Posts filed under 'Mass surveillance'
This is a letter which the Department of Justice wrote in July 2006 indicating that they would consult us before drafting any measures implementing the Data Retention Directive. 18 months later we still haven’t heard anything concrete from them, despite reports that they plan to put laws in place within the next month. Equally in the dark are the ISPs and others in the internet industry who will face the technical challenges and cost of implementation:
Given the short timeframe for putting this legislation into action, the industry – ie ISPs – should know the score. They are charged with the responsibility of storing this vast bank of data on the Irish citizen, but frustratingly they are still not quite sure of their role in the process.
“We, as ISPs, do not have any difficulty with the objective of fighting serious crime but what we need are clear instructions on the expectations of governments across Europe as to what exactly it is we have to retain and when,” says Durrant.
Shane Deasy, managing director for wireless internet provider BitBuzz, while willing and able to comply with the new legislation, echoes Durrant’s sentiment: “There is a grey area – details we have yet to get answers to.
“The industry has met with the Department of Justice and has had several discussions on this forthcoming legislation but to my knowledge the industry has not yet been given information on exactly what data they are required to store and for how long.
“It may require a lot more storage on the part of the ISPs but at the moment we simply don’t know exactly what we are going to be asked to retain.”
Such is the confusion that Google has recently voiced its concerns on its Public Policy blog, stating that the approach taken by Justice may have the effect of damaging the Irish internet industry:
Ireland looks set to be amongst the first countries to transpose the directive. Concerns have been expressed that sufficient time may not be available for a full debate to discuss the very complex issues involved. There is also a real risk that a rushed transposition process could produce legislation which negatively impacts on consumer privacy and is harmful to the internet and telecomms sector. Our view is that it is vital that the reasonable concerns of privacy advocates and industry are taken into account. Google is going to take advantage of the current window of opportunity to get our views across, and we hope that other interested parties will do likewise.
So what will it take before the Department of Justice is prepared to engage in real consultation?
February 28th, 2008
Professor Robert Clark is a leading Irish expert on privacy and the law. Here’s what he had to say in the Independent about the Government’s handling of personal privacy:
Big Brother Philosophy Threatens Public’s Privacy
Do the Irish Government and state agencies — health, prison, law enforcement, semi-state bodies for example — have a legal obligation to keep your personal information private? The answer is a resounding “yes”.
But this does not mean that the law will necessarily be observed — bad things happen. Experience shows that human errors will greatly facilitate personal information misuse. Failure to keep computer passwords confidential, for instance, are estimated to be a major source of data security lapses.
Threats are often internal, rather than external. Examples that come to mind include a case in Belfast some years ago when an unmarried mother-to-be applied at her dole office for maternity benefit.
She was dreading telling her mother of the pregnancy but a nosey neighbour who worked in the office found out about the inquiry and told the entire neighbourhood. The welfare agency was held in breach of its duty to keep information in confidence.
A similar event occurred in Kerry last year when the gardai had to pay damages when information about a suspect found its way into the public domain by way of a garda leak.
The fact is that the State is likely to have access to personal information of the most sensitive kind — medical and health data, criminal records, religion, etc — and it is through data protection law that citizens draw the most protection.
While the Office of the Data Protection Commissioner is better resourced now, the complexity of finding meaningful solutions that face the commissioner in the internet age cannot be overestimated.
Privacy and data protection all too often lose out when confronted by pressure for more police powers or greater administrative convenience. The level of scrutiny by the Oireachtas was negligible. Successive Data Protection Commissioners have complained about this Big Brother philosophy but to little effect.
The practical point is this: the more public servants who can access the data, the more likely it is that something will go wrong.
The lesson to be taken from the UK child benefit disk debacle, in which two disks holding personal data about millions of people went missing, is that too many junior staff were able to access and copy too much information about too many citizens, in breach of internal rules.
