In 2022 the European Parliament PEGA committee adopted a damning
report on the use of spyware across the EU, following growing evidence of countries such as Spain, Poland, Greece and Hungary
abusing spyware to spy on opposition politicians, the media, and civil society.
Ireland featured in that report, but only incidentally as the home of several spyware businesses which had set up shop in Dublin for tax advantages. Consequently the report leaves unanswered the questions of whether the Irish state is using spyware and if so what legal justifications it is using to do so.
Let's have a quick look at those questions.
There's not a lot of direct evidence here - there is no Irish law specifically governing state spyware and the state refuses to comment on its use - but I obtained an interesting document under FOI which might shed some light on this.
This is the Department of Justice's response to a questionnaire from the European Commission looking for "information from all Member States about the use of spyware by national authorities and the legal framework governing such use". (Cianan Brennan had a good summary of the response in the Examiner.)
The letter to the Commission is careful not to confirm or deny that the Garda Síochána or other state agencies agencies use spyware. In fact, it doesn't even mention the word. However, it does suggest that state agencies do. (Unsurprisingly: as far back as 2015 the
Defence Forces were in discussion with Hacking Team about purchasing their products.)
Neither of these individually allows state malware - the 1993 Act permits interception only, and does not give power to tamper with devices, while the 2009 Act authorises use of surveillance devices, including access to premises to plant the devices, but does not give any express power to interfere with computer systems and specifically excludes anything (such as monitoring of email traffic) that would constitute an interception under the 1993 Act. Consequently neither power on its own would permit the use of spyware.
However by referring to both powers the letter suggests that spyware is being authorised using both of these powers - possibly combining a warrant from the Minister for Justice under the 1993 Act with a District Court authorisation under the 2009 Act in some cases to provide a (shaky) legal foundation for spyware.
If so, this is a major scandal in itself. The 2009 Act was never put forward as authorising spyware and in fact it is drafted in terms which make it clear that it is intended to apply to physical surveillance tools. The key term "surveillance device" is defined as "an apparatus designed or adapted for use in surveillance" - i.e. a physical device rather than software. Judges may authorise "enter[ing] ... any place" for the purposes of surveillance, but aren't empowered to authorise hacking into a computer.
In March 2024 the Irish government
signed up to the
US-led Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware. That statement re-commits Ireland to the
principle that "Governments should ensure transparency on the applicable general legal framework supporting the use of surveillance technologies. Governments should clearly define the legal basis for using surveillance technology with transparency on the safeguards in place to prevent abuse or discriminatory uses." It is the height of hypocrisy for the Irish government to lecture the world about transparency, when denying it at home.
