Sunday, July 20, 2014

"Significant gaps" in Department of Justice IT security

You might think that the Department of Justice and Equality - which is responsible for data protection law in Ireland - would have adequate security in place for its own systems. Apparently not. Here's an excerpt from briefing materials for the new Minister, Frances Fitzgerald:
Significant gaps have been found in levels of IT security in use to protect our systems and data. The systems have become out of date as investment (as with infrastructure) has not been applied to maintaining levels at what would be deemed adequate. A security consultant has been retained and a dedicated security manager has been taken on to review and remediate this deficiency. This will require significant investment and resource to bring us to a suitable level of protection and awareness. (p.82)
Proving the point, the briefing material was released as a PDF with crude redaction, easily defeated by the time honoured method of copying and pasting the blacked out material. While the department hurriedly pulled the material from its own site the entire brief remains available in Google cache.

Wednesday, July 16, 2014

July 2014 updates

Blogging here has been light with most material going on Twitter or instead but I should jot down a few updates you might not otherwise have seen.
  • I've put together a surveillance library on the DRI site which brings together in one place the key sources on state surveillance in Ireland. It is, as far as I know, the first time this has been done and the process of pulling together all the documents highlighted to me just how opaque and fragmented the Irish surveillance systems are.
  • DRI has succeeded in its application for amicus status in Max Schrems' challenge to the transfer of personal data to the US under Safe Harbour. Following the decisions in Digital Rights Ireland and Google Spain it is clear that the ECJ is prepared to adopt strong positions on privacy issues and I look forward to being able to contribute to their continued development of the law.
  • The Internet Content Governance Advisory Group published its report in June. The report is a sensible and balanced assessment which focuses on education and parental empowerment rather than legislative responses. I do have a concern about the recommendation that internet messages should be brought within the scope of the existing law on "grossly offensive, indecent, obscene or menacing" messages - while the recommendation itself is quite nuanced there is a risk that a clumsy implementation could jeopardise free expression online in the way that Fergal and I outlined before the Oireachtas social media hearings last year.
  • In a peculiar case, an Irish man was convicted of criminal damage for posting a Facebook update purporting to be from his ex-girlfriend. He was fined €2,000 for posting a status update from her phone stating that she was a "whore" who "would take any offers". This was the first time that the offence of criminal damage to data was used in relation to social media and it is notable in that the sentence imposed was based not on the damage itself but on the reputational harm the damage caused.
  • The "right to be forgotten" is beginning to have an impact on Irish newspapers.
  • Revenue and Social Welfare staff continue to misuse personal data.
  • Finally, the Irish courts have seen regular convictions for online harassment, using the existing provisions of the Offences Against the Person Act 1997, raising the question whether the Content Advisory Group recommendation for change is genuinely necessary.