Monday, May 04, 2015

PPS numbers: internet saviours?

Bank Holiday Mondays are quiet news days, making them a good time to get any old nonsense into the newspaper. Today is no exception as the Irish Times appears to have taken the opportunity for a special edition of breathless internet fear-mongering.

The prime example is this piece which makes the literally incredible assertion that "The PPS number provides the Irish Government with an opportunity to dramatically improve the safety of children and young people online." (Following on, no doubt, from the success of PPS numbers in the delivery of water services.) In effect, the author is demanding internet identity cards for the wider population. This is an astonishingly bad idea, as anybody with even a passing familiarity with the Korean internet ID fiasco should know.

So why is the author pushing this? The byline reveals that the author is "founder and CEO of TrustElevate, a technology products and services company that specialises in regulatory, policy and compliance online." But what the byline doesn't say is that her firm is selling the technology which the article promotes. According to its own site, "Trust Elevate is a UK-based technology solutions and advisory company. Our focus is on identity, privacy, security and safety from the perspectives of reputational compliance and commercial opportunities."

In short, the author is shilling her own service under the guise of an impartial opinion piece. This is bad enough in itself, but more fundamentally it is a distraction from what really needs to be done to protect children online.

At the most basic level, gardaí are dramatically under-resourced in dealing with the internet. The 2014 Garda Inspectorate report revealed there have been up to four year delays in analysing seized computers; that the Paedophile Investigation Unit had one (!) computer to receive and download evidence; that 40% of Garda stations are not networked and have no access to PULSE or internal email; that evidence cannot be shared electronically; and that even in networked stations many gardaí have no access to social media or external email.

One might expect that those genuinely interested in child welfare would address these basic points first. But where's the profit in that?


-----------

Some excerpts from the Garda Inspectorate Report - emphasis mine:
The current Garda Síochána IT system restricts the sending of evidence electronically, resulting in investigators having to travel to Dublin to view evidence. PIU only have access to one standalone computer to receive and download evidence, as they are unable to use PULSE. This is a fundamental tool for investigation of these crimes. When evidence arrives, it can take days to download information and this removes the availability of the computer to be used by investigators coming to the unit to view evidence for other cases. PIU gave an example where one case had over 8,000 videos.

Another problem area is the restriction placed on districts accessing social media sites. As a result, the PIU is swamped with requests from districts for help in cases under investigation. Since 2001, the unit has used a paper system for managing investigations and would like to move to an electronic system. Internally, the PIU uses an electronic spread sheet to monitor cases. There is a concern that two investigators could potentially be looking at the same suspect, without knowing that another garda is also investigating a crime against the same suspect. Like the SOMU, all PIU staff work on the same roster and again are all off-duty at the same time.

The delay in obtaining evidence from analysis of computers has contributed to a situation where no PIU investigation case file has been sent to the DPP for directions in the last four years of operation.


A consistent theme throughout the inspection of national and district intelligence units was that outdated IT equipment blocked them from accessing or viewing evidence about a crime. The Inspectorate was informed that the National Intelligence Unit is working on outdated software and is unable to load PDF documents and to view photographs. CIOs in particular experience daily challenges in accessing the necessary IT applications and equipment to perform their role effectively. CIOs often use personal laptops and computers to view CCTV footage, to download stills and to turn those stills into briefing documents and bulletins. This represents a risk of breaching security of intelligence data, but their motive is to ensure that intelligence is provided to local gardaí.

The access of gardaí to external e-mail was very inconsistent across the seven divisions. Some members stated that they had no external e-mail access and other gardaí explained that if you apply for access then it will be given. Many victims would like the option to use e-mail to communicate directly with the garda dealing with their case and it would ensure that the member actually received their message.

