Sunday, April 26, 2009

Realm Communications backs down from RegTel challenge

Remember the High Court challenge brought by Realm Communications (of Irish Psychics Live fame) against industry self-regulatory body RegTel? (Full details in this earlier post, but in short Realm were found to have been overcharging customers in breach of the RegTel Code of Practice and were banned from sending premium texts for twelve months.) In an apparent victory for RegTel, Realm has now agreed to abandon that action, to revise its services and to pay refunds in respect of customer complaints - though it seems that the twelve-month ban has been waived. (Irish Times | Statement from RegTel)

The significance of this result? Although the result has no precedential value, it should strengthen the hand of RegTel in taking action against persistent breaches by removing a lingering threat about the scope of its authority. Perhaps more importantly from their perspective, it may also support the argument that premium rate services should be controlled by self-regulation via RegTel rather than (as the Minister has previously proposed) by statutory regulation giving new powers to ComReg.

Sunday, April 19, 2009

Thoughts on the new Surveillance Bill

I've a piece in today's Sunday Business Post on the Department of Justice's new Surveillance Bill. For some reason it's not online, so here's the full text:
Operation Observation Comes to Ireland

This week the Department of Justice published a Surveillance Bill which, if enacted, will allow Gardaí to break into private property to place covert video cameras and audio bugs, to plant tracking devices on cars and to use evidence gathered in this way in criminal prosecutions. The Bill – which was already on the legislative programme but was rushed forward after the murders in Limerick of Shane Geoghegan and Roy Collins – is intended to place existing Garda practices on a statutory basis in line with Ireland’s obligations under the European Convention on Human Rights.

Currently, due to the lack of statutory controls, material gathered in this way – such as transcripts of conversations – can be used for intelligence purposes but would not be admissible in criminal trials. The Bill aims to remedy this by providing that Gardaí will generally have to obtain permission from a District Court judge before this type of surveillance can be carried out (except for tracking devices and urgent cases, where internal permission will suffice) and that a designated judge of the High Court will keep the overall operation of the system under review. In addition, these methods can only be used in respect of crimes carrying a possible sentence of at least five years' imprisonment and where the surveillance is, in all the circumstances, proportionate.

The Bill promises to regularise the law in this area and to that extent must be welcomed. It is unfortunate, however, that it took a number of high profile and tragic killings before this was given priority. As far back as 1996 the Law Reform Commission in a consultation paper identified a need for reform and in a 1998 report it recommended that there should be a legal basis for Garda surveillance of this type. Successive Ministers for Justice have, however, largely ignored this recommendation, most notably in 2006 when the Privacy Bill introduced by then Minister for Justice Michael McDowell targeted surveillance by the media – but entirely excluded Garda surveillance from its scope. In light of over a decade of government inactivity, the Bill is long overdue.

The timing of the Bill aside, its provisions generally represent a substantial step forward. It has clearly been influenced by the constitutional guarantee of the inviolability of the dwelling and the safeguards which it provides are more robust than those recommended in 1998 by the Law Reform Commission. It introduces for the first time in Irish law the principle that judicial approval should be required before surveillance is carried out. Unlike other forms of surveillance such as data retention – which currently can be used in respect of even the most minor crimes – the Bill is limited to genuinely serious offences and also introduces a requirement that the surveillance must be proportionate having regard to the impact on the rights of innocent third parties.

There are of course some aspects of the Bill which could be improved. For example, the procedure to deal with cases of exceptional urgency is too lax. Under the Bill as it stands those cases would bypass the judicial process entirely, so that surveillance could take place for up to 3 days without any authorisation. There must be a question mark as to whether this provision would be constitutional if it was used to break into and bug a dwelling. Instead, it would be preferable to deal with cases of urgency by permitting Gardaí to commence surveillance without a judicial authorisation but then requiring that an application be made to the District Court for retrospective approval and/or permission to continue the surveillance. There must also be a question mark over the proposal to allow the use of tracking devices on vehicles – for up to four months – without any judicial approval.

Also, while the Bill is generally good as far as it goes, there is a strong argument to be made that it doesn’t go nearly far enough.

Despite its broad title – the Criminal Justice (Surveillance) Bill 2009 – it seems to be intended to deal with one narrow form of surveillance: covert surveillance by devices which are physically planted in certain locations. Many other forms of surveillance – such as the use of long lenses to observe locations from a distance and live monitoring of internet activity – will still be entirely unregulated. As a result there will continue to be doubt as to whether Gardaí have the power to use these types of surveillance and as to whether the resulting evidence can be used in criminal prosecutions. It is likely that there will be criminal cases in the future which fail as a result.

