Monday, May 04, 2015

PPS numbers: internet saviours?

Bank Holiday Mondays are quiet news days, making them a good time to get any old nonsense into the newspaper. Today is no exception as the Irish Times appears to have taken the opportunity for a special edition of breathless internet fear-mongering.

The prime example is this piece which makes the literally incredible assertion that "The PPS number provides the Irish Government with an opportunity to dramatically improve the safety of children and young people online." (Following on, no doubt, from the success of PPS numbers in the delivery of water services.) In effect, the author is demanding internet identity cards for the wider population. This is an astonishingly bad idea, as anybody with even a passing familiarity with the Korean internet ID fiasco should know.

So why is the author pushing this? The byline reveals that the author is "founder and CEO of TrustElevate, a technology products and services company that specialises in regulatory, policy and compliance online." But what the byline doesn't say is that her firm is selling the technology which the article promotes. According to its own site, "Trust Elevate is a UK-based technology solutions and advisory company. Our focus is on identity, privacy, security and safety from the perspectives of reputational compliance and commercial opportunities."

In short, the author is shilling her own service under the guise of an impartial opinion piece. This is bad enough in itself, but more fundamentally it is a distraction from what really needs to be done to protect children online.

At the most basic level, gardaí are dramatically under-resourced in dealing with the internet. The 2014 Garda Inspectorate report revealed that there have been delays of up to four years in analysing seized computers; that the Paedophile Investigation Unit had one (!) computer to receive and download evidence; that 40% of Garda stations are not networked and have no access to PULSE or internal email; that evidence cannot be shared electronically; and that even in networked stations many gardaí have no access to social media or external email.

One might expect that those genuinely interested in child welfare would address these basic points first. But where's the profit in that?


-----------

Some excerpts from the Garda Inspectorate Report - emphasis mine:
The current Garda Síochána IT system restricts the sending of evidence electronically, resulting in investigators having to travel to Dublin to view evidence. PIU only have access to one standalone computer to receive and download evidence, as they are unable to use PULSE. This is a fundamental tool for investigation of these crimes. When evidence arrives, it can take days to download information and this removes the availability of the computer to be used by investigators coming to the unit to view evidence for other cases. PIU gave an example where one case had over 8,000 videos.

Another problem area is the restriction placed on districts accessing social media sites. As a result, the PIU is swamped with requests from districts for help in cases under investigation. Since 2001, the unit has used a paper system for managing investigations and would like to move to an electronic system. Internally, the PIU uses an electronic spread sheet to monitor cases. There is a concern that two investigators could potentially be looking at the same suspect, without knowing that another garda is also investigating a crime against the same suspect. Like the SOMU, all PIU staff work on the same roster and again are all off-duty at the same time.

The delay in obtaining evidence from analysis of computers has contributed to a situation where no PIU investigation case file has been sent to the DPP for directions in the last four years of operation.


A consistent theme throughout the inspection of national and district intelligence units was that outdated IT equipment blocked them from accessing or viewing evidence about a crime. The Inspectorate was informed that the National Intelligence Unit is working on outdated software and is unable to load PDF documents and to view photographs. CIOs in particular experience daily challenges in accessing the necessary IT applications and equipment to perform their role effectively. CIOs often use personal laptops and computers to view CCTV footage, to download stills and to turn those stills into briefing documents and bulletins. This represents a risk of breaching security of intelligence data, but their motive is to ensure that intelligence is provided to local gardaí.

The access of gardaí to external e-mail was very inconsistent across the seven divisions. Some members stated that they had no external e-mail access and other gardaí explained that if you apply for access then it will be given. Many victims would like the option to use e-mail to communicate directly with the garda dealing with their case and it would ensure that the member actually received their message.

Wednesday, April 29, 2015

"Homophobe" brings Ireland's first "right to be forgotten" court case

A fascinating story in today's Irish Times details what seems to be the first court case in Ireland following the Google Spain ruling. However, a less sympathetic plaintiff would be hard to find. The case is being brought by a Dublin man, Mark Savage of Lios Cian, Swords, who ran in the 2014 local elections on a platform which included reference to "Gay Perverts cavorting in flagrante on the beach in broad daylight". His election literature speaks for itself.



Unsurprisingly, he was not elected. He now apparently objects to a Reddit thread characterising him as "Mark Savage - North County Dublin's homophobic candidate". Following an unsuccessful request to Google to have that thread deindexed, he complained to the Data Protection Commissioner who refused to order that Google do so. He has now appealed against that decision to the Circuit Court. I look forward to a full hearing, though I doubt it will be over in his optimistic estimate of two hours and I doubt he will be successful in his claim that Google should censor discussion of his views as publicly stated in an election campaign. If anything, this appears to be a complaint of defamation dressed up as a data protection matter.