Wednesday, April 29, 2015

"Homophobe" brings Ireland's first "right to be forgotten" court case

A fascinating story in today's Irish Times details what seems to be the first court case in Ireland following the Google Spain ruling. However a less sympathetic plaintiff would be hard to find. The case is being brought by a Dublin man, Mark Savage of Lios Cian, Swords, who ran in the 2014 local elections on a platform which included reference to "Gay Perverts cavorting in flagrante on the beach in broad daylight". His election literature speaks for itself (click to enlarge):



Unsurprisingly, he was not elected. He now apparently objects to a Reddit thread characterising him as "Mark Savage - North County Dublin's homophobic candidate". Following an unsuccessful request to Google to have that thread deindexed, he complained to the Data Protection Commissioner who refused to order that Google do so. He has now appealed against that decision to the Circuit Court. I look forward to a full hearing, though I doubt it will be over in his optimistic estimate of two hours and I doubt he will be successful in his claim that Google should censor discussion of his views as publicly stated in an election campaign. If anything, this appears to be a complaint of defamation dressed up as a data protection matter.

Edited to add: Incidentally, the case also highlights an important structural point - chances are that most of the RTBF cases which become public will involve plaintiffs with relatively weak claims. The individuals with strong arguments to be deindexed will probably succeed in private at the point of initial contact with Google or else before the data protection authority. The only cases to be subject to public scrutiny before the courts will be those where both of the initial decision makers have found that the request should not be granted.

Monday, March 30, 2015

Two data retention cases pose questions for three Ministers for Justice

Two cases have now been brought in Ireland seeking to take advantage of the Digital Rights Ireland decision from the European Court of Justice in order to exclude evidence in criminal trials. First, a case stated in the prosecution of a detective garda alleged to have given false information to GSOC; second, a challenge brought by convicted murderer Graham Dwyer - commenced in January but made public only on his conviction last week.

Given how central internet and phone evidence is to many prosecutions, the only surprise is that it's taken this long for these challenges to be brought and no doubt more will come. Unfortunately it is possible that at least some convictions will be overturned as a result - and the blame for this will lie squarely with the Department of Justice and successive ministers.

Ministers Dermot Ahern, Alan Shatter and Frances Fitzgerald in particular have questions to answer.

Dermot Ahern knew in 2011 that data retention was on very shaky ground. By then data retention laws had been struck down in Bulgaria (2008), Romania (2009) and Germany (2010) - and the Irish challenge was pending before the High Court which had decided that the case raised "important constitutional questions". At this point the Irish law should have been reformed to provide for data preservation and include adequate safeguards identified by those cases, such as a requirement for a judge to approve access to data. Instead the law adopted in 2011 was equally flawed.

Alan Shatter and Frances Fitzgerald are equally if not more at fault. It was clear from the Advocate General's opinion in December 2013 that the Data Retention Directive would be struck down. But instead of replacing the 2011 law implementing the Directive both ministers adopted the ostrich position. There has been nothing but radio silence from the Minister for Justice since the Data Retention Directive was invalidated just under a year ago. It may be that she hopes by ignoring the problem it will go away. But by doing so she is only ensuring that many more prosecutions and convictions will be put at risk. As I previously predicted, "by continuing to keep its head in the sand the State is only storing up problems for the future".

Tuesday, March 24, 2015

Mixed internet messages from the Indian Supreme Court

The Indian Supreme Court today gave a landmark decision on the Information Technology Act 2000. Most media coverage has focused on the fact that the court struck down section 66A - the offensive messages provision - finding that it was unconstitutionally vague and would have a chilling effect on freedom of expression. This is significant for the ongoing Irish debate on "cyberbullying". The Irish offence of sending offensive messages by telephone is extremely similar to the Indian s.66A offence and there have been calls to extend it to the internet. Today's judgment suggests that this would be unconstitutional. As the Indian Supreme Court stated:
[The English cases] illustrate how judicially trained minds would find a person guilty or  not guilty depending upon the Judge’s notion of what is “grossly offensive” or “menacing”.  In Collins’ case, both the Leicestershire Justices and two Judges of the Queen’s Bench would have acquitted Collins whereas the House of Lords convicted him.  Similarly, in the Chambers case, the Crown Court would have convicted Chambers whereas the Queen’s Bench acquitted him. If  judicially trained minds can come to diametrically opposite conclusions on the same set of facts it is obvious that expressions such as “grossly offensive” or  “menacing”  are  so  vague  that  there  is  no  manageable standard by which a person can be said to have committed an offence or not to have committed an offence. Quite obviously, a prospective offender of Section 66A and the authorities who are to  enforce  Section  66A  have  absolutely  no  manageable standard by which  to  book a  person for an offence under Section 66A.
There's been less attention to the court's disappointing findings upholding the section 69A government power to order the blocking of websites where "necessary or expedient so to do, in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of  any cognizable offence relating to above". According to the court, the procedural safeguards established around blocking were sufficient to protect freedom of expression, despite the fact that blocking is ordered by the government itself rather than an independent body:

