Monday, April 30, 2012

Record numbers of complaints, data breaches and more (all on a shoestring budget)

The Data Protection Commissioner's 2011 Annual Report was published today. While the whole document is well worth reading, a few highlights struck me as worth particular attention.


Unsurprisingly - particularly in the light of the ongoing Facebook investigation - the report starts by saying that the financial and personnel position of the Office has become unsustainable in light of increased demands, with the warning that failing to remedy this will jeopardise investment in Ireland:
The scope of our responsibilities has changed significantly in the past 3 to 5 years. This arises in particular from the success of the Industrial Development Authority in attracting to Ireland companies conducting significant processing of personal data. We have worked with these companies to help them understand their obligations under EU data protection law towards all EU users of their services.

The legislative proposals presented by the European Commission in January of this year, if passed into law, will involve increased responsibilities for our Office under the so-called “one-stop-shop” arrangement for multinational companies providing services to EU users from an Irish base. While the exact division of labour between data protection authorities has yet to be finalised, it clearly will involve a greater degree of responsibility for our Office in relation to multinational companies which choose Ireland as an EU base. Failure to adequately discharge this responsibility will carry significant reputational risks for the country...

The implications of our increased European responsibilities were brought home to us forcefully in relation to our audit of the activities of Facebook-Ireland. Facebook-Ireland had unambiguously placed itself under our Office’s jurisdiction through changes in its contractual arrangements with its EU users and the establishment of clear responsibility for the processing of their data. We therefore included them in our programme of audits for 2011. This was the most complex audit ever undertaken by our Office, involving about a quarter of our staff resources for 3 months and external technical assistance from University College Dublin (UCD)...

We clearly cannot maintain a similar level of commitment in relation to other multinational companies without additional resources. I am confident that this message is understood by the Government and would hope to be allocated additional resources in the course of this year. [All emphasis added.]

Number of incidents

Complaints reached a record high last year with 1,161 complaints under the Data Protection Acts and 253 complaints under the ePrivacy Regulations (dealing with unsolicited text messages, etc.). Remarkably, data breach notifications outnumbered both types of complaints with 1,167 notifications during the year from 186 different organisations (up from 119 in 2009 and 410 in 2010). This seems to reflect greater awareness of the obligation to notify, rather than any increase in breaches, and presumably will plateau in coming years - but the sheer volume of notifications presents its own challenges.

Unsolicited marketing prosecutions

One area where the DPC has been particularly successful is in relation to unsolicited marketing text messages and telephone calls, where there now seems to be a well-oiled machine in place for prosecuting repeat offenders. In relation to communications providers alone, in 2011 successful prosecutions were brought against:

* Eircom: one unsolicited telephone marketing call, Probation Act applied, €2,000 donation made to charity;
* Vodafone: four unsolicited telephone marketing calls, one text message, total of €3,850 in fines imposed;
* o2: one unsolicited text message, Probation Act applied, €2,000 donation made to charity;
* UPC: eighteen charges relating to unsolicited telephone marketing calls, total of €7,100 in fines imposed.

Political spam now prohibited

Until recently there was an extensive exemption for political direct marketing - one which was arguably incompatible with the requirements of the ePrivacy Directive. This has now been amended, which will no doubt be a relief to Irish voters in the run up to the Fiscal Treaty referendum:
A second issue of concern which I commented on in 2009 was the direct marketing exemption which excluded from the scope of the Data Protection Acts any direct marketing carried out for political purposes by political parties or by candidates for election to political office. I expressed my dissatisfaction then that I was unable to launch investigations into complaints which I received from voters who received unsolicited SMS messages, emails or phone calls even when they had made it clear that they did not wish to be contacted in that way. Had such unsolicited marketing contact been made to members of the public by any other entity, such as a commercial business, there would be no restriction on my investigating the matter. I expressed doubts in my 2009 Annual Report about the consistency with EU Directives of the exemption in this country for such political activities.

I am pleased to report that the Minister for Communications, in framing S.I. 336 of 2011, removed the exemption relating to direct marketing for political activities in the context of marketing communications carried out by electronic means – such as SMS messages, faxes, email and telephone calls. As a result, I am no longer restricted from investigating complaints in this area. Accordingly, in my role as Data Protection Commissioner, I am obliged to investigate any such complaints in this area.

In this respect, arising out of the Presidential Election which took place following the commencement of SI 336 of 2011 on 1 July, I have already issued a warning to a political party about the sending of unsolicited marketing text messages in the course of the campaign. A second such incident is likely to lead to a prosecution. [Although not identified in the Annual Report, the Sunday Times has named Sinn Fein as the offending party.]

Department of Social Protection Audit

One of the greatest offenders against individual privacy has been the Department of Social Protection, formerly the Department of Social Welfare, which has a long and ignominious track record of staff abuse of personal information. (One recent example.) Worryingly, however, the Annual Report confirms earlier reports that Social Protection databases may be open to abuse externally as well as internally - by other state entities which have access to the departmental systems:
Also included in the list of the audits is an INFOSYS investigation. This refers to an in-depth examination of the use of INFOSYS – a database of social welfare data administered by the Department of Social Protection. The INFOSYS investigation focused on the authorised use of INFOSYS by a whole range of external third parties, including local authorities and state agencies. Initially INFOSYS was a ‘desk audit’ entailing extensive correspondence in the second and third quarter of 2011 between my Office and external users of INFOSYS. It was my intention to comment extensively on this investigation in this report but this has not proven possible, given the resources needed, to complete it to a suitable level. However, the interim findings have caused my Office to engage with the Department of Social Protection and the large number of entities authorised to access the system to address the deficiencies identified so far.