Edited to add: Incidentally, the case also highlights an important structural point - chances are that most of the RTBF cases which become public will involve plaintiffs with relatively weak claims. The individuals with strong arguments to be deindexed will probably succeed in private at the point of initial contact with Google or else before the data protection authority. The only cases to be subject to public scrutiny before the courts will be those where both of the initial decision makers have found that the request should not be granted.

Monday, March 30, 2015

Two data retention cases pose questions for three Ministers for Justice

Two cases have now been brought in Ireland seeking to take advantage of the Digital Rights Ireland decision from the European Court of Justice in order to exclude evidence in criminal trials. First, a case stated in the prosecution of a detective garda alleged to have given false information to GSOC; second, a challenge brought by convicted murderer Graham Dwyer - commenced in January but made public only on his conviction last week.

Given how central internet and phone evidence is to many prosecutions, the only surprise is that it's taken this long for these challenges to be brought and no doubt more will come. Unfortunately it is possible that at least some convictions will be overturned as a result - and the blame for this will lie squarely with the Department of Justice and successive ministers.

Ministers Dermot Ahern, Alan Shatter and Frances Fitzgerald in particular have questions to answer.

Dermot Ahern knew in 2011 that data retention was on very shaky ground. By then data retention laws had been struck down in Bulgaria (2008), Romania (2009) and Germany (2010) - and the Irish challenge was pending before the High Court which had decided that the case raised "important constitutional questions". At this point the Irish law should have been reformed to provide for data preservation and include adequate safeguards identified by those cases, such as a requirement for a judge to approve access to data. Instead the law adopted in 2011 was equally flawed.

Alan Shatter and Frances Fitzgerald are equally if not more at fault. It was clear from the Advocate General's opinion in December 2013 that the Data Retention Directive would be struck down. But instead of replacing the 2011 law implementing the Directive, both ministers adopted the ostrich position. There has been nothing but radio silence from the Minister for Justice since the Data Retention Directive was invalidated just under a year ago. It may be that she hopes by ignoring the problem it will go away. But by doing so she is only ensuring that many more prosecutions and convictions will be put at risk. As I previously predicted, "by continuing to keep its head in the sand the State is only storing up problems for the future".

Tuesday, March 24, 2015

Mixed internet messages from the Indian Supreme Court

The Indian Supreme Court today gave a landmark decision on the Information Technology Act 2000. Most media coverage has focused on the fact that the court struck down section 66A - the offensive messages provision - finding that it was unconstitutionally vague and would have a chilling effect on freedom of expression. This is significant for the ongoing Irish debate on "cyberbullying". The Irish offence of sending offensive messages by telephone is extremely similar to the Indian s.66A offence and there have been calls to extend it to the internet. Today's judgment suggests that this would be unconstitutional. As the Indian Supreme Court stated:
[The English cases] illustrate how judicially trained minds would find a person guilty or not guilty depending upon the Judge’s notion of what is “grossly offensive” or “menacing”. In Collins’ case, both the Leicestershire Justices and two Judges of the Queen’s Bench would have acquitted Collins whereas the House of Lords convicted him. Similarly, in the Chambers case, the Crown Court would have convicted Chambers whereas the Queen’s Bench acquitted him. If judicially trained minds can come to diametrically opposite conclusions on the same set of facts it is obvious that expressions such as “grossly offensive” or “menacing” are so vague that there is no manageable standard by which a person can be said to have committed an offence or not to have committed an offence. Quite obviously, a prospective offender of Section 66A and the authorities who are to enforce Section 66A have absolutely no manageable standard by which to book a person for an offence under Section 66A.

There's been less attention to the court's disappointing findings upholding the section 69A government power to order the blocking of websites where "necessary or expedient so to do, in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above". According to the court, the procedural safeguards established around blocking were sufficient to protect freedom of expression, despite the fact that blocking is ordered by the government itself rather than an independent body:

It will be noticed that Section 69A unlike Section 66A is a narrowly drawn provision with several safeguards. First and foremost, blocking can only be resorted to where the Central Government is satisfied that it is necessary so to do. Secondly, such necessity is relatable only to some of the subjects set out in Article 19(2). Thirdly, reasons have to be recorded in writing in such blocking order so that they may be assailed in a writ petition under Article 226 of the Constitution.

The Rules further provide for a hearing before the Committee set up - which Committee then looks into whether or not it is necessary to block such information. It is only when the Committee finds that there is such a necessity that a blocking order is made. It is also clear from an examination of Rule 8 that it is not merely the intermediary who may be heard. If the “person” i.e. the originator is identified he is also to be heard before a blocking order is passed. Above all, it is only after these procedural safeguards are met that blocking orders are made and in case there is a certified copy of a court order, only then can such blocking order also be made.

