Posts filed under 'Privacy - General'
Henry McDonald in today’s Guardian has an alarming story about Garda surveillance of crime journalists, including routine monitoring of their mobile phone calls and messages:
Journalists in Ireland have raised concerns about the country’s draconian gagging orders on police officers talking to the media, including allegations that the state is monitoring their mobile phone calls to try to reveal sources.
Dublin-based reporters, some of whom are under death threats from armed criminal gangs, have told MediaGuardian that the Irish police force, Garda Siochána, has questioned them about police contacts, threatened them with arrest and has been checking their mobile phone calls to suspected sources…
Many experienced Garda sources now use cheap, disposable mobile phones to keep in touch with reporters.
The veteran crime and security journalist Jim Cusack, from the Sunday Independent, said he has faced threats of detention over his refusal to reveal sources in a story about a Real IRA murder.
Cusack said: “I have been threatened with possible arrest for ‘withholding information relating to a criminal offence’ – the 2005 act again – with a punishment of up to 10 years when I told gardaí I could not remember the source of a story about a dissident murder in Donegal several months earlier.
“The last time I was made aware my phone records were being hacked was last year after I contacted a detective involved in a murder case and left a message referring to some material I had come across which might be of use in the case.
“I was not called back. Instead a third party contacted me and said the detective had been warned by a colleague that my phone was under surveillance and the call had been logged by C3. This is the old name for the Garda security and intelligence section.”
Asked about both the continued gagging of gardaí talking to the media and allegations of journalists being threatened with arrest as well as coming under covert surveillance, the Garda press office said: “An Garda Siochána do not discuss internal discipline matters.” The force’s press office declined to answer specific queries about journalists alleging their calls were being monitored.
These revelations are shocking but not surprising – it’s long been known that data retention laws pose a special threat to whistleblowers and journalists, particularly in Ireland where there are no adequate sanctions for police abuse of surveillance powers.
Some individual Irish journalists have done trojan work in raising these concerns – take a bow “Journalist C” in particular – but the Irish NUJ and other media organisations collectively have maintained a disappointing silence on the issue.
The position is very different elsewhere. The European Federation of Journalists has campaigned against data retention, as have journalists’ organisations in individual states such as Germany. For whatever reason, however, there doesn’t seem to have been any collective awareness amongst Irish journalists of the threat which this type of mass surveillance presents to their profession. Perhaps today’s story might prompt more action on their part?
May 11th, 2012
Recent media reports have confirmed that a Garda detective sergeant will not face criminal prosecution and will keep her job despite abusing the data retention system to spy on an ex-boyfriend.
In November 2010 the annual report of the judge who oversees the data retention system confirmed earlier reports that the sergeant, who then worked in the Garda intelligence division, had abused her position by accessing the phone records of her former boyfriend, tracking details of his communications. It appears that this came to light when the former boyfriend became suspicious that she knew about calls which he had made since they separated, and not as the result of any internal audit or other safeguards. According to the Sunday Times:
Eve Doherty was transferred from Crime and Security, the garda’s spying agency, after she was caught accessing phone records last year.
Her former boyfriend had become suspicious because she allegedly knew details of the calls he had made after they had separated. Doherty has been disciplined, and will remain a member of the force. She is currently seconded to Garda Special Branch, the anti-terrorist division.
Her case was the first of its kind to be highlighted in an annual report prepared for the Dail by a High Court judge, who is assigned to monitor the state’s phonetapping activities. Judge Iarfhlaith O’Neill, who is designated to monitor telephone tapping by the security services, mentioned the case in a report to the Oireachtas in February, though Doherty was not named.
O’Neill said that he investigated a number of alleged breaches of Section 64(2) of the Criminal Justice (Terrorist Offences) Act 2005 which had been “committed by a member of An Garda Siochana”.
Under Section 64(2) no garda below the rank of chief superintendent can request an individual’s phone records from a service provider to aid investigations of criminal offences.
The High Court judge said that the extent of the alleged non-compliance with the 2005 act had been “rigorously investigated and fully understood”.
He said all appropriate steps had been taken to ensure future compliance with the act.
