Posts filed under 'Mass surveillance'
Last week the Cabinet approved the heads of a Surveillance Bill which, if enacted, will allow Gardaí to break into private property to place covert video cameras and audio bugs, and to use evidence gathered in that way in criminal prosecutions. The Bill – which was already on the legislative programme but was rushed forward after the murder in Limerick of Shane Geoghegan – is intended to place existing Garda practices on a statutory basis in line with Ireland’s obligations under the European Convention on Human Rights.
At the moment, due to the lack of statutory controls, material gathered in this way (such as transcripts of conversations) can be used for intelligence purposes but would not be admissible in criminal trials. The Bill aims to remedy this by providing that Gardaí will have to obtain authorisation from a District Court judge before this type of surveillance can be carried out (except in cases of exceptional urgency) and that a designated judge of the High Court will keep the overall operation of the system under review. In addition, these methods can only be used in respect of crimes carrying a possible sentence of at least five years imprisonment and where the surveillance is, in all the circumstances, proportionate.
The Bill promises to regularise the law in this area and to that extent must be welcomed. It is unfortunate, however, that it took a high profile and tragic murder before this was given priority. As far back as 1996 the Law Reform Commission in a Consultation Paper identified a need for reform and in a 1998 Report it recommended that there should be a legal basis for Garda surveillance of this type. Successive Ministers for Justice have, however, largely ignored this recommendation. (The most remarkable example being in 2006 when the Privacy Bill introduced by then Minister for Justice Michael McDowell targeted surveillance by the media – but entirely excluded Garda surveillance from its scope.) In light of over a decade of government inactivity, the Bill is long overdue.
The timing of the Bill aside, its provisions generally represent a substantial step forward. It has clearly been influenced by the constitutional guarantee of the inviolability of the dwelling and the safeguards which it provides are more robust than those recommended by the Law Reform Commission. It introduces for the first time in Irish law the principle that judicial approval should be required before surveillance is carried out. Unlike other forms of surveillance such as data retention – which currently can be used in respect of even the most minor crimes – the Bill is limited to genuinely serious offences and also introduces a requirement that the surveillance must be proportionate having regard to the impact on the rights of innocent third parties.
There are of course some aspects of the Bill which could be improved. For example, the procedure to deal with cases of exceptional urgency is too lax. Under the Bill as it stands those cases would bypass the judicial process entirely, so that surveillance could take place for up to 14 days without any authorisation. There must be a question mark as to whether this provision would be constitutional if it was used to break into and bug a dwelling. Instead, it would be preferable to deal with cases of urgency by permitting Gardaí to commence surveillance without a judicial authorisation but then requiring that an application be made to the District Court for permission to continue the surveillance.
However, while the Bill is generally good as far as it goes, there is a strong argument to be made that it doesn’t go nearly far enough.
Despite its broad title, it addresses only one very narrow area – the covert surveillance of locations by devices which are physically planted in those locations. Many other forms of surveillance – such as the use of GPS devices to track the position of cars, the use of long range cameras and microphones to monitor locations from a distance and live monitoring of internet activity – will still be entirely unregulated. As a result there will continue to be doubt as to whether Gardaí have the power to use these types of surveillance and as to whether the resulting evidence can be used in criminal prosecutions.
Meanwhile, although there is some legislation regulating other forms of surveillance such as the interception of communications, data retention and Garda use of CCTV, that legislation has developed on an ad hoc and reactive basis with few consistent principles applying to its use or oversight. Much of it is also out of date, most notably the 1993 interception of communications legislation which due to technological changes no longer adequately protects email and other internet communications.
Considered as a whole, therefore, the wider Irish law is inadequate. Given that many of these issues were flagged by the Law Reform Commission in 1998, it is hard to see any justification for the failure to address them to date. Although this Bill does provide for some improvements, it is at best a piecemeal response which will not address similar problems with other forms of surveillance. It is clear that the time has come for comprehensive reform of the overall law relating to surveillance. This Bill is a good first step towards that reform. But it is only a first step, and it would be regrettable if the government were to continue to ignore this area until forced to act by another highly visible crime.
November 28th, 2008
The Irish Times is reporting that the Joint Committee on European Scrutiny (a cross party committee which examines proposed EU legislation) has published a report which is highly critical of European proposals on passenger records.