Still, it is heartening to see that the Indian Supreme Court apparently considered it essential that both the intermediary and also the "originator" (the person who posts material) should be given the chance to be heard before a blocking order is made. In too many national schemes the only notice - if any - is to the host or social network, not the user.

Thursday, January 22, 2015

Mobile phone records as evidence in Irish courts

Just before Christmas a murder trial collapsed when the prosecution failed to lay the correct evidential basis for admitting mobile phone records against the accused. There's no written judgment but according to media reports:
The State entered a nolle prosequi in the case after Judge Catherine Murphy ruled that telephone records held on a mainframe computer could not be relied on as evidence because there was no evidence that the computer was operating correctly at the relevant time... 
In her ruling at Dublin Circuit Criminal Court Judge Murphy said there must be evidence of the function and operation of the mainframe computer, on which the call records are held. She said: “This must include information that the computer was operating correctly at the relevant time”.
The ruling relies on a 1992 judgement from the UK appeal courts which held that the prosecution must provide evidence of the function and operation of the mainframe computer used to store the records. The Cochrane ruling, which has been upheld by the Irish courts, noted that “the problem of proving transactions of this type must now arise frequently and it should be possible… to devise a standard form of evidence to deal with it.” 
Judge Murphy had earlier ruled that the evidence of the records held on the Meteor mainframe server was not admissible under the 1992 Criminal Evidence Act because the act does not cover automatically held records. 
The evidence in this case was that the records were held, automatically, on the Meteor mainframe server. The prosecution then submitted to the Court that the records could be admitted under Common Law. Judge Murphy ruled against them on this and noted that the UK judgement states there must be evidence “that the computer was operating correctly at the relevant time”. 
The UK judgement states that the prosecution must provide “authoritative evidence about the operation of the relevant machines”. Judge Murphy noted that an engineer from Meteor gave evidence for the prosecution that he had working knowledge of the Meteor computer system but not of the mainframe computer on which the records were held.
Today it seems that another trial has collapsed on the same basis. According to the Irish Times:
The legal argument centred on whether records from mobile phone masts could be relied on to link the phones to the robbery by placing them at relevant times and places. Detectives have developed the network of phones out of a single call allegedly made from the Dublin Mountains to the Richardson family home during the kidnapping. Mrs Richardson testified that the gang had allowed her to call her husband from the mountains. In ruling on the defence application, made in the absence of the jury, Judge Ring said that none of the three mobile phone network experts called by the prosecution could say that the relevant networks were fully operational and functioning on a given day or whether any particular cell sites are out of operation on those relevant dates. She said there was evidence that calls could be routed through another mast if the nearest mast was not operational at the time or if it was busy.
The Cochrane judgment referred to in these reports is R v. Cochrane [1993] Crim LR 98, which was applied in Ireland in relation to mobile phone records by People (DPP) v. Colm Murphy [2005] IECCA 1. It's a little surprising, therefore, that admissibility has become such a contentious issue nearly a decade later. As far as I can tell from the newspaper reports, what has happened is that trial judges have become more familiar with the technology and have become more strict in insisting that the prosecution witnesses can testify to the operation of the system as a whole and not just particular components such as the masts. In the short term this is going to require prosecutors to put forward more technical witnesses from the mobile operators; longer term I wouldn't be surprised to see legislation rushed forward to provide a statutory basis for admitting these records (probably on the basis of certificate evidence).

Incidentally, this is certainly not limited to the case of mobile phone records - the same logic would apply to evidence of IP address allocation and use and other computer evidence. Expect these arguments to be played out soon in other cases involving computers.

Friday, October 24, 2014

Discovery of encrypted documents

Today's Irish Times has a story arising out of the Quinn litigation against the state which raises important issues around access to encrypted documents:
The family of Seán Quinn is demanding access to three letters sent between former minister for finance Brian Lenihan and then chairman of Anglo Irish Bank Donal O’Connor as part of its €2.34 billion claim against the state. This correspondence relates to late January 2009 and early February 2009, just after the state took the decision to nationalise Anglo as it tottered on the brink of collapse. The family also wants efforts to be made to crack a password-protected email sent by the bank’s chief executive David Drumm to Matt Moran, a close lieutenant, in the midst of the financial crisis in April 2008, according to documents filed in relation to their legal battle...

Legal advisers to the liquidators of IBRC, who are now in charge of Anglo, are refusing to release about 168 documents which they claim are legally privileged, with the exception of the email from Mr Drumm to Mr Moran which they cannot access... [The Quinns] have asked the liquidators of IBRC to instruct IT experts to crack the encoded email or give it to the family so that they can try to do so.

