Wednesday, April 06, 2016

Search warrants and privacy in Ireland - CRH, Irish Cement & Lynch v. CCPC

The High Court gave a very important judgment yesterday (Independent.ie story) on the issues raised by the use of a search warrant to seize an entire email account where many of the emails in the account were not caught by the terms of the warrant. To grossly simplify a complicated decision, Barrett J. held that where the Competition and Consumer Protection Commission (CCPC) had seized an entire email account it was not itself entitled to carry out a "sifting" exercise to determine which emails fell within the scope of the warrant - instead, this had to be done by some impartial vetting process. In the lack of a suitable statutory mechanism, this could be done by agreement between the parties.

The full decision isn't yet on the courts.ie site, but courtesy of the CCPC I've uploaded a scanned copy to Scribd. The full decision will need careful consideration, but at first glance it's a very privacy protective decision which may have far reaching consequences in other areas of criminal procedure. Notably, it cites with approval the 2013 Canadian Supreme Court decision in R. v. Vu on the special privacy issues presented by searches of computers. (And, I'm glad to see, the Digital Rights Ireland litigation.) By requiring specificity in what is seized and how that material is then examined, it puts a question mark over other search powers - such as those under s.48 of the Criminal Justice (Theft and Fraud Offences) Act, 2001 - which are generally used so as to seize an entire computer and not merely specific records.

Wednesday, March 16, 2016

Destroying the history of those victimised by the State

Fiona de Londras has a letter in the Irish Times today, co-signed by a range of prominent lawyers, highlighting an injustice about to be done by the Irish state. The letter is worth quoting in full:
As human rights lawyers we note with great concern the proposal that records of applicants to the symphysiotomy payment scheme would be shredded after March 20th.
This would reinforce the harm done to women by the physical and symbolic destruction of official medical records attesting to the abuse and harm they experienced. Furthermore it would lead to the destruction of vital records and evidence that might be of assistance in future legal, historiographical and political processes of recording the symphysiotomy in Ireland and ensuring accountability for these instances of inhumane and harmful treatment.
The UN Human Rights Committee has called for a “prompt, independent and thorough investigation into cases of symphysiotomy” leading to prosecutions where appropriate.
It is likely that Ireland is under a positive obligation to hold such an inquiry under the European Convention on Human Rights
That these records would be returned to the applicants to the scheme is, thus, of paramount importance.
We note that applicants to this scheme were obliged to provide “relevant supporting records”. They were not informed that these records would be destroyed, that they should send or retain certified copies, or that by applying to the scheme through submission of these records they were at risk of losing this documentary evidence of their medical mistreatment
The limitations of data storage at hospitals are such that such records, if destroyed, might not be capable of retrieval elsewhere, and in some cases processes for accessing records can be so difficult to navigate as to be almost inaccessible.
Thus, we call on Ms Justice Harding Clarke to reconsider this, and to ensure that all records are returned to the applicants to the scheme, by registered post, at the earliest possible date. Under no circumstances should they be destroyed.
We also endorse the call from Marie O’Connor of Survivors of Symphysiotomy that applicants to the scheme be asked for their consent to these records being archived. 
Quite apart from the collective harm involved, the destruction of these records will be a significant wrong to the individual women. They were told that "the Assessor  shall,  where  reasonably possible, arrange  for  the  return  to  the  Applicant  or  her  Solicitor  of  any  documents submitted". The plan to shred these documents is a direct breach of this promise and makes it likely that the women will not be able to get copies of those documents from other sources.

The issue is urgent. The documents will be destroyed unless "an option letter" is received by 20th March. However, there is an interim solution for those affected: a subject access request under the Data Protection Acts will, in effect, stop the clock. Daragh O'Brien has details of the steps to take.

Thursday, November 12, 2015

How trustworthy is Microsoft's "data trustee"?

