Posts filed under 'Privacy - General'

Leaked report on Data Retention Directive shows fundamental flaws

Under Article 14 of the Data Retention Directive the Commission must produce a public evaluation of the application of the Directive before 15 September 2010. A draft version of that document has now been leaked (along with the Irish Government’s submission) and makes for very interesting reading.

Karlin Lillington has an excellent summary in today’s Irish Times, and here are some of the highlights:

Ireland is one of the countries accessing private information the most:

THE GARDA made more requests for phone-call traffic data in 2008 than police in Germany, which has 20 times the population of the Republic.

According to a leaked draft of a European Commission report, gardaí made more than 14,000 access requests for call data in 2008, a rate about 40 per cent higher than had been previously assumed by data privacy advocates, who had based an estimate of 10,000 on figures provided in the past by gardaí to the Office of the Data Protection Commissioner.

Older data is very seldom accessed:

According to the report, the vast majority of data requests across the EU – 85 per cent – are made when the data is less than seven months old, with the bulk of requests, 70 per cent, filed for data held for less than three months.

Statistics gathered from member states “support the conclusion that the relevance of data decreases significantly” with age, the report says.

The report found no concrete evidence from any state to support longer retention periods. “No objective elements were found that could support the choice of the retention period: neither the prevalence of certain forms of crime, the geography of the [member state], or (in-)efficiencies of a law enforcement organisation seem to support the choice,” it says.

The report shows there are very few requests within any state, including Ireland, for data after 12 months. Only 109 requests in aggregate from eight EU countries including Ireland were made in 2008 for mobile data held longer than 18 months. Only 39 total requests from the same eight countries were made for fixed-line call data stored longer than 18 months.

Fears of function creep have been borne out, and data retention is being used for matters such as filesharing cases:

It also notes that many member states have implemented the EU data retention directive by widening its scope and retaining data that was not retained in the past, often allowing it to be used for more purposes than outlined in the directive, such as for civil litigation on copyright in the UK. Such expansion is referred to as “mission creep” by privacy advocates.

Irish companies will be at a competitive disadvantage due to data retention:

The report says some respondents feel that in states with lengthy retention periods, private industry is at a competitive disadvantage because of the burden and costs that retention may impose directly or indirectly.

Several network operators said the need to invest in retention infrastructure had caused them to delay or abandon improvements to national networks.

Deutsche Telekom claimed it had spent €5.2 million on implementation of retention infrastructure and €3.7 million a year to facilitate about 13,000 call data requests and 6,500 internet data requests. Other operators said they had spent in excess of €4 million setting up systems for providing access to stored data.

As predicted, prepay SIM cards have made data retention measures ineffective and have led to Member States – including Ireland – attempting to ban their use:

In the Government’s response to a questionnaire on the State’s implementation of data retention, the Department of Justice noted it was considering ways to identify users of pre-paid SIM cards, an issue which was raised by several states.

In addition to these points, the full document contains many more damning details. For example, not one Member State provided any statistical information demonstrating that data retention was of use in any significant number of cases (p.7), while it’s clear from responses that the Directive – which was sold as a harmonisation measure – has completely failed to achieve this (p.8). Similarly, national data protection authorities have pointed out that they often lack proper powers to supervise data retention and that telecommunications companies often lack proper security over customer data (pp.9-10).

2 comments May 14th, 2010

Why German data retention decision means Irish Bill should be scrapped

Karlin Lillington writes in today’s Irish Times about the German decision striking down data retention law as a breach of privacy and what it means for the Data Retention Bill currently before the Oireachtas. Here’s an excerpt:

ANALYSIS: Data retention proposals about to become law here have been declared an invasion of privacy in Germany. Government please take note

IF THE Government fails to reconsider the terms of its Data Retention Bill, currently in its final stages before the Houses of the Oireachtas, it is likely to find that costly court challenges and a forced reworking of the legislation lie ahead.

The Retention of Data Bill 2009 seeks the overdue implementation of an EU directive on data retention (storage of call data for two years and internet-use data for one year, for everyone in the country, including children). It is the tail-end of a long process in which the right to privacy has been pitted against the needs of law enforcement to have access to records for criminal investigations.