I've already looked at the encrypted Anglo files from a criminal law perspective, considering when police can demand that files be decrypted or that individuals hand over passwords. This case presents parallel civil law issues - when can a party in litigation demand that potentially relevant files be decrypted as part of the discovery process, when the other party does not have the relevant passwords?

This will be the first time this is considered by the Irish courts. There doesn't appear to be any case law on the topic, and it's not explicitly addressed in the Rules of the Superior Courts. It's also not considered in the Law Reform Commission's (rather disappointing) 2009 Consultation Paper on Documentary and Electronic Evidence. The closest Irish material is the 2013 Good Practice Guide to Electronic Discovery in Ireland which suggests that parties making discovery should if necessary attempt to break the protection on encrypted or password protected files (PDF, p.23).

I look forward to seeing the decision on this point.

Tuesday, October 21, 2014

Garda body cameras: quis custodiet ipsos custodes?

Garda body worn camera - screencap from Dublin Says No protest video.
I had a piece in Saturday's Irish Independent on the implications of the new Garda body worn cameras being used at protests against water charges. There wasn't enough room in 750 words to tackle all the issues involved so here are some thoughts that didn't make it into the finished piece:

* While there is almost no transparency around the use of the cameras, for the moment it looks as though they are only being used at protests. This is a relatively straightforward case - public protests are the best case scenario for the use of cameras as situations where there is a limited privacy interest on both sides and a likelihood of confrontation - but isn't at all representative of the problems that would be faced if cameras were rolled out to ordinary policing. For example, would cameras be turned off when gardaí are in private homes? In hospitals?

* In particular, there is a real risk that the use of cameras in day to day policing will lead to a more wary relationship with the public. Will people be deterred from talking to gardaí for fear that their casual conversations may be recorded and reviewed?

* The main financial cost lies not in the cameras themselves but in the management of the recordings they generate. Video requires lots of storage and systems in place to deal with transfer of material from device to server, deletion of material once the retention period is up, flagging of particular recordings to be stored, search and retrieval of material which might be spread across a number of different stations, backups and archiving, ensuring that older file formats can still be read, responding to subject access requests, etc. Have these points been taken into account in garda planning? Or will we end up with another case of garda tapes being stored randomly in cardboard boxes and covered in mould?

* At the moment garda management are saying very little about these new cameras. In a few months the Freedom of Information Act 2014 will be extended to An Garda Síochána - but in the meantime anyone who has been videoed at a protest can find out more by making a (free) request under s.3 of the Data Protection Acts to determine what data from the cameras are being held and the purposes for which they are being kept.

Thursday, October 02, 2014

Watering down data protection

© P L Chadwick CC-BY-SA-2.0.
It was never likely that people would be happy about paying directly for their water. But public resentment has been stoked further by the invasive questions on the Irish Water application forms, which demand PPS numbers for the householder and all children before the free allowances are granted.
That resentment was only exacerbated when people looked at the data protection notice on the website to discover that Irish Water claims the right to use our personal information to market to us via unsolicited text messages, emails, junk mail and telephone calls and even to send salesmen to “contact the customer… in person”.

What do they propose to sell us? The website says that Irish Water or its agents may contact us about “water related products or services”, whatever those might be. Bathtubs? Swimming lessons? Boats? Perhaps we should expect phone calls at dinnertime which begin “Hi there. I’m calling you today because your body is 66% water.”

Irish Water also claims the right to send our information outside of Europe, which would allow outsourcing of their operations (for example, call centres or IT support) to a low cost location such as India. As originally drafted, their website also stated that information would be disclosed if Irish Water was bought by a third party – though they have since deleted this last point, no doubt because it is too close to the political hot potato that is privatisation of the water system.

Are Irish Water entitled to do these things with our information?

Let’s start with PPS numbers. There has been some talk of the criminal offence of requesting a PPS number without legal authority, but that is a red herring: since July Irish Water has been a specified body entitled to use PPS numbers.

However, the fact that they are seeking PPS numbers at all points to a flawed system.

For example, Irish Water tell us that they need PPS numbers of children to confirm their eligibility for a water allowance. Yet the Department of Social Protection already holds this information in relation to child benefit. Rather than create an additional bureaucracy within Irish Water it would have been preferable to leave this within the existing state agency – for example, by simply adding the relevant amount to the child benefit payment. This is already being done for the household benefit, which will be increased by an additional €100 each year towards water bills without any need for anyone in Irish Water to know who is on household benefit.

(Using PPS numbers also creates a fresh problem. Many residents in Ireland - such as foreign students and foreign pensioners - will not have PPS numbers. What is to happen to their allowances?)

