Wednesday, December 19, 2012

Cloud surveillance in Ireland: coming soon to a server near you?

There's an excellent article by Peter Swire in the current International Data Privacy Law journal titled "From real-time intercepts to stored records: why encryption drives the government to seek access to the cloud". The core argument is relatively familiar though particularly well articulated - with the move away from conventional telephony and towards the use of VOIP, webmail and encrypted web connections over SSL there are growing problems for national governments in using traditional surveillance powers. Instead governments are increasingly attempting to access stored communications after the fact, where these are held in cloud services.

An important implication is that this divides up countries into "haves" (where cloud services are based and can be compelled to cooperate) and "have nots" (who will lack leverage over foreign companies). Consequently, as he puts it:
the 'have nots' become increasingly dependent, for access to communications, on cooperation from the 'have' jurisdictions... This technical possibility to respond to process leads to an important, specific split between the ‘haves’ and ‘have nots’. Some jurisdictions will have the cloud server in their jurisdiction, with relatively straightforward access to the stored records under local law. Other jurisdictions will not have such access. They will have to use a Mutual Legal Assistance Treaty (MLAT) or other mechanism to gain access to the holder of the records. These ‘have not’ jurisdictions may well face added expense and delay in gaining access to the records. In some (or perhaps many) cases they will not be able to access records that they consider important for law enforcement or national security purposes. Conversely, cloud providers and other holders of records are likely to face an increasing number of lawful access requests, from a potentially bewildering array of jurisdictions.
So what does this mean for Ireland? Think about these recent headlines: "Dropbox to establish Irish office", "Twitter ramps up hiring in Dublin", "Facebook is liking Ireland more and more". Add Google and other companies with Dublin HQs and suddenly Ireland becomes - in Swire's analysis - one of the "have" jurisdictions when it comes to internet surveillance.* Better yet, it's a jurisdiction with antiquated laws on surveillance, where oversight of police activities continues to be inadequate. Consequently we can expect both domestic and international interest in accessing the contents of these cloud services - with the added advantage that the out of date Irish law might allow the more stringent requirements of US law to be evaded in the case of providers with their main base in the US. Watch this space.


*There is one possible caveat - some US providers appear to be basing only e.g. sales and marketing functions here, leaving actual data hosting in the hands of a different (US) corporate entity and therefore theoretically outside the scope of the Irish authorities. It remains to be seen though whether this will be effective.

Tuesday, December 18, 2012

Voyeurism as harassment

There's an case reported in today's Irish Independent about a man convicted of hiding a camera in the shower of a women's locker room. In the absence of a voyeurism offence in Irish law he was charged with harassment contrary to s.10 of the Non Fatal Offences Against the Person Act 1997. This isn't the first of these cases and a practice has developed of using the 1997 Act in these circumstances. At first glance this might seem to be a good fit - the definition of harassment does after all cover situations where a person by "watching" another person thereby "seriously interferes with the other's peace and privacy". However, it seems to me that s.10 isn't a substitute for a dedicated voyeurism crime along the lines of the English offence. In particular, the section is aimed at overt harassment and requires that the harassment be carried out "persistently". Once-off incidents - including once-off cases of voyeurism - wouldn't be covered on this basis.

Monday, December 03, 2012

Irish mobile phone companies: still spammy

Last year, following a complaint to the Data Protection Commissioner, I finally received an apology from Carphone Warehouse for multiple spam text messages sent to my phone. It seems that they didn't get the message then. From today's Irish Times:
Carphone Warehouse was fined €1,250 on each of two charges relating to the sending of an unsolicited email marketing messages. The court heard the company had previously been warned in relation to similar breaches, although it had no previous convictions.

Meteor was also prosecuted over the sending of an unsolicited marketing email. The customer who complained to the Data Protection Commissioner had previously gone to "some lengths" to ensure he would not be contacted by the company, the court heard. While the customer was the only one who complained, the message had been sent to between 11,000 and 18,500 people who should not have received it, the court heard. Counsel for the Data Protection Commissioner agreed that while Meteor had no previous convictions for such offences, it had previously had the benefit of the Probation Act. Judge O'Neill said that if the company paid €5,000 to Temple Street children's hospital by December 17th, he would strike out the charge. If the money was not paid by that date he would convict and impose a fine of €5,000.

Hutchison 3G, trading as Three, was prosecuted on three counts - one of sending an unsolicited email, one in relation to an unsolicited phone call, and a third in relation to an unsolicited marketing text message sent to deputy data protection commissioner Gary Davis.

Judge O'Neill asked the company to pay €2,500 to Crumlin children's hospital by December 17th. He said if such payment was made he would strike out the charge. He took two of the three charges into account.
Pro tip: if you're going to spam, try not to spam the Data Protection Commissioner's Director of Investigations.