Friday, June 24, 2011

Irish documents on interception of communications and surveillance

I've uploaded a few documents recently which might be useful to anyone interested in issues of surveillance and interception of communications in Ireland.

First is the 2009/10 report of the Designated Judge responsible for monitoring the interception of communications and data retention:
Interception and Data Retention Annual Report 2009/10

Second is the 2009/10 report of the (different) Designated Judge responsible for monitoring covert surveillance:
Covert Surveillance Report 2009-10

Third is the Revenue manual setting out their understanding of their powers and duties in relation to covert surveillance, following the enactment of the Criminal Justice (Surveillance) Act 2009:
Revenue Surveillance Manual

(Many thanks to Mark Tighe for copies of the two judges' reports.)

Monday, June 13, 2011

Ireland to extradite "hacker"?

Continuing our series of "interesting stories lost behind the Sunday Times paywall", John Mooney and Mark Tighe reveal that the DPP has directed the extradition of a Latvian man suspected of involvement in the January 2010 hacking of [subscription only].

According to that article:
Gardai from the force's computer crimes unit quickly traced the hacker to Latvia but it is only in recent weeks that the Director of Public Prosecutions (DPP) has ordered the suspect to be extradited. The DPP has directed that there is enough evidence to secure a conviction...

Legal sources said it may be possible for the suspect to be charged with theft or fraud: some of the passwords obtained in the hack appear to have been used to steal money from people's Paypal accounts... The hacker is suspected of downloading a number of databases to order.
Background on the attack on 1|2.

Sunday, June 12, 2011

The first Irish case on defamation via autocomplete

Another story lost behind the Sunday Times paywall last week was Mark Tighe's piece on what seems to be the first Irish case alleging defamation via Google's autocomplete system:
Hotel Fury over Google

A FAMILY-OWNED hotel in Louth is suing Google because it says the search engine giant gives web surfers the mistaken impression it is bust. The four-star Ballymascanlon House hotel, located outside Dundalk, has applied for a High Court injunction to prevent the Google search engine from suggesting it is in receivership.

Ballymascanlon is not in receivership and the Quinn family, who have run the hotel for 70 years, say it is trading successfully.

Google declined to comment on the legal action.

When search engine users type the first seven letters of the hotel's name into Google, the website's automatic prompting service, Google Instant, throws up the suggestion "Ballymascanlon hotel receivership".

The hotel, one of the most popular wedding venues in the northeast, says it has been contacted by brides who had booked weddings there and were "in tears" after seeing the Google prompt.
Mark Collier has an excellent post setting out the background to this case and more details, from which I've borrowed the following image showing the offending search terms:

This isn't the first time Google has been sued over autocomplete suggestions - it recently lost similar cases in France and Italy - and the case raises a fundamental issue as to whether Google should be treated as responsible for the suggestions which it claims merely reflect the most popular user queries. Undoubtedly (if the case makes it to trial) Google will rely heavily on the recent English judgment in Metropolitan International Schools v. Designtechnica, in which it was found not to be the publisher of defamatory snippets in search results on the basis that:
When a snippet is thrown up on the user's screen in response to his search, it points him in the direction of an entry somewhere on the web that corresponds, to a greater or lesser extent, to the search terms he has typed in ... it is for him to access or not, as he chooses. [Google] has merely, by the provision of its search service, played the role of a facilitator.
In this case, however, it may be that Google will face difficulties in running that defence. Looking at both Metropolitan International Schools and the recent Italian judgment, three factors seem likely to be important. First, unlike the case of search results, autocomplete suggestions do not merely reflect what is elsewhere on the web but are created by Google (albeit by algorithm). Second, as Google actively censors the autocomplete system it makes it harder to argue that there is no "human input" into the results - a factor which was critical in Metropolitan International Schools. Third (although the judgment isn't entirely clear on this point) the court in Metropolitan International Schools found it significant that Google could not block all searches against particular terms without also blocking a great deal of unrelated material. In this case, however, it would seem quite simple to remove a particular autocomplete result for this hotel, ruling out any argument based on practicability or collateral damage.

Incidentally, I see from the High Court search that the action is listed as QUINN [SENIOR] & ORS -V- GOOGLE IRELAND LIMITED 2011/4784 P. I was surprised to see Google Ireland named as a defendant, as I understand that Google's search functions are run by Google Inc., California - a distinction which tripped up the Red Cross in their action seeking to identify a blogger hosted on Google's blogspot. In that case the Red Cross eventually had to seek the permission of the court to substitute Google Inc. as the defendant, and I'll be interested to see whether this happens in this case also.

Saturday, June 11, 2011

Data Protection Commissioner investigating Eircom's "three strikes" system

Between the bank holiday weekend and the Sunday Times paywall, Mark Tighe's story last week revealing that the Data Protection Commissioner is investigating the Eircom / IRMA three strikes system didn't receive the attention it deserved. However, the investigation has the potential to entirely derail the system and needs to be considered further.

First, the background. I'm disappointed but not surprised to find that my 2009 prediction - that Eircom would end up falsely accusing innocent users - has come to pass in relation to 300 users:
THE "three strikes" scheme to prevent music piracy, which is operated by Eircom at the behest of record companies, is being investigated by the data protection commissioner (DPC) after customers said they were sent warning letters in error. The investigation began after an Eircom customer complained that he had wrongly received a "first strike" letter. The company has admitted it incorrectly issued such warnings to a "limited number" of customers.
So why did Eircom falsely accuse users?
This was due to a software failure caused when the clocks went back last October, it said.
Far from being a technical-sounding "software failure", this appears to show up ineptitude in relation to a very basic aspect of network management - i.e. making sure that the server clock reflects daylight saving time. As a result, it seems that users found themselves being accused on the basis of what somebody else did from the same IP address either an hour earlier or an hour later. Consequently, the users who were wrongfully accused should consider themselves lucky that this incompetence did not lead to their being accused of a serious crime - for example, being arrested and having their homes searched due to the wrong time being used (as happened to these Indian users).
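To make the failure mode concrete, here is a short added example (not Eircom's code and not from the original post) showing how a one-hour offset error turns a detection timestamp into an accusation against the next holder of a dynamic IP address. The lease log, subscriber labels, function names and the assumption that leases are logged in local wall-clock time are all constructed for illustration; the clock-change date of 31 October 2010 is the standard EU date for that year.

```python
from datetime import datetime, timedelta

# Clocks in Ireland went back at 01:00 UTC on 31 October 2010 (02:00 -> 01:00 local).
FALL_BACK_UTC = datetime(2010, 10, 31, 1, 0)

# Constructed lease log in local wall-clock time: (ip, start, end, subscriber).
LEASES = [
    ("192.0.2.10", datetime(2010, 11, 1, 19, 0), datetime(2010, 11, 1, 20, 30), "subscriber-A"),
    ("192.0.2.10", datetime(2010, 11, 1, 20, 30), datetime(2010, 11, 1, 22, 0), "subscriber-B"),
]

def local_offset(utc_time):
    """Correct offset around the change: +1h (summer time) before it, 0 after."""
    return timedelta(hours=1) if utc_time < FALL_BACK_UTC else timedelta(0)

def stale_offset(utc_time):
    """Assumed fault: summer time is still applied after the clocks went back."""
    return timedelta(hours=1)

def is_ambiguous(local_time):
    """Local times 01:00-01:59 on 31 Oct 2010 occurred twice and cannot be resolved."""
    return datetime(2010, 10, 31, 1, 0) <= local_time < datetime(2010, 10, 31, 2, 0)

def attribute(ip, detected_utc, offset_fn):
    """Map a UTC detection time to the subscriber holding the IP, or None."""
    local = detected_utc + offset_fn(detected_utc)
    if is_ambiguous(local):
        return None  # refuse to attribute inside the repeated hour
    for lease_ip, start, end, subscriber in LEASES:
        if lease_ip == ip and start <= local < end:
            return subscriber
    return None

if __name__ == "__main__":
    seen = datetime(2010, 11, 1, 20, 0)  # constructed detection time, in UTC
    print("correct offset:", attribute("192.0.2.10", seen, local_offset))
    print("stale offset:  ", attribute("192.0.2.10", seen, stale_offset))
```

Logging both the detection and the lease records in UTC removes the conversion step, and with it both the stale-offset error and the repeated-hour ambiguity.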

The significance of this case goes beyond simple technical failings, however, as the complaint to the Data Protection Commissioner has triggered a wider investigation of the legality of the entire three strikes system:
The DPC said it was investigating the complaint "including whether the subject matter gives rise to any questions as to the proportionality of the graduated response system operated by Eircom and the music industry".
This is unsurprising - when the Eircom / IRMA three strikes settlement was being agreed the Data Protection Commissioner identified significant data protection problems with it. These problems remain, notwithstanding the deeply flawed High Court judgment which approved of the system - a judgment which, for example, decided on the question of whether or not IP addresses are personal data without once considering the views of the Article 29 Working Party. It is not surprising that the Data Protection Commissioner was not convinced by that judgment (the judgment was problematic at least in part because the Commissioner was not represented - the only parties before the court had a vested interest in the system being implemented). However, until a concrete complaint arose no further action could be taken.

The complaint in this case has now triggered that action, and it seems likely that the Commissioner will reach a decision reflecting his previous views that using IP addresses to cut off customers' internet connections is disproportionate and does not constitute "fair use" of personal information. If so, the Commissioner has the power and indeed the duty to issue an enforcement notice which would prevent Eircom from using personal data for this purpose - which would ultimately seem likely to put the matter back before the courts. Watch this space.