The rules and legal position are clear — it is human error that accounts for most data breaches. Threats from hackers are often regarded as external threats but often the person who alters websites and files is a disgruntled employee or ex-employee who is out for revenge or wants to access information about others. Case law in relation to employee hackers shows that the employer is entitled to sack someone straying into personnel files of co-workers.
Where the threat is external, as in cases of identity theft, denial of service attacks, phishing, for example, our legislation appears to be less satisfactory.
Hacking was criminalised as a very minor offence back in 1991 but we have yet to see a review of the law relating to computer and technology misuse in the light of these more damaging developments.
To the extent that our lawmakers are not keeping information misuse laws up to date, it can be said that Sean and Maura Public are not being protected by the State.
A cynic might say that internet crimes and information theft are difficult to detect and investigate but this, while true, is not an excuse for legislative complacency.
Prof Robert Clark is a member of the Internet Advisory Board and is the author of ‘Data Protection Law in Ireland’
February 8th, 2008
Today’s Irish Independent covers the revelation (via Ruari Quinn’s Dáil questions) that over 80 government laptops – together with other items such as USB keys and Blackberries – have been lost or stolen over the last five years. It appears from the responses to those questions that the laptops weren’t encrypted, but it’s not fully clear what was on each device. We’ve pointed out before that the State’s security standards for personal data appear to be extremely lax – suggesting that it’s essentially a matter of luck that we haven’t had private files compromised on as large a scale as the recent English loss of data on 25 million individuals. The Data Protection Commissioner is already investigating the lax culture within some Government Departments where snooping or sale of personal information is common – but past experience suggests that real change won’t happen unless there is public pressure for it.
So what can you do to protect the private information the State (Revenue, Social Welfare, HSE, Passport Office, local authority, etc.) hold about you? We’d suggest you start making some noise. Start by complaining to your local TDs – if they use email it will usually have the address: firstname.surname@oireachtas.ie. You can find full contact details for your local TDs here. Let them know that personal privacy is an important issue for you. Ask them why the State has been so careless with our private information that the Data Protection Commissioner has said that he has warned of these risks for years, and has said that the State needs “a wake up call”. Ask them what they plan to do about it. And of course you can ask them why, in light of this carelessness, they should be trusted to bring in data retention.
February 8th, 2008
Today, Monday 28th, is European Data Protection Day. Last year we marked this with a post giving some practical ways in which you could protect your privacy.
This year, the single most important thing you could do is to help stop data retention in Ireland. What exactly is data retention? TJ wrote this explanation of the issues for the Irish Examiner:
How would you feel if someone followed you every day, writing down your movements, making a note of everyone you talked to, jotting down the address of every letter you post, and then storing that information for three years? What would you think if that system of surveillance was extended to every single person in the country? While this might sound like the stuff of science fiction, since 2002 the Government has required telephone companies to track the movements of all their users, to log details of every telephone call made and every text message sent and to store that information for three years. The Department of Justice now proposes to extend this further, to require ISPs to monitor everyone’s internet use, including details of every email or instant message we send, and every time we log on or off, and to store that information for up to two years. What’s more, it intends to do this by the stroke of a ministerial pen, with no debate before the Dáil or the Seanad.
The rather dull name for this surveillance is “data retention”. But it might be more informative to talk of “digital footprints”. As technology comes to be more and more part of our everyday lives, we leave a trail of digital footprints recording almost everything we do. Activities which once would have been private (posting a letter) may now leave a record (sending an email). Data retention laws – by storing these digital footprints – mean that the rights to privacy and freedom of expression we take for granted in the offline world might be lost in the digital age.
Since the Department of Justice admitted these plans there has been a surge of interest. The primary question has been what can individuals do to stop this.
The most potent assistance anyone can give is to write a letter to the Ministers responsible, as well as to their local TDs.
