The Law Reform Commission has just published a consultation paper on search warrants and bench warrants. In relation to search warrants it points out there is currently a bewildering array of statutory provisions (over 100 different Acts and Regulations) which deal with searches, with different procedures to be followed and different powers of search and seizure in each case. The consultation paper aims, amongst other things, to rationalise the law in this area, and seeks to put in place a single statutory framework.
Surprisingly, though, the consultation paper has almost nothing to say about searches of computers and data. In fairness, it does note that there are some existing (rather patchy) provisions which specifically deal with computer searches – such as the power to require passwords in s.48 of the Criminal Justice (Theft and Fraud Offences) Act 2001. It also makes a very brief reference to the need for specialist forensic examination of seized computers. However it fails to consider any of the difficulties which have emerged when traditional norms are applied to data, much less current proposals which would fundamentally rewrite the law in this area.
To take just a few examples: there is no recognition of the vast quantities of personal data which are often stored on computers, making searches particularly privacy invasive in a way which is not generally true elsewhere. On a similar note, the consultation paper fails to recognise that the effect of seizing a computer and data can often be to shut down a business or to seriously disrupt an individual’s life, and that this often can be mitigated by returning a copy of the seized data. There’s no analysis of how extensive searches of data should be – if, for example, a computer is seized on suspicion of fraud offences should it be permissible to automatically scan the hard drive to detect possible child pornography images? (These and many other issues have been extensively analysed by Orin Kerr in several excellent articles, including Search Warrants in an Era of Digital Evidence and Searches and Seizures in a Digital World.) Similarly, there’s no mention of so-called remote searches (police hacking into computers at a distance), despite the fact that these have been the subject of recent EU proposals.
These and other issues will have to be addressed if the Law Reform Commission analysis is to deal with computer searches adequately in a way which protects privacy – if you’re interested in bringing any of these issues to their attention, you can email them at info@lawreform.ie or make a submission via snail mail using the details on this page.
(Cross-posted from tjmcintyre.com)
December 28th, 2009
Last month the Romanian Constitutional Court issued an important decision holding that national data retention laws were unconstitutional and in breach of the European Convention on Human Rights. The full text of that judgment is now available in English and makes cheering reading for civil liberties advocates, with the Constitutional Court accepting the argument that data retention is a disproportionate intrusion into private lives which is open to abuse. In the words of the Court:
[Data retention] equally addresses all the law subjects, regardless of whether they have committed penal crimes or not or whether they are the subject of a penal investigation or not, which is likely to overturn the presumption of innocence and to transform a priori all users of electronic communication services or public communication networks into people susceptible of committing terrorism crimes or other serious crimes.
November 26th, 2009
The Data Retention Bill goes to Committee Stage before the Dáil today. The Irish Council for Civil Liberties have put together some excellent submissions on how the Bill should be amended to protect fundamental rights – a copy is here.
Séan Sherlock (Lab.) is also on top of this issue and has put forward extremely desirable amendments designed to reduce the retention period and to establish greater transparency in the oversight of data retention – these are available on the Oireachtas website (PDF).
November 11th, 2009
From an email by Bogdan Manolea:
The Romanian Constitutional Court declared, yesterday afternoon, the data retention law (law 298/2008) as unconstitutional, as it breaches art 28 of the Romanian Constitution which provides that secrecy of the letters, telegrams and other postal communications, of telephone conversations, and of any other legal means of communication is inviolable.
So far there is no press release of the Court and the decision has not been published yet, there are only press articles about it. An English report (not entirely accurate) is available on mediafax.
As with the German decisions against data retention, this isn’t directly applicable to our High Court challenge. But it is extremely useful as evidence of a growing trend throughout Europe to find data retention laws constitutionally suspect.
October 9th, 2009
[Cross-posted from IT Law in Ireland]
I’m quoted in today’s Irish Times on the threats made by JC Decaux against Fusio resulting in their taking down their Dublin Bikes App.
