This article is more than 10 months old

The Australian Signals Directorate has disclosed legal breaches including cases of failing to get ministerial authorisation before producing intelligence on Australians and intercepting communications without a warrant.

The annual reports of the ASD and the Inspector-General of Intelligence and Security reveal the intelligence and cybersecurity agency has “reported three confirmed breaches of legislation and two potential breaches of legislation to IGIS” in the last financial year.

The Centre Alliance senator Rex Patrick seized on the IGIS report, telling Guardian Australia it “is worrying as it shows Australia’s electronic espionage agency has repeatedly illegally intercepted and communicated the telecommunications of Australian persons and failed to promptly report those breaches of the law to the IGIS and the defence minister”.

“Aside from revealing a disturbing pattern of noncompliance with legal requirements, perhaps the most striking feature of the IGIS’s annual reports is the absence of any reference to consequences,” he said.

The ASD’s legislated functions are to obtain intelligence about and disrupt cybercrime undertaken by “people or organisations outside Australia”, a limit highlighted by Annika Smethurst’s reporting on a proposal to extend spying powers to Australians.

But the Intelligence Services Act allows the defence minister to authorise the ASD to produce intelligence on Australians provided it is “necessary” and reasonable because the Australian is likely to be a significant risk to a person’s safety or is committing a serious crime.

The IGIS annual report revealed that in June 2018 ASD disclosed it was investigating an incident when it “conducted intelligence activities in relation to two Australian persons without obtaining authorisation from the minister”.

“ASD then contravened the requirements of [the Act] by conducting a subsequent activity without consideration of the ASD privacy rules,” the IGIS report said.

“The combination of human error and a failure to comply with ASD policy contributed to the breaches.”

In August 2018 the ASD advised IGIS of an investigation into another breach which “involved undertaking activity to produce intelligence on an Australian person without obtaining ministerial authorisation to do so”.

“The breach resulted from a failure to consider if there is a purpose to produce intelligence on an Australian person where there is more than one purpose,” it said.

In January 2019, ASD confirmed an incident where it had failed to provide a report to the defence minister about activities conducted under an emergency ministerial authorisation, a breach of its reporting requirements it corrected in March 2019.

The IGIS said in all three of those cases it was satisfied with the ASD investigation and remedial action.

The IGIS report noted in July 2018 the ASD advised it had “intercepted communications without a warrant … and had then communicated the intercepted material” – both in breach of the Telecommunications Interception and Access Act.

“The breach was the result of a system processing error,” it said.

In May 2019 the ASD notified the IGIS on two occasions it “may have” breached the TIA Act by “enabling interception without the correct warrant”, and in June 2019 confirmed the breach.

In June 2019, ASD informed the IGIS office it “may have” breached the TIA Act by “unauthorised interception of a specific type of communication” and in June 2019 confirmed it “likely contravened the TIA Act”.

“In addition to these confirmed instances of non-compliance, ASD also advises this office of ‘potential breaches’ where a breach is technically possible but cannot be proven.”

Those included “a potential breach of section 7 of the TIA Act as a result of the misconfiguration of an ASD system” and “an incident whereby communications were potentially intercepted due to a system error”.

The IGIS report said in late 2018 ASD disclosed it had “contravened certain legislation” but due to “the sensitive nature of ASD’s operational activities” the IGIS could not provide details of the breach.

Patrick said the report shows at best that ASD is “on a slow learning curve” and “at worst they reveal a cavalier attitude towards legislative compliance and to the agency’s accountability to ministers and oversight agencies”.

“This is quite unacceptable for a national security agency that has such great power to intrude on the privacy of Australians,” he said.

Patrick called for a parliamentary joint committee on intelligence and security inquiry into the failures and “what measures would be appropriate to ensure that ASD’s executives have a greater appreciation of the importance of compliance with the law”.

Despite the criticism, the IGIS praised the ASD for its “strong record of proactive self-reporting” and said it had taken “mitigation and remediation actions where required in consultation with the office”.

The shadow attorney general, Mark Dreyfus, said the revelations showed the importance of regular reporting requirements, which the third-term Liberal government “has consistently tried to water down … as part of its sustained assault on the public’s right to know”.

In June police raided the home of the News Corp journalist Annika Smethurst over the publication of a leaked plan to extend ASD powers with respect to Australians.

The home affairs minister, Peter Dutton, has claimed it is “complete nonsense” the government wants to enable spying on Australians, but has confirmed the substance of the report by calling for a “sensible discussion” about whether ASD should gain powers to disrupt paedophile networks and stop cyber-attacks in Australia.