Digital Rights Ireland

Internet Filtering in Ireland: More Information from the Seanad

Following on from our freedom of information request, Senator Paschal Donohue recently raised the issue of internet filtering in the Seanad. In a perceptive intervention he pointed to business risks of filtering and sought to establish precisely what is the current policy in this area. The Government response is very interesting – confirming for example that all Irish mobile broadband providers are already filtering (presumably against the IWF blacklist) and that the the Department of Communications has been frozen out of the discussion. Full text: (more…)

8 comments June 1st, 2010

Pulling the plug is not the answer

Dr. Richard Tynan and I have a piece in Saturday’s Irish Examiner discussing the implications of Eircom’s “phased disconnection” scheme. Unfortunately it doesn’t seem to be on their website, so here’s the full text:

Pulling the plug is not the answer

Earlier this week Eircom announced that it has started “the phased disconnection of file-sharers” on its network – colloquially known as a “three strikes” policy.

The key players in this procedure are Eircom, the Irish Recorded Music Association (IRMA) and technology firm Dtecnet. Under the procedure IRMA will provide Eircom with the IP addresses of machines that Dtecnet claims to have found to be infringing the copyright of its members. This will then trigger a disconnection procedure by Eircom starting with a letter, moving on to temporary suspension of an account, and ending with the disconnection of the account for up to a year.

In Ireland, one must generally have engaged in some form of wrongdoing in order to be punished. It is clear that the disconnection of one’s internet access is quite a severe punishment in today’s digital society.

But one problem with the approach adopted by Eircom is that the wrongdoer and the person who is disconnected may not be the same person.

The evidence used to identify alleged filesharers is unreliable.

Recent studies in the US have shown that copyright holders often act on flimsy evidence – in one case, accusing three laser printers of illegal filesharing. Similarly there is substantial evidence of UK users being wrongfully targeted. This may in part be due to deliberate tactics to sow confusion.

For example, the operators of filesharing site ThePirateBay have confirmed that they insert random IP addresses into the information they provide as to who is sharing what file.

But whatever the reason it is likely that innocent Irish users will face wrongful accusations.

In addition, in the era of wireless technology it is very common for an internet connection to be shared by many members of a household. In fact, Eircom offers wireless routers as part of its broadband bundles. This means that cutting off internet access based on the actions of one user will have a detrimental effect on all the others using the same connection for education, entertainment or business purposes.

If a husband is accused of filesharing, should this have the effect of preventing his children from doing their homework, or his wife from working at home?

It is clear that in the household context, the alleged wrongdoer and the individuals punished are not the same and the impact can be wholly disproportionate.

There’s also a risk that users may be accused based on somebody else piggybacking on their wireless connection. In November 2009 it was revealed that Eircom had negligently supplied insecure wireless modems, affecting up to 250,000 users.

Consequently anyone within the signal range of these users can illegally share files without the account holder’s knowledge – and there is even an app for the iPhone to make this process easier.

Eircom state on their website that they will not disconnect business customers but the effects of these measures on a small business could be catastrophic where they have an ordinary household account (as many do).

Through no fault of their own, a small business might find their internet connectivity withdrawn because of the actions of another family member, a malicious neighbour or even because they happen to be unlucky enough to be assigned the same IP address as one ThePirateBay has randomly inserted into files sharing the latest U2 album. This is worrying in a situation where a person’s livelihood is at stake.

One criticism of the current approach is that it shifts the burden of preventing illegal file sharing onto the ISPs, driving up the cost of broadband for private users and businesses. While this is true, it in fact goes much further than that. This logic of this deal – particularly if it is extended to other ISPs – potentially places a burden onto small businesses such as hotels and coffee shops to police their users’ activity. This will come at a significant cost to these businesses who have limited resources in these hard times.

Quite apart from these criticisms, there are also significant problems of principle. Internet access is today a fundamental right and a necessity – especially as the government moves more public services online – but this system threatens to take away that right based on nothing more than a private agreement between IRMA and Eircom.

In other European countries proposals for similar laws have been the subject of public consultation and debated by national parliaments. Here, however, there has been no legislation and no Government or Oireachtas input of any sort. Indeed the full details of the deal between Eircom and IRMA have never been published. A recently passed European law requires that disconnection of internet users should be subject to “adequate procedural safeguards” and “effective judicial review” – this deal, however, doesn’t appear to provide for either.