Leave aside for a moment the PR stupidity of this strategy.
Ignore if you will the dubious legal basis of their claim. (Without going into the finer points of copyright in facts, database rights, clickwrap agreements or possible passing off, the vague nature of their complaint – “Following our conversion, I confirm that you do not have the rights to use the information published on the web site http://www.dublinbikes.ie/. In particular the data concerning the stations is the property of JCDecaux and cannot be used without our prior authorisation” – makes it clear that they have little idea what they are talking about.)
Think instead about the issue of principle. A body which is operating in partnership with Dublin City Council is attempting to stop an Irish company from providing – free of charge – facts to the public about the service which they offer, without giving any justification for doing so, and without offering an alternative of their own. (I’m happy to see that at least some of our politicians understand the absurdity of this.)
I spoke to the press office in Dublin City Council today, who made it clear that they regard this matter as nothing to do with them. But why not? DCC were happy to work with Fusio to develop the app. Is there no provision in their contract with JCD establishing an obligation to provide information to the public about the service? Will they make sure that future contracts address this type of situation? (And – while I’m on the topic of the contract – why does JCD own the domain dublinbikes.ie? Is there any provision in the contract for the domain to revert to DCC on its expiry?)
- TJ
[Update - since initially posting this I have asked DCC for a copy of any correspondence with JCD over this issue and with any relevant portions of their contract with JCD. This seems to be an issue where JCD would be likely to reverse their stance if pressure were applied (one would hope they understand the risks of bad publicity!) - and where an important point of principle about reuse of data could be established. You may wish to email JCD at info@jcdecaux.ie; you can find contact details for your local councilors here.]
September 25th, 2009
Karlin Lillington has a strong piece in today’s Irish Times about a leaked draft agreement on data retention between state agencies (the Garda Síochána, Revenue and Defence Forces) and the telecoms industry (represented by ALTO, TIF and the ISPAI). Her comments are worth quoting extensively:
A secret memorandum of understanding between State agencies and the communications industry on how to implement the as-yet non-existent Government data retention legislation, confirms longstanding concerns about who is managing the data retention agenda and to what end.
With data retention, it appears that the tail is wagging the dog, in blatant disregard for proper democratic legislative process. The agencies that want access to our call and internet data are bypassing the Oireachtas, which at least theoretically, is the body that draws up and implements legislation.
As one alarmed privacy advocate told me: “This is legislation by decree.” …
No doubt, the argument will be made – and indeed is, within the body of the 13 page memorandum – that the document exists to help streamline the process by which our data are requested and handed over to various bodies that will now be allowed to look at it. Or as the memorandum states: “to promote efficient and effective standards of co-operation between the State and the Communications Industry.”
But it is not the business of the agencies to arrange any such matters privately with the communications industry, especially in the absence of actual legislation, or any public discussion or input, or any significant Oireachtas debate on a Bill that has only recently been published and not yet debated.
A data retention bill has not been passed by the Oireachtas yet, so this extraordinary “agreement” is based on sweeping assumptions, not articles of law.
More startling is the fact that agencies and industry are making such secretive plans for co-operation at all. It is the job of the Oireachtas and, ultimately, the courts to determine how legislation will be interpreted and implemented, not the Garda Commissioner, the Revenue Commissioners or the Defence Forces by private agreement.
This is the equivalent of the Financial Regulator securing a private understanding with Irish companies and banks as to how they will be supervised and how evidence will be obtained from them for investigations.
Another concern is that the memorandum, as it stands, indicates an agreement to obtain data that goes beyond what has been proposed so far in the published data retention bill.
The memorandum arranges for communications companies to hand over ‘‘any available personal details” of an IP address user, e-mail sender or VoIP user, even though the draft Bill (as seen by The Irish Times earlier this year) only requires name and address.
The memorandum also contains an agreement to hand over the MAC address associated with a computer user – the numerical “address” of a physical piece of hardware, such as a laptop, that enables it to connect to a network – though not required by the Bill.