Even as the Bill passed a Dáil vote that cements in its current provisions, there are signs that all is not well on the European front for national data retention legislation.

On Tuesday, in a significant finding, the German constitutional court threw out Germany’s existing data retention laws for a range of reasons, many of which have direct application to Ireland.

The German court echoed precisely the concerns expressed by many groups and individuals here about our own legislation – worries that were given a lone voice in the Dáil debate by Labour TD Seán Sherlock.

The German court found that enacting any data retention legislation requires a regard for what it termed the exceptional intensity of the interference with human rights that result from such measures. It therefore obligates the government to have clear and transparent measures in place to ensure data safety, data use, and adequate legal remedy available to citizens for misuse of personal data.

It said retention legislation must set a very high standard for safety of all data, and this cannot be balanced against a general burden of cost, whoever that may lie with. It underlined that access to data should only be allowed in cases targeting most serious crimes and terrorist offences. It argued that individuals must be notified after the fact that their information was accessed for an inquiry.

All of these issues have been highlighted as a concern in Ireland, where the Government has tried to downgrade the level of the crimes that our legislation applies to; does not outline a quality of service that must be met to protect data; does not cover the costs of managing and protecting data, but passes them on to the internet and telecoms sector; and does not give adequate legal remedy to citizens nor adequate oversight. Irish legislation would not meet the provisions laid out by the German court.

Privacy advocacy group Digital Rights Ireland has already brought a constitutional case against the Government in the High Court on the constitutionality of Irish legislation. This is widely expected to be referred to the European Court of Human Rights and prove a test case on the issue for the EU as a whole, where the German case will signal issues likely to prove troublesome for Irish and other EU nations’ retention laws.

Full text.

6 comments March 4th, 2010

Press Release on German Data Retention Decision

The civil rights organisation which brought the successful challenge to data retention before the German Constitutional Court has now issued a press release on that decision. Here’s the full text:

Press release by the German Working Group on Data Retention (AK Vorrat)

2 March 2010:

After data retention ruling: Civil liberties activists call for political end to retention of telecommunications data

+++ Data retention opposed by 70% of German population +++ European Citizens’ Initiative for repealing the EU directive on data retention announced +++ Legal action to be continued +++

The German Working Group on Data Retention has today announced a Europe-wide campaign to end Internet and telephone data retention. This follows the German Constitutional Court’s ruling on a mass complaint made by more than 34,000 citizens. According to a newly-published poll, 69.3% of all Germans oppose data retention, making it the most strongly rejected surveillance law.[1]

“The recording of confidential contacts and movements of the entire population in the absence of any suspicion is unacceptable and must stop immediately”, says Florian Altherr of the Working Group. “In starting an initiative to this end, the Federal Minister of Justice can count on the support of EU Commissioner Viviane Reding as well as of many states such as Austria, Belgium and Romania, all of which do not have data retention laws in place.”

“In order to bring the massive rejection of blanket data retention home to politicians we are in the process of preparing a European Citizens’ Initiative. With the signatures of one million opponents to the permanent logging of our Internet and phone use we want to persuade the EU to repeal its data retention directive”, announces data protection activist padeluun of the Working Group.

Patrick Breyer of the Group adds: “At the same time we will continue our legal fight against data retention. Today’s decision proclaiming the recording of the entire population’s behaviour in the absence of any suspicion compatible with our fundamental rights is unacceptable and opens the gates to a surveillance state.”

The German Working Group on Data Retention is making five political demands after today’s ruling:
1. The Federal Government, the Federal Minister of Justice and Parliaments must now cooperate with other like-minded states and bodies to take steps to repeal the redundant and detrimental data retention directive.
2. The German law on data retention, going far even beyond EU requirements and – according to the German Constitutional Court – unconstitutional, must not be re-enacted.
3. European citizens should be given the right to file constitutional complaints directly with the European Court of Justice.
4. The Federal Government must not agree to any further collection of information on citizens not suspected of any wrong-doing in the name of security, such as the air travellers file proposed by the EU. Mass data pools that were introduced in the past, such as the registration of Internet use by the Federal Office for Information Security or the employee information system ELENA, must be closed down.
5. An independent review of all existing “security” measures must take place in order to systematically examine their compatibility with our fundamental rights, their effectiveness, their cost, their harmful side-effects and alternatives.

