Archive for May, 2010

Pulling the plug is not the answer

Dr. Richard Tynan and I have a piece in Saturday’s Irish Examiner discussing the implications of Eircom’s “phased disconnection” scheme. Unfortunately it doesn’t seem to be on their website, so here’s the full text:

Pulling the plug is not the answer

Earlier this week Eircom announced that it has started “the phased disconnection of file-sharers” on its network – colloquially known as a “three strikes” policy.

The key players in this procedure are Eircom, the Irish Recorded Music Association (IRMA) and technology firm Dtecnet. Under the procedure IRMA will provide Eircom with the IP addresses of machines that Dtecnet claims to have found to be infringing the copyright of its members. This will then trigger a disconnection procedure by Eircom starting with a letter, moving on to temporary suspension of an account, and ending with the disconnection of the account for up to a year.

In Ireland, one must generally have engaged in some form of wrongdoing in order to be punished. It is clear that the disconnection of one’s internet access is quite a severe punishment in today’s digital society.

But one problem with the approach adopted by Eircom is that the wrongdoer and the person who is disconnected may not be the same person.

The evidence used to identify alleged filesharers is unreliable.

Recent studies in the US have shown that copyright holders often act on flimsy evidence – in one case, accusing three laser printers of illegal filesharing. Similarly there is substantial evidence of UK users being wrongfully targeted. This may in part be due to deliberate tactics to sow confusion.

For example, the operators of filesharing site ThePirateBay have confirmed that they insert random IP addresses into the information they provide as to who is sharing what file.

But whatever the reason it is likely that innocent Irish users will face wrongful accusations.

In addition, in the era of wireless technology it is very common for an internet connection to be shared by many members of a household. In fact, Eircom offers wireless routers as part of its broadband bundles. This means that cutting off internet access based on the actions of one user will have a detrimental effect on all the others using the same connection for education, entertainment or business purposes.

If a husband is accused of filesharing, should this have the effect of preventing his children from doing their homework, or his wife from working at home?

It is clear that in the household context, the alleged wrongdoer and the individuals punished are not the same and the impact can be wholly disproportionate.

There’s also a risk that users may be accused based on somebody else piggybacking on their wireless connection. In November 2009 it was revealed that Eircom had negligently supplied insecure wireless modems, affecting up to 250,000 users.

Consequently anyone within the signal range of these users can illegally share files without the account holder’s knowledge – and there is even an app for the iPhone to make this process easier.

Eircom state on their website that they will not disconnect business customers but the effects of these measures on a small business could be catastrophic where they have an ordinary household account (as many do).

Through no fault of their own, a small business might find their internet connectivity withdrawn because of the actions of another family member, a malicious neighbour or even because they happen to be unlucky enough to be assigned the same IP address as one ThePirateBay has randomly inserted into files sharing the latest U2 album. This is worrying in a situation where a person’s livelihood is at stake.

One criticism of the current approach is that it shifts the burden of preventing illegal file sharing onto the ISPs, driving up the cost of broadband for private users and businesses. While this is true, it in fact goes much further than that. The logic of this deal – particularly if it is extended to other ISPs – potentially places a burden onto small businesses such as hotels and coffee shops to police their users’ activity. This will come at a significant cost to these businesses who have limited resources in these hard times.

Quite apart from these criticisms, there are also significant problems of principle. Internet access is today a fundamental right and a necessity – especially as the government moves more public services online – but this system threatens to take away that right based on nothing more than a private agreement between IRMA and Eircom.

In other European countries proposals for similar laws have been the subject of public consultation and debated by national parliaments. Here, however, there has been no legislation and no Government or Oireachtas input of any sort. Indeed the full details of the deal between Eircom and IRMA have never been published. A recently passed European law requires that disconnection of internet users should be subject to “adequate procedural safeguards” and “effective judicial review” – this deal, however, doesn’t appear to provide for either.

Instead, it allows users to be disconnected with no right of appeal to any independent body.

In summary, the Eircom / IRMA deal and the “graduated response” procedure is a worrying development for Irish internet users – one which has been undemocratic in its adoption and is likely to be unreliable in its application.

TJ McIntyre is a Lecturer in the School of Law, UCD and chairman of Digital Rights Ireland

Dr. Richard Tynan is a Postdoctoral Research Fellow in the School of Computer Science and Informatics, UCD

1 comment May 31st, 2010

Leaked report on Data Retention Directive shows fundamental flaws

Under Article 14 of the Data Retention Directive the Commission must produce a public evaluation of the application of the Directive before 15 September 2010. A draft version of that document has now been leaked (along with the Irish Government’s submission) and makes for very interesting reading.

Karlin Lillington has an excellent summary in today’s Irish Times, and here are some of the highlights:

Ireland is one of the countries accessing private information the most:

THE GARDA made more requests for phone-call traffic data in 2008 than police in Germany, which has 20 times the population of the Republic.

According to a leaked draft of a European Commission report, gardaí made more than 14,000 access requests for call data in 2008, a rate about 40 per cent higher than had been previously assumed by data privacy advocates, who had based an estimate of 10,000 on figures provided in the past by gardaí to the Office of the Data Protection Commissioner.