It will be noticed that Section 69A unlike Section 66A is a narrowly drawn provision with several  safeguards. First  and foremost,  blocking can only be resorted to where the Central  Government is satisfied that it is necessary so to do. Secondly, such necessity is relatable only to  some of the subjects set out in Article 19(2). Thirdly, reasons have to be recorded in writing in such blocking order so that they may be assailed in a writ petition under Article 226 of the Constitution.

The  Rules  further  provide  for a  hearing  before  the Committee set up - which Committee then looks into whether or not it is necessary to block such information. It is only when the Committee finds that there is such a necessity that a blocking order is made. It is also clear from an examination of Rule 8 that it  is  not  merely  the intermediary  who  may  be  heard. If  the “person” i.e. the originator  is identified he is also to be heard before a blocking order is passed. Above all, it is only after these procedural safeguards are met  that blocking orders are made and in case there is a certified copy of a court order, only then can such blocking order also be made.
Still, it is heartening to see that the Indian Supreme Court apparently considered it essential that both the intermediary and also the "originator" (the person who posts material) should be given the chance to be heard before a blocking order is made. In too many national schemes the only notice - if any - is to the host or social network, not the user.

Thursday, January 22, 2015

Mobile phone records as evidence in Irish courts

Just before Christmas a murder trial collapsed when the prosecution failed to lay the correct evidential basis for admitting mobile phone records against the accused. There's no written judgment but according to media reports:
The State entered a nolle prosequi in the case after Judge Catherine Murphy ruled that telephone records held on a mainframe computer could not be relied on as evidence because there was no evidence that the computer was operating correctly at the relevant time... 
In her ruling at Dublin Circuit Criminal Court Judge Murphy said there must be evidence of the function and operation of the main frame computer, on which the call records are held. She said: “This must include information that the computer was operating correctly at the relevant time”. 
The ruling relies on a 1992 judgement from the UK appeal courts which held that the prosecution must provide evidence of the function and operation of the mainframe computer used to store the records. The Cochrane ruling, which has been upheld by the Irish courts, noted that “the problem of proving transactions of this type must now arise frequently and it should be possible… to devise a standard form of evidence to deal with it.” 
Judge Murphy had earlier ruled that the evidence of the records held on the Meteor mainframe server was not admissible under the 1992 Criminal Evidence Act because the act does not cover automatically held records. 
The evidence in this case was that the records were held, automatically, on the Meteor mainframe server. The prosecution then submitted to the Court that the records could be admitted under Common Law. Judge Murphy ruled against them on this and noted that the UK judgement states there must be evidence “that the computer was operating correctly at the relevant time”. 
The UK judgement states that the prosecution must provide “authoritative evidence about the operation of the relevant machines”. Judge Murphy noted that an engineer from Meteor gave evidence for the prosecution that he had working knowledge of the Meteor computer system but not of the mainframe computer from on the records were held.
Today it seems that another trial has collapsed on the same basis. According to the Irish Times:
The legal argument centred on whether records from mobile phone masts could be relied on to link the phones to the robbery by placing them at relevant times and places. Detectives have developed the network of phones out of a single call allegedly made from the Dublin Mountains to the Richardson family home during the kidnapping. Mrs Richardson testified that the gang had allowed her to call her husband from the mountains. In ruling on the defence application, made in the absence of the jury, Judge Ring said that none of the three mobile phone network experts called by the prosecution could say that the relevant networks were fully operational and functioning on a given day or whether any particular cell sites are out of operation on those relevant dates. She said there was evidence that calls could be routed through another mast if the nearest mast was not operational at the time or if it was busy.
The Cochrane judgment referred to in these reports is R v. Cochrane [1993] Crim LR 98, which was applied in Ireland in relation to mobile phone records by People (DPP) v. Colm Murphy [2005] IECCA 1. It's a little surprising, therefore, that admissibility has become such a contentious issue nearly a decade later. As far as I can tell from the newspaper reports, what has happened is that trial judges have become more familiar with the technology and have become more strict in insisting that the prosecution witnesses can testify to the operation of the system as a whole and not just particular components such as the masts. In the short term this is going to require prosecutors to put forward more technical witnesses from the mobile operators; longer term I wouldn't be surprised to see legislation rushed forward to provide a statutory basis for admitting these records (probably on the basis of certificate evidence).

