Law enforcement agencies are being provided with the web browsing histories of people under investigation using mandatory data retention powers, despite the federal government specifically excluding that practice in the legislation, the commonwealth ombudsman has warned.

When the Coalition government passed mandatory data retention laws in 2015, the legislation explicitly ruled out forcing telecommunications companies to hold web-browsing histories of their users as part of the regime.

Under the scheme, telecommunications companies such as Telstra, Optus, or NBN Co are required to retain information such as time of call, location data, and other so-called metadata for two years for law enforcement to access without a warrant for investigating a range of criminal activity or for missing person cases.

A disastrous 2014 interview in which the then attorney general George Brandis struggled to explain what was or was not considered to be content or metadata led the government to clarify that URLs, because they effectively give away the content of what someone was doing on the internet, would be excluded from the scheme.

The commonwealth ombudsman Michael Manthorpe, however, has warned that while it might be explicitly excluded from the mandatory data retention regime, some telecommunications companies are providing web browsing histories to law enforcement when sent a request for metadata by the agencies.

“The piece of ambiguity we observed through our inspections is sometimes the metadata in the way it is captured, particularly URL data … in its granularity starts to communicate something about the content of what is being communicated,” he told the joint parliamentary committee on intelligence and security on Friday.

“So just to be very clear you get the full URL, you get the full www dot, whatever it is, dotcom?” committee chair Andrew Hastie asked.

“That’s right. It can be quite long or it can be quite short, and in some cases the descriptor is long enough we start to ask ourselves that it is almost starting to communicate the content, even though it is captured in the URL,” Manthorpe replied.

He said there was a “greyness” in the definition of metadata that needed to be examined. It is unclear whether law enforcement agencies have asked for this data, or have simply been provided it when an access request is sent to the telecommunications companies.

The ombudsman’s submission to the inquiry notes that law enforcement obtaining such data could be in violation of the law, and that it has been suggested to law enforcement that the data should be quarantined until legal advice is obtained.

The ombudsman said in some cases a person’s account number and their physical addresses have been provided.

The committee is reviewing the operation of the scheme, which has now been in effect for close to five years. The latest annual report on the scheme revealed law enforcement was provided data 295,691 times in the last financial year.

Inspector general of intelligence and security, Margaret Stone, told the committee there needed to be consideration of whether metadata, when viewed across the full range of metadata available, could be considered more intrusive than obtaining the content of a communication.

“Metadata tells you a lot about a person,” she said.

Stone also said in a small number of instances, Asio was provided metadata for people by mistake due to an error either in the access request or on the part of the telecommunications company, but she said in those instances Asio was good at isolating and destroying the data held.