Data Retention – Should it be left to a private agreement between the State and Telcos?

Karlin Lillington has a strong piece in today’s Irish Times about a leaked draft agreement on data retention between state agencies (the Garda Síochána, Revenue and Defence Forces) and the telecoms industry (represented by ALTO, TIF and the ISPAI). Her comments are worth quoting extensively:

A secret memorandum of understanding between State agencies and the communications industry on how to implement the as-yet non-existent Government data retention legislation, confirms longstanding concerns about who is managing the data retention agenda and to what end.

With data retention, it appears that the tail is wagging the dog, in blatant disregard for proper democratic legislative process. The agencies that want access to our call and internet data are bypassing the Oireachtas, which at least theoretically, is the body that draws up and implements legislation.

As one alarmed privacy advocate told me: “This is legislation by decree.” …

No doubt, the argument will be made – and indeed is, within the body of the 13-page memorandum – that the document exists to help streamline the process by which our data are requested and handed over to various bodies that will now be allowed to look at it. Or as the memorandum states: “to promote efficient and effective standards of co-operation between the State and the Communications Industry.”

But it is not the business of the agencies to arrange any such matters privately with the communications industry, especially in the absence of actual legislation, or any public discussion or input, or any significant Oireachtas debate on a Bill that has only recently been published and not yet debated.

A data retention bill has not been passed by the Oireachtas yet, so this extraordinary “agreement” is based on sweeping assumptions, not articles of law.

More startling is the fact that agencies and industry are making such secretive plans for co-operation at all. It is the job of the Oireachtas and, ultimately, the courts to determine how legislation will be interpreted and implemented, not the Garda Commissioner, the Revenue Commissioners or the Defence Forces by private agreement.

This is the equivalent of the Financial Regulator securing a private understanding with Irish companies and banks as to how they will be supervised and how evidence will be obtained from them for investigations.

Another concern is that the memorandum, as it stands, indicates an agreement to obtain data that goes beyond what has been proposed so far in the published data retention bill.

The memorandum arranges for communications companies to hand over “any available personal details” of an IP address user, e-mail sender or VoIP user, even though the draft Bill (as seen by The Irish Times earlier this year) only requires name and address.

The memorandum also contains an agreement to hand over the MAC address associated with a computer user – the numerical “address” of a physical piece of hardware, such as a laptop, that enables it to connect to a network – though not required by the Bill.

The memorandum concludes with supreme arrogance: a detailed schedule pertaining to what will be handed over and how, matched to the text from the “Act” – again, simply the proposed Bill the Oireachtas has not yet approved. The schedule has a column for the “mutual agreement of retained data” and another for “issues addressed and agreed”.

Excuse me? Since when do agencies and industry get to “mutually agree” how they will privately interpret and comply with publicly mandated legislation (setting aside the glaring absence of any such legislation on which to base their ‘mutual agreement’)?

The memorandum notes in conclusion that it should be disseminated within Government “where necessary” and copies of the signed agreement be filed with legal representatives and stored internally in company files.

So, we have a private deal arranged in advance, in disregard of the role of the democratically elected Oireachtas and with no public input or scrutiny, between State agencies and the communications industry on how they will interpret and act on one of the most controversial pieces of legislation proposed for the State and European Union.

Legislation that has massive privacy and security implications for citizens and for businesses, and which already has been criticised by several leading business figures from indigenous and multinational companies as a threat to Ireland’s business environment.

Such arrangements have no place in a democracy and will surely alarm businesses that have chosen to base themselves in Ireland. Revelations that they exist will not instill confidence that privacy safeguards will be respected for citizens or businesses, nor dispel concerns that other murky off-the-record arrangements will be made along the way.

To be fair, there are portions of the draft agreement which are highly desirable. It aims to establish a single point of contact principle, which should minimise mistakes and abuse. It seeks to have state authorities digitally sign and encrypt any email requests for information. And it clarifies the appallingly vague technical language in the draft Data Retention Bill in a way which may make it workable.

But these safeguards should be built into the legislation itself, made mandatory and enforceable by judicial supervision. Instead, this agreement leaves them to an ad hoc arrangement between the State and the telecoms industry, and admits that it is merely “a non-binding statement of understanding or agreement [which] creates no legal obligations or commitments on the signing parties”. Moreover, it does so in secret, with no public input into the process. And, as Karlin points out, in some places it goes beyond what the draft legislation would require, and commits ISPs to handing over information without any legal obligation or permission to do so.

Read the full text of the leaked agreement here.