Incidentally, this is certainly not limited to the case of mobile phone records - the same logic would apply to evidence of IP address allocation and use and other computer evidence. Expect these arguments to be played out soon in other cases involving computers.

Friday, October 24, 2014

Discovery of encrypted documents

Today's Irish Times has a story arising out of the Quinn litigation against the state which raises important issues around access to encrypted documents:
The family of Seán Quinn is demanding access to three letters sent between former minister for finance Brian Lenihan and then chairman of Anglo Irish Bank Donal O’Connor as part its €2.34 billion claim against the state.  This correspondence relates to late January 2009 and early February 2009, just after the state took the decision to nationalise Anglo as it tottered on the brink of collapse. The family also wants efforts to be made to crack a password-protected email sent by the bank’s chief executive David Drumm to Matt Moran, a close lieutenant, in the midst of the financial crisis in April 2008, according to documents filed in relation to their legal battle...

Legal advisers to the liquidators of IBRC, who are now in charge of Anglo, are refusing to release about 168 documents which they claim are legally privileged, with the exception of the email from Mr Drumm to Mr Moran which they cannot access... [The Quinns] have asked the liquidators of IBRC to instruct IT experts to crack the encoded email or give it to the family so that they can try to do so.

I've already looked at the encrypted Anglo files from a criminal law perspective, considering when police can demand that files be decrypted or that individuals hand over passwords. This case presents parallel civil law issues - when can a party in litigation demand that potentially relevant files be decrypted as part of the discovery process, when the other party does not have the relevant passwords?

This will be the first time this is considered by the Irish courts. There doesn't appear to be any case law on the topic, and it's not explicitly addressed in the Rules of the Superior Courts. It's also not considered in the Law Reform Commission's (rather disappointing) 2009 Consultation Paper on Documentary and Electronic Evidence. The closest Irish material is the 2013 Good Practice Guide to Electronic Discovery in Ireland which suggests that parties making discovery should if necessary attempt to break the protection on encrypted or password protected files (PDF, p.23).

I look forward to seeing the decision on this point.

Tuesday, October 21, 2014

Garda body cameras: quis custodiet ipsos custodes?

Garda body worn camera - screencap from Dublin Says No protest video.
I had a piece in Saturday's Irish Independent on the implications of the new Garda body worn cameras being used at protests against water charges. There wasn't enough room in 750 words to tackle all the issues involved so here are some thoughts that didn't make it into the finished piece:

* While there is almost no transparency around the use of the cameras, for the moment it looks as though they are only being used at protests. This is a relatively straightforward case - public protests are the best case scenario for the use of cameras as situations where there is a limited privacy interest on both sides and a likelihood of confrontation - but isn't at all representative of the problems that would be faced if cameras were rolled out to ordinary policing. For example, would cameras be turned off when gardaí are in private homes? In hospitals?

* In particular, there is a real risk that the use of cameras in day to day policing will lead to a more wary relationship with the public. Will people be deterred from talking to gardaí for fear that their casual conversations may be recorded and reviewed?

* The main financial cost lies not in the cameras themselves but in the management of the recordings they generate. Video requires lots of storage and systems in place to deal with transfer of material from device to server, deletion of material once the retention period is up, flagging of particular recordings to be stored, search and retrieval of material which might be spread across a number of different stations, backups and archiving, ensuring that older file formats can still be read, responding to subject access requests, etc. Have these points have been taken into account in garda planning? Or will we end up with another case of garda tapes being stored randomly in cardboard boxes and covered in mould?

* At the moment garda management are saying very little about these new cameras. In a few months the Freedom of Information Act 2014 will be extended to An Garda Síochána - but in the meantime anyone who has been videoed at a protest can find out more by making a (free) request under s.3 of the Data Protection Acts to determine what data from the cameras are being held and the purposes for which they are being kept.