If they’re in government, ask them why Ireland is introducing data retention so urgently. And don’t accept “Because European law requires it” as an answer. There is an EU Directive requiring data retention. But it is being challenged by multiple court cases. One is being taken by the Irish State itself at the European Court of Justice. One is being taken by DRI in the High Court. And one is being taken by 30,000 signatories objecting to the German Government’s implementation of the Directive. There is no reason why our Government should implement the Directive before these court cases have been heard – especially given that the Government itself agrees that the Directive is invalid.
Ask them why the Oireachtas is being sidelined. A law such as this should be subject to democratic scrutiny.
Member states of the EU had the right to seek an 18 month derogation from having to transpose this law. Ask the Ministers and your public representatives why Ireland did not avail of this breathing period.
In addition, you might ask the Minister for Communications to put a figure on how much the additional costs of collecting, storaging and accessing of this data will add to the price of broadband for the average consumer.
Brian Lenihan TD is the Minister for Justice. It is the Department of Justice who have responsibility for the introduction of data retention in Ireland. His email is: info@justice.ie.
Eamon Ryan TD is the Minister for Communications. The Minister for Communications is responsible for the regulation of Internet Service Providers who will need to implement Government policy in this area. His email is: minister.ryan@dcmnr.gov.ie.
Your local TD (if they use email) will usually have the address: firstname.surname@oireachtas.ie. You can find full contact details for your local TD here.
January 28th, 2008
Government proposals to introduce surveillance of all internet users are unacceptable. The proposed law will require Internet Service Providers (ISPs) to log details of every email, every instant message or chat message, and every time users log on or log off, and to store that information for up to 18 months. This information will then be available without any court order or warrant. These proposals, implementing European law, are being drafted without public consultation and would be implemented by a statutory instrument. There will be no scrutiny by the Oireachtas.
It is incredible that the Government proposes to introduce a law which would require every Internet user to be monitored without any warrant or prior judicial approval, without any public consultation and without any debate or vote in the Oireachtas. A law of this gravity should not be made by stealth.
The Department of Justice appears to be relying on the “urgency” of the matter to justify bypassing the Dail and Seanad. But the European law being implemented was passed in February 2006. The Department has had two years to introduce a Bill and it cannot rely on its own delay to justify sidelining democratic scrutiny.
In any case, it is inappropriate to implement this law whilst it is under court challenge. The Irish government itself has challenged the validity of the law before the European Court of Justice. Digital Rights Ireland has also brought a High Court action challenging the European law. These proposals will effectively pre-empt the judgment of the courts.
January 19th, 2008
From the Irish Times:
Britain’s prime minister Gordon Brown and chancellor Alistair Darling were left reeling last night after the astonishing disclosure that the personal data of 25 million people and 7.25 million families across the UK has been lost.
The Metropolitan Police are now leading the search for two disks containing details of the UK’s entire child benefits database. The data was downloaded in breach of all standing procedures by junior officials at HM Revenue and Customs (HMRC) and then sent to the National Audit Office via an internal postal system that was not recorded or registered….
The data contains names and addresses of parents and children, national insurance and child benefit numbers and, in some cases, bank or building society details.
How long will it be before the giant databases created by data retention laws are compromised? Governments worldwide, and the Irish Government in particular, have shown that they cannot be trusted with the information they already have. Now is not the time to create even more databases.
This case also highlights the importance of our call for a right to be warned when your personal data is exposed. Under Irish law as it stands there is no obligation on the State – or anybody else – to warn you when they have allowed your personal information to be compromised. The first you may know about it is when you feel the effects of identity theft. But by then it will be too late.
November 21st, 2007
Minister for Justice Brian Lenihan today announced more funding for community CCTV schemes. Unfortunately these schemes still fail to comply with basic safeguards recommended by the Law Reform Commission nearly ten years in its 1998 Report on Privacy.