The draft Framework Decision on the Use of Passenger Name Record (PNR) for Law Enforcement is an astonishing proposal which, if passed, would establish giant databases tracking the travel of every individual, logging details of every flight they make and keeping that information for 13 years. That information could then be accessed and shared with other countries without any individual suspicion, much less any form of warrant or prior permission. The proposal envisages using this information for “profiling” of all passengers. As originally proposed, the database would apply only to international flights (entering or leaving the EU) but some states are now pushing to extend this to include all flights within the EU while the UK is taking this further still and is seeking to create a database of all ferry and rail traffic within the EU.
This proposal has already been the subject of criticism across Europe from, for example, the European Data Protection Supervisor. In a presentation to the Joint Committee the Data Protection Commissioner clearly explained why the proposal is unacceptable:
We all support reasonable and proportionate measures to counter violence perpetrated against innocent people, but such measures should represent a proper balance between the need to combat such illegality and the rights of the innocent majority to go about their daily lives without undue interference by the State. In my opinion, and that of my EU colleagues, the Commission proposal fails this test. The proposal involves an obligation on air carriers to transmit to a state authority, called a “passenger information unit”, the PNR information that the passenger has provided to the air carrier in respect of any journey by air into or out of the European Union. The information typically includes contact details, such as address, phone number and e-mail, as well as payment information, such as credit card details. Under the proposal, the information has to be retained by the passenger information unit for a total of 13 years.
Such information is given by a passenger for the purpose of the provision of a service, namely air travel. The Commission proposal is that this information should be transmitted to state authorities for a totally different purpose, the combating of what is described as terrorism and organised crime. It is a basic data protection principle that information collected for one purpose should not be used for another purpose and should be deleted when no longer required for the purpose for which it was collected. The Commission proposal offends against this basic principle. Under the proposal, air carriers will have no choice but to hand over a complete record of an individual’s movements in and out of the European Union to a state entity that will retain it for 13 years, and not only a record of travel, but also of contact and payment information.
Many regular travellers would have difficulty recalling where they had travelled to, even in the past year. With this proposal, the state will have a detailed record of all such travel in and out of the European Union, and for a period going back 13 years. Therefore, whether it is a business trip to Singapore, a shopping trip to New York or a holiday in Morocco, the state will have full details. Can this invasion of individual privacy be considered a proportionate response to threats from the small number who may be tempted to engage in terrorism or organised crime?
One must also have concern for the ability of the state to protect the confidentiality of such information. Recent cases investigated by my office have, unfortunately, demonstrated that deliberate or inadvertent leaking or misuse of such information is a significant risk. Experience in other EU countries is no different…
There is little hard evidence of the actual usefulness of PNR passenger data in combating terrorism or organised crime. All we are presented with is general comments that such information is useful, with a small number of examples. There is even less evidence of the additional utility of PNR data over the more reliable API data that is already being collected. The result is that a key test under European law — that of proportionality — does not seem to be met. Even if one were to accept the case presented for this proposal — I do not — the protection provided for the innocent majority who have nothing to do with terrorism or organised crime is vague and inadequate. These deficiencies are spelled out in the written opinion my EU colleagues have already delivered and which has been provided to the committee.
If this proposal is implemented, we will have taken a further step to what has been called the surveillance society, where our day-to-day activities are constantly monitored and our private space is more and more restricted. We already have a situation, under data retention law, where the details of who we communicate with electronically is compulsorily stored, in case it would be useful for the investigation of crime. With this proposal, our international travel movements will be monitored by the State for the same reason. Can it only be a matter of time before this is extended to all of our movements? (Emphasis added)
The Joint Committee has now accepted these points (and also pointed out that – incredibly – neither Ryanair nor EasyJet were consulted in relation to the proposal).
What can you do about this? The responsible Irish official is the Minister for Justice. You might like to let him know that your privacy is important, and that the proposals (which Ireland has supported) are unacceptable. Ask him why he has ignored the concerns raised by the Data Protection Commissioner and proceeded with a measure based on “little evidence” with “vague and inadequate protections” for your personal information. Ask him whether he plans to ignore the concerns raised by our democratic representatives in the Joint Oireachtas Committee. Contact details? Email: minister@justice.ie, Phone: 01 602-8202 (ask for the Minister’s Office), Fax: 01 661-5461, Snail Mail: 94 St. Stephen’s Green, Dublin 2. And of course you should cc your local TDs (details here) and let them know that this issue is important to you in deciding how you will vote.
November 17th, 2008
The outgoing head of the Crown Prosecution Service and DPP for England and Wales, Sir Ken MacDonald QC, has used his retirement speech to warn against UK government proposals to expand data retention:
As I near my conclusion, let me, in my final public speech as DPP, repeat my call for level headedness and for legislative restraint in an age of dangerous movements.
