Thursday, September 21, 2006

Your personal information is for sale: Italian telco in wiretapping scandal

BBC News has reports of an Italian scandal involving telecom company insiders:
Telecom Italia has been in the headlines in recent weeks
Italy's justice minister has started an investigation into whether government officials were involved in an alleged wire-tapping scandal at Telecom Italia.

The news comes a day after police said they had arrested 20 people as part of an investigation into the case.

Prosecutors say the spy ring taped the phone conversations of politicians, industrialists and even footballers.
Of course the information stored by the same telecoms companies under data retention won't be abused. Oh no. Perish the thought.

Tuesday, September 19, 2006

Godaddy caves in case?

This is a fascinating development in the ever-entertaining saga. American company blocks off access to 'rate your lawyer' site - Irish Independent:
"AN American domain name provider has suspended access to the controversial website after an Irish High Court issued a court order to remove offensive material about a barrister from the site., an award winning internet site, suspended access to the portal within 24 hours of an injunction issued by Judge Michael Hanna.

Last Wednesday, Judge Hanna issued an order that defamatory material posted about Jayne Maguire, a barrister, on must be removed with immediate effect.

Ms Maguire has claimed that John Gill, of Drumline, Newmarket on Fergus, defamed her by posting offensive remarks on

Mr Gill, chairman of the Victims of the Legal Profession Society, denied that anything concerning Ms Maguire was published or posted on the site.

Ms Maguire is seeking damages for defamation and privacy and an interlocutory injunction of the statements about her on the site which she says is administered by Mr Gill. have locked access to the site domain name until High Court proceedings are concluded. Lawyers acting for Ms Gill served notice on, an American Internet Service Provider that is host to the site.

It had been thought that was hosting the site which invites Irish people to rate their lawyers, however has now been identified as the ISP and has received notice of the High Court proceedings.
Slashdot has some interesting comments. More on this when I get the chance - but if these reports are accurate I'll certainly be moving my own registrations and hosting from Godaddy.

Friday, September 15, 2006

Gardaí disclosing confidential information to media

This RTÉ News report is worrying, and reinforces the DRI complaint earlier this year about the leaking of mobile phone records by gardaí.:
"Garda Commissioner Noel Conroy is this afternoon to appoint a senior officer to investigate the circumstances surrounding the release of video footage to RTÉ News.

The footage, broadcast yesterday, features two men convicted of dangerous driving, videoing themselves driving at high speed on the N4, near Mullingar, Co Westmeath.

District Court judge John Neilan this morning requested the commissioner to commence an internal investigation.

Judge Neilan said his relationship with the force was deeply strained as a result of events this week.

Judge Neilan said he was appalled by the conduct of the garda officers in the case.

He said the case had first come before him in June and he was satisfied beyond any shadow of a doubt that one of the prosecuting officers had primed the media in respect of the case.

He said that since the tape from the camcorder found in one of the cars was not available to the court yesterday, the only evidence that was available was that as recounted by the Inspector at Mullingar District Court yesterday.

Judge Neilan also said that it was his belief that the evidence of the arresting officers was tainted and embellished by what they saw on the camcorder.

Charges withdrawn

He said that the prosecution had decided without indicating to the court or the media, which apparently had the inside track on the case, that it was withdrawing two of the charges.

Two of the charges related to the material which was used and retained on the camcorder.

The judge said the DPP did not give any reason to the court for not proceeding with those particular charges.

He said that the conduct of members of An Garda Síochána in discussing evidence and possibly releasing material which was intended to be used in the case yesterday was nothing short of scandalous.

Judge Neilan said that the material seized by gardaí was material which was under the authority of his court.

He warned members of the public to be cautious about what he called the hype surrounding this case, and he said that every member of the public should be aware that certain members of the gardaí are priming the media well in advance of any case being dealt with in accordance with the law.

Judge Neilan also said that certain members of the gardaí believe they have 'a God given right to undermine the cases of the DPP and generate as much hype and hysteria as they can'."

Thursday, September 14, 2006

Wednesday, September 13, 2006

McGarr Solicitors and public access to court files

McGarr Solicitors have a new website which has two firsts for Irish solicitors - they're the first firm of Irish solicitors to have a blog (surprisingly Irish barristers have put down their quills and been to the front here), and (more significantly) they've been the first to make some court documents publicly available on their web site.