The memorandum concludes with supreme arrogance: a detailed schedule pertaining to what will be handed over and how, matched to the text from the “Act” – again, simply the proposed Bill the Oireachtas has not yet approved. The schedule has a column for the “mutual agreement of retained data” and another for “issues addressed and agreed”.
Excuse me? Since when do agencies and industry get to “mutually agree” how they will privately interpret and comply with publicly mandated legislation (setting aside the glaring absence of any such legislation on which to base their ‘mutual agreement’)?
The memorandum notes in conclusion that it should be disseminated within Government “where necessary” and copies of the signed agreement be filed with legal representatives and stored internally in company files.
So, we have a private deal arranged in advance, in disregard of the role of the democratically elected Oireachtas and with no public input or scrutiny, between State agencies and the communications industry on how they will interpret and act on one of the most controversial pieces of legislation proposed for the State and European Union.
Legislation that has massive privacy and security implications for citizens and for businesses, and which already has been criticised by several leading business figures from indigenous and multinational companies as a threat to Ireland’s business environment.
Such arrangements have no place in a democracy and will surely alarm businesses that have chosen to base themselves in Ireland. Revelations that they exist will not instill confidence that privacy safeguards will be respected for citizens or businesses, nor dispel concerns that other murky off the record arrangements will be made along the way.
To be fair, there are portions of the draft agreement which are highly desirable. It aims to establish a single point of contact principle, which should minimise mistakes and abuse. It seeks to have state authorities digitally sign and encrypt any email requests for information. And it clarifies the appallingly vague technical language in the draft Data Retention Bill in a way which may make it workable.
But these safeguards should be built into the legislation itself, made mandatory and enforceable by judicial supervision. Instead, this agreement leaves them to an ad hoc arrangement between the State and the telecoms industry, and admits that it is merely “a non-binding statement of understanding or agreement [which] creates no legal obligations or commitments on the signing parties”. Moreover, it does so in secret, with no public input into the process. And, as Karlin points out, in some places it goes beyond what the draft legislation would require, and commits ISPs to handing over information without any legal obligation or permission to do so.
Read the full text of the leaked agreement here.
September 25th, 2009
They’re not our words (though we’d agree) but those of Adrian Weckler writing in the Sunday Business Post. Here’s an excerpt:
Unbelievable. That is the only word to describe the loophole that the new Retention of Data bill has created.
For those who missed it, the bill seeks to compel telephone and internet operators to retain details of emails, text messages and phone calls for up to two years. This is to help fight crime. But what are the most popular e-mail services for Irish users?
That’s right: Hotmail, Yahoo Mail and Gmail. Will any of these e-mail services be covered by the bill? Nope. Will messages or instant chat on Facebook, Bebo and Twitter be covered under the bill? No again.
And it gets worse. The bill is supposed to track telephone calls to identify who called who at what time. But will it cover calls made on Skype, Blueface or any of the dozens of VOIP services that Irish people use in their thousands? Nope. Will it cover Skype calls made on mobile phones (like the iPhone or 3’s Inq phone)? No again.
The state’s view of criminals’ communications habits is quite clear. They use a contract mobile phone to make and receive calls and texts. They use a Microsoft Exchange e-mail account hosted with a recognised Irish internet service provider.
And they have an Eircom phone line, on which they organise gang meetings with key lieutenants.
I would really like to know who drafted this bill. What age are they? Have they ever heard of social networking sites? Have they ever heard of Skype? Or do they simply think that organised criminals are complete idiots who openly converse with each other on server-hosted Microsoft Exchange e-mail accounts?
More from yesterday’s Sunday Business Post: 1, 2, 3.