We need to take very great care not to fall into a way of life in which freedom’s back is broken by the relentless pressure of a security State.
Over the last thirty years technology has given each of us, as individual citizens, enormous gifts of access to information and knowledge. Sometimes it seems as if everything is at our fingertips and this has made our lives immeasurably richer.
But technology also gives the State enormous powers of access to knowledge and information about each one of us. And the ability to collect and store it at will. Every second of every day, in everything we do.
Of course modern technology is of critical importance to the struggle against serious crime.
Used wisely, it can protect us.
But we need to understand that it is in the nature of State power that decisions taken in the next few months and years about how the State may use these powers, and to what extent, are likely to be irreversible. They will be with us forever. And they in turn will be built upon.
So we should take very great care to imagine the world we are creating before we build it. We might end up living with something we can’t bear.
October 21st, 2008
The Advocate General of the European Court of Justice has just given his Opinion (summary, PDF) on the Irish Government’s challenge and has recommended to the Court that the challenge should be rejected, holding that the Data Retention Directive was correctly dealt with as an internal market measure rather than a criminal justice measure (which would have required unanimity to pass). Opinions of the Advocate General aren’t binding but are generally followed by the Court, making it more likely that the Government’s challenge will now fail.
It’s important to point out, though, that this ruling only relates to the procedural way in which the Directive was passed. It doesn’t affect our case that the Directive breaches fundamental principles of human rights, and we still await a decision from the High Court referring these issues to the European Court of Justice.
Full text of the Advocate General’s opinion available here.
The German Working Group against Data Retention (Arbeitskreis Vorratsdatenspeicherung) is also bringing a legal challenge to data retention and has put out a press release on the Opinion.
October 14th, 2008
The agenda of the European Court of Justice has just listed Tuesday, October 14 for the Advocate General’s opinion on the State’s challenge to the Data Retention Directive. This won’t be a final decision – the Advocate General gives an opinion which is merely advisory and the court is not bound by it. In most cases, however, the court will follow the broad approach of the Advocate General.
What’s the significance of the State’s challenge? Here’s what we said about it before:
On the plus side, the challenge will certainly delay implementation of the Directive, and stands a very good chance of striking it down in its entirety. There is a very strong case that the passing of the Directive was flawed.
On the minus side, the challenge is purely procedural. The Government agrees with the principle of spying on every citizen – it merely alleges that the wrong legal mechanism was chosen. According to the Government, the measure should have been passed by unanimous agreement of all the member states – not by a majority voting procedure. We agree – the directive is clearly an attempt to deal with matters of criminal law that are reserved to the member states, and the fundamental rights of Irish citizens should not be set aside by the majority vote of other EU states. But we’re disappointed that the Government shows no interest in asserting the right to privacy of Irish citizens. The result is that the European Court of Justice, when it eventually deals with the case, will only be hearing about procedure – not privacy.
Obviously we hope that the Government’s challenge will succeed in invalidating the Directive. Whatever the outcome of their case, however, our own challenge to data retention – where we raise these privacy issues about Irish law as well as the Directive – will continue.
(Thanks to Joris van Hoboken for pointing out that the Opinion had been timetabled.)
October 3rd, 2008
This is a letter which the Department of Justice wrote in July 2006 indicating that they would consult us before drafting any measures implementing the Data Retention Directive. 18 months later we still haven’t heard anything concrete from them, despite reports that they plan to put laws in place within the next month. Equally in the dark are the ISPs and others in the internet industry who will face the technical challenges and cost of implementation:
Given the short timeframe for putting this legislation into action, the industry – ie ISPs – should know the score. They are charged with the responsibility of storing this vast bank of data on the Irish citizen, but frustratingly they are still not quite sure of their role in the process.
“We, as ISPs, do not have any difficulty with the objective of fighting serious crime but what we need are clear instructions on the expectations of governments across Europe as to what exactly it is we have to retain and when,” says Durrant.
Shane Deasy, managing director for wireless internet provider BitBuzz, while willing and able to comply with the new legislation, echoes Durrant’s sentiment: “There is a grey area – details we have yet to get answers to.
“The industry has met with the Department of Justice and has had several discussions on this forthcoming legislation but to my knowledge the industry has not yet been given information on exactly what data they are required to store and for how long.
“It may require a lot more storage on the part of the ISPs but at the moment we simply don’t know exactly what we are going to be asked to retain.”