The Director of Public Prosecutions (DPP) decided that, following a garda investigation, no charges should be brought in the case.
That story also reveals that after an internal disciplinary process she will retain her job and will not even be demoted. Incredibly, despite this abuse of trust, the sergeant has been transferred to the Garda Special Branch, where she will continue to have access to sensitive information. The matter was also referred to the independent Garda Siochana Ombudsman Commission which decided not to investigate the matter further.
A number of significant questions are left unanswered. In relation to the specific case: Why was no prosecution brought? Why was it considered appropriate to leave a person found to have abused sensitive records in a position of responsibility, much less the Special Branch? Why was this person not dismissed? Why did a Chief Superintendent sign off on her requests, and will that person be investigated for failing to adequately ensure that her requests were legitimate?
More general questions are also raised: Was this part of a wider pattern of abuse? Is there an adequate internal audit trail of data retention requests? If so, who is responsible for reviewing that trail? Does the designated judge access a sample of requests from the preceding year to ensure that the surveillance was appropriate? If not, what other steps are taken to review the approximately 15 000 data retention requests which are made every year? What are the “appropriate steps” referred to by the judge “to ensure future compliance with the act”?
The Department of Justice response has been simply to pass the buck. According to the Sunday Times again:
The Department of Justice said the handling of the case was a matter for garda authorities. “The case in question concerned access to retained telecommunications data which was governed at the time by the provisions of the Criminal Justice (Terrorist Offences) Act 2005,” said a spokeswoman.
“The act assigned the oversight of the provisions relating to data retention to a designated judge of the High Court.”
Given the lack of adequate sanctions for this abuse and the failure of either the designated judge or the Department of Justice to provide answers to these questions it is hard to see how the Irish public can be expected to have any confidence in the data retention system.
References: “Garda accused of bugging her ex-boyfriend”, The Sunday Times (20.02.2011); “Garda who spied on her boyfriend will keep job”, The Sunday Times (14.08.2011)
[Cross-posted from EDRI-gram]
September 2nd, 2011
Mark Tighe has an important story in today’s Sunday Times about apparent abuse by a garda of the data retention system. Unfortunately it’s behind a paywall, but I’ve taken the liberty of scanning the hardcopy and placing it here as it raises a number of fundamental questions about the safeguards which are in place against abuse and the likelihood of further abuse now that the 2011 Act has extended data retention to internet use also.
Garda accused of bugging her ex-boyfriend
A FEMALE garda suspected of obtaining the phone records of her ex-boyfriend has been reported as the first person who may have breached phone-tapping rules introduced in legislation in 1993.
The case is highlighted in a report prepared by Iarfhlaith O’Neill, a High Court judge designated to monitor the state’s phone-tapping activities.
Security sources say that the case involves a garda who was stationed in the force’s crime and security division, which carries out spying and intelligence services. The garda is accused of obtaining phone records of her former boyfriend to track his movements and activities after they separated. The man became suspicious and complained to gardai because his ex-girlfriend allegedly knew details of calls he had made.
In a report to the Oireachtas earlier this month, O’Neill said that he investigated a number of alleged breaches of Section 64(2) of the Criminal Justice (Terrorist Offences) Act 2005. Under Section 64(2) no garda below the rank of chief superintendent can request an individual’s phone records from a service provider to aid investigations of criminal offences.
O’Neill said: “These breaches are alleged to have been committed by a member of An Garda Siochana.”
“As a result of my investigations, I was concerned that these breaches may have occurred. These alleged breaches are now the subject matter of a criminal investigation and also disciplinary proceedings under the garda disciplinary code.”
O’Neill said that the extent of the alleged non-compliance with the 2005 Act had been “rigorously investigated and fully understood”. He said all appropriate steps had been taken to ensure future compliance with the act.
The rest of O’Neill’s report states that on November 18 last year he attended garda headquarters, then army headquarters in McKee Barracks and later the Department of Justice offices on St Stephen’s Green.
In each location he reviewed documents relating to phone tapping and phone records and spoke to people involved in the operation of the act. He said that all his queries were answered to his satisfaction.
