Friday, October 24, 2014

Discovery of encrypted documents

Today's Irish Times has a story arising out of the Quinn litigation against the state which raises important issues around access to encrypted documents:
The family of Seán Quinn is demanding access to three letters sent between former minister for finance Brian Lenihan and then chairman of Anglo Irish Bank Donal O’Connor as part its €2.34 billion claim against the state.  This correspondence relates to late January 2009 and early February 2009, just after the state took the decision to nationalise Anglo as it tottered on the brink of collapse. The family also wants efforts to be made to crack a password-protected email sent by the bank’s chief executive David Drumm to Matt Moran, a close lieutenant, in the midst of the financial crisis in April 2008, according to documents filed in relation to their legal battle...

Legal advisers to the liquidators of IBRC, who are now in charge of Anglo, are refusing to release about 168 documents which they claim are legally privileged, with the exception of the email from Mr Drumm to Mr Moran which they cannot access... [The Quinns] have asked the liquidators of IBRC to instruct IT experts to crack the encoded email or give it to the family so that they can try to do so.

I've already looked at the encrypted Anglo files from a criminal law perspective, considering when police can demand that files be decrypted or that individuals hand over passwords. This case presents parallel civil law issues - when can a party in litigation demand that potentially relevant files be decrypted as part of the discovery process, when the other party does not have the relevant passwords?

This will be the first time this is considered by the Irish courts. There doesn't appear to be any case law on the topic, and it's not explicitly addressed in the Rules of the Superior Courts. It's also not considered in the Law Reform Commission's (rather disappointing) 2009 Consultation Paper on Documentary and Electronic Evidence. The closest Irish material is the 2013 Good Practice Guide to Electronic Discovery in Ireland which suggests that parties making discovery should if necessary attempt to break the protection on encrypted or password protected files (PDF, p.23).

I look forward to seeing the decision on this point.

Tuesday, October 21, 2014

Garda body cameras: quis custodiet ipsos custodes?

Garda body worn camera - screencap from Dublin Says No protest video.
I had a piece in Saturday's Irish Independent on the implications of the new Garda body worn cameras being used at protests against water charges. There wasn't enough room in 750 words to tackle all the issues involved so here are some thoughts that didn't make it into the finished piece:

* While there is almost no transparency around the use of the cameras, for the moment it looks as though they are only being used at protests. This is a relatively straightforward case - public protests are the best case scenario for the use of cameras as situations where there is a limited privacy interest on both sides and a likelihood of confrontation - but isn't at all representative of the problems that would be faced if cameras were rolled out to ordinary policing. For example, would cameras be turned off when gardaí are in private homes? In hospitals?

* In particular, there is a real risk that the use of cameras in day to day policing will lead to a more wary relationship with the public. Will people be deterred from talking to gardaí for fear that their casual conversations may be recorded and reviewed?

* The main financial cost lies not in the cameras themselves but in the management of the recordings they generate. Video requires lots of storage and systems in place to deal with transfer of material from device to server, deletion of material once the retention period is up, flagging of particular recordings to be stored, search and retrieval of material which might be spread across a number of different stations, backups and archiving, ensuring that older file formats can still be read, responding to subject access requests, etc. Have these points have been taken into account in garda planning? Or will we end up with another case of garda tapes being stored randomly in cardboard boxes and covered in mould?

* At the moment garda management are saying very little about these new cameras. In a few months the Freedom of Information Act 2014 will be extended to An Garda Síochána - but in the meantime anyone who has been videoed at a protest can find out more by making a (free) request under s.3 of the Data Protection Acts to determine what data from the cameras are being held and the purposes for which they are being kept.

Thursday, October 02, 2014

Watering down data protection

© P L Chadwick CC-BY-SA-2.0.
It was never likely that people would be happy about paying directly for their water. But public resentment has been stoked further by the invasive questions on the Irish Water application forms, which demand PPS numbers for the householder and all children before the free allowances are granted.
That resentment was only exacerbated when people looked at the data protection notice on the website to discover that Irish Water claims the right to use our personal information to market to us via unsolicited text messages, emails, junk mail and telephone calls and even to send salesmen to “contact the customer… in person”.