Instead, it allows users to be disconnected with no right of appeal to any independent body.

In summary, the Eircom / IRMA deal and the “graduated response” procedure is a worrying development for Irish internet users – one which has been undemocratic in its adoption and is likely to be unreliable in its application.

TJ McIntyre is a Lecturer in the School of Law, UCD and chairman of Digital Rights Ireland

Dr. Richard Tynan is a Postdoctoral Research Fellow in the School of Computer Science and Informatics, UCD

1 comment May 31st, 2010

Leaked report on Data Retention Directive shows fundamental flaws

Under Article 14 of the Data Retention Directive the Commission must produce a public evaluation of the application of the Directive before 15 September 2010. A draft version of that document has now been leaked (along with the Irish Government’s submission) and makes for very interesting reading.

Karlin Lillington has an excellent summary in today’s Irish Times, and here are some of the highlights:

Ireland is one of the countries accessing private information the most:

THE GARDA made more requests for phone-call traffic data in 2008 than police in Germany, which has 20 times the population of the Republic.

According to a leaked draft of a European Commission report, gardaí made more than 14,000 access requests for call data in 2008, a rate about 40 per cent higher than had been previously assumed by data privacy advocates, who had based an estimate of 10,000 on figures provided in the past by gardaí to the Office of the Data Protection Commissioner.

Older data is very seldom accessed:

According to the report, the vast majority of data requests across the EU – 85 per cent – are made when the data is less than seven months old, with the bulk of requests, 70 per cent, filed for data held for less than three months.

Statistics gathered from member states “support the conclusion that the relevance of data decreases significantly” with age, the report says.

The report found no concrete evidence from any state to support longer retention periods. “No objective elements were found that could support the choice of the retention period: neither the prevalence of certain forms of crime, the geography of the [member state], or (in-)efficiencies of a law enforcement organisation seem to support the choice,” it says.

The report shows there are very few requests within any state, including Ireland, for data after 12 months. Only 109 requests in aggregate from eight EU countries including Ireland were made in 2008 for mobile data held longer than 18 months. Only 39 total requests from the same eight countries were made for fixed-line call data stored longer than 18 months.

Fears of function creep have been borne out, and data retention is being used for matters such as filesharing cases:

It also notes that many member states have implemented the EU data retention directive by widening its scope and retaining data that was not retained in the past, often allowing it to be used for more purposes than outlined in the directive, such as for civil litigation on copyright in the UK. Such expansion is referred to as “mission creep” by privacy advocates.

Irish companies will be at a competitive disadvantage due to data retention:

The report says some respondents feel that in states with lengthy retention periods, private industry is at a competitive disadvantage because of the burden and costs that retention may impose directly or indirectly.

Several network operators said the need to invest in retention infrastructure had caused them to delay or abandon improvements to national networks.

Deutsche Telekom claimed it had spent €5.2 million on implementation of retention infrastructure and €3.7 million a year to facilitate about 13,000 call data requests and 6,500 internet data requests. Other operators said they had spent in excess of €4 million setting up systems for providing access to stored data.

As predicted, prepay SIM cards have made data retention measures ineffective and have led to Member States – including Ireland – attempting to ban their use:

In the Government’s response to a questionnaire on the State’s implementation of data retention, the Department of Justice noted it was considering ways to identify users of pre-paid SIM cards, an issue which was raised by several states.

In addition to these points, the full document is full of more damning details. For example, not one Member State provided any statistical information demonstrating that data retention was of use in any significant number of cases (p.7), while it’s clear from responses that the Directive – which was sold as a harmonisation measure – has completely failed to achieve this (p.8). Similarly, national data protection authorities have pointed out that they often lack proper powers to supervise data retention and that telecommunications companies often lack proper security over customer data (pp.9-10).

2 comments May 14th, 2010

Data Retention Challenge – High Court update

After last week’s excitement, this week is something of an anti-climax – when the case came back before the High Court today the State applied for and were granted further time to consider the judgment. The case will be listed next on June 11th.

4 comments May 12th, 2010

High Court decision on our data retention challenge

Great news today from the High Court where Mr. Justice McKechnie gave an extremely favourable decision on our constitutional challenge to data retention laws.