July 20th, 2009
Daithi MacSithigh has put together a summary of problems with the Bill – cross posted here with his permission:
The Minister for Justice in Ireland published the Communications (Retention of Data) Bill last week: it was made available on the Oireachtas website (and brought to my attention by the ever-helpful Darius Whelan), although curiously, some reputable (and normally reliable) newspapers wrote on Monday morning about the legislation being due to be published! It will presumably be debated in the Oireachtas (parliament) when its honourable members return after the summer. Data retention legislation requires service providers to keep certain types of data on the activities of their subscribers and users, and to disclose it to relevant authorities on request. I hope that this post is of interest to Irish and non-Irish audiences, though, as the issues are arising in many jurisdictions, whether through the EU’s data retention directive of 2006 or independently. I also point to this extremely helpful status report on transposition as of January 2009: it shows very clearly that many states have included both judicial authorisation and cost recovery, which are absent from the Irish proposals.
The publication of the Bill isn’t a major surprise. A draft had been leaked, and of course this is but the Irish implementation of the 2006 Directive – so we cannot blame the Irish government alone for bringing forward these proposals. The underlying Directive remains an unconvincing one. I am not opposed to all attempts to use new forms of communication in conjunction with crime prevention, detection and prosecution. Nor am I unsympathetic to the way that some in law enforcement will feel that they are falling behind those who they pursue in terms of the use of technology. But data retention carries with it a financial burden, an administrative nightmare and, most importantly, a shift in the balance between the citizen and the state that may be presumed to be irreversable: surveillance powers, once granted, are rarely rolled back. These are broad powers, requiring retention of everyone’s data even if those having data disclosed are a subset of this (rather than the alternative of notifying a service provider to retain data on a given subject for a limited, specific purpose). As is so often the case, specific information from law enforcement on the problems with existing legislation has not been forthcoming, and public statements focus on the most extreme of cases (the Irish Minister for Justice gave us international terrorism and child pornography in his public comments today). Anyway, to ten questions that occur to me after giving the Bill some consideration.
(1) We are reassured that the legislation, as with the Directive, doesn’t apply to ‘content’, but getting information on who you are communicating with and (particularly in the case of mobile telephony) where you have been over the course of two years is more than trivial – it is a very intrusive way of finding out what a person (unconvicted of any crime) has been doing in their private life. How is this acceptable?
(2) The proposals follow in the disreputable tradition of sidelining the judicial branch – making the powers in essence a general authority for digital search and surveillance operations without a warrant. Nothing in EU law requires that the powers of accessing data be exercisable by senior Gardai (not to mention principal officers in the Revenue Commissioners, a new addition to the Bill that was not part of the earlier draft) – although it does appear tighter than the UK version, which appears to let anyone with a tanard or a lanyard to make a request. There are some safeguards supposedly in place (annual statistical reporting, a judge with the job of monitoring the system), but we’ve seen that they are quite weak: see for example TJ McIntyre’s recent discussion of the current judicial ‘oversight’ of phone intercept and data retention legislation. Furthermore, the officer authorising the access to data merely has to be satisfied that it is required for preventing, detecting, investigating or prosecuting a serious offence – which, for example, carries no need for reasonable suspicion of criminal behaviour on the part of the person whose data is being disclosed. It’s a dragnet-style provision that gives powers to police, Army and revenue officials and enables them to carry out large-scale investigations without any disclosure of such to the affected individuals nor any effective right of appeal or transparency. Why could this system not be restricted to cases approved by an independent judge after specific evidence of necessity is presented by the requesting officer?
(3) Data retention remains doubtful in terms of fundamental rights compliance: in the ECHR, S & Marper v UK questions mass monitoring of the unconvicted, Copland v UK reiterates that traffic data is covered by Article 8 (as I argue here); the German courts are considering various challenges (summarised by Digital Rights Ireland: 1 | 2), and DRI itself is engaged in a challenge to the Directive. The prior case brought by Ireland against the Directive related purely to legal basis and did not address fundamental rights at any stage. Does this legislation comply with the high standards of the protection of fundamental rights that Ireland aspires to meet?