Court documents in Ireland currently exist in a legal limbo - although justice must be administered in public, the practice has been to limit access to the court file. This is so even though every document in the file might have been read out in open court, and even though there is no rule prohibiting disclosure of the contents. Consequently if you as a member of the public wish to see the papers in a case you are dependent on the good will of the parties. This is unlike other jurisdictions such as the United States, where it is generally presumed that court documents are public documents in the same way that the proceedings themselves are public. I've long felt that the Irish practice is far too restrictive, and it's good to see solicitors making it easier to view these documents.

Thursday, September 07, 2006

Schools fingerprinting children - Data Protection Implications

It seems as though everybody wants to fingerprint your children these days. The latest issue is whether schools can fingerprint children without so much as a parental by your leave. The Register has a very interesting discussion of the data protection issues involved:
Parents cannot prevent schools from taking their children's fingerprints, according to the Department for Education and Skills and the Information Commissioner.

But parents who have campaigned against school fingerprinting might still be able to bring individual complaints against schools under the Data Protection Act (DPA).

DfES admitted to The Register that schools can fingerprint children without parents' permission.

This position has also been taken by the Information Commissioner, who interprets and enforces the Data Protection Act - the law privacy campaigners hope might be used to stop schools fingerprinting their children.

The Information Commissioner's Office (ICO) is drawing up guidance on the use of fingerprints for purposes other than law-enforcement. The guidance will say once and for all whether parents can prevent their children's fingerprints being taken.

David Smith, deputy Information Commissioner, said it was a complex issue that was still being worked out, but it was likely that parents did not have an automatic right to decide whether their children's biometrics could be taken by a school.

"The Data Protection Act talks of consent of the individual - essentially that's consent of the child," he said.

"Now there's a requirement that consent is informed and freely given. That will depend on the age of the child," he said.
Update: Spongebobb asks what the situation would be in Ireland. The Irish Data Protection Commissioner has given guidance on whether children can consent to the use of their personal information, though this doesn't specifically address this situation:
The minimum age at which consent can be legitimately obtained is not defined in the Data Protection Act, 1988.

Section 2A(1) of the Acts states that consent cannot be obtained from a person who, by reason of age, is likely to be unable to appreciate the nature and effect of such consent. Judging maturity will vary from case to case.

In the medical area, the GPIT Guide ( suggests that an individual may be assumed to be competent to give consent for medical purposes on reaching the age of 16 years. Where the individual is below that age, consent may still be given, but this requires that the medical practitioner involved must assess whether a child or young person has the maturity to understand and make their own decisions about the handling of their personal health information. In relation to the right of access to health data, where the individual is below 16 years, it was recommended that the general practitioner should use professional judgement on a case by case basis, on whether the entitlement to access should be exercisable by (i) the individual alone, (ii) a parent or guardian alone, or (iii) both jointly. In making a decision, particular regard should be had to the maturity of the young person concerned and his or her best interests.

In the marketing area, where sensitive data is not involved, including on websites, a lower threshold may be permissible. For example, it is a matter for a company to judge if a 14 year old can appreciate the issues surrounding consent and to be able to demonstrate that a person of that age can understand the information supplied and the implications of giving consent. While care should be taken that a person under that age would not be enticed into a deception concerning his/her age, a clear statement that an age limit applies would normally suffice. Where the company becomes aware at a later date that a person has supplied false age-related information, then that data subject's details should be removed from the live site. Sufficient identifiers may be retained purely for the purpose of blocking future entry attempts by that individual.

Where the company accepts that an individual is a minor and are seeking parental consent, e-mail might not be the best medium, unless they can establish that the e-mail address is genuinely a parent/guardian's e-mail address. A postal address is more readily authenticated, though it still does not preclude a letter being addressed to a sibling.
The closest Irish precedent is a case involving a primary school which put the personal details of pupils on a website without parental consent. The Data Protection Commissioner took a dim view of this:
A parent contacted my Office to complain that the local primary school was publishing personal details of pupils on the school web site, without the knowledge or consent of parents. The details included photographic images of named individual pupils, as well as general details volunteered by pupils regarding their hobbies, likes and dislikes. The parent was concerned that the non-selective publication of children’s details in this way was inappropriate, and could expose the children to unnecessary risks. The parent had raised the matter with the school authorities and was very dissatisfied with the response she had received.