While the full judgment is 53 pages long, the gist is relatively simple.

Long story short: today’s decision has cleared the way for our challenge to proceed and to challenge the entire European legal basis for data retention.

(Following the wider European trend where Germany, Bulgaria and Romania have all found aspects of data retention to be unconstitutional.)

The longer version: Today’s decision dealt with three procedural issues which had to be cleared before we can argue the substance of the case: i.e. whether mass surveillance of this sort is compatible with constitutional guarantees of fundamental rights.

The first of these issues dealt with standing: could DRI (as a company, not a natural person) assert rights of privacy? And could it argue the rights of privacy of others? On this point the court held in our favour, accepting that DRI was a “sincere and serious litigant”, which raised these issues with bona fide interest and concern and ruling that it was appropriate for us to argue these points as this was a matter of “fundamental public importance”.

The second point dealt with an attempt by the State to stop the action in its tracks by seeking “security for costs” – i.e. requiring us to make a payment into court to cover the costs of the State should we lose the action. Because of the cost of High Court actions, requiring such a payment at the outset could effectively have prevented the case from being heard. Here the court rejected the State’s application, holding that:

the matters pleaded in this case do raise issues of significant public importance… Given the rapid advance of current technology it is of great importance to define the legitimate legal limits of modern surveillance techniques used by governments… without sufficient legal safeguards the potential for abuse and unwaranted invasion of privacy is obvious… That is not to say that this is the case here, but the potential is in my opinion so great that a greater scrutiny of the proposed legislation is certainly merited.”

Finally, the third point related to our application to refer this case to the European Court of Justice (“ECJ”). As data retention is now dealt with at a European level, it is important that we be able to challenge the European law in this area – something which can only be done before the ECJ in Luxembourg. Here the court again accepted our argument, holding that a reference to the ECJ was required and that it was appropriate that it be made at the current stage of the proceedings.

So what happens next? There will be some more legal argument next week about the precise questions which should be referred to the ECJ – after that, the case will be referred to the ECJ and will go into their system for a hearing in Luxembourg, which have implications for data retention across Europe.

14 comments May 5th, 2010

Adrian Weckler: Why Internet Blocking Won’t Work

Adrian Weckler of the Sunday Business Post has an excellent recent column on the current EU proposals to require internet blocking:

The European Commission has proposed a directive requiring internet service providers (ISPs) to ban access to websites displaying child pornography. Unfortunately, this is the wrong action to take.

It won’t prevent access to the websites in question, and it will start a legislative ball rolling where industry lobby groups will begin to agitate for bans on access to all manner of websites.

The commission’s rationale is that many illegal websites are hosted outside the European Union.

Therefore, it has no power to prosecute the website owners or shut the sites down. The next best move, it reckons, is to compel ISPs across the EU to block access to such sites.

For the person trying to access such a site, a message will be displayed informing them that the URL is blocked.

Some argue that the new rules should go further; that ISPs should be required to keep a record of computer addresses that attempt to access these illegal sites and report them to the police.

There are a great many problems with adopting this approach. Most importantly, it won’t work. Technology used to block access to websites is, generally, old.

It is also quite easy to bypass for anyone who wishes to spend a few minutes online investigating how to do so.

Full text.

Add comment April 29th, 2010

FOI shows Department of Justice planning internet blocking for Ireland

In January we filed a Freedom of Information Request with the Department of Justice asking for all documents dealing with internet blocking by ISPs. Last month the response came back – refusing access to almost every internal document!

Sometimes, however, it can be informative to know what is being concealed. When answering FOI requests, departments prepare a schedule of records listing each document they hold by data and title.

Looking at this list (available here) it becomes clear that for some time now the Department of Justice has been proposing the introduction of internet blocking in Ireland – and has been doing this under the radar, without any public consultation or legislative approval. Indeed, it is clear from the list that the Department is not planning on introducing legislation but instead intends to introduce this new form of censorship without any legal basis, based on the now discredited Norwegian and Danish models.

(Item #39 is typical. While we don’t have the content, the description – “Copy detailed minutes of meeting between OIS [Office of Internet Safety] and An Garda Siochána 30/07/08 re proposed introduction of blocking technology – 4 pages” – is revealing. Item #48 shows that the discussions have gone as far as “operational procedures”.)