“As a result of the foregoing, I am satisfied that there is, as of the date of this report (November 26, 2010) full compliance with the provisions of the above acts,” he said.
A spokesman for the Data Protection Commissioner (DPC) said that gardai had informed it of the apparent data breach last June.
Gardai refused to comment on the case.
Gardai and the Department of Justice have refused to release details of how many requests for phone records or how many phone taps are authorised each year. They say that such information is sensitive.
The Labour party has called for a review of the powers given to gardai to access personal records and said they should only be used in exceptional circumstances.
In 2007 the DPC said that, based on audits of phone companies, it estimated gardai were making 10,000 requests for citizens’ phone records each year. Security sources say the figure is now likely to be closer to 15,000 as gardai regularly seek phone records to aid investigations.
Despite its resistance to publishing details about requests to access the phone records of private citizens, Ireland may be forced to do so by a 2009 European Council directive.
The directive requires member countries to legislate to provide their data protection commissioners with the number of requests made for phone records and the legal justification invoked.
Some quick thoughts:
The references to bugging and phone-tapping are misleading – what is alleged here (as I understand it) is that the garda accessed the phone records of her ex rather than actually listened to the contents of telephone calls.
There are, unhelpfully, no details given in the report as to how the abuse came to light or what changes will be made in future to prevent further abuses. (Continuing a fine tradition of opacity.) But a number of questions spring to mind.
When did the alleged abuse take place, and how long did it take before it was uncovered? Was the abuse discovered purely by chance? Is there an adequate internal audit trail of requests which are made? If so, who is responsible for reviewing that trail? Does the designated judge access a sample of requests from the preceding year to ensure that the surveillance was appropriate? If the designated judge will not provide this level of detail in the annual report then the Minister for Justice must do so to the Oireachtas if the public are to have confidence in this system. While the particular details of this case cannot be discussed until any criminal trial is concluded, it is remarkable that there is absolutely no discussion of the systems-level controls which are (or are not) in place.
Finally, when data breach notification is finally introduced as a legal obligation (whether under the revised e-Privacy Directive or the Data Protection Commissioner’s Code of Practice) will it include a right to be notified of this type of breach also? Note that the Directive appears to impose a notification obligation on telcos only.
For more background on the allegations behind this story, see this Mail on Sunday piece from last year.
[Cross-posted from tjmcintyre.com]
February 20th, 2011
In a week when whistleblowing by an anonymous blogger was crucial to exposing problems in the Irish Red Cross it becomes all the more important to stand up for the right to online anonymity. The following is an attempt to make the case for the social value of anonymous speech. A shorter version appeared in today’s Sunday Times (behind a paywall so no link, alas.)
In defence of online anonymity
Earlier this week Declan Kiberd decried “masked and anonymous ranters who use the media to vent,” praising instead those “honest people who write letters to the editor” and supply their name and address. In another recent article Jim Glennon wrote that anonymity “facilitates bitterness, vitriol and, at times, sheer poison” making the internet “a playground for cranks” who are invulnerable “to identification or retaliation”.
These comments don’t recognise any positive aspects to anonymous speech. But the last point from Jim Glennon inadvertently illustrates why many people are concerned that the things they say online might be connected to their offline identities. Retaliation is a real risk – the case law is full of examples of retaliation for such things as expressing unpopular views, blowing the whistle on wrongdoing or speaking out in favour of a union.
This point can sometimes be overlooked by those who are in a position of power. Professor Kiberd, for example, enjoys by virtue of the Universities Act the academic freedom “to question and test received wisdom, to put forward new ideas and to state controversial or unpopular opinions” without fear of being penalised by his employer. Others, however, may not be so fortunate.
Even leaving aside fears of retaliation, there are many reasons why anonymous speech can be a good thing. While anonymity can sometimes be used to tell lies, very often it instead promotes honesty. Irish society can place a premium on keeping up appearances and putting on a brave face, in a way that makes it difficult to admit to weakness. Visit discussion forums, however, and we often find that anonymity enables users to be more honest about difficult subjects such as their relationships, their finances or their health.