Meanwhile, although there is some legislation regulating other forms of surveillance such as the interception of communications, data retention and Garda use of CCTV, that legislation has developed on an ad hoc and reactive basis with few consistent principles applying to its use or oversight. Much of it is also out of date, most notably the 1993 interception of communications legislation. That law was designed with voice telephony and faxes in mind but due to technological changes no longer adequately protects email and other internet communications. For example, the law does not cover interception of internet telephone calls using services such as Skype, nor does it protect users of webmail services such as Gmail or Hotmail. In addition, Irish law currently protects messages only as they are “being transmitted”, making it likely that the stored contents of a person’s inbox would not be protected.

This ad hoc legislative framework also suffers from weak oversight mechanisms. Although the legislation provides for a designated judge to oversee interception, data retention and now covert surveillance, the annual reports of that judge have consisted of no more than a single page stating that the operation of the law has been kept under review and its provisions are being complied with. Compared with the UK system, for example, Irish law has little public accountability in relation to matters such as the volume of surveillance being carried out; whether individual files are reviewed to ensure correct procedures were followed; or whether mistakes were made such as the targeting of the wrong individual or number and what steps were taken to safeguard against such mistakes in future.

Considered as a whole, therefore, the wider Irish law is inadequate. Given that many of these issues were flagged by the Law Reform Commission in 1998, it is hard to see any justification for the failure to address them to date. Although this Bill does provide for some improvements, it is at best a piecemeal response which will not address similar problems with other forms of surveillance. It is clear that the time has come for comprehensive reform of the overall law relating to surveillance. This Bill is a good first step towards that reform. But it is only a first step, and it would be regrettable if the government were to continue to ignore this area until forced to act by another highly visible crime.

TJ McIntyre is a solicitor, Lecturer in Law in UCD and Chairman of Digital Rights Ireland
Edited to add: It's now available here.

Wednesday, April 15, 2009

Perspectives on internet filtering

In light of recent EU moves towards internet filtering now might be a good time to point to a paper by Colin Scott and myself where we argue that filtering risks jeopardising values we associate with freedom of expression - in particular legitimacy, transparency and accountability. It's available on SSRN here. If you find that paper interesting you might also enjoy the collection of essays from which it was taken - Brownsword and Yeung (eds.), Regulating Technologies.

Sunday, April 12, 2009

European Commission position on anonymisers

European law requires data retention - tracking details of every email you send. But data retention is easily circumvented by using anonymous email services. So will European law eventually prohibit anonymous email as well?

Jens Holm MEP recently put down a question on this issue. Here's the text of his question and the Commission's rather lukewarm response - while anonymisers might not be under threat at European level at the moment, the answer suggests that this might change in the not too distant future:
Anonymity services

The need for reliable systems for giving information anonymously has been highlighted in connection with trials concerning serious criminal cases and financial crime. Large sums can be lost if ordinary members of the public do not dare to contact journalists or the police. The development of electronic anonymity services has come a long way in Sweden. They are used by both private individuals and companies, on both the Internet and intranets, for both private and commercial use.

1. Does the Commission intend to submit a proposal to prohibit such services within certain fields?

2. Does the Commission consider that individual Member States have the right to prohibit such services?

3. Does the Commission consider that the right to electronic anonymity is or should be guaranteed at EU level?

Answer given by Mr Barrot on behalf of the Commission (3.4.2009)

1. The Commission is studying the impact of anonymity services on the ability of law enforcement bodies to provide security to the citizens in the EU. The Commission is currently not planning to submit a proposal prohibiting the use of such services.

2. It is the Member States' responsibility to safeguard their internal security. If the use of these services demonstrably limits their ability to do so, they may consider regulating the use of these services, while respecting the European Convention on Human Rights and other principles and guarantees regarding civil liberties in Europe and their obligations under the Treaties. Any such measures must be duly justified and must be proportionate and limited to what is necessary in a democratic society. Furthermore, given the relevance of whistle blowing systems for law enforcement against certain types of crime, the need to maintain the possibility of conferring information anonymously to the relevant organisations should be taken into account when considering regulation of anonymous communications services.

3. The fundamental right to protection of personal data is enshrined in Article 8 of the EU Charter. Whilst there is no explicit right to electronic anonymity as such under Community law, the Data Protection Directive is to require that personal data must be processed fairly and lawfully, including the data minimisation principle. This principle may be furthered by the use of anonymous data wherever possible. Confidentiality of communications and related traffic data is protected by the Directive on privacy and electronic communications. The data minimisation principle, leading to anonymity, may also be achieved by the use of Privacy Enhancing Technologies (PETs). However Member States may adopt measures to restrict the scope of these principles which are necessary to safeguard important public interests such as national security or law enforcement, including combating terrorism or fighting cybercrime.

Friday, April 10, 2009

EU to require internet filtering?