We’ll be writing more about this shortly – in the meantime, Karlin Lillington has a good piece in today’s Irish Times discussing the implications of these documents:

Putting up barriers to a free and open internet

The Government has been having high-level discussions on introducing internet blocking, writes KARLIN LILLINGTON

THE GOVERNMENT has had extensive private discussions on introducing internet blocking – barring access to websites or domains – according to material obtained under a Freedom of Information (FOI) request.

The approach is used by some internet service providers (ISPs) and mobile network operators to block access to child pornography. But increasingly, governments and law enforcement agencies are pushing for much broader use, ranging from blocking filesharing sites to trying to tackle cybercrime and terrorism.

Critics say internet blocking creates many problems with little real effect on illegal activity. For example, internet users and businesses have complained about the side-effects of domain blocking, where barring access to domains can shut down hundreds of personal and business websites as well as e-mail addresses associated with them.

The exact nature of the Government discussions cannot be determined as many of the requests for key documents were refused by the Department of Justice. However, the ongoing high level of discussion on the subject is indicated in the detailed description of each refused item in the list of materials returned by the department.

The FOI request, made by privacy advocate Digital Rights Ireland and seen by The Irish Times, contains eight pages of listed documents. One refused item details a June 2009 meeting between the department and Vodafone on the “introduction of internet filtering in Ireland”. Another is an e-mail from mobile operator 3 listing filter technologies it is using.

Another refused item details minutes of a meeting between the Office for Internet Safety and the Garda “re proposed introduction of blocking technology”. Discussions on the international use of blocking and on proposed European legislation were also refused.

Possible interest in the wider use of such technologies is indicated by a refused document in which an e-mail and note on blocking child pornography sites was forwarded to the official in the Department of Justice in charge of casino gaming regulation.

Proponents of internet blocking argue that it removes offensive and illegal material from the internet and can make it more difficult for child pornographers and their customers to operate.

But critics say it is a blunt instrument that does little to combat pornography or other activities, while causing headaches for networks and ISPs. It can also cause inconvenience and costly disruptions to service for innocent companies and individuals if their websites, internet access and e-mail get cut off.

Paul Durrant of the Internet Service Providers’ Association of Ireland says blocking brings cost burdens for service providers and is not particularly effective. He also says it often means many legitimate websites are barred.

Often, website operators are not informed that their site is on a blacklist and may be unaware that millions are denied access to it.

ISPs also object to taking on the role of policing illegal filesharing. Internationally, ISPs claim they are under increasing pressure from copyright holders and law enforcement agencies to bring in blocking software to do this. “It gets very difficult to judge what is illegal and this kind of blocking would be problematic to implement,” says Durrant. “The Government really needs to put clear laws in place if it wants to do this.”

Durrant adds that blocking “stifles a free and open internet” – a concern for national and international “smart-economy” businesses – and could affect inward investment and the ability of Irish businesses to operate effectively.

Existing evidence indicates that blocking is a clumsy approach and amounts to censorship, says TJ McIntyre, a barrister, UCD law lecturer and chairman of Digital Rights Ireland. He is concerned about the indications from his FOI request that blocking could be brought in on a national level.

McIntyre has written a paper arguing that increasing pressure on network providers and ISPs to act as third-party “gatekeepers”, often in a “voluntary” fashion, allows for unaccountable control of internet users and usage.

“Blocking involves censorship taken on no legal basis. There is no judge, no jury and no right to be heard if you are blocked,” says McIntyre. “The chances are it also will be used in unaccountable ways by unaccountable organisations.”

He adds: “If you want to stop people accessing certain material, the thing to do is to legislate for that.”

59 comments April 16th, 2010

Why German data retention decision means Irish Bill should be scrapped

Karlin Lillington writes in today’s Irish Times about the German decision striking down data retention law as a breach of privacy and what it means for the Data Retention Bill currently before the Oireachtas. Here’s an excerpt:

ANALYSIS: Data retention proposals about to become law here have been declared an invasion of privacy in Germany. Government please take note

IF THE Government fails to reconsider the terms of its Data Retention Bill, currently in its final stages before the Houses of the Oireachtas, it is likely to find that costly court challenges and a forced reworking of the legislation lie ahead.