Anonymity can also mean an improvement in the quality of debate. As Mr. Glennon notes, we should “analyse the arguments being advanced, and not those by whom they are being advanced”. As human beings we are naturally keen to know who is speaking, to put a face to an opinion. But the anonymity of internet discussion enables us to judge arguments on their merits, leaving our prejudices behind.
Indeed, while there is an understandable tendency to be fearful of modern technology, none of these points are new to the internet. It should not be forgotten that many great works of literature have been produced anonymously or under assumed names. One of the giants of Irish writing, Jonathan Swift, published all his satirical works either anonymously or under a pseudonym.
None of this is to say that online anonymity should be absolute. In criminal cases – such as the recent attack on the CAO website – the law allows for user identities to be revealed to Gardaí as part of an investigation. Apart from criminal cases, however, anonymity should be taken away only in very narrow circumstances. In an important decision in 2005 the High Court ruled that internet users enjoyed a right to “confidentiality of identity” and held that this right should not be set aside by a court unless there is “very clear proof of wrongdoing”.
In general, this ruling strikes a reasonable balance between the privacy rights of users and the rights of parties who claim that they have been the victims of wrongdoing. It also allows a court to refuse identification where it is sought for some ulterior motive.
For example, in a 2006 case Ryanair applied to the High Court to identify anonymous Ryanair pilots who posted comments on a union website. Ryanair claimed that they needed the identities to protect other staff from intimidation and threats – the High Court, however, found that there was no evidence of intimidation or threats and the real purpose behind the action was to “break the resolve” of the pilots seeking better conditions of employment. Consequently the court refused to order disclosure of the pilots’ identities.
This approach is far from perfect, however. Although in theory wrongful applications to identify can be challenged, in practice this seldom happens. The only reason that the High Court was able to consider the merits of Ryanair’s case was because the union behind the pilots’ website was able to stand up for the rights of its members. If Ryanair had tried to identify the pilots using some other method – suing their internet service provider (ISP), for example – then it is likely that the application to identify would have gone unopposed and the pilots been improperly unmasked.
Unlike other jurisdictions such as the United States, Irish law fails to ensure that users are notified of attempts to identify them and given an opportunity to oppose the application. Consequently in most cases Irish users are dependent on their ISP to make a case on their behalf. ISPs, however, have no commercial incentive to do so.
As a result, although the law is supposed to balance the rights of the parties before ordering identification, the court will generally hear only the plaintiff’s version of events. If Irish law is to fully protect anonymous speech online then it will be important to ensure that users have a right to be heard before their identity is revealed – notification afterwards is too little, too late.
TJ McIntyre is chairman of Digital Rights Ireland, solicitor and lecturer in law in UCD
August 29th, 2010
Under Article 14 of the Data Retention Directive the Commission must produce a public evaluation of the application of the Directive before 15 September 2010. A draft version of that document has now been leaked (along with the Irish Government’s submission) and makes for very interesting reading.
Karlin Lillington has an excellent summary in today’s Irish Times, and here are some of the highlights:
Ireland is one of the countries accessing private information the most:
THE GARDA made more requests for phone-call traffic data in 2008 than police in Germany, which has 20 times the population of the Republic.
According to a leaked draft of a European Commission report, gardaí made more than 14,000 access requests for call data in 2008, a rate about 40 per cent higher than had been previously assumed by data privacy advocates, who had based an estimate of 10,000 on figures provided in the past by gardaí to the Office of the Data Protection Commissioner.
Older data is very seldom accessed:
According to the report, the vast majority of data requests across the EU – 85 per cent – are made when the data is less than seven months old, with the bulk of requests, 70 per cent, filed for data held for less than three months.
Statistics gathered from member states “support the conclusion that the relevance of data decreases significantly” with age, the report says.
The report found no concrete evidence from any state to support longer retention periods. “No objective elements were found that could support the choice of the retention period: neither the prevalence of certain forms of crime, the geography of the [member state], or (in-)efficiencies of a law enforcement organisation seem to support the choice,” it says.
The report shows there are very few requests within any state, including Ireland, for data after 12 months. Only 109 requests in aggregate from eight EU countries including Ireland were made in 2008 for mobile data held longer than 18 months. Only 39 total requests from the same eight countries were made for fixed-line call data stored longer than 18 months.