Background information:

Communications data enables the tracing of who has contacted whom via telephone, mobile phone or e-mail. In the case of mobile calls or text messages via mobile phone, the user’s location is also logged. Data retention allows citizens’ movements to be traced and personal and business contacts to be monitored. Information regarding the content of communications such as personal interests and individual life circumstances can also be deduced.

A study commissioned in 2008 shows that data retention is acting as a serious deterrent to the use of telephones, mobile phones, e-mail and Internet. The survey conducted by research institute Forsa found that with communications data retention in place, one in two Germans would refrain from contacting a marriage counsellor, a psychotherapist or a drug abuse counsellor by telephone, mobile phone or e-mail if they needed their help. One in thirteen people said they had refrained from using telephone, mobile phone or e-mail at least once because of data retention, which extrapolates to 6.5 mio. Germans in total.

German NGO Working Group on Data Retention (Arbeitskreis Vorratsdatenspeicherung) organised several protest marches against the scheme. Last year, 20.000 people protested against surveillance in Berlin.[2]

About Arbeitskreis Vorratsdatenspeicherung (German Working Group on Data Retention):

The Arbeitskreis Vorratsdatenspeicherung (AK Vorrat) is a Germany-wide organisation which campaigns against extensive surveillance in general and the blanket logging of telecommunications and other behavioural data in particular.

Homepage and contact details: http://www.vorratsdatenspeicherung.de

Footnotes and Links:

[1] Poll on data retention (in German):

http://www.vorratsdatenspeicherung.de/images/infas-umfrage.pdf

[2] Protest march “Freedom not Fear”:

http://www.vorratsdatenspeicherung.de/content/view/333/79/lang,en/

Add comment March 3rd, 2010

German Constitutional Court strikes down data retention law

Great news from Germany, where the Federal Constitutional Court has found data retention law to be incompatible with the right to privacy under the German Constitution. More thoughts on the decision and the implications for our own case at a later stage, but for the meantime here’s the initial AP report:

MELISSA EDDY Associated Press Writer

5:23 AM EST, March 2, 2010

BERLIN (AP) — Germany’s highest court on Tuesday overturned a law allowing authorities to retain data on telephone calls and e-mail traffic for help in tracking criminal networks.

A law ordering data on calls and e-mail exchanges be retained for six months for possible use by criminal authorities violated Germans’ constitutional right to private correspondence and must be revised, the Federal Constitutional Court ruled.

In its ruling, the court said the law failed to sufficiently balance the need for personal privacy against that for providing security, although it did not rule out data retention in principle.

“The disputed instructions neither provided a sufficient level of data security, nor sufficiently limited the possible uses of the data,” the court said.

Nearly 35,000 Germans had appealed to the court to overturn the law, which stems from a 2006 European Union anti-terrorism directive requiring telecommunications companies to retain phone data and Internet logs for a minimum of six months in case they are needed for criminal investigations.

The court upheld the EU directive, saying the problem lay instead with how the German parliament chose to interpret it.

Under the German law, which went into effect Jan. 2008, information about all calls from mobile or landline phones was retained for six months, including who called whom, from where and for how long.

The following year, that law was expanded to include the data surrounding all contact via e-mail.

Although the laws forbid authorities from retaining the contents of either form of communication, they met with fierce opposition from civil rights groups.

“Massive amounts of data about German citizens who pose no threat and are not suspects is being retained,” Germany’s commissioner for data security issues, Peter Schaar, told ARD’s morning show.

Experts argue the information is crucial to being able to trace crimes involving heavy use of the Internet, including tracking terror networks and pursuing child pornography.

3 comments March 2nd, 2010

Reform of search warrants must take computer searches into account

The Law Reform Commission has just published a consultation paper on search warrants and bench warrants. In relation to search warrants it points out there is currently a bewildering array of statutory provisions (over 100 different Acts and Regulations) which deal with searches, with different procedures to be followed and different powers of search and seizure in each case. The consultation paper aims, amongst other things, to rationalise the law in this area, and seeks to put in place a single statutory framework.

