Thursday, March 21, 2013

Microsoft joins the transparency movement (with an important Irish dimension)

Kudos to Microsoft for today publishing their first annual Transparency Report setting out details of how often national police forces seek to read customer content (such as emails) or to access other information on customers. This is done as part of their commitment as a member of the Global Network Initiative and it's striking, but alas not surprising, that this makes Microsoft considerably more transparent than the Irish government which refuses to reveal even this basic statistical information.

On to the data. In 2012, in relation to Microsoft products generally (Hotmail, Outlook.com, Messenger, etc.) Gardaí sought information in 72 different requests, relating to 222 different accounts. Of these requests, 5 resulted in user content being revealed (such as the actual contents of emails), 46 resulted in non-content user information being revealed (such as the IP address last used), 19 resulted in no data being found and 2 were rejected for not meeting legal requirements.

Skype, which Microsoft now owns, was treated separately. In relation to Skype Gardaí made 4 requests relating to 7 different accounts and there was no data disclosed in relation to any of those requests. (This mostly seems to be due to no data being found but records aren't available for the entire year.). Also, in 2 cases the Skype support team provided general guidance to Gardaí regarding the procedures for accessing customer data.

There's an interesting comparison here with Google's Transparency Report. The overall numbers of requests by Gardaí to Microsoft and Google are very close (76 total for Microsoft for all of 2012; 34 for Google for the first six months of 2012). However the numbers of requests which result in information being provided are very different. In the case of Google data was provided in reply to just 2 of 34 requests (6%), while Microsoft provided data in response to 51 of 76 requests (67%). It's impossible to know without more information why that is and the low Google response rate might be just a blip for the particular six month period - nevertheless the difference is striking.

Significantly, Ireland was one of only four countries other than the US where user content was disclosed, the others being Brazil, Canada and New Zealand. The report doesn't make it clear why this is, but the FAQs imply that this may be due to Hotmail and Outlook.com accounts being hosted in Ireland and therefore being subject to local law.

The report also glosses over a question which has long interested me - what's the legal basis on which Microsoft will provide the contents of emails to Gardaí? Here's what the FAQs have to say:

What laws apply to Microsoft and Skype customer records and content? 

Irish law and European Union directives apply to the Hotmail and Outlook.com accounts hosted in Ireland...

How does Microsoft and Skype determine what law enforcement entities are able to request data? 

Microsoft must produce data in response to valid legal requests from U.S. and Irish law enforcement entities because we are headquartered in those jurisdictions or because we host data in those countries. Microsoft may disclose non-content data pursuant to a law enforcement request after it is validated locally and transmitted to our compliance teams in the U.S. and Ireland...
So - what exactly is a "valid legal request"? Irish law on interception doesn't seem to extend to webmail, suggesting that Microsoft are simply acting in response to non-statutory Garda requests rather than requiring a Ministerial warrant as would be required for telephone tapping. If so, the relevant law would be s.8 of the Data Protection Acts 1988 and 2003, which allows (but doesn't require) voluntary disclosures of user information in the context of criminal investigations. This would, however, be worrying if true as it would allow Garda access to email contents without any outside scrutiny (no Ministerial warrant or court order required) and without the other safeguards which would apply to telephone tapping - so no judicial oversight after the fact and no complaints mechanism available.

If this is the case then it would also put Ireland in breach of our obligations under Article 8 of the European Convention on Human Rights, which states that interferences with private communications must be "in accordance with the law", requiring that there should be a clear legal basis along with adequate mechanisms in place to oversee and guard against abuses of surveillance. (See in particular Klass v. Germany and Malone v. UK.)

More clarity on this point is required, and as soon as possible the law should be changed to ensure that emails enjoy the same protections as telephone calls.

Wednesday, March 20, 2013

Testifying before the Oireachtas Social Media Hearings

Leinster House, Kildare Street
I appeared today along with my colleague Fergal Crehan on behalf of Digital Rights Ireland before the Oireachtas Joint Committee on Transport and Communications which is currently holding a series of hearings on "Social Media Ethics and Regulation". There's a good summary of the proceedings in the Irish Times but the masochistic amongst you can watch the whole thing here. Our slides and Fergal's very comprehensive written submissions are embedded below.

I won't rehash here the substance of the discussion, but I should say that we got a very fair hearing from the Committee whose members - following four separate sessions on the topic - are now very familiar with the issues (previous sessions: 1|2|3). They were quite receptive to the argument that greater resources are needed for the Data Protection Commissioner and the Garda Computer Crime Investigation Unit, and I suspect that they were as shocked as I was to discover that there is currently a three year backlog for that unit to investigate child pornography cases.

The hearings as a whole were also useful in highlighting current practice in sites such as YouTube and shedding some light on the otherwise rather opaque Office for Internet Safety in the Department of Justice. I was disappointed though that there was no evidence from domestic social networking sites such as Boards.ie - the larger international players such as Facebook, Twitter and YouTube operate in a very different environment, not least in the resources they have, and it would be unfortunate if the Committee were given the impression that they were typical of social media sites generally. I don't know whether the domestic absence is because local sites didn't seek to be heard, or whether they weren't given time - but either way it seems to me that these sites would benefit from joining forces and possibly setting up a group to represent their views. In any event I look forward to seeing the Committee's report.


Tuesday, March 05, 2013

Irish court allows reporters into family law case (but bars tweeting)

The High Court gave a landmark judgment on surrogacy earlier today, holding that the biological mother of twins born to a surrogate (her sister) was entitled to be recorded as their mother on their birth certificates. I'll leave the family law side of this to the experts, but I was struck by how the court handled the issue of media coverage. In particular, in exercising its discretion to allow certain designated journalists to report on the proceedings the court did so subject to a number of conditions one of which was that: "no contemporaneous social media reporting e.g. by Twitter shall be carried out by the designated reporters."

This seems to be the first time that an Irish court has positively restricted the tweeting or live blogging of court proceedings, though that's not to say that the issue hasn't been considered.

In 2009 Abigail Rieley - then working as a court reporter - could still say that the issue hadn't yet reached the judicial consciousness. In 2011 it was reported that a judicial committee would consider the issues of jurors' use of the internet and might also consider the issue of courtroom reporting on social media. (I'm not aware that anything public ever emerged from this - if you know better please let me know.) Still again, in 2012 the media relations advisor to the Courts Service published an interesting article on social media and the courts (PDF) which amongst other things suggested that there was a need for judicial guidance along the lines of the current English rules regarding tweeting from court.

Meanwhile, despite these concerns the use of Twitter in court has simply become a part of day to day reality. Today's judgment is the first time it has butted up against judicial resistance - and that only in the particularly difficult and private context of a family law matter. I suspect, though, that it won't be the last.