Experience in other jurisdictions have shown that CCTV systems are open to abuse. Voyeurism by CCTV operators is common, with even the occasional politician as a victim. One English case shows what can happen:
Two council CCTV camera operators have been jailed for spying on a naked woman in her own home. Mark Summerton and Kevin Judge, from Sefton Council, Merseyside, trained a street camera into the woman’s flat… The images from the camera, including the woman without her clothes on, were shown on a large plasma screen in the council’s CCTV control room in November 2004, Liverpool Crown Court heard.
Over several hours, she was filmed cuddling her boyfriend before undressing, using the toilet, having a bath and watching television dressed only in a towel.
What safeguards are there in Irish law? There is a Department of Justice Code of Practice for Community-Based CCTV Systems, which has a limited statutory basis in section 38 of the Garda Siochana Act 2005. But that Code of Practice, though fine as far as it goes, lacks teeth. The worst that can happen if a Community CCTV scheme flouts the Code of Practice is that its authorisation to operate the system might be taken away. There is no provision for civil or criminal sanctions against operators who abuse the system, leaving victims potentially without any redress.
The Minister for Justice did acknowledge today that safeguards were necessary against the abuse of CCTV systems. We agree. The current Code of Practice should be put on a full statutory basis, enforceable by civil and criminal sanctions.
July 31st, 2007
DRI opposes Government proposals to introduce mandatory registration of mobile phones. These proposals will infringe on the privacy of every mobile phone user, as well as being expensive, impracticable and ineffective. But you don’t have to take our word for it. Here’s what the Department of Communications, Marine and Natural Resources had to say in January:
The idea for a Register of mobile phones was extensively reviewed by officials in the Department. There were many complex legal, technical, data protection and practical issues to be considered. In theory, a Register of mobile phones might seem like a good idea. However, having looked at the situation in other administrations, considered the ease with which an unregistered foreign or stolen SIM card can be used and the difficulties that would be posed in verifying identity in the absence of a national identification card system, and having consulted with the Office of the Attorney General and other interested parties, it was concluded that the proposal would be of limited benefit, in that it would not solve the illegal and inappropriate use of pre-paid mobile phones and was not practical.
As the earlier Communications comments suggest, the current proposals don’t appear to have given any thought to some fundamental issues:
What’s to stop purchasers giving false details?
What’s to stop drug dealers from using phones belonging to others?
What about phones bought before the register comes into effect?
Stolen phones?
Foreign SIM cards?
Not to mention the most important question: how can a failed drug policy justify treating the entire population as suspects?
Let the government know what you think of these proposals. You can contact Pat Carey (the responsible junior minister) here and the Minister for Communications Eamon Ryan here.
July 23rd, 2007
The Rachel O’Reilly murder trial has focused attention on the use of mobile phone tracking. RTÉ’s This Week programme has a segment on the risks of tracking and data retention with contributions from the Data Protection Commissioner and DRI.
July 16th, 2007
RTÉ News reports that Dr. Jerry Cowley, Independent TD for Mayo, is to ask the complaints referee to investigate apparent official tapping of his telephone:
The independent Mayo TD Jerry Cowley has called for an investigation to establish if his phone is being tapped by gardaí.
He said he had raised the matter with the Minister for Justice, Michael McDowell, and got what he described as a ‘less than satisfactory reply’.
He said his suspicions that his phone might be being tapped had been raised by ‘a series of unusual coincidences’.
But he declined to give any further details of these. He said: ‘I want to know for certain if my phone is being tapped’.
Deputy Cowley has been closely associated with the Shell to Sea campaign which opposes the current Corrib Gas pipeline plans in Co Mayo.
In a democracy it is particularly worrying if the Government is monitoring our communications with our elected representatives with the potential that this will be used to undermine the opposition for political purposes. In the United Kingdom, the Wilson Doctrine addresses these concerns by prohibiting the tapping of MPs’ (and Peers’) telephones. But that rule has no counterpart in Ireland.
March 29th, 2007
Next Posts
Previous Posts