Fears of function creep have been borne out, and data retention is being used for matters such as filesharing cases:
It also notes that many member states have implemented the EU data retention directive by widening its scope and retaining data that was not retained in the past, often allowing it to be used for more purposes than outlined in the directive, such as for civil litigation on copyright in the UK. Such expansion is referred to as “mission creep” by privacy advocates.
Irish companies will be at a competitive disadvantage due to data retention:
The report says some respondents feel that in states with lengthy retention periods, private industry is at a competitive disadvantage because of the burden and costs that retention may impose directly or indirectly.
Several network operators said the need to invest in retention infrastructure had caused them to delay or abandon improvements to national networks.
Deutsche Telekom claimed it had spent €5.2 million on implementation of retention infrastructure and €3.7 million a year to facilitate about 13,000 call data requests and 6,500 internet data requests. Other operators said they had spent in excess of €4 million setting up systems for providing access to stored data.
As predicted, prepay SIM cards have made data retention measures ineffective and have led to Member States – including Ireland – attempting to ban their use:
In the Government’s response to a questionnaire on the State’s implementation of data retention, the Department of Justice noted it was considering ways to identify users of pre-paid SIM cards, an issue which was raised by several states.
In addition to these points, the full document is full of more damning details. For example, not one Member State provided any statistical information demonstrating that data retention was of use in any significant number of cases (p.7), while it’s clear from responses that the Directive – which was sold as a harmonisation measure – has completely failed to achieve this (p.8). Similarly, national data protection authorities have pointed out that they often lack proper powers to supervise data retention and that telecommunications companies often lack proper security over customer data (pp.9-10).
May 14th, 2010
Karlin Lillington writes in today’s Irish Times about the German decision striking down data retention law as a breach of privacy and what it means for the Data Retention Bill currently before the Oireachtas. Here’s an excerpt:
ANALYSIS: Data retention proposals about to become law here have been declared an invasion of privacy in Germany. Government please take note
IF THE Government fails to reconsider the terms of its Data Retention Bill, currently in its final stages before the Houses of the Oireachtas, it is likely to find that costly court challenges and a forced reworking of the legislation lie ahead.
The Retention of Data Bill 2009 seeks the overdue implementation of an EU directive on data retention (storage of call data for two years and internet-use data for one year, for everyone in the country, including children). It is the tail-end of a long process in which the right to privacy has been pitted against the needs of law enforcement to have access to records for criminal investigations.
Even as the Bill passed a Dáil vote that cements in its current provisions, there are signs that all is not well on the European front for national data retention legislation.
On Tuesday, in a significant finding, the German constitutional court threw out Germany’s existing data retention laws for a range of reasons, many of which have direct application to Ireland.
The German court echoed precisely the concerns expressed by many groups and individuals here about our own legislation – worries that were given a lone voice in the Dáil debate by Labour TD Seán Sherlock.
The German court found that enacting any data retention legislation requires a regard for what it termed the exceptional intensity of the interference with human rights that result from such measures. It therefore obligates the government to have clear and transparent measures in place to ensure data safety, data use, and adequate legal remedy available to citizens for misuse of personal data.
It said retention legislation must set a very high standard for safety of all data, and this cannot be balanced against a general burden of cost, whoever that may lie with. It underlined that access to data should only be allowed in cases targeting most serious crimes and terrorist offences. It argued that individuals must be notified after the fact that their information was accessed for an inquiry.
All of these issues have been highlighted as a concern in Ireland, where the Government has tried to downgrade the level of the crimes that our legislation applies to; does not outline a quality of service that must be met to protect data; does not cover the costs of managing and protecting data, but passes them on to the internet and telecoms sector; and does not give adequate legal remedy to citizens nor adequate oversight. Irish legislation would not meet the provisions laid out by the German court.
Privacy advocacy group Digital Rights Ireland has already brought a constitutional case against the Government in the High Court on the constitutionality of Irish legislation. This is widely expected to be referred to the European Court of Human Rights and prove a test case on the issue for the EU as a whole, where the German case will signal issues likely to prove troublesome for Irish and other EU nations’ retention laws.