Surprisingly, though, the consultation paper has almost nothing to say about searches of computers and data. In fairness, it does note that there are some existing (rather patchy) provisions which specifically deal with computer searches – such as the power to require passwords in s.48 of the Criminal Justice (Theft and Fraud Offences) Act 2001. It also makes a very brief reference to the need for specialist forensic examination of seized computers. However it fails to consider any of the difficulties which have emerged when traditional norms are applied to data, much less current proposals which would fundamentally rewrite the law in this area.

To take just a few examples: there is no recognition of the vast quantities of personal data which are often stored on computers, making searches particularly privacy invasive in a way which is not generally true elsewhere. On a similar note, the consultation paper fails to recognise that the effect of seizing a computer and data can often be to shut down a business or to seriously disrupt an individual’s life, and that this often can be mitigated by returning a copy of the seized data. There’s no analysis of how extensive searches of data should be – if, for example, a computer is seized on suspicion of fraud offences should it be permissible to automatically scan the hard drive to detect possible child pornography images? (These and many other issues have been extensively analysed by Orin Kerr in several excellent articles, including Search Warrants in an Era of Digital Evidence and Searches and Seizures in a Digital World.) Similarly, there’s no mention of so-called remote searches (police hacking into computers at a distance), despite the fact that these have been the subject of recent EU proposals.

These and other issues will have to be addressed if the Law Reform Commission analysis is to deal with computer searches adequately in a way which protects privacy – if you’re interested in bringing any of these issues to their attention, you can email them at info@lawreform.ie or make a submission via snail mail using the details on this page.

(Cross-posted from tjmcintyre.com)

1 comment December 28th, 2009

Data Retention – Should it be left to a private agreement between the State and Telcos?

Karlin Lillington has a strong piece in today’s Irish Times about a leaked draft agreement on data retention between state agencies (the Garda Síochána, Revenue and Defence Forces) and the telecoms industry (represented by ALTO, TIF and the ISPAI). Her comments are worth quoting extensively:

A secret memorandum of understanding between State agencies and the communications industry on how to implement the as-yet non-existent Government data retention legislation, confirms longstanding concerns about who is managing the data retention agenda and to what end.

With data retention, it appears that the tail is wagging the dog, in blatant disregard for proper democratic legislative process. The agencies that want access to our call and internet data are bypassing the Oireachtas, which at least theoretically, is the body that draws up and implements legislation.

As one alarmed privacy advocate told me: “This is legislation by decree.” …

No doubt, the argument will be made – and indeed is, within the body of the 13 page memorandum – that the document exists to help streamline the process by which our data are requested and handed over to various bodies that will now be allowed to look at it. Or as the memorandum states: “to promote efficient and effective standards of co-operation between the State and the Communications Industry.”

But it is not the business of the agencies to arrange any such matters privately with the communications industry, especially in the absence of actual legislation, or any public discussion or input, or any significant Oireachtas debate on a Bill that has only recently been published and not yet debated.

A data retention bill has not been passed by the Oireachtas yet, so this extraordinary “agreement” is based on sweeping assumptions, not articles of law.

More startling is the fact that agencies and industry are making such secretive plans for co-operation at all. It is the job of the Oireachtas and, ultimately, the courts to determine how legislation will be interpreted and implemented, not the Garda Commissioner, the Revenue Commissioners or the Defence Forces by private agreement.

This is the equivalent of the Financial Regulator securing a private understanding with Irish companies and banks as to how they will be supervised and how evidence will be obtained from them for investigations.

Another concern is that the memorandum, as it stands, indicates an agreement to obtain data that goes beyond what has been proposed so far in the published data retention bill.

The memorandum arranges for communications companies to hand over ‘‘any available personal details” of an IP address user, e-mail sender or VoIP user, even though the draft Bill (as seen by The Irish Times earlier this year) only requires name and address.

The memorandum also contains an agreement to hand over the MAC address associated with a computer user – the numerical “address” of a physical piece of hardware, such as a laptop, that enables it to connect to a network – though not required by the Bill.

The memorandum concludes with supreme arrogance: a detailed schedule pertaining to what will be handed over and how, matched to the text from the “Act” – again, simply the proposed Bill the Oireachtas has not yet approved. The schedule has a column for the “mutual agreement of retained data” and another for “issues addressed and agreed”.