(4) Under the Directive, retention is required for between six months and two years. The UK provisions (SI 2009/859) require a standard 12 month period. The Irish proposals would require it for a year for Internet and two years for telephone. Supporters of the legislation are spinning this as a reduction from the existing (and supposedly stopgap) three year period under 2005 legislation, conveniently neglecting the requirement under EU law to reduce it to a maximum of 2 years in any event. Why is a 2-year period necessary, particularly where other implementing States are able to adopt shorter periods?
(5) No information is provided in the Bill, explanatory memorandum or press release on who will bear the costs of retention. Compare this with, for example, the UK regulations which at least empower the Home Secretary to reimburse ‘any expenses incurred’ (which are well into the millions) in complying with the regulations. Bear in mind, too, that while some providers will keep billing data for obvious reasons, this is not the case for all providers. Who will pick up the bill and why has it not been ‘costed’ in a published impact assessment?
(6) The Bill applies without more to all providers of publicly available electronic communications networks and publicly available electronic communications services. These are wide (and imprecise) definitions that, given that specific statutory obligations are created (’a service provider shall retain’), causes doubt for many (webmail? webmail-like? open wifi? voice IM?). This will cause panic and confusion across the sector and will have seriously damaging consequences for Ireland’s ability to promote itself as a destination for high-tech industries. Compare with s 10 of the UK regulations, which provide that the obligation is only activated when the Home Secretary notifies the provider (although the Secretary does have a statutory duty to notify all relevant providers!) Why does the Government wish to create new duties without precision on who the duties will affect?
(7) There is a ‘redundancy’ provision in the UK regulations (again s 10), which states that the Home Secretary doesn’t have to notify providers where the data is retained by another provider. Presumably, this protects downstream ISPs and similarly situated others. There is no such provision in the Irish legislation and the clear terms would require the same data to be collected at multiple locations. Why are the supporters of data retention so generous with the time, money and effort of others?
(8) The detailed instructions (Sch 2, Part 1, 5(d)) requires retention of the date, time and (cell ID) location of the activation of a ‘pre-paid anonymous (mobile telephony) service’. Is this the end of pay-as-you-go anonymity through the back door?
(9) The definition of ’serious offences’ is broad (although it is an improvement on the draft, which would have allowed the powers to be used for any offence with a 12-month sentence attached to it). Any offence carrying a five-year sentence along with selected other offences (from poisoning to the false reporting of child abuse) count. How were these offences selected and what is the basis for their inclusion?
(10) The complaints procedure under s 10 of the Irish bill is bizarre – you can find out if a disclosure request has been made about you by making a request (if you believe that your data has been disclosed!!), but you will only be told if it has been made if it turns out that the rules have been contravened. Translation: meaningless. And there’s a broad barring of legal action other than the required constitutional right of action. And ‘a decision of the (referee who deals with complaints) … is final’. And evidence obtained in violation of the statute is not automatically excluded, as it should be. Given the argument that those with nothing to fear have nothing to hide, why does the Government fear challenges so much as to bar them?
July 14th, 2009
The Communications (Retention of Data) Bill 2009, published last week, has caused a bit of a stir in this morning’s newspapers. It will give effect to EU Data Retention Directive 2006/24/EC of 15 March 2006 (blogged here) which recently survived challenge by the Irish Government in the European Court of Justice, and it will replace the radically misconceived and deeply flawed stop-gap Part 7 of the Criminal Justice (Terrorist Offences) Act, 2005 (also here) (blogged here).
In essence, the Bill requires telecommunications companies, internet service providers, and the like, to retain data about communications (though not the content of the communications); phone and mobile traffic data have to be retained for 2 years; internet communications have to be retained for one year. This is better than it could have been, in that the Directive would have allowed 2 years for all traffic data; but it is a lot worse than the minimum of 6 months allowed by the Directive. This will impose significant costs on those obliged to retain and secure the data, and those costs will be passed on to their already hard-pressed customers. And it is likely to drive international telecommunications and internet companies to European states which have introduced far less demanding regimes.