One of the most important recent developments at EU level - and one that's received surprisingly little media attention (The Register aside) - is the proposal from the Commission to require member states to introduce internet filtering for child pornography. This requirement would be part of a wider Framework Decision on combating the sexual abuse, sexual exploitation of children and child pornography (PDF) and article 18 is the relevant provision:
Blocking access to websites containing child pornography
Each Member State shall take the necessary measures to enable the competent judicial or police authorities to order or similarly obtain the blocking of access by internet users to internet pages containing or disseminating child pornography, subject to adequate safeguards, in particular to ensure that the blocking is limited to what is necessary, that users are informed of the reason for the blocking and that content providers are informed of the possibility of challenging it.
In short, all European countries would be required to introduce filtering along the general lines of that coordinated by the Internet Watch Foundation in the UK (which I've described and criticised here).

The lack of detail in this proposal is worrying - what is meant by "internet pages" for example? Web pages? Usenet posts? Gopher pages? (Yes, it still exists folks - try it!) What are "adequate safeguards"? What is the difference between pages which "contain" and pages which "disseminate" child pornography? Would the ability to challenge a block include an appeal to an independent judicial authority? What sort of blocking would suffice - simple DNS poisoning, crude blocks of particular ranges of IP addresses, two-stage systems along the lines of BT's Cleanfeed?

On the other hand, in some jurisdictions (notably the UK), this proposal would represent a step forward for civil liberties. The specific safeguards proposed - decisions by "competent judicial or police authorities", blocking being limited to what is necessary, users being informed of the reason for a block and content providers being informed of a right to challenge a block - go well beyond what is currently provided for by the IWF for example. (Indeed, the Commission's impact assessment (PDF) for this proposal points out (p.30) that a system such as the IWF's which is based solely on self-regulation may not be "prescribed by law" as required by Article 10 ECHR.)

This proposal has met with strong opposition from EuroISPA:
Malcolm Hutty, president of EuroISPA, representing ISPs from across Europe at the EU, considers the EU plans to block sites will "increase risks to the security, resilience and interoperability of the internet" and also stated: "For technical reasons, blocking simply cannot provide the level of protection that is necessary, and simple morality demands that we take strong collective action to get child pornography removed from the Internet, rather than simply hiding behind national firewalls," he added.
Incidentally, the impact assessment for the proposal contains an interesting and rather optimistic assessment of the costs associated with filtering (p.28):
In particular, blocking access to websites containing child abuse material would involve economic costs. The economic impact of a similar measure to restrict access to material inciting terrorism was assessed in revising the Council Framework Decision on Combating Terrorism. As the impact assessment accompanying the Commission proposal stated, the cost of imposing any of the different filtering methods to all internet service providers based in the EU is impossible to calculate. An upper limit of EUR 10 per computer is given on the basis of a specific example of implementing filtering in a network of 100 000 computers at 4 000 schools in Ireland. The cost of running a blacklist of illegal content may be borne by those in charge of it, whether law enforcement authorities or specific NGOs. This can be estimated at about EUR 110 000 to build the database and EUR 90 000 per year for maintenance. However, EU funding may be available for managing blacklists and exchanging information on illegal content.
The idea that the cost of generating and maintaining a blacklist can be capped at €90,000 per annum seems optimistic beyond belief. Is this supposed to include, for example, costs of compensating businesses who have been wrongfully blocked? The legal costs associated with appeals against wrongful blocks? The staff needed to look at alleged illegal content and decide whether it is in fact illegal? The effort required to keep the block list under review? By way of contrast, the overall budget for the IWF in 2006/2007 (PDF, p.15) was STG£876,087. Although not all that amount would be directed to generating and maintaining a blacklist, the figure nevertheless suggests that the Commission costs have little contact with reality.

[Edited to add: I've uploaded to SSRN a paper by Colin Scott and myself on internet filtering more generally.]

Friday, April 03, 2009

New rules for electronic discovery in Ireland

Statutory Instrument No. 93 of 2009 has made some significant changes to electronic discovery in Ireland. McCann Fitzgerald have summarised the effects:
* a party may seek electronic data in searchable form from its opponent;
* the court may order a party to give inspection and search facilities for electronic data on its computer systems to the other side;
* where computers contain sensitive non-discoverable data, the court instead may order that an independent expert carry out the inspection and search for relevant electronic data (the party seeking that discovery will have to fund the expert’s costs and expenses);
* where a party giving discovery finds that searching for the documents or data is excessively costly or burdensome, it may apply to the court to seek to narrow the scope of the discovery order;
* a party giving discovery must list the documents or data according to agreed categories or in a sequence corresponding with the manner in which the documents or data has been stored or kept in the usual course of business – the intention is to make discovery more comprehensible;
* all parties giving discovery must swear in an affidavit of discovery that they understand their obligation to give discovery of documents and electronic data (within the categories of discovery agreed or ordered by the court) which may help or damage their case in any way.
Interestingly, although the new rules provide for parties to be obliged to allow the other side "inspection and searching facilities", they appear to apply only to existing documents. They don't seem to refer to the question of whether the court can order a party to carry out analysis of ("data mine") electronic records - thus leaving unaltered the effect of the ruling in Dome Telecom v. Eircom.