Monday, April 11, 2011

The curious case of internet filtering in Ireland

[Reblogged from the new website, where I will be contributing updates from Ireland.]

One of the most important developments for freedom of expression online has been the growth of internet filtering systems, which have rapidly been adopted by national governments as the “solution” to various forms of internet wrongdoing. Ireland is no exception to this trend, and last month it was revealed that the Garda Síochána (the national police force) is now attempting to introduce a system whereby ISPs would block access to websites alleged to host child abuse images.

It is somewhat ironic that this news becomes public just as both Germany and the Netherlands have decided to abandon similar systems, having found that they are ineffective as a means of tackling child abuse images. Even leaving aside considerations of effectiveness, however, the proposed Irish system still presents a number of significant concerns.

A fundamental principle under Article 10 of the European Convention on Human Rights is that measures which have the effect of restricting freedom of expression must be “prescribed by law”. In this case, however, the Irish system would not have any legal basis whatsoever, much less any judicial oversight or control. Instead, it would involve the police in telling ISPs what domains to block on a “self-regulatory” basis. Consequently, it would seem on the face of it that the proposed system would violate Article 10. The European Commission recently reached the same conclusion about self-regulatory blocking systems (p.30) as did a government study which was decisive in causing the Dutch blocking system to be abandoned.

A further problem relates to the secret manner in which the government and the police have attempted to introduce this system. There has been no public consultation or debate of any kind regarding blocking – instead, information has only dripped out in response to freedom of information requests and leaks from ISPs. This is particularly worrying given that (as Lessig points out) internet filtering is an inherently opaque process, which is prone to operating in an unaccountable way and to being extended beyond its original purposes. In the Irish context, the secrecy surrounding the introduction of filtering doesn’t bode well for the future.

The nature of the proposed blocking is also worrying. What Irish police have suggested is based on the CIRCAMP model, which attempts to block material by using DNS tampering. In short, the police would notify ISPs of a domain or subdomain to block, and the ISP would then configure its DNS servers to redirect all attempts to visit any material hosted on those (sub)domains. The effect would be massive overblocking, where users would be unable to visit any page hosted on a particular domain, irrespective of whether it had any connection whatsoever with the blocked material. Last February, a similar approach in the United States saw over 84,000 innocent websites being wrongfully blocked, and there is no reason to think that the Irish approach would be any more precise.
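The overblocking described above follows from what a DNS resolver can see: the host name only, never the path. The following is an added illustration, not code from the original post or from CIRCAMP; the host names, URLs and the whole-zone matching rule are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample data (not from the post): one flagged file on a shared
# hosting domain, and a set of user requests, most of them unrelated to it.
FLAGGED_URLS = ["http://hosting.example/users/1234/flagged.jpg"]
REQUESTS = [
    "http://hosting.example/users/1234/flagged.jpg",
    "http://hosting.example/users/9876/recipes.html",
    "http://hosting.example/about",
    "http://blog.hosting.example/2011/04/post",
    "http://unrelated.example/index.html",
]


def qname(url):
    """The only thing a DNS resolver sees for a request: the host name."""
    return urlsplit(url).hostname.lower().rstrip(".")


def build_dns_blocklist(flagged_urls):
    """A DNS blocklist can hold names only; the path is discarded."""
    return {qname(u) for u in flagged_urls}


def dns_blocked(url, blocklist):
    """True if the queried name, or any parent domain of it, is listed.

    Assumption: the resolver overrides the listed name as a whole zone, so
    names beneath it are redirected as well.
    """
    labels = qname(url).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def collateral(requests, flagged_urls):
    """Requests redirected by the DNS block that never matched a flagged URL."""
    blocklist = build_dns_blocklist(flagged_urls)
    flagged = set(flagged_urls)
    return [u for u in requests if dns_blocked(u, blocklist) and u not in flagged]


if __name__ == "__main__":
    hit = collateral(REQUESTS, FLAGGED_URLS)
    print(f"{len(hit)} of {len(REQUESTS)} requests blocked without matching a flagged URL:")
    for u in hit:
        print("  ", u)
```

In this constructed sample a single flagged image causes three unrelated requests to be redirected, and each of those redirects is also the event that would trigger the browsing-history disclosure discussed in the next paragraph.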

Finally, one particularly unusual aspect of the proposals is the way in which police seek to introduce monitoring of users. According to the proposals, where a user attempts to view a blocked domain name, police would “obtain details of other websites visited by the user, along with other technical details, in order that [they] can identify any new websites that require blocking”. This in effect seeks the full browsing history of users – whether or not there has been any attempt on their part to view child pornography! (Bearing in mind that DNS tampering results in massive overblocking, it is quite likely that a user may have their browsing history disclosed due to an attempt to visit an unrelated page when the entirety of a domain has been blocked due to a single image or page elsewhere in the site.) This raises fundamental privacy and data protection concerns, particularly given that a user can often be identified by viewing their browsing history, and has therefore been referred to the Data Protection Commissioner for investigation.

Given these problems, it must be hoped that these proposals are abandoned. But quite apart from these particular proposals, it is now also time to look at the other systems of internet filtering in Ireland that have developed on an ad hoc basis. In particular, Irish mobile phone companies have been engaged in self-regulatory blocking for some time (1|2), in a manner which often affects innocent users due to crude DNS systems. Similarly, the largest Irish broadband provider Eircom recently settled an action brought by the music industry by (amongst other things) agreeing to block access to The Pirate Bay and “related domain names”. These systems have developed without any real public scrutiny or oversight and it is time to consider the effect which they have on users, whether they are subject to adequate transparency and oversight mechanisms and whether or not they are effective at achieving their goals.

Thursday, April 07, 2011

Data breach law in Ireland - the current state of play

I had a very interesting morning at McCann Fitzgerald who were kind enough to invite me in to give a legal update on data breaches - here's a copy of the handout I provided: Lessons from laptop loss: Legal consequences where organisations lose personal data

Saturday, April 02, 2011

Irish Press Council now taking online only sites as members

The Press Council published its annual report for 2010 yesterday. It details some interesting cases (1|2) involving reporting which reuses material from social networking sites and blogs, but more importantly for Irish websites the launch also revealed that the Press Council is now taking online only media as members.

From the Irish Times:
With the increase in news gathering and reporting increasing on the internet, chairman of the Press Council Daithí Ó Ceallaigh said web-based organisations or publications could benefit by joining its independent regulatory regime.

“When this happens – and at least one new web-based organisation has already been accepted as one of the recent new members of the council – we are ready to play a positive role in light of our own experience in support of the highest possible journalistic standards.”

This is a significant development. Membership of the Press Council and adherence to its Code of Practice offers periodicals a significant benefit in establishing a defence of fair and reasonable publication on a matter of public interest. The narrow definition of "periodical" in the Defamation Act 2009, however, created doubt as to whether an online-only publication would qualify for membership.

Eoin O'Dell took the view that it wouldn't (a view which I shared) though the last Minister for Justice later took a contrary view, claiming that:
The question of whether publications existing "on-line" only, either now or in the future, wish to come under the umbrella of the Press Council - and abide by its code of practice - is a matter for those publications. Nothing in the Defamation Act precludes this. Neither have I noticed any express limitation of jurisdiction in the Articles of Association of the Press Council on membership by on-line publications. Some recent commentary from media experts seems to have missed this point.

The Press Council itself has now clearly taken the position that online-only periodicals are eligible for membership, which will certainly cause a number of Irish websites to consider joining.

One note of caution, however: it will ultimately be for a court to determine whether an online-only site is a "periodical" for the purposes of the defence of fair and reasonable publication. The views of the Press Council on this point will be relevant but certainly not conclusive.