Excuse me? Since when do agencies and industry get to “mutually agree” how they will privately interpret and comply with publicly mandated legislation (setting aside the glaring absence of any such legislation on which to base their ‘mutual agreement’)?

The memorandum notes in conclusion that it should be disseminated within Government “where necessary” and copies of the signed agreement be filed with legal representatives and stored internally in company files.

So, we have a private deal arranged in advance, in disregard of the role of the democratically elected Oireachtas and with no public input or scrutiny, between State agencies and the communications industry on how they will interpret and act on one of the most controversial pieces of legislation proposed for the State and European Union.

Legislation that has massive privacy and security implications for citizens and for businesses, and which already has been criticised by several leading business figures from indigenous and multinational companies as a threat to Ireland’s business environment.

Such arrangements have no place in a democracy and will surely alarm businesses that have chosen to base themselves in Ireland. Revelations that they exist will not instill confidence that privacy safeguards will be respected for citizens or businesses, nor dispel concerns that other murky off the record arrangements will be made along the way.

To be fair, there are portions of the draft agreement which are highly desirable. It aims to establish a single point of contact principle, which should minimise mistakes and abuse. It seeks to have state authorities digitally sign and encrypt any email requests for information. And it clarifies the appallingly vague technical language in the draft Data Retention Bill in a way which may make it workable.

But these safeguards should be built into the legislation itself, made mandatory and enforceable by judicial supervision. Instead, this agreement leaves them to an ad hoc arrangement between the State and the telecoms industry, and admits that it is merely “a non-binding statement of understanding or agreement [which] creates no legal obligations or commitments on the signing parties”. Moreover, it does so in secret, with no public input into the process. And, as Karlin points out, in some places it goes beyond what the draft legislation would require, and commits ISPs to handing over information without any legal obligation or permission to do so.

Read the full text of the leaked agreement here.

1 comment September 25th, 2009

Another day, another laptop loss

Yesterday it was a HSE laptop with sensitive financial information on the public. (Don’t forget the HSE has form – with multiple data losses just last year – and has now shown that it has broken its promise to encrypt all laptops containing sensitive personal information.)

Today it’s the turn of Bord Gáis to lose another unencrypted laptop containing bank account and credit card details of 75,000 customers.

We’ve been banging on about this for a while, but it’s worth repeating that in light of these fiascos, a law to warn you that your data has been stolen is long overdue:

At the moment, there is no legal obligation on a body which loses your personal information to notify you. This means that individuals may be unaware that sensitive information such as medical histories or financial records has been lost. It may be, for example, that the first you learn about it is when you go to the ATM and find that your account has been emptied.

What’s being done on this front at the moment? The Minister for Justice has kicked this issue to touch for the time being, setting up a working group to consider whether mandatory reporting should be introduced – and we’ve made submissions to that group. But if you want to see action taken sooner rather than later, now would be a good time to let your TDs (firstname.surname@oireachtas.ie) and MEPs (contact details here) know that you support a right to be warned when your data has been stolen.

Perhaps most importantly, you might want to ask yourself this question – if this is what happens to your financial information, what can you expect to happen to your email and web information if the government is allowed to continue with its plans for data retention?

6 comments June 17th, 2009

Complaint to European Commission over Irish Interception Laws

You might have noticed that we think that Irish data retention laws are an invasion of our privacy. Unfortunately Irish law on interception of communications also fails to protect our privacy – and for that reason we’ve lodged a formal complaint with the European Commission, pointing out that Irish law doesn’t meet European standards and asking that they require the Irish government to introduce adequate protections. Read on for more details and to see what you can do to help.

What’s the difference between data retention and interception? While data retention focuses on traffic data – who called whom, when, where the mobile phone was, etc. – interception deals with attempts by the state or private parties to monitor the contents of communications – to listen in on telephone calls, read emails, and so on.

Interception is controlled to a limited extent by Irish law – under legislation from 1983 and a 1993 Act introduced after a scandal involving the Taoiseach and Minister for Justice illegally tapping journalists’ phones – but that law is now well out of date, and doesn’t meet the standards set out by European law in the 2002 e-Privacy Directive.