Quite apart from the initial request for PPS numbers there is also a problem with ongoing storage. While Irish Water may need PPS numbers to verify water allowances initially, that is no reason to continue storing them once this is done. It is a fundamental rule that personal information should not be stored for longer than necessary – especially in cases such as this, where Irish Water would end up holding a vast database which would be vulnerable to both corrupt insiders and outside attackers. Their apparent intention to store PPS numbers in this way is likely to breach data protection law - particularly if Irish Water follow through on what appears to be a half-baked plan to use PPS numbers to track down tenants for non-payment. Such a use would clearly be incompatible with the purpose for which they claim to be collecting the information.

The situation is no better in relation to marketing. For example, the assertion that Irish Water can send us unsolicited text messages and emails unless we object is wrong. Positive, opt-in consent is required by law before this can be done. Similarly, Irish Water is lacking in the mechanisms it provides to opt-out of marketing. The website makes opt-out excessively difficult by providing only a postal address and telephone number and (because it is not a freephone number) violating the requirement that opt-out should be free of charge. Indeed, it has since emerged that Irish Water staff answering that telephone number are actually unable to register opt-outs in the way promised by the privacy statement.

In relation to transferring our information outside Europe, Irish Water fails again. The website claims that “by submitting data to Irish Water” you agree to such transfers. However, the fiction that you consent by filling out the registration form is unsustainable: as Irish Water is a monopoly and there is no choice but to fill out the form, any supposed consent would not be “freely given” as required by European law. Any transfer outside Europe would have to be justified in some other way.

The beleaguered head of PR has appeared on Morning Ireland attempting to extricate Irish Water from this quagmire - stating for example that Irish Water would only be direct marketing via postal inserts with bills, not by phone calls or emails. However her ad hoc assurances are meaningless while the data protection statement still claims much wider rights.

These are fundamental failures to meet basic requirements of data protection law and have already resulted in one change to the privacy statement. The Data Protection Commissioner is now also involved, and it is safe to say that her office will also insist on further changes. However it is astonishing that it is only at this late stage that the privacy issues involved are being given the attention which should have been there from the start.

For more see this excellent series of posts from Daragh O'Brien, who has been on top of the issue from the start.

Tuesday, September 16, 2014

United States v. Microsoft (and Ireland)

I have a short piece in today's Irish Independent on the remarkable legal battle between Microsoft and US prosecutors over access to data on non-US users which is stored in Ireland, which has now resulted in a finding that Microsoft is in contempt of court.

The Irish Independent doesn't allow inline links to resources in stories, so for background here are:
In the piece I suggest that Microsoft might commit a criminal offence under Irish law if it discloses user emails without an Irish court order or other Irish law entitlement to do so. The relevant provision is section 21(2) of the Data Protection Acts which makes it an offence for any data processor to knowingly disclose personal data without the prior authority of the data controller on whose behalf the data were processed.

This does, of course, assume that Microsoft would be a data processor rather than a data controller in respect of the contents of user emails. While there is some debate as to when a cloud service operator should be treated as a data controller rather than a data processor, guidance from the Article 29 Working Party (Opinion 1/2010 on the concepts of "controller" and "processor", p.11) strongly suggests that Microsoft should be treated as a data controller only in relation to content (such as traffic data) which it generates - in relation to the emails themselves Microsoft would be treated as a data processor and would therefore be exposed to criminal liability.

Thursday, August 21, 2014

"State must be more mindful of your private data"

I've waited a while to quote Fr. Dougal McGuire in the national press, but finally got my chance in the Independent:
Last week the Irish Independent revealed further abuses of private files in the Department of Social Protection. The abuses ranged from private investigators illegally accessing personal information, to one male employee who spent up to two hours per day looking up information on women and their partners... The response of the department - that it constantly reviews its internal controls - is reminiscent of Father Dougal McGuire's promise: "As I said last time, it won't happen again".
 Full text.

Sunday, July 20, 2014

"Significant gaps" in Department of Justice IT security

You might think that the Department of Justice and Equality - which is responsible for data protection law in Ireland - would have adequate security in place for its own systems. Apparently not. Here's an excerpt from briefing materials for the new Minister, Frances Fitzgerald:
Significant gaps have been found in levels of IT security in use to protect our systems and data. The systems have become out of date as investment (as with infrastructure) has not been applied to maintaining levels at what would be deemed adequate. A security consultant has been retained and a dedicated security manager has been taken on to review and remediate this deficiency. This will require significant investment and resource to bring us to a suitable level of protection and awareness. (p.82)
Proving the point, the briefing material was released as a PDF with crude redaction, easily defeated by the time-honoured method of copying and pasting the blacked-out material. While the department hurriedly pulled the material from its own site, the entire brief remains available in Google cache.