Traffic data retention (like any example of pre-emptive and widespread surveillance) is simply a bad idea; it is a massive invasion of privacy; it is founded on the illiberal and anti-democratic suspicion that someone somewhere might be doing something; and it is not good enough to reply that if you have nothing to hide, you have nothing to fear from surveillance. As the prolific and challenging AC Grayling argues in his new book Liberty in the Age of Terror: A Defence of Civil Society and Enlightenment Values (Bloomsbury, 2009; reviewed by The Economist here), this pernicious assertion is “one of the most seductive betrayals of liberty” imaginable; it assumes that
the authorities will always be benign; will always reliably identify and interfere with genuinely bad people only; will never find themselves engaging in ‘mission creep’, with more and more uses to put their new powers and capabilities to; will not redefine crimes, nor redefine various behaviours or views now regarded as acceptable, to extend the range of things for which people can be placed under suspicion—and so considerably on.
The concerns might be met by strong protections coupled with meaningful oversight, but the Bill is worryingly bereft on this score. Although it imposes obligations to retain data, and to maintain it secure, and to prevent unauthorised access to data, it does not provide any redress to someone whose data is retained insecurely or accessed without authorisation; and the Data Protection Acts, 1988 (also here) and 2003 (also here) are inadequate to cope (for example, they would provide no criminal sanction for the News of the World’s recently-disclosed shenanigans). Worse than that, large-scale databases are peculiarly vulnerable to attack – an investigation by More4 News for Channel 4 reported last week (in a story that should give some pause to those planning a system to trace patients for Ireland) that more than 8,000 dangerous viruses have infected NHS computers in the last year, overloading networks, and massively compromising large amounts of personal data.
It is appropriate to restrict individual privacy provided that there is a good reason to do so, and the restrictions do not good too far. In the context of this Bill, the prevention of crime is a good reason, but the restrictions seem to go very far indeed, especially in the absence of proper protections and oversight. In S and Marper v UK 30562/04 [2008] ECHR 1581 (4 December 2008) one of the reasons given by the European Court of Human Rights for holding that the UK’s retention of innocent people’s DNA records on a criminal register infringed their right to privacy was the lack of sufficiently strong safeguards. I am a Director of Digital Rights Ireland; this is one aspect of our ongoing challenge to Ireland’s data retention regime; and this flawed Bill does nothing to alleviate these concerns.
(Cross-posted from Eoin O’Dell’s blog, cearta.ie)
July 13th, 2009
Speaking on the Last Word with Matt Cooper earlier today FF TD Niall Collins trotted out that old canard – “if you’ve nothing to hide, you’ve nothing to fear” – in relation to the new data retention bill. Curiously, when asked if he’d be happy to provide us with his mobile phone bills for the last two years and details of his emails for the last year he claimed not to understand the question and refused to do so.
Just so there’s no confusion we’re repeating the request here – if he genuinely has nothing to hide then surely he’ll be happy to provide us with details of his (taxpayer funded!) mobile phone bills for the last two years and we’ll be happy to put them online. A request has been sent to him by email and by voicemail to his constituency office asking if he will make that information available to us and if not why not. Any reply will be posted to this blog. Though perhaps you shouldn’t hold your breath.
Update (14.07.09): The chutzpah of FF TDs knows no bounds. According to today’s Independent, at a recent FF meeting backbenchers opposed being required to use a swipe card to track attendance:
The TDs also resented the idea of a swipe card that would keep track of their comings and goings at Leinster House and prevent claims for expenses from absent members…
TDs and senators believe that a pilot scheme for civil servants where their attendance and hours in work would be monitored by a swipe card system will be used to check up on them. And while most privately acknowledge that a few may abuse their expenses and allowance privileges, they resent the idea of a “Big Brother system of electronic supervision”.
July 13th, 2009
Previous Posts