What’s wrong with the existing Irish law? There are two major limitations. First, it was introduced at a time when there were a limited number of players in the telecommunications market. As such, it applied initially to Telecom Éireann, and was extended to certain telecoms businesses operating under a licence or a general authorisation. It does not, however, apply to other businesses which don’t need an authorisation – which includes most online only businesses. Webmail, instant messaging or voice over IP, for example, would not be protected by the 1993 Act. Secondly, it applies only to messages which are “being transmitted” – something which appears to mean that e.g. the contents of a webmail inbox would not be protected.

As a result of these limitations, the protections of the 1983 and 1993 Acts – which make interception a criminal offence, require a warrant from the Minister for Justice before interception can be carried out by the police, and provide for judicial oversight – simply do not apply to a wide range of online communications. This lack of legislative control appears to be a relatively clear breach of the e-Privacy Directive, which requires states to “prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so … [by] legislative measures [which are] necessary, appropriate and proportionate within a democratic society”.

In short, we think that Irish law doesn’t adequately protect the privacy of your online communications – and hopefully the European Commission will require the Government to introduce adequate protections. If you agree, you can support the complaint by contacting the Minister for Justice (Email: minister@justice.ie, Fax: 01 661-5461, Snail Mail: 94 St. Stephen’s Green, Dublin 2) and asking him to extend Irish interception law to adequately protect online communications and meet our European obligations. You can also email the Commission at InfsoB2@ec.europa.eu, referring to our complaint and indicating that you are also making a formal complaint that Irish law on the interception of communications is not in compliance with Art. 5 of the ePrivacy Directive.

(Update: 16.06.09 – The European Commission has now replied, indicating that it is now investigating this matter under reference 2009/4368, SG(2009) A/4871. You might include this reference if writing to support us.)

For those of you who can’t get enough legalese, the full text of our complaint is below:

Dear Mr. …

The purpose of this letter is to outline how Ireland has failed to implement Article 5 of Directive 2002/58/EC.

As you know, Article 5.1 provides that:

“Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality.”

When implementing the Directive, it was the view of national authorities that Article 5.1 was already adequately provided for in Irish law by section 98 of the Postal and Telecommunications Services Act 1983 in combination with the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993. See the comments of the Department of Communications, Marine & Natural Resources in their Guidance Notes on the Transposition into Irish Law of EU Directive 2002/58/EC (29 July 2003). Since transposition, Part 7 of the recent Criminal Justice (Terrorist Offences) Act 2005 has also become relevant.

Between them, these pieces of domestic legislation do partially cover the requirements of Article 5. However, the scope of this legislation is limited and there are several situations which appear to fall within Article 5 but which would not be covered by Irish law. Three points in particular stand out:

* Section 98 applies only to messages being transmitted by persons who hold a general authorisation. Messages transmitted by other persons are not protected. Thus, it would appear that email sent via a webmail service such as Gmail would not be covered; nor would calls on VOIP services such as Skype.

* Section 98 applies only to messages “in the course of transmission”. Again using the example of a webmail service, it would appear that the stored contents of a person’s inbox would not be in transmission and thus would not be covered (perhaps depending on whether they had been read by the recipient).

* The Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 regulates police interceptions of telecommunications messages, but again only where those messages are being transmitted by persons who hold a general authorisation. Consequently, the safeguards created by that Act (including judicial oversight) do not apply to other police interceptions.

I propose to outline briefly the Irish legal framework and to consider in more detail the places where Irish law falls short of the requirements of Article 5.

Persons to whom Irish interception law applies

Irish law on interception of telecommunications messages is contained in section 98 of the Postal and Telecommunications Services Act 1983 which prohibits interception and disclosure of telecommunications messages. That section, as originally enacted, applied only to the interception of messages being transmitted by the then state monopoly, Telecom Éireann.

With the advent of deregulation, section 98 was extended to cover other licensed operators (the Postal and Telecommunications Services (Amendment) Act, 1999, section 7). Subsequently, with the introduction of a general authorisation framework, the provisions of section 98 were extended to any person operating under a general authorisation (Regulation 4(8) of the European Communities (Electronic Communications Networks and Services)(Authorisation) Regulations 2003).