Wednesday, July 16, 2014

July 2014 updates

Blogging here has been light with most material going on Twitter or DigitalRights.ie instead but I should jot down a few updates you might not otherwise have seen.
  • I've put together a surveillance library on the DRI site which brings together in one place the key sources on state surveillance in Ireland. It is, as far as I know, the first time this has been done and the process of pulling together all the documents highlighted to me just how opaque and fragmented the Irish surveillance systems are.
  • DRI has succeeded in its application for amicus status in Max Schrems' challenge to the transfer of personal data to the US under Safe Harbour. Following the decisions in Digital Rights Ireland and Google Spain it is clear that the ECJ is prepared to adopt strong positions on privacy issues and I look forward to being able to contribute to their continued development of the law.
  • The Internet Content Governance Advisory Group published its report in June. The report is a sensible and balanced assessment which focuses on education and parental empowerment rather than legislative responses. I do have a concern about the recommendation that internet messages should be brought within the scope of the existing law on "grossly offensive, indecent, obscene or menacing" messages - while the recommendation itself is quite nuanced there is a risk that a clumsy implementation could jeopardise free expression online in the way that Fergal and I outlined before the Oireachtas social media hearings last year.
  • In a peculiar case, an Irish man was convicted of criminal damage for posting a Facebook update purporting to be from his ex-girlfriend. He was fined €2,000 for posting a status update from her phone stating that she was a "whore" who "would take any offers". This was the first time that the offence of criminal damage to data was used in relation to social media and it is notable in that the sentence imposed was based not on the damage itself but on the reputational harm the damage caused.
  • The "right to be forgotten" is beginning to have an impact on Irish newspapers.
  • Revenue and Social Welfare staff continue to misuse personal data.
  • Finally, the Irish courts have seen regular convictions for online harassment, using the existing provisions of the Offences Against the Person Act 1997, raising the question whether the Content Advisory Group recommendation for change is genuinely necessary.

Friday, April 11, 2014

ECJ finds data retention unacceptable in a democratic society

My preliminary thoughts on our data retention victory, in yesterday's Irish Independent:

This is a significant decision for Irish law. The Digital Rights Ireland case will now return to the High Court in Dublin which will decide whether Irish data retention law is unconstitutional in light of the European Court of Justice ruling.

It is difficult to see how the national law implementing the directive can stand up to challenge now that the directive itself has been held invalid. Consequently it is very likely that new Irish legislation will be proposed.

More generally the judgment will have fundamental implications both throughout Europe and worldwide. The decision itself is effective throughout all 28 member states and will provide greater privacy protection for over half a billion EU citizens.

It will almost certainly be followed by more cases in other member states by national civil rights groups challenging local data retention laws. It also comes at a time when data protection law throughout Europe is under review and will help to establish high standards for any new law.

Finally, this is the first major ruling on surveillance following the Edward Snowden revelations and is clearly influenced by the abuses which he exposed. The judgment will be of central importance to other cases, pending against the UK government, challenging internet surveillance by the British intelligence service GCHQ. In effect, the European Court of Justice has set out a position which directly rejects the type of indiscriminate mass surveillance carried out by the US and UK governments as being unacceptable in a democratic society.
Full text.

Wednesday, March 26, 2014

Recording of calls to and from Garda stations

I have a piece in today's Irish Independent on the revelation that there was widespread recording of calls to and from garda stations over a number of years. Excerpt:
The revelation that telephone calls to and from garda stations have been systematically recorded since the 1980s raises many fundamental issues for the Garda Siochana and for the wider criminal justice system.

The most grave issue is that each recording likely amounted to a serious criminal offence. Under Irish law, the recording of a telephone conversation on a public network without the consent of at least one party to the call amounts to an "interception", a criminal offence carrying a possible term of imprisonment of up to five years.

Interceptions can only be authorised by a warrant signed by the Minister for Justice, but such warrants are restricted to specific cases involving serious offences and are limited to three-month periods. There is no suggestion that any such warrant was issued in relation to this system, and it is clear that the system as a whole fell well outside the bounds of any possible warrant.

Consequently, unless gardai were notified that their calls might be recorded then a large number of criminal offences are likely to have been committed by and within the Garda Siochana itself.
Full text.

Thursday, March 20, 2014

Yahoo moves from London to Dublin; scuppers UK spies

It's surprising to see Ireland as a privacy haven, but by comparison with the UK we look good. The arrogance of the Home Office is astonishing - it genuinely appears to believe it should be able to dictate where a company runs its business so as to allow it to engage in mass surveillance.
Theresa May summoned the internet giant Yahoo for an urgent meeting on Thursday to raise security concerns after the company announced plans to move to Dublin where it is beyond the reach of Britain's surveillance laws. By making the Irish capital rather than London the centre of its European, Middle East and Africa operations, Yahoo cannot be forced to hand over information demanded by Scotland Yard and the intelligence agencies through "warrants" issued under Britain's controversial anti-terror laws...