March 4th, 2010
The civil rights organisation which brought the successful challenge to data retention before the German Constitutional Court has now issued a press release on that decision. Here’s the full text:
Press release by the German Working Group on Data Retention (AK Vorrat)
2 March 2010:
After data retention ruling: Civil liberties activists call for political end to retention of telecommunications data
+++ Data retention opposed by 70% of German population +++ European Citizens’ Initiative for repealing the EU directive on data retention announced +++ Legal action to be continued +++
The German Working Group on Data Retention has today announced a Europe-wide campaign to end Internet and telephone data retention. This follows the German Constitutional Court’s ruling on a mass complaint made by more than 34,000 citizens. According to a newly-published poll, 69.3% of all Germans oppose data retention, making it the most strongly rejected surveillance law.
“The recording of confidential contacts and movements of the entire population in the absence of any suspicion is unacceptable and must stop immediately”, says Florian Altherr of the Working Group. “In starting an initiative to this end, the Federal Minister of Justice can count on the support of EU Commissioner Viviane Reding as well as of many states such as Austria, Belgium and Romania, all of which do not have data retention laws in place.”
“In order to bring the massive rejection of blanket data retention home to politicians we are in the process of preparing a European Citizens’ Initiative. With the signatures of one million opponents to the permanent logging of our Internet and phone use we want to persuade the EU to repeal its data retention directive”, announces data protection activist padeluun of the Working Group.
Patrick Breyer of the Group adds: “At the same time we will continue our legal fight against data retention. Today’s decision proclaiming the recording of the entire population’s behaviour in the absence of any suspicion compatible with our fundamental rights is unacceptable and opens the gates to a surveillance state.”
The German Working Group on Data Retention is making five political demands after today’s ruling:
1. The Federal Government, the Federal Minister of Justice and Parliaments must now cooperate with other like-minded states and bodies to take steps to repeal the redundant and detrimental data retention directive.
2. The German law on data retention, going far even beyond EU requirements and – according to the German Constitutional Court – unconstitutional, must not be re-enacted.
3. European citizens should be given the right to file constitutional complaints directly with the European Court of Justice.
4. The Federal Government must not agree to any further collection of information on citizens not suspected of any wrong-doing in the name of security, such as the air travellers file proposed by the EU. Mass data pools that were introduced in the past, such as the registration of Internet use by the Federal Office for Information Security or the employee information system ELENA, must be closed down.
5. An independent review of all existing “security” measures must take place in order to systematically examine their compatibility with our fundamental rights, their effectiveness, their cost, their harmful side-effects and alternatives.
Communications data enables the tracing of who has contacted whom via telephone, mobile phone or e-mail. In the case of mobile calls or text messages via mobile phone, the user’s location is also logged. Data retention allows citizens’ movements to be traced and personal and business contacts to be monitored. Information regarding the content of communications such as personal interests and individual life circumstances can also be deduced.
A study commissioned in 2008 shows that data retention is acting as a serious deterrent to the use of telephones, mobile phones, e-mail and Internet. The survey conducted by research institute Forsa found that with communications data retention in place, one in two Germans would refrain from contacting a marriage counsellor, a psychotherapist or a drug abuse counsellor by telephone, mobile phone or e-mail if they needed their help. One in thirteen people said they had refrained from using telephone, mobile phone or e-mail at least once because of data retention, which extrapolates to 6.5 million Germans in total.
German NGO Working Group on Data Retention (Arbeitskreis Vorratsdatenspeicherung) organised several protest marches against the scheme. Last year, 20,000 people protested against surveillance in Berlin.
About Arbeitskreis Vorratsdatenspeicherung (German Working Group on Data Retention):
The Arbeitskreis Vorratsdatenspeicherung (AK Vorrat) is a Germany-wide organisation which campaigns against extensive surveillance in general and the blanket logging of telecommunications and other behavioural data in particular.