However, this limitation of section 98 to messages being transmitted by persons operating under a general authorisation would appear to present a problem. There may be situations where telecommunications messages are being transmitted by means of a public communications network or through a publicly available telecommunications service, where that network or service is not being operated under a general authorisation. Webmail and VOIP services would appear to fall into this category. Accordingly, messages transmitted by such services do not appear to be protected against interception under Irish law.

In particular, there is no offence to address the situation where a private individual intercepts messages being transmitted by such a service, or where the proprietor of such a service improperly discloses such messages.

Restriction to messages in the course of transmission

Section 98(1) (as extended) provides:

“A person who-
(a) intercepts or attempts to intercept, or
(b) authorises, suffers or permits another person to intercept, or
(c) does anything that will enable him or another person to intercept,
telecommunications messages being transmitted by [a person deemed to be authorised under the Authorisation Regulations] or who discloses the existence, substance or purport of any such message which has been intercepted or uses for any purpose any information obtained from any such message shall be guilty of an offence.” (emphasis added and text changed to reflect extension of s.98 to other operators)

The reference to telecommunications messages being transmitted suggests that stored messages, such as voicemail messages, or a webmail inbox, would not be protected by section 98. (It might be said that such messages are “being transmitted” until the point at which they are initially accessed – however, once accessed it would seem more difficult to argue that they are still being transmitted.) This limitation appears to be incompatible with Art. 5 of Directive 2002/58/EC which applies to “communications” (as defined in Art. 2) generally. Indeed, Art. 5 would be significantly undermined if messages in storage were excluded.

Regulation of police interception of telecommunications messages

The Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 sets out the Irish law on police interception of telecommunications. Under section 2, an authorisation to intercept the contents of communications can only be given by the Minister for Justice. Sections 4 and 5 set out conditions which must be satisfied before an authorisation can be granted. For example, section 4 provides (in respect of the investigation of crime) that:

“The conditions referred to in section 2 of this Act in relation to an interception for the purpose of criminal investigation are-

(a) (i) that-

(I) investigations are being carried out by the Garda Síochána, or another public authority charged with the investigation of offences of the kind in question, concerning a serious offence or a suspected serious offence,

(II) investigations not involving interception have failed, or are likely to fail, to produce, or to produce sufficiently quickly, either or, as the case may be, both of the following, that is to say:

(A) information such as to show whether the offence has been committed or as to the facts relating to it,

(B) evidence for the purpose of criminal proceedings in relation to the offence,

and

(III) there is a reasonable prospect that the interception of postal packets sent to a particular postal address or of telecommunications messages sent to or from a particular telecommunications address would be of material assistance (by itself or in conjunction with other information or evidence) in providing information, or evidence, such as aforesaid,

or

(ii) that-

(I) in the case of a serious offence that is apprehended but has not been committed, investigations are being carried out, for the purpose of preventing the commission of the offence or of enabling it to be detected, if it is committed, by the Garda Síochána or another public authority charged with the prevention or investigation of offences of the kind in question,

(II) investigations not involving interception have failed, or are likely to fail, to produce, or to produce sufficiently quickly, information as to the perpetrators, the time, the place, and the other circumstances, of the offence that would enable the offence to be prevented or detected, as the case may be, and

(III) there is a reasonable prospect that the interception of postal packets sent to a particular postal address or of telecommunications messages sent to or from a particular telecommunications address would be of material assistance (by itself or in conjunction with other information) in preventing or detecting the offence, as the case may be,

and

(b) that the importance of obtaining the information or evidence concerned is, having regard to all the circumstances and notwithstanding the importance of preserving the privacy of postal packets and telecommunications messages, sufficient to justify the interception.”

This section provides important safeguards: interception is restricted to serious offences, investigation other than interception must be inadequate, interception is restricted to messages sent to or from a particular address, thus ruling out indiscriminate monitoring of traffic and “fishing expeditions”, and interception must, in the circumstances, be proportionate.

Section 8 of the Act then creates a judicial power of oversight over the interception system, while section 9 creates a complaints procedure for persons who allege that interceptions have been improperly carried out.

The 1993 Act is, however, limited to “interceptions” which would (if not authorised) amount to an offence under section 98. (See the definition of “interception” in section 1.) Consequently, the 1993 Act has no application to interceptions falling outside section 98. It follows that any interception by the police of, for example, emails transmitted by a webmail service will not be regulated by the provisions of section 98 and will escape regulation by Irish law – the section 98 safeguards, including proportionality, judicial oversight and the complaints procedure, will not be available.