The home secretary called the meeting with Yahoo to express the fears of Britain's counter-terrorism investigators. They can force companies based in the UK to provide information on their servers by seeking warrants under the Regulation of Investigatory Powers Act, 2000 (Ripa). The law, now under review by a parliamentary committee, has been widely criticised for giving police and the intelligence agencies too much access to material such as current emails and internet searches, as well as anything held on company records...

"There are concerns in the Home Office about how Ripa will apply to Yahoo once it has moved its headquarters to Dublin," said a Whitehall source. "The home secretary asked to see officials from Yahoo because in Dublin they don't have equivalent laws to Ripa. This could particularly affect investigations led by Scotland Yard and the national crime agency. They regard this as a very serious issue."

Saturday, March 08, 2014

Oliver Connolly is wrong – Sgt McCabe broke no laws with his secret recording

I have a piece in today's Irish Independent on Oliver Connolly's claim that his rights were infringed by secret recording of his comments. To put it mildly, I'm not convinced. Here's the piece with added links:

SECRET recordings by a party to a conversation can be powerful things. When somebody does not know they are being recorded, they are more candid in their comments. They are often prepared to reveal things they would never repeat publicly. The recording then becomes important evidence to expose inconsistencies between public positions and private admissions.

Unsurprisingly, those who are recorded often feel threatened by this. A common response in many jurisdictions – not just Ireland – is to claim that secret recording is illegal or in breach of the right to privacy.

The former Garda Confidential Recipient, Oliver Connolly, has now taken that approach, asserting that his "constitutional right to privacy" was infringed and that garda whistleblower Sgt Maurice McCabe acted "in breach of confidence" by secretly recording and publishing details of a meeting with him. He has also said that politicians, by repeating excerpts under parliamentary privilege, have further violated his constitutional rights.

These, however, are not correct statements of the law. The starting point is that Irish law generally requires only "single party consent" for the recording of conversations – whether on the phone or in person.

Unlike some other countries, where legislation expressly requires that all parties should consent to a recording, in Ireland any one party can record the conversation. Other parties need not agree – or even be informed.

There are exceptions to this general rule. In some situations, data protection law imposes higher duties on businesses, employers and other "data controllers".

But those duties do not apply to information that an individual keeps only for their "personal affairs" – meaning Sgt McCabe's covert recording would not be covered by data protection rules.

Mr Connolly correctly states that Irish law recognises a constitutional right to privacy – and it is true that this right could apply to recordings if they related to his personal life. The carrying out of his public functions is quite another matter. There is no basis for saying that senior public officials enjoy a right to privacy in the way they carry out their duties. Public officials act on behalf of the people – not in any private capacity – and are open to scrutiny about what they do in our name.

In any event, the claim of privacy is misguided where a person voluntarily reveals information in the course of their duty. There can be no reasonable expectation of privacy in information that has been deliberately disclosed in this way, however much a person might later regret the disclosure.

Mr Connolly might superficially appear to have a better case as regards confidentiality. His former title – Confidential Recipient – reflects duties in the 2007 regulations establishing that role to "take all practicable steps to ensure that the identity of the confidential reporter is not disclosed".

But those duties are imposed to protect the identity of the whistleblower. They apply to the Confidential Recipient, the Garda Commissioner, the Minister for Justice and Equality, GSOC, and the Chief Inspector of the Garda Inspectorate – in short, to everyone other than the whistleblower himself. The confidentiality belongs to the whistleblower and can be waived by him.

In any event, even if a duty of confidentiality did apply, it would be defeated by a countervailing public interest that favours disclosure.

In this case, it is clear that there is such a public interest. Mr Connolly is alleged to have said: "If Shatter thinks you're screwing him, you're finished" and: "If Shatter thinks it's you, or if he thinks that it is told by the commissioner or the gardai, here's this guy again trying another route to put you under pressure, he'll go after you."

Such comments about the minister by the person designated to receive complaints of garda wrongdoing can only give rise to very significant concern. They would certainly be a matter of genuine interest and importance to the general public which would override any obligation of confidentiality.

One more law should be mentioned. Sgt McCabe is also subject to the Garda Siochana Act 2005, which prohibits disclosures of information which are "likely to have a harmful effect". But "harmful effect" is defined very narrowly by the legislation to mean only particularly serious and direct harms such as "facilitating the commission of an offence". The information revealed by Sgt McCabe would not come within the terms of this prohibition.