The Retention of Data Bill 2009 seeks the overdue implementation of an EU directive on data retention (storage of call data for two years and internet-use data for one year, for everyone in the country, including children). It is the tail-end of a long process in which the right to privacy has been pitted against the needs of law enforcement to have access to records for criminal investigations.

Even as the Bill passed a Dáil vote that cements in its current provisions, there are signs that all is not well on the European front for national data retention legislation.

On Tuesday, in a significant finding, the German constitutional court threw out Germany’s existing data retention laws for a range of reasons, many of which have direct application to Ireland.

The German court echoed precisely the concerns expressed by many groups and individuals here about our own legislation – worries that were given a lone voice in the Dáil debate by Labour TD Seán Sherlock.

The German court found that enacting any data retention legislation requires a regard for what it termed the exceptional intensity of the interference with human rights that result from such measures. It therefore obligates the government to have clear and transparent measures in place to ensure data safety, data use, and adequate legal remedy available to citizens for misuse of personal data.

It said retention legislation must set a very high standard for safety of all data, and this cannot be balanced against a general burden of cost, whoever that may lie with. It underlined that access to data should only be allowed in cases targeting most serious crimes and terrorist offences. It argued that individuals must be notified after the fact that their information was accessed for an inquiry.

All of these issues have been highlighted as a concern in Ireland, where the Government has tried to downgrade the level of the crimes that our legislation applies to; does not outline a quality of service that must be met to protect data; does not cover the costs of managing and protecting data, but passes them on to the internet and telecoms sector; and does not give adequate legal remedy to citizens nor adequate oversight. Irish legislation would not meet the provisions laid out by the German court.

Privacy advocacy group Digital Rights Ireland has already brought a constitutional case against the Government in the High Court on the constitutionality of Irish legislation. This is widely expected to be referred to the European Court of Human Rights and prove a test case on the issue for the EU as a whole, where the German case will signal issues likely to prove troublesome for Irish and other EU nations’ retention laws.

Full text.

7 comments March 4th, 2010

Press Release on German Data Retention Decision

The civil rights organisation which brought the successful challenge to data retention before the German Constitutional Court has now issued a press release on that decision. Here’s the full text:

Press release by the German Working Group on Data Retention (AK Vorrat)

2 March 2010:

After data retention ruling: Civil liberties activists call for political end to retention of telecommunications data

+++ Data retention opposed by 70% of German population +++ European
Citizens’ Initiative for repealing the EU directive on data retention announced +++ Legal action to be continued +++

The German Working Group on Data Retention has today announced a Europe-wide campaign to end Internet and telephone data retention. This follows the German Constitutional Court’s ruling on a mass complaint made by more than 34,000 citizens. According to a newly-published poll, 69.3% of all Germans oppose data retention, making it the most strongly rejected surveillance law.[1]

“The recording of confidential contacts and movements of the entire population in the absence of any suspicion is unacceptable and must stop immediately”, says Florian Altherr of the Working Group. “In starting an initiative to this end, the Federal Minister of Justice can count on the support of EU Commissioner Viviane Reding as well as of many states such as Austria, Belgium and Romania, all of which do not have data retention laws in place.”

“In order to bring the massive rejection of blanket data retention home to politicians we are in the process of preparing a European Citizens’
Initiative. With the signatures of one million opponents to the permanent logging of our Internet and phone use we want to pursuade the EU to repeal its data retention directive”, announces data protection activist padeluun of the Working Group.

Patrick Breyer of the Group adds: “At the same time we will continue our legal fight against data retention. Today’s decision proclaiming the recording of the entire population’s behaviour in the absence of any suspicion compatible with our fundamental rights is unacceptable and opens the gates to a surveillance state.”

The German Working Group on Data Retention is making five political demands after today’s ruling:
1. The Federal Government, the Federal Minister of Justice and Parliaments must now cooperate with other like-minded states and bodies to take steps to repeal the redundant and detrimental data retention directive.
2. The German law on data retention, going far even beyond EU requirements and – according to the German Constitutional Court – unconstitutional, must not be re-enacted.
3. European citizens should be given the right to file constitutional complaints directly with the European Court of Justice.
4. The Federal Government must not agree to any further collection of information on citizens not suspected of any wrong-doing in the name of security, such as the air travellers file proposed by the EU. Mass data pools that were introduced in the past, such as the registration of Internet use by the Federal Office for Information Security or the employee information system ELENA, must be closed down.
5. An independent review of all existing “security” measures must take place in order to systematically examine their compatibility with our fundamental rights, their effectiveness, their cost, their harmful side-effects and alternatives.