Guthrie Cards / Heel Prick Samples

One of the most important issues dealt with by the report is the (long delayed) destruction of illegally-held blood samples taken from all newborns. The full discussion is too long to excerpt here, but one important point (which the media don't appear to have picked up) is that the Minister for Health and the HSE appear to have attempted to evade the Data Protection Commissioner in their efforts to create a national DNA database, by freezing out the DPC from a "review" of the decision to destroy the samples:
A final issue that emerged can essentially be summarised as that it would be useful to continue to hold the millions of samples involved to form the basis of a national database which could be used for health-related genetic (DNA) analysis. We were obliged to point out that the creation of such a database, without the consent of the persons involved (or their parents/guardians as appropriate) would be a clear breach of the Data Protection Acts. It would also run counter to the spirit (if not the letter) of the Disability Act 2005 – which requires individual consent for the carrying out of genetic tests – and of the Marper judgment of the European Court of Human Rights in relation to the retention of DNA samples in a criminal context. However, in light of concerns expressed around such issues, we understand that the Minister for Health asked for a full review of the decision taken by the HSE to destroy the samples on the terms agreed with this Office. We were not a party to this review but it is now completed and at the time of writing the Minister had approved the position previously agreed including the publicity campaign for people to seek earlier deletion or continued retention depending on their own particular preferences.

Security cluelessness

Finally, although it's not an issue of any great significance, I was amused by case study 7 in which insurance company Allianz chose to use three pieces of publicly available information for their "security questions":
Allianz informed us that it introduced three ID security questions consisting of date of birth, mother's maiden name and place of birth. It stated that these questions were introduced to ensure that it was keeping its customer's personal information safe and secure and to prevent any unauthorised disclosure. As previously outlined in my 2009 Annual Report it is our view that the use of questions such as date of birth and mother's maiden name for the purpose of ensuring security of data is not an adequate safeguard against disclosure to a third party. Such questions may in fact be a security vulnerability as this type of information is publicly available upon payment of a fee to the General Register Office and is therefore of limited value on its own as a security feature.

Sunday, April 08, 2012

Surveillance up, but bugs being discovered by targets

Smoke alarm claimed to have been bugged by gardaí
John Mooney and Mark Tighe have a detailed piece in today's Sunday Times arising out of the latest report of the designated judge under the Criminal Justice (Surveillance) Act 2009. Some highlights:
AN INCREASING number of requests by gardai for permission to spy on alleged criminals and terrorists are being rejected because the operations were premature, excessive or contained inadequate information. A report on the state's covert surveillance operations by Kevin Feeney, a High Court judge appointed to audit spying activities by gardai, Customs and the military, found a small increase in the number of cases where gardai were refused permission to plant eavesdropping devices and tiny cameras to spy on people suspected of involvement in paramilitary groups and organised crime.

In one case, a chief superintendent who asked to use an audio transmitter was refused permission because the surveillance was not proportionate to the identified objectives of the operation. Applications by garda officers for surveillance warrants were turned down on the basis that the premises where the device was to be located had not been confirmed as available or appropriate.

The 2009 Surveillance Act allows gardai, the Defence Forces and Revenue Commissioners to break into homes and cars to plant recording devices and tiny cameras to record private conversations. The "product" can be used as evidence in prosecutions. Permission for the surveillance, which can last up to three months, must be granted by a district court judge.

Feeney said the number of cases where gardai obtained district court authorisation to plant devices was "a small double-figure number". The number of authorisations that were declined was fewer than 10, but up on the previous year.

The report, obtained by The Sunday Times, also noted that surveillance and countersurveillance devices can be bought by the public. The judge said the availability of such equipment was brought to his attention when gardai found a device that had been installed by an unknown third party to monitor a person they were spying on. The report makes no reference to the discovery of such equipment by people being spied upon. Security sources say several devices have been detected recently...

I'll upload a copy of the latest report as soon as I have it. In the meantime, the 2009/2010 report is available here.

Fresh claims that Irish police have been hacked

It's been an embarrassing time recently for Irish police, following allegations that Lulzsec hackers were able to compromise the personal email accounts of senior gardaí, enabling them to record an FBI-hosted conference call involving international computer crime specialists. Interestingly, Monday's Daily Mail had a story (which doesn't seem to have been picked up by other Irish media) suggesting that there have been wider breaches of garda security. Excerpt:
A MAJOR Garda security alert into phone and email hacking of the country's highest ranking officers is under way.

The Mail can reveal that deputy commissioner Noirín O'Sullivan has ordered an investigation into apparently widespread phone and email hacking of senior gardaí.

It is understood the investigation has established that Pulse, the Garda intelligence system, has not been compromised.

However, senior security sources say that the emails and phones of senior gardaí have been hacked.

The investigation is attempting to establish the extent of the hacking and for what purpose confidential garda information is being targeted.

The probe has established that the head of police in another European country has had his email illegally accessed by an Irish-based hacker.

At least two other senior police officers in other European forces have had their email compromised.

The investigation is being taken 'extremely seriously' by Garda management and checks are under way on senior officers' phones and emails to see if they have been illegally accessed.

Some gardaí have had their phones and emails hacked, but because of the sensitive nature of the investigation, senior sources could not reveal what exactly has been accessed. A file is being prepared for the Director of Public Prosecutions. One key aspect of the probe is trying to establish for what purpose the hacking was initiated. It is understood that gardaí are checking to see if online Irish-based hackers are sharing the confidential information that has been hacked with others internationally...

As one of the State's two deputy commissioners, Noirín O'Sullivan holds the second most senior rank in the force, with responsibility for operational policing and national security.

The fact she ordered the investigation indicates how seriously the matter is being taken by Garda management.