Yesterday Microsoft announced a radical new structure for some of its European data centres. In an attempt to put customer data beyond the reach of the US government, it has entered into a relationship with Deutsche Telekom which will operate new European facilities on its behalf and act as "trustee" for data held there. The aim is that:
[Microsoft] employees will have no access to the data held at the facilities without the German company’s permission. The companies believe this arrangement means Microsoft will not have to respond to governmental demands for information held in these data centres, forcing official requests to go through German authorities instead.
This is a direct response to the ongoing US litigation asserting that the Stored Communications Act has extraterritorial effect and captures data which Microsoft holds in Dublin or anywhere else worldwide. The harm to its European cloud operations has forced Microsoft's hand - rather than waiting for the result of the appeal in that case (or proposed amendments which would cut back the extraterritorial effect of US law) it has opted to put itself in a position where it simply can't comply with US demands.

But how trustworthy is Microsoft's trustee? Deutsche Telekom looks like an unfortunate choice. It's probably best known in privacy circles for systematically using its phone records to spy on journalists writing critical stories about it - including tracking journalists' movements using mobile phone data. It's deeply ironic that Deutsche Telekom now sees privacy as a selling point when it previously spied on its users not in response to government demands but simply for its own commercial advantage.

Tuesday, October 13, 2015

Law Society Annual Human Rights Conference

I spoke at the Law Society's 2015 Annual Human Rights Conference last Saturday about privacy and surveillance online in light of recent CJEU decisions - a particularly topical area following the decision in Schrems. I was joined on my panel by Karlin Lillington, the journalist whose advocacy was responsible for data retention being treated as a civil liberties issue in Ireland, and the session was chaired by Michael McDowell who as Minister for Justice was responsible for introducing data retention in Ireland in 2005 and was one of the main proponents behind data retention at a European level. As you would expect with this range of views, there was a full and interesting discussion of privacy generally and the specific area of state surveillance. Unfortunately there's no recording of the conference, but I've embedded my own slides below.



The Law Society will be making available other slides/papers from the conference - including hopefully the very interesting papers from Olivia O'Kane on privacy and the media and Judge Michael O'Reilly on prisoners' rights - and I'll link to those once they are put up.

Tuesday, September 15, 2015

Whitewashing your internet profile: political edition

Irish politicians are getting nervous. Although the government still insists it will serve out its full term, insiders are muttering about the possibility of a post-budget snap election. It's no coincidence, therefore, that they are now looking to clean up their online presence and two stories from this week are particularly telling.

First Alan Kinsella, of the invaluable Irish Election Literature website, tweets:

Second, an anonymous user from an Oireachtas IP address attempted a systematic (but ultimately unsuccessful) whitewashing of the Wikipedia entry for Senator Jim Walsh, deleting all reference to various gaffes by him through the years.

There's nothing new about attempts to suppress unfavourable information about Irish politicians - and the current stories are nowhere near the seriousness of the recent incident in which the aide to Derek Keating TD dumped several thousand copies of a local freesheet containing a critical story about his boss. But these examples still raise interesting issues for lawyers. In the case of the Irish Election Literature website - should politicians be able to invoke what would presumably be a copyright argument in order to conceal their past promises? In the case of Wikipedia, should edits made by TDs, Senators or their staff about themselves be disclosed? (Wikipedia certainly thinks so.) More generally, how should Irish law deal with sites such as Politwoops which archive deleted tweets from politicians? Is Twitter correct in saying that politicians should be able to delete their ill thought out tweets without that fact being highlighted - or should we accept that what politicians say is inherently newsworthy?

The Irish courts have yet to confront most of these issues - but it will be interesting to see what happens in an ongoing case brought by a Dublin election candidate who has invoked the "right to be forgotten" against online discussion of his election literature. Hopefully this will result in a judicial statement affirming the strong public interest in political discussion.