Background information:

Communications data enables the tracing of who has contacted whom via telephone, mobile phone or e-mail. In the case of mobile calls or text messages via mobile phone, the user’s location is also logged. Data retention allows citizens’ movements to be traced and personal and business contacts to be monitored. Information regarding the content of communications such as personal interests and individual life circumstances can also be deduced.

A study commissioned in 2008 shows that data retention is acting as a serious deterrent to the use of telephones, mobile phones, e-mail and Internet. The survey conduced by research institute Forsa found that with communications data retention in place, one in two Germans would refrain from contacting a marriage counsellor, a psychotherapist or a drug abuse counsellor by telephone, mobile phone or e-mail if they needed their help. One in thirteen people said they had refrained from using telephone, mobile phone or e-mail at least once because of data retention, which extrapolates to 6.5 mio. Germans in total.

German NGO Working Group on Data Retention (Arbeitskreis
Vorratsdatenspeicherung) organised several protest marches against the scheme. Last year, 20.000 people protested against surveillance in Berlin.[2] About Arbeitskreis Vorratsdatenspeicherung (German Working Group on Data
Retention):

The Arbeitskreis Vorratsdatenspeicherung (AK Vorrat) is a Germany-wide organisation which campaigns against extensive surveillance in general and the blanket logging of telecommunications and other behavioural data in particular.

Homepage and contact details: http://www.vorratsdatenspeicherung.de

Footnotes and Links:

[1] Poll on data retention (in German):

http://www.vorratsdatenspeicherung.de/images/infas-umfrage.pdf

[2] Protest march “Freedom not Fear”:

http://www.vorratsdatenspeicherung.de/content/view/333/79/lang,en/

About Arbeitskreis Vorratsdatenspeicherung (German Working Group on Data Retention):
The Arbeitskreis Vorratsdatenspeicherung (AK Vorrat) is a Germany-wide organisation which campaigns against extensive surveillance in general and the blanket logging of telecommunications and other behavioural data in particular.
Homepage und contact details: http://www.vorratsdatenspeicherung.de

1 comment March 3rd, 2010

German Constitutional Court strikes down data retention law

Great news from Germany, where the Federal Constitutional Court has found data retention law to be incompatible with the right to privacy under the German Constitution. More thoughts on the decision and the implications for our own case at a later stage, but for the meantime here’s the initial AP report:

MELISSA EDDY Associated Press Writer

5:23 AM EST, March 2, 2010

BERLIN (AP) — Germany’s highest court on Tuesday overturned a law allowing authorities to retain data on telephone calls and e-mail traffic for help in tracking criminal networks.

A law ordering data on calls and e-mail exchanges be retained for six months for possible use by criminal authorities violated Germans’ constitutional right to private correspondence and must be revised, the Federal Constitutional Court ruled.

In its ruling, the court said the law failed to sufficiently balance the need for personal privacy against that for providing security, although it did not rule out data retention in principle.

“The disputed instructions neither provided a sufficient level of data security, nor sufficiently limited the possible uses of the data,” the court said.

Nearly 35,000 Germans had appealed to the court to overturn the law, which stems from a 2006 European Union anti-terrorism directive requiring telecommunications companies to retain phone data and Internet logs for a minimum of six months in case they are needed for criminal investigations.

The court upheld the EU directive, saying the problem lay instead with how the German parliament chose to interpret it.

Under the German law, which went into effect Jan. 2008, information about all calls from mobile or landline phones was retained for six months, including who called whom, from where and for how long.

The following year, that law was expanded to include the data surrounding all contact via e-mail.

Although the laws forbid authorities from retaining the contents of either form of communication, they met with fierce opposition from civil rights groups.

“Massive amounts of data about German citizens who pose no threat and are not suspects is being retained,” Germany’s commissioner for data security issues, Peter Schaar, told ARD’s morning show.

Experts argue the information is crucial to being able to trace crimes involving heavy use of the Internet, including tracking terror networks and pursuing child pornography.

3 comments March 2nd, 2010