Homepage and contact details: http://www.vorratsdatenspeicherung.de
Footnotes and Links:
 Poll on data retention (in German):
 Protest march “Freedom not Fear”:
March 3rd, 2010
Great news from Germany, where the Federal Constitutional Court has found data retention law to be incompatible with the right to privacy under the German Constitution. More thoughts on the decision and the implications for our own case at a later stage, but for the meantime here’s the initial AP report:
MELISSA EDDY Associated Press Writer
5:23 AM EST, March 2, 2010
BERLIN (AP) — Germany’s highest court on Tuesday overturned a law allowing authorities to retain data on telephone calls and e-mail traffic for help in tracking criminal networks.
A law ordering data on calls and e-mail exchanges be retained for six months for possible use by criminal authorities violated Germans’ constitutional right to private correspondence and must be revised, the Federal Constitutional Court ruled.
In its ruling, the court said the law failed to sufficiently balance the need for personal privacy against that for providing security, although it did not rule out data retention in principle.
“The disputed instructions neither provided a sufficient level of data security, nor sufficiently limited the possible uses of the data,” the court said.
Nearly 35,000 Germans had appealed to the court to overturn the law, which stems from a 2006 European Union anti-terrorism directive requiring telecommunications companies to retain phone data and Internet logs for a minimum of six months in case they are needed for criminal investigations.
The court upheld the EU directive, saying the problem lay instead with how the German parliament chose to interpret it.
Under the German law, which went into effect Jan. 2008, information about all calls from mobile or landline phones was retained for six months, including who called whom, from where and for how long.
The following year, that law was expanded to include the data surrounding all contact via e-mail.
Although the laws forbid authorities from retaining the contents of either form of communication, they met with fierce opposition from civil rights groups.
“Massive amounts of data about German citizens who pose no threat and are not suspects is being retained,” Germany’s commissioner for data security issues, Peter Schaar, told ARD’s morning show.
Experts argue the information is crucial to being able to trace crimes involving heavy use of the Internet, including tracking terror networks and pursuing child pornography.
March 2nd, 2010
The Law Reform Commission has just published a consultation paper on search warrants and bench warrants. In relation to search warrants it points out there is currently a bewildering array of statutory provisions (over 100 different Acts and Regulations) which deal with searches, with different procedures to be followed and different powers of search and seizure in each case. The consultation paper aims, amongst other things, to rationalise the law in this area, and seeks to put in place a single statutory framework.
Surprisingly, though, the consultation paper has almost nothing to say about searches of computers and data. In fairness, it does note that there are some existing (rather patchy) provisions which specifically deal with computer searches – such as the power to require passwords in s.48 of the Criminal Justice (Theft and Fraud Offences) Act 2001. It also makes a very brief reference to the need for specialist forensic examination of seized computers. However, it fails to consider any of the difficulties which have emerged when traditional norms are applied to data, much less current proposals which would fundamentally rewrite the law in this area.
To take just a few examples: there is no recognition of the vast quantities of personal data which are often stored on computers, making searches particularly privacy invasive in a way which is not generally true elsewhere. On a similar note, the consultation paper fails to recognise that the effect of seizing a computer and data can often be to shut down a business or to seriously disrupt an individual’s life, and that this often can be mitigated by returning a copy of the seized data. There’s no analysis of how extensive searches of data should be – if, for example, a computer is seized on suspicion of fraud offences should it be permissible to automatically scan the hard drive to detect possible child pornography images? (These and many other issues have been extensively analysed by Orin Kerr in several excellent articles, including Search Warrants in an Era of Digital Evidence and Searches and Seizures in a Digital World.) Similarly, there’s no mention of so-called remote searches (police hacking into computers at a distance), despite the fact that these have been the subject of recent EU proposals.
These and other issues will have to be addressed if the Law Reform Commission analysis is to deal with computer searches adequately in a way which protects privacy – if you’re interested in bringing any of these issues to their attention, you can email them at email@example.com or make a submission via snail mail using the details on this page.
(Cross-posted from tjmcintyre.com)
December 28th, 2009
Karlin Lillington has a strong piece in today’s Irish Times about a leaked draft agreement on data retention between state agencies (the Garda Síochána, Revenue and Defence Forces) and the telecoms industry (represented by ALTO, TIF and the ISPAI). Her comments are worth quoting extensively:
A secret memorandum of understanding between State agencies and the communications industry on how to implement the as-yet non-existent Government data retention legislation, confirms longstanding concerns about who is managing the data retention agenda and to what end.