This would appear to breach Article 15.1 of Directive 2002/58/EC. Article 15.1 specifies that any restriction by Member States of the rights and obligations provided for in Article 5 must be by way of “legislative measures” which are “necessary, appropriate and proportionate within a democratic society”. However, interception of emails in the circumstances I have outlined would appear not to be governed by any legislative measure, much less one which can be assessed as necessary, appropriate or proportionate. The unfettered discretion which this would appear to confer on the police would therefore appear to be incompatible with the Directive.

In summary, it appears that Irish law has not been properly updated to take account of the requirements of Article 5 of Directive 2002/58/EC, and I would respectfully ask that the Commission investigate whether Ireland has failed properly to implement this Directive.

2 comments May 28th, 2009

European Court upholds data retention… for the time being

The European Court of Justice has given its decision today in the Irish Government challenge to the Data Retention Directive - Ireland v. Parliament and Council (Press Release | Judgment). Unsurprisingly (in light of the Advocate General’s Opinion) it has held that the directive was properly adopted as an internal market measure (by qualified majority voting) rather than as a criminal matter (requiring unanimity). Where does this leave us and our case?

While it’s a pity to see the Directive upheld, the Government’s challenge was a very narrow one, dealing only with the essentially technical matter of the legal basis for the Directive. The Government didn’t raise and the ECJ wasn’t asked to decide on the fundamental rights issues. Indeed it expressly stated:

The Court notes at the outset that the action brought by Ireland relates solely to the choice of legal basis and not to any possible infringement by the directive of fundamental rights resulting from interference with the exercise of the right to privacy.

Consequently, the decision doesn’t affect the core of our challenge to the Directive, which will still go ahead on the basis that it infringes the rights to privacy and freedom of expression. At the moment we’re waiting on a decision from the High Court on our application to refer these issues to the ECJ – we’re confident that when these issues reach the ECJ they will decide in our favour.

2 comments February 10th, 2009

Keeping an eye on UK developments

Karlin Lillington has an interesting story in today’s Irish Times on recent UK developments in surveillance and what they might mean for Ireland. Here’s an excerpt:

NET RESULTS: When it comes to abuse of privacy, where Britain goes, Ireland tends to follow. That’s why we should be worried – very worried – about developments across the Irish Sea that emerged as the year rolled over into 2009, writes Karlin Lillington.

First came a New Year’s Eve story in the Guardian that home secretary Jacqui Smith will propose the creation of a single giant communications database and the option of outsourcing the storage of all the personal details held under the UK’s data retention regime to a private firm.

That means potentially that a single repository – a massive, national communications database – would hold all the details about, though not the content of, everyone’s e-mails, phone calls, faxes, text messages and internet use.

The same array of data is retained in Ireland as well, though at the moment, as is the case in Britain, data is retained by the communications providers, not in a central database.

Gathering such a spread of private information into a single database would create a “hellhouse” of personal private data that would not only be vulnerable to security breaches on a massive scale but would prove too great a temptation for law enforcement, according to Britain’s former director of public prosecutions, Sir Ken McDonald.

McDonald was scathing in his criticism of the idea. “Authorisations for access might be written into statute,” he told the Guardian. “But none of this means anything. All history tells us that assurances like these are worthless in the long run. In the first security crisis, the locks would loosen.”

While “security” would be cited as the main impetus for such a database, “the notion of total security is a paranoid fantasy that would destroy everything that makes living worthwhile” and bring an “ugly future”, he said.

One of the areas she points out – remote searches or the ability of the police to remotely hack into your computer to find evidence or monitor your activity – will certainly be one of the big issues of 2009. While Irish law doesn’t currently deal with this issue, there are moves at EU level to encourage (and possibly eventually require) all member states to allow remote searches. This becomes more worrying when combined with a growing law enforcement desire to be able to conduct “remote cross border searches” – that is, for the police in country A to be able to hack into a computer in country B. This strategy – also known as “chasing bits across borders” – presents its own problems for privacy and especially accountability.

6 comments January 9th, 2009