Such is the confusion that Google has recently voiced its concerns on its Public Policy blog, stating that the approach taken by Justice may have the effect of damaging the Irish internet industry:
Ireland looks set to be amongst the first countries to transpose the directive. Concerns have been expressed that sufficient time may not be available for a full debate to discuss the very complex issues involved. There is also a real risk that a rushed transposition process could produce legislation which negatively impacts on consumer privacy and is harmful to the internet and telecomms sector. Our view is that it is vital that the reasonable concerns of privacy advocates and industry are taken into account. Google is going to take advantage of the current window of opportunity to get our views across, and we hope that other interested parties will do likewise.
So what will it take before the Department of Justice is prepared to engage in real consultation?
February 28th, 2008
Professor Robert Clark is a leading Irish expert on privacy and the law. Here’s what he had to say in the Independent about the Government’s handling of personal privacy:
Big Brother Philosophy Threatens Public’s Privacy
Do the Irish Government and state agencies — health, prison, law enforcement, semi-state bodies for example — have a legal obligation to keep your personal information private? The answer is a resounding “yes”.
But this does not mean that the law will necessarily be observed — bad things happen. Experience shows that human errors will greatly facilitate personal information misuse. Failure to keep computer passwords confidential, for instance, are estimated to be a major source of data security lapses.
Threats are often internal, rather than external. Examples that come to mind include a case in Belfast some years ago when an unmarried mother-to-be applied at her dole office for maternity benefit.
She was dreading telling her mother of the pregnancy but a nosey neighbour who worked in the office found out about the inquiry and told the entire neighbourhood. The welfare agency was held in breach of its duty to keep information in confidence.
A similar event occurred in Kerry last year when the gardai had to pay damages when information about a suspect found its way into the public domain by way of a garda leak.
The fact is that the State is likely to have access to personal information of the most sensitive kind — medical and health data, criminal records, religion, etc — and it is through data protection law that citizens draw the most protection.
While the Office of the Data Protection Commissioner is better resourced now, the complexity of finding meaningful solutions that face the commissioner in the internet age cannot be overestimated.
Privacy and data protection all too often lose out when confronted by pressure for more police powers or greater administrative convenience. The level of scrutiny by the Oireachtas was negligible. Successive Data Protection Commissioners have complained about this Big Brother philosophy but to little effect.
The practical point is this: the more public servants who can access the data, the more likely it is that something will go wrong.
The lesson to be taken from the UK child benefit disk debacle, in which two disks holding personal data about millions of people went missing, is that too many junior staff were able to access and copy too much information about too many citizens, in breach of internal rules.
The rules and legal position are clear — it is human error that accounts for most data breaches. Threats from hackers are often regarded as external threats but often the person who alters websites and files is a disgruntled employee or ex-employee who is out for revenge or wants to access information about others. Case law in relation to employee hackers shows that the employer is entitled to sack someone straying into personnel files of co-workers.
Where the threat is external, as in cases of identity theft, denial of service attacks, phishing, for example, our legislation appears to be less satisfactory.
Hacking was criminalised as a very minor offence back in 1991 but we have yet to see a review of the law relating to computer and technology misuse in the light of these more damaging developments.
To the extent that our lawmakers are not keeping information misuse laws up to date, it can be said that Sean and Maura Public are not being protected by the State.
A cynic might say that internet crimes and information theft are difficult to detect and investigate but this, while true, is not an excuse for legislative complacency.
Prof Robert Clark is a member of the Internet Advisory Board and is the author of ‘Data Protection Law in Ireland’
February 8th, 2008
Today’s Irish Independent covers the revelation (via Ruari Quinn’s Dáil questions) that over 80 government laptops – together with other items such as USB keys and Blackberries – have been lost or stolen over the last five years. It appears from the responses to those questions that the laptops weren’t encrypted, but it’s not fully clear what was on each device. We’ve pointed out before that the State’s security standards for personal data appear to be extremely lax – suggesting that it’s essentially a matter of luck that we haven’t had private files compromised on as large a scale as the recent English loss of data on 25 million individuals. The Data Protection Commissioner is already investigating the lax culture within some Government Departments where snooping or sale of personal information is common – but past experience suggests that real change won’t happen unless there is public pressure for it.