I immediately contacted the school principal to arrange that personal details relating to identifiable children would be deleted from the web site, pending an urgent meeting on this matter. At the meeting, the school principal explained that the web site had been set up several weeks previously in order to meet the educational needs of children in relation to computing. The pupils themselves had been quite positive about the development. Photographs of individual pupils in the junior and senior infants classes had been posted on the web site. Other pupils had been invited to contribute to the web site through other activities, such as filling out questionnaires giving personal information that would be of interest to pupils in other schools, both nationally and internationally. It was noted that the school web site had been given an award by an internet service company in recognition of its merit. As regards parental consent, the principal said that the new web site had been mentioned in a recent school newsletter, and that parents had been invited to come to the school to check it out for themselves.

I pointed out that section 2(1)(a) of the Data Protection Act requires that personal data "shall have been obtained, and the data shall be processed, fairly ". When dealing with personal data relating to schoolchildren, "fairness" in my judgement requires that the clear and informed consent of parents or guardians must be obtained before any use is made of the children’s data. This is particularly so where the use envisaged involves the posting of data on the worldwide web. The principal accepted these points and undertook not to post personal details of schoolchildren on the web site except with the express authorisation of a parent or guardian.
Of course, the children in this case were of primary school age and so unlikely to be able to give an informed consent. It leaves open the question of whether parental consent could still be required in respect of an older child.

Your personal information is for sale - HP spies on directors' home telephone calls

Newsweek has revealed that:
To catch a leaker, Hewlett-Packard's chairwoman spied on the home-phone records of its board of directors.

The confrontation at Hewlett-Packard started innocently enough. Last January, the online technology site CNET published an article about the long-term strategy at HP, the company ranked No. 11 in the Fortune 500. While the piece was upbeat, it quoted an anonymous HP source and contained information that only could have come from a director. HP’s chairwoman, Patricia Dunn, told another director she wanted to know who it was; she was fed up with ongoing leaks to the media going back to CEO Carly Fiorina’s tumultuous tenure that ended in early 2005. According to an internal HP e-mail, Dunn then took the extraordinary step of authorizing a team of independent electronic-security experts to spy on the January 2006 communications of the other 10 directors—not the records of calls (or e-mails) from HP itself, but the records of phone calls made from personal accounts. That meant calls from the directors’ home and their private cell phones. ...

The HP case specifically also sheds another spotlight on the questionable tactics used by security consultants to obtain personal information. HP acknowledged in an internal e-mail sent from its outside counsel to Perkins that it got the paper trail it needed to link the director-leaker to CNET through a controversial practice called “pretexting”; NEWSWEEK obtained a copy of that e-mail. That practice, according to the Federal Trade Commission, involves using “false pretenses” to get another individual’s personal nonpublic information: telephone records, bank and credit-card account numbers, Social Security number and the like. Pretexting is heavily marketed on the Web.

Typically—say in the case of a phone company—pretexters call up and falsely represent themselves as the customer; since companies rarely require passwords, a pretexter may need no more than a home address, account number and heartfelt plea to get the details of an account. According to the Federal Trade Commission’s Web site, pretexters sell the information to individuals who can range from otherwise legitimate private investigators, financial lenders, potential litigants and suspicious spouses to those who might attempt to steal assets or fraudulently obtain credit
The UK Information Commissioner has shown that "pretexting" is prevalent in the UK also, in his report "What Price Privacy? The Unlawful Trade in Confidential Personal Information". While we have no comprehensive report in respect of Ireland, it is likely that it is just as common here.

Incidentally, one of the most common misconceptions about privacy is that it's merely about trusting the government not to abuse its powers. This case illustrates that when you create vast databases, you have to cross your fingers and hope that there is no one else (such as your employer) with a motive to spy on you.

Update: It's now emerged that HP spied on journalists' telephone calls also. Particularly in the US, there's been media lethargy about privacy issues - hopefully there'll be more coverage of the issues as reporters realise that it may be their ox being gored.