What do they propose to sell us? The website says that Irish Water or its agents may contact us about “water related products or services”, whatever those might be. Bathtubs? Swimming lessons? Boats? Perhaps we should expect phone calls at dinnertime which begin “Hi there. I’m calling you today because your body is 66% water.”

Irish Water also claims the right to send our information outside of Europe, which would allow outsourcing of their operations (for example, call centres or IT support) to a low cost location such as India. As originally drafted, their website also stated that information would be disclosed if Irish Water was bought by a third party – though they have since deleted this last point, no doubt because it is too close to the political hot potato that is privatisation of the water system.

Are Irish Water entitled to do these things with our information?

Let’s start with PPS numbers. There has been some talk of the criminal offence of requesting a PPS number without legal authority, but that is a red herring: since July Irish Water has been a specified body entitled to use PPS numbers.

However, the fact that they are seeking PPS numbers at all points to a flawed system

For example, Irish Water tell us that they need PPS numbers of children to confirm their eligibility for a water allowance. Yet the Department of Social Protection already holds this information in relation to child benefit. Rather than create an additional bureaucracy within Irish Water it would have been preferable to leave this within the existing state agency – for example, by simply adding the relevant amount to the child benefit payment. This is already being done for the household benefit, which will be increased by an additional €100 each year towards water bills without any need for anyone in Irish Water to know who is on household benefit.

(Using PPS numbers also creates a fresh problem. Many residents in Ireland - such as foreign students and foreign pensioners - will not have PPS numbers. What is to happen to their allowances?)

Quite apart from the initial request for PPS numbers there is also a problem with ongoing storage. While Irish Water may need PPS numbers to verify water allowances initially, that is no reason to continue storing them once this is done. It is a fundamental rule that personal information should not be stored for longer than necessary – especially in cases such as this, where Irish Water would end up holding a vast database which would be vulnerable to both corrupt insiders and outside attackers. Their apparent intention to store PPS numbers in this way is likely to breach data protection law - particularly if Irish Water follow through on what appears to be a half-baked plan to use PPS numbers to track down tenants for non-payment. Such a use would clearly be incompatible with the purpose for which they claim to be collecting the information.

The situation is no better in relation to marketing. For example, the assertion that Irish Water can send us unsolicited text messages and emails unless we object is wrong. Positive, opt-in consent is required by law before this can be done. Similarly, Irish Water is lacking in the mechanisms it provides to opt-out of marketing. The website makes opt-out excessively difficult by providing only a postal address and telephone number and (because it is not a freephone number) violating the requirement that opt-out should be free of charge. Indeed, it has since emerged that Irish Water staff answering that telephone number are actually unable to register opt-outs in the way promised by the privacy statement.

In relation to transferring our information outside Europe, Irish Water fails again. The website claims that “by submitting data to Irish Water” you agree to such transfers. However the fiction that you consent by filling out the registration form is unsustainable – as Irish Water is a monopoly and there is no choice but to fill out the form then any supposed consent would not be “freely given” as required by European law. Any transfer outside Europe would have to be justified in some other way.

The beleaguered head of PR has appeared on Morning Ireland attempting to extricate Irish Water from this quagmire - stating for example that Irish Water would only be direct marketing via postal inserts with bills, not by phone calls or emails. However her ad hoc assurances are meaningless while the data protection statement still claims much wider rights.

These are fundamental failures to meet basic requirements of data protection law and have already resulted in one change to the privacy statement. The Data Protection Commissioner is now also involved, and it is safe to say that her office will also insist on further changes. However it is astonishing that it is only at this late stage that the privacy issues involved are being given the attention which should have been there from the start.

For more see this excellent series of posts from Daragh O'Brien, who has been on top of the issue from the start: 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10.