So what can you do to protect the private information the State (Revenue, Social Welfare, HSE, Passport Office, local authority, etc.) hold about you? We’d suggest you start making some noise. Start by complaining to your local TDs – if they use email it will usually have the address: firstname.surname@oireachtas.ie. You can find full contact details for your local TDs here. Let them know that personal privacy is an important issue for you. Ask them why the State has been so careless with our private information that the Data Protection Commissioner has said that he has warned of these risks for years, and has said that the State needs “a wake up call”. Ask them what they plan to do about it. And of course you can ask them why, in light of this carelessness, they should be trusted to bring in data retention.
February 8th, 2008
Today, Monday 28th, is European Data Protection Day. Last year we marked this with a post giving some practical ways in which you could protect your privacy.
This year, the single most important thing you could do is to help stop data retention in Ireland. What exactly is data retention? TJ wrote this explanation of the issues for the Irish Examiner:
How would you feel if someone followed you every day, writing down your movements, making a note of everyone you talked to, jotting down the address of every letter you post, and then storing that information for three years? What would you think if that system of surveillance was extended to every single person in the country? While this might sound like the stuff of science fiction, since 2002 the Government has required telephone companies to track the movements of all their users, to log details of every telephone call made and every text message sent and to store that information for three years. The Department of Justice now proposes to extend this further, to require ISPs to monitor everyone’s internet use, including details of every email or instant message we send, and every time we log on or off, and to store that information for up to two years. What’s more, it intends to do this by the stroke of a ministerial pen, with no debate before the Dáil or the Seanad.
The rather dull name for this surveillance is “data retention”. But it might be more informative to talk of “digital footprints”. As technology comes to be more and more part of our everyday lives, we leave a trail of digital footprints recording almost everything we do. Activities which once would have been private (posting a letter) may now leave a record (sending an email). Data retention laws – by storing these digital footprints – mean that the rights to privacy and freedom of expression we take for granted in the offline world might be lost in the digital age.
Since the Department of Justice admitted these plans there has been a surge of interest. The primary question has been what can individuals do to stop this.
The most potent assistance anyone can give is to write a letter to the Ministers responsible, as well as to their local TDs.
If they’re in government, ask them why Ireland is introducing data retention so urgently. And don’t accept “Because European law requires it” as an answer. There is an EU Directive requiring data retention. But it is being challenged by multiple court cases. One is being taken by the Irish State itself at the European Court of Justice. One is being taken by DRI in the High Court. And one is being taken by 30,000 signatories objecting to the German Government’s implementation of the Directive. There is no reason why our Government should implement the Directive before these court cases have been heard – especially given that the Government itself agrees that the Directive is invalid.
Ask them why the Oireachtas is being sidelined. A law such as this should be subject to democratic scrutiny.
Member states of the EU had the right to seek an 18 month derogation from having to transpose this law. Ask the Ministers and your public representatives why Ireland did not avail of this breathing period.
In addition, you might ask the Minister for Communications to put a figure on how much the additional costs of collecting, storaging and accessing of this data will add to the price of broadband for the average consumer.
Brian Lenihan TD is the Minister for Justice. It is the Department of Justice who have responsibility for the introduction of data retention in Ireland. His email is: info@justice.ie.
Eamon Ryan TD is the Minister for Communications. The Minister for Communications is responsible for the regulation of Internet Service Providers who will need to implement Government policy in this area. His email is: minister.ryan@dcmnr.gov.ie.
Your local TD (if they use email) will usually have the address: firstname.surname@oireachtas.ie. You can find full contact details for your local TD here.
January 28th, 2008
Government proposals to introduce surveillance of all internet users are unacceptable. The proposed law will require Internet Service Providers (ISPs) to log details of every email, every instant message or chat message, and every time users log on or log off, and to store that information for up to 18 months. This information will then be available without any court order or warrant. These proposals, implementing European law, are being drafted without public consultation and would be implemented by a statutory instrument. There will be no scrutiny by the Oireachtas.
It is incredible that the Government proposes to introduce a law which would require every Internet user to be monitored without any warrant or prior judicial approval, without any public consultation and without any debate or vote in the Oireachtas. A law of this gravity should not be made by stealth.
The Department of Justice appears to be relying on the “urgency” of the matter to justify bypassing the Dail and Seanad. But the European law being implemented was passed in February 2006. The Department has had two years to introduce a Bill and it cannot rely on its own delay to justify sidelining democratic scrutiny.
In any case, it is inappropriate to implement this law whilst it is under court challenge. The Irish government itself has challenged the validity of the law before the European Court of Justice. Digital Rights Ireland has also brought a High Court action challenging the European law. These proposals will effectively pre-empt the judgment of the courts.
January 19th, 2008
Next Posts
Previous Posts