Tuesday, June 16, 2015

Downloading or accessing certain material could constitute a criminal offence

Poster put up in London internet cafes from 2010 onwards
Background:
It's not about asking owners to spy on their customers, it's about raising awareness," a police spokesman said, speaking anonymously in line with force policy. "We don't ask them to pass on data for us."Still, he said, police were "encouraging people to check on hard drives." He did not elaborate, saying it would be up to cafe owners to decide if or how to monitor what customers left on their computers.

Monday, May 04, 2015

PPS numbers: internet saviours?

Bank Holiday Mondays are quiet news days, making them a good time to get any old nonsense into the newspaper. Today is no exception as the Irish Times appears to have taken the opportunity for a special edition of breathless internet fear-mongering.

The prime example is this piece which makes the literally incredible assertion that "The PPS number provides the Irish Government with an opportunity to dramatically improve the safety of children and young people online." (Following on, no doubt, from the success of PPS numbers in the delivery of water services.) In effect, the author is demanding internet identity cards for the wider population. This is an astonishingly bad idea, as anybody with even a passing familiarity with the Korean internet ID fiasco should know.

So why is the author pushing this? The byline reveals that the author is "founder and CEO of TrustElevate, a technology products and services company that specialises in regulatory, policy and compliance online." But what the byline doesn't say is that her firm is selling the technology which the article promotes. According to its own site, "Trust Elevate is a UK-based technology solutions and advisory company. Our focus is on identity, privacy, security and safety from the perspectives of reputational compliance and commercial opportunities."

In short, the author is shilling her own service under the guise of an impartial opinion piece. This is bad enough in itself, but more fundamentally it is a distraction from what really needs to be done to protect children online.

At the most basic level, gardaí are dramatically under-resourced in dealing with the internet. The 2014 Garda Inspectorate report revealed there have been up to four year delays in analysing seized computers; that the Paedophile Investigation Unit had one (!) computer to receive and download evidence; that 40% of Garda stations are not networked and have no access to PULSE or internal email; that evidence cannot be shared electronically; and that even in networked stations many gardaí have no access to social media or external email.

One might expect that those genuinely interested in child welfare would address these basic points first. But where's the profit in that?


-----------

Some excerpts from the Garda Inspectorate Report - emphasis mine:
The current Garda Síochána IT system restricts the sending of evidence electronically, resulting in investigators having to travel to Dublin to view evidence. PIU only have access to one standalone computer to receive and download evidence, as they are unable to use PULSE. This is a fundamental tool for investigation of these crimes. When evidence arrives, it can take days to download information and this removes the availability of the computer to be used by investigators coming to the unit to view evidence for other cases. PIU gave an example where one case had over 8,000 videos.

Another problem area is the restriction placed on districts accessing social media sites. As a result, the PIU is swamped with requests from districts for help in cases under investigation. Since 2001, the unit has used a paper system for managing investigations and would like to move to an electronic system. Internally, the PIU uses an electronic spread sheet to monitor cases. There is a concern that two investigators could potentially be looking at the same suspect, without knowing that another garda is also investigating a crime against the same suspect. Like the SOMU, all PIU staff work on the same roster and again are all off-duty at the same time.

The delay in obtaining evidence from analysis of computers has contributed to a situation where no PIU investigation case file has been sent to the DPP for directions in the last four years of operation.


A consistent theme throughout the inspection of national and district intelligence units was that outdated IT equipment blocked them from accessing or viewing evidence about a crime. The Inspectorate was informed that the National Intelligence Unit is working on outdated software and is unable to load PDF documents and to view photographs. CIOs in particular experience daily challenges in accessing the necessary IT applications and equipment to perform their role effectively. CIOs often use personal laptops and computers to view CCTV footage, to download stills and to turn those stills into briefing documents and bulletins. This represents a risk of breaching security of intelligence data, but their motive is to ensure that intelligence is provided to local gardaí.

The access of gardaí to external e-mail was very inconsistent across the seven divisions. Some members stated that they had no external e-mail access and other gardaí explained that if you apply for access then it will be given. Many victims would like the option to use e-mail to communicate directly with the garda dealing with their case and it would ensure that the member actually received their message.