With data retention, it appears that the tail is wagging the dog, in blatant disregard for proper democratic legislative process. The agencies that want access to our call and internet data are bypassing the Oireachtas, which at least theoretically, is the body that draws up and implements legislation.
As one alarmed privacy advocate told me: “This is legislation by decree.” …
No doubt, the argument will be made – and indeed is, within the body of the 13 page memorandum – that the document exists to help streamline the process by which our data are requested and handed over to various bodies that will now be allowed to look at it. Or as the memorandum states: “to promote efficient and effective standards of co-operation between the State and the Communications Industry.”
But it is not the business of the agencies to arrange any such matters privately with the communications industry, especially in the absence of actual legislation, or any public discussion or input, or any significant Oireachtas debate on a Bill that has only recently been published and not yet debated.
A data retention bill has not been passed by the Oireachtas yet, so this extraordinary “agreement” is based on sweeping assumptions, not articles of law.
More startling is the fact that agencies and industry are making such secretive plans for co-operation at all. It is the job of the Oireachtas and, ultimately, the courts to determine how legislation will be interpreted and implemented, not the Garda Commissioner, the Revenue Commissioners or the Defence Forces by private agreement.
This is the equivalent of the Financial Regulator securing a private understanding with Irish companies and banks as to how they will be supervised and how evidence will be obtained from them for investigations.
Another concern is that the memorandum, as it stands, indicates an agreement to obtain data that goes beyond what has been proposed so far in the published data retention bill.
The memorandum arranges for communications companies to hand over “any available personal details” of an IP address user, e-mail sender or VoIP user, even though the draft Bill (as seen by The Irish Times earlier this year) only requires name and address.
The memorandum also contains an agreement to hand over the MAC address associated with a computer user – the numerical “address” of a physical piece of hardware, such as a laptop, that enables it to connect to a network – though not required by the Bill.
The memorandum concludes with supreme arrogance: a detailed schedule pertaining to what will be handed over and how, matched to the text from the “Act” – again, simply the proposed Bill the Oireachtas has not yet approved. The schedule has a column for the “mutual agreement of retained data” and another for “issues addressed and agreed”.
Excuse me? Since when do agencies and industry get to “mutually agree” how they will privately interpret and comply with publicly mandated legislation (setting aside the glaring absence of any such legislation on which to base their ‘mutual agreement’)?
The memorandum notes in conclusion that it should be disseminated within Government “where necessary” and copies of the signed agreement be filed with legal representatives and stored internally in company files.
So, we have a private deal arranged in advance, in disregard of the role of the democratically elected Oireachtas and with no public input or scrutiny, between State agencies and the communications industry on how they will interpret and act on one of the most controversial pieces of legislation proposed for the State and European Union.
Legislation that has massive privacy and security implications for citizens and for businesses, and which already has been criticised by several leading business figures from indigenous and multinational companies as a threat to Ireland’s business environment.
Such arrangements have no place in a democracy and will surely alarm businesses that have chosen to base themselves in Ireland. Revelations that they exist will not instill confidence that privacy safeguards will be respected for citizens or businesses, nor dispel concerns that other murky off the record arrangements will be made along the way.
To be fair, there are portions of the draft agreement which are highly desirable. It aims to establish a single point of contact principle, which should minimise mistakes and abuse. It seeks to have state authorities digitally sign and encrypt any email requests for information. And it clarifies the appallingly vague technical language in the draft Data Retention Bill in a way which may make it workable.
But these safeguards should be built into the legislation itself, made mandatory and enforceable by judicial supervision. Instead, this agreement leaves them to an ad hoc arrangement between the State and the telecoms industry, and admits that it is merely “a non-binding statement of understanding or agreement [which] creates no legal obligations or commitments on the signing parties”. Moreover, it does so in secret, with no public input into the process. And, as Karlin points out, in some places it goes beyond what the draft legislation would require, and commits ISPs to handing over information without any legal obligation or permission to do so.
Read the full text of the leaked agreement here.
September 25th, 2009