In short, there does not appear to be any support for Mr Connolly's claim that Sgt McCabe made an "unlawful recording". Rather than attempting to shift the focus to the actions of Sgt McCabe, Mr Connolly might do better to consider how he can help resolve the significant public concerns which have been raised by this episode.

TJ McIntyre is a lecturer in the UCD Sutherland School of Law

Saturday, August 31, 2013

What would Turkey like to hide from its citizens?

Internet censorship in Turkey is a prime example of why democracies should not attempt to filter the internet. I've blogged before about the blocking of Richard Dawkins' website by the Turkish authorities, so I was fascinated to learn that a full list of sites which have been blocked by Turkey is available. The information has been compiled by EngelliWeb.com, which identifies 31,694 sites as having been blocked, roughly double last year's number. You can also view all blocked sites as a single page.

Highlights of the blocking list? In addition to Kurdish news sites, it includes the entirety of:

Blogger
Blogspot
Dailymotion
Google Groups
Google Sites
Shoutcast
Ustream.tv
Vimeo
Wordpress
YouTube

One important caveat - not everything on the list is currently blocked. Turkey has flip-flopped on many of these sites, with on-again/off-again bans at different times for different reasons. Some sites - such as YouTube - have also been unblocked after caving in to Turkish government pressure and agreeing to censor for Turkish users.

More on Turkish blocking from the excellent Reporters Without Borders site. The Guardian has a recent piece on how Turkish internet users are getting around this censorship.

Friday, June 07, 2013

Quote of the day

The way things are supposed to work is that we're supposed to know virtually everything about what they do: that's why they're called public servants. They're supposed to know virtually nothing about what we do: that's why we're called private individuals.
Glenn Greenwald nails it.
 

Saturday, May 25, 2013

Will Irish courts take phone hacking seriously?

There's a remarkable story in today's Irish Independent about a woman whose criminal charges were struck out - without even a conviction - despite having been found guilty of listening to her former supervisor's voicemails. From the article:
A CIVIL servant who was found guilty of spying on her former supervisor by hacking into her mobile phone's voicemail messages has escaped punishment.

Dublin City Council employee Severine Doyle (39) had pleaded not guilty to 11 charges under the Postal and Telecommunication Act. However, following a hearing last June, she was found guilty of intercepting voice messages on a phone used by Teresa Conlon, Dublin City Council's head of housing allocation.

Dublin District Court heard that Ms Conlon's voicemail messages had been intercepted over a five-week period, from January 8 until February 11, 2010.

Doyle's sentencing had been adjourned until yesterday. Judge Eamon O'Brien told defence solicitor Declan Fahy: "I will strike it out with liberty to re-enter. I am giving her a chance, the ball is in her court."

During the trial on June 28 last year, Ms Conlon told the judge she found out that some city councillors had said they had listened to tapes of messages left on her phone.
This is an unusual outcome. The offences established carry a possible sentence of 5 years if prosecuted on indictment or 12 months otherwise. There were multiple incidents of phone hacking over an extended period. There was no guilty plea. The offences were aggravated by dissemination of the recorded material to councillors. Despite all this, the case was struck out. This may not have been a case for a custodial sentence, but I see no reason why a conviction shouldn't have been registered to mark the gravity of the offence. While there may be more to the matter than emerges from the media coverage, on the face of it this is a case where the court has failed to give adequate weight to the right to privacy in communications.

Thursday, May 16, 2013

"Anyone who uses Facebook does so at his or her peril"

Lawyers: Angry that former clients are suing you over failed investments? Apparently the correct response is not to post on Facebook "They thought they knocked me down, now they will see the full scale of my reaction. F*** them, just f*** them. They will be left with nothing."

Turns out that Facebook posts are not automatically confidential, and will be admissible in evidence against you in proceedings to stop you dissipating the money you owe. Whodathunkit?

The key passage is at para. 4 of the judgment and neatly summarises why very few posts will attract a duty of confidence:
[A]nyone who uses Facebook does so at his or her peril. There is no guarantee that any comments posted to be viewed by friends will only be seen by those friends. Furthermore it is difficult to see how information can remain confidential if a Facebook user shares it with all his friends and yet no control is placed on the further dissemination of that information by those friends. No evidence was adduced as to how many friends the defendant had and what his relationship was with each of them. It was certainly not suggested that those friends were in any way restricted as to how they used any information given to them by the defendant. For the avoidance of doubt, I do not consider that any of the friends viewing that information would necessarily have concluded that the information was confidential and could not be disclosed. I have received no evidence as to why those friends were in any way restricted as to how they can use information received from the defendant and why they would have known this information was confidential or private