Older data is very seldom accessed:

According to the report, the vast majority of data requests across the EU – 85 per cent – are made when the data is less than seven months old, with the bulk of requests, 70 per cent, filed for data held for less than three months.

Statistics gathered from member states “support the conclusion that the relevance of data decreases significantly” with age, the report says.

The report found no concrete evidence from any state to support longer retention periods. “No objective elements were found that could support the choice of the retention period: neither the prevalence of certain forms of crime, the geography of the [member state], or (in-)efficiencies of a law enforcement organisation seem to support the choice,” it says.

The report shows there are very few requests within any state, including Ireland, for data after 12 months. Only 109 requests in aggregate from eight EU countries including Ireland were made in 2008 for mobile data held longer than 18 months. Only 39 total requests from the same eight countries were made for fixed-line call data stored longer than 18 months.

Fears of function creep have been borne out, and data retention is being used for matters such as filesharing cases:

It also notes that many member states have implemented the EU data retention directive by widening its scope and retaining data that was not retained in the past, often allowing it to be used for more purposes than outlined in the directive, such as for civil litigation on copyright in the UK. Such expansion is referred to as “mission creep” by privacy advocates.

Irish companies will be at a competitive disadvantage due to data retention:

The report says some respondents feel that in states with lengthy retention periods, private industry is at a competitive disadvantage because of the burden and costs that retention may impose directly or indirectly.

Several network operators said the need to invest in retention infrastructure had caused them to delay or abandon improvements to national networks.

Deutsche Telekom claimed it had spent €5.2 million on implementation of retention infrastructure and €3.7 million a year to facilitate about 13,000 call data requests and 6,500 internet data requests. Other operators said they had spent in excess of €4 million setting up systems for providing access to stored data.

As predicted, prepay SIM cards have made data retention measures ineffective and have led to Member States – including Ireland – attempting to ban their use:

In the Government’s response to a questionnaire on the State’s implementation of data retention, the Department of Justice noted it was considering ways to identify users of pre-paid SIM cards, an issue which was raised by several states.

In addition to these points, the full document is full of more damning details. For example, not one Member State provided any statistical information demonstrating that data retention was of use in any significant number of cases (p.7), while it’s clear from responses that the Directive – which was sold as a harmonisation measure – has completely failed to achieve this (p.8). Similarly, national data protection authorities have pointed out that they often lack proper powers to supervise data retention and that telecommunications companies often lack proper security over customer data (pp.9-10).

2 comments May 14th, 2010

Data Retention Challenge – High Court update

After last week’s excitement, this week is something of an anti-climax – when the case came back before the High Court today the State applied for and were granted further time to consider the judgment. The case will be listed next on June 11th.

1 comment May 12th, 2010

High Court decision on our data retention challenge

Great news today from the High Court where Mr. Justice McKechnie gave an extremely favourable decision on our constitutional challenge to data retention laws.

While the full judgment is 53 pages long, the gist is relatively simple.

Long story short: today’s decision has cleared the way for our challenge to proceed and to challenge the entire European legal basis for data retention.

(Following the wider European trend where Germany, Bulgaria and Romania have all found aspects of data retention to be unconstitutional.)

The longer version: Today’s decision dealt with three procedural issues which had to be cleared before we can argue the substance of the case: i.e. whether mass surveillance of this sort is compatible with constitutional guarantees of fundamental rights.

The first of these issues dealt with standing: could DRI (as a company, not a natural person) assert rights of privacy? And could it argue the rights of privacy of others? On this point the court held in our favour, accepting that DRI was a “sincere and serious litigant”, which raised these issues with bona fide interest and concern and ruling that it was appropriate for us to argue these points as this was a matter of “fundamental public importance”.

The second point dealt with an attempt by the State to stop the action in its tracks by seeking “security for costs” – i.e. requiring us to make a payment into court to cover the costs of the State should we lose the action. Because of the cost of High Court actions, requiring such a payment at the outset could effectively have prevented the case from being heard. Here the court rejected the State’s application, holding that:

“the matters pleaded in this case do raise issues of significant public importance… Given the rapid advance of current technology it is of great importance to define the legitimate legal limits of modern surveillance techniques used by governments… without sufficient legal safeguards the potential for abuse and unwarranted invasion of privacy is obvious… That is not to say that this is the case here, but the potential is in my opinion so great that a greater scrutiny of the proposed legislation is certainly merited.”

Finally, the third point related to our application to refer this case to the European Court of Justice (“ECJ”). As data retention is now dealt with at a European level, it is important that we be able to challenge the European law in this area – something which can only be done before the ECJ in Luxembourg. Here the court again accepted our argument, holding that a reference to the ECJ was required and that it was appropriate that it be made at the current stage of the proceedings.

So what happens next? There will be some more legal argument next week about the precise questions which should be referred to the ECJ – after that, the case will be referred to the ECJ and will go into their system for a hearing in Luxembourg, which will have implications for data retention across Europe.

8 comments May 5th, 2010

