Wednesday, December 19, 2012

Cloud surveillance in Ireland: coming soon to a server near you?

There's an excellent article by Peter Swire in the current International Data Privacy Law journal titled "From real-time intercepts to stored records: why encryption drives the government to seek access to the cloud". The core argument is relatively familiar though particularly well articulated - with the move away from conventional telephony and towards the use of VOIP, webmail and encrypted web connections over SSL there are growing problems for national governments in using traditional surveillance powers. Instead governments are increasingly attempting to access stored communications after the fact, where these are held in cloud services.

An important implication is that this divides up countries into "haves" (where cloud services are based and can be compelled to cooperate) and "have nots" (who will lack leverage over foreign companies). Consequently, as he puts it:
the 'have nots' become increasingly dependent, for access to communications, on cooperation from the 'have' jurisdictions... This technical possibility to respond to process leads to an important, specific split between the ‘haves’ and ‘have nots’. Some jurisdictions will have the cloud server in their jurisdiction, with relatively straightforward access to the stored records under local law. Other jurisdictions will not have such access. They will have to use a Mutual Legal Assistance Treaty (MLAT) or other mechanism to gain access to the holder of the records. These ‘have not’ jurisdictions may well face added expense and delay in gaining access to the records. In some (or perhaps many) cases they will not be able to access records that they consider important for law enforcement or national security purposes. Conversely, cloud providers and other holders of records are likely to face an increasing number of lawful access requests, from a potentially bewildering array of jurisdictions.
So what does this mean for Ireland? Think about these recent headlines: "Dropbox to establish Irish office", "Twitter ramps up hiring in Dublin", "Facebook is liking Ireland more and more". Add Google and other companies with Dublin HQs and suddenly Ireland becomes - in Swire's analysis - one of the "have" jurisdictions when it comes to internet surveillance.* Better yet, it's a jurisdiction with antiquated laws on surveillance, where oversight of police activities continues to be inadequate. Consequently we can expect both domestic and international interest in accessing the contents of these cloud services - with the added advantage that the out of date Irish law might allow the more stringent requirements of US law to be evaded in the case of providers with their main base in the US. Watch this space.

--

*There is one possible caveat - some US providers appear to be basing only e.g. sales and marketing functions here, leaving actual data hosting in the hands of a different (US) corporate entity and therefore theoretically outside the scope of the Irish authorities. It remains to be seen though whether this will be effective.

Tuesday, December 18, 2012

Voyeurism as harassment

There's a case reported in today's Irish Independent about a man convicted of hiding a camera in the shower of a women's locker room. In the absence of a voyeurism offence in Irish law he was charged with harassment contrary to s.10 of the Non Fatal Offences Against the Person Act 1997. This isn't the first of these cases and a practice has developed of using the 1997 Act in these circumstances. At first glance this might seem to be a good fit - the definition of harassment does after all cover situations where a person by "watching" another person thereby "seriously interferes with the other's peace and privacy". However, it seems to me that s.10 isn't a substitute for a dedicated voyeurism crime along the lines of the English offence. In particular, the section is aimed at overt harassment and requires that the harassment be carried out "persistently". Once-off incidents - including once-off cases of voyeurism - wouldn't be covered on this basis.

Monday, December 03, 2012

Irish mobile phone companies: still spammy

Last year, following a complaint to the Data Protection Commissioner, I finally received an apology from Carphone Warehouse for multiple spam text messages sent to my phone. It seems that they didn't get the message then. From today's Irish Times:
Carphone Warehouse was fined €1,250 on each of two charges relating to the sending of unsolicited email marketing messages. The court heard the company had previously been warned in relation to similar breaches, although it had no previous convictions.

Meteor was also prosecuted over the sending of an unsolicited marketing email. The customer who complained to the Data Protection Commissioner had previously gone to "some lengths" to ensure he would not be contacted by the company, the court heard. While the customer was the only one who complained, the message had been sent to between 11,000 and 18,500 people who should not have received it, the court heard. Counsel for the Data Protection Commissioner agreed that while Meteor had no previous convictions for such offences, it had previously had the benefit of the Probation Act. Judge O'Neill said that if the company paid €5,000 to Temple Street children's hospital by December 17th, he would strike out the charge. If the money was not paid by that date he would convict and impose a fine of €5,000.

Hutchison 3G, trading as Three, was prosecuted on three counts - one of sending an unsolicited email, one in relation to an unsolicited phone call, and a third in relation to an unsolicited marketing text message sent to deputy data protection commissioner Gary Davis.

Judge O'Neill asked the company to pay €2,500 to Crumlin children's hospital by December 17th. He said if such payment was made he would strike out the charge. He took two of the three charges into account.
Pro tip: if you're going to spam, try not to spam the Data Protection Commissioner's Director of Investigations.

Friday, November 30, 2012

Of hyperbole and credulous journalism

According to an uncritical report in the Irish Times today a court case will have "significant ramifications for Irish society". SiliconRepublic agrees that the case is "significant" and will "send shivers down the spine" of internet users. So what was this latter day Donoghue v. Stevenson of such great importance?

It turns out that it was a run of the mill application to the High Court to identify internet users. These are reasonably common in the Irish courts. The first came in 2005 when the music industry sought to identify filesharers. Since then there have been multiple such applications including several other filesharing cases, a very high profile action by the Red Cross against a whistleblower and one by Ryanair against pilots. This year alone applications were brought to identify internet users by a student wrongly accused of dodging a taxi fare and by solicitor Damien Tansey against the operators of the Rate Your Solicitor website.

This is far from being a full list - these are just the most high profile examples - and this is certainly not any sort of new area of law.

So why the hyperbole in the current stories? Both pieces quote the solicitor responsible for the action, and it's entirely understandable that he might seek to talk up the significance of the case. But journalists should know better than to accept self-serving claims at face value.

Monday, November 26, 2012

High Court confirms standard of review in data protection appeals

The recent decision in Nowak v. Data Protection Commissioner will be essential reading for all data protection practitioners as in it the High Court finally confirms the test to be used in hearing appeals against decisions of the Data Protection Commissioner, along with providing some interesting observations regarding examination scripts as personal data and the meaning of "frivolous and vexatious" complaints to the DPC.

Under s.26 of the Data Protection Acts 1988 and 2003 there is a general right of appeal to the Circuit Court against decisions of the DPC - that section does not, however, specify the standard which the court should take in hearing appeals. In particular, it left open the question of whether an appeal should be treated as a full rehearing of the matter, an appeal on the merits, an appeal limited to a point of law, or some other approach falling short of a hearing de novo. In practice, the Circuit Court has generally followed the decision in Ulster Bank v. Financial Services Ombudsman which is deferential towards the decision maker and requires the appellant to show a serious and significant error in the decision. However, given the scarcity of written judgments at Circuit Court level and the lack of any High Court precedent the matter remained open until now.

In this case, Mr. Nowak was an unsuccessful student with Chartered Accountants Ireland (CAI) and sought access to information held by CAI including a copy of his examination script. While other information was provided to him, the examination script was withheld on the basis that it did not constitute personal data. Mr. Nowak complained to the DPC, who ultimately declined to investigate his complaint on the basis that the complaint was frivolous or vexatious.

Mr. Nowak then brought an appeal to the Circuit Court under s.26, where Judge Linnane held that the court had no jurisdiction to hear the appeal where the DPC had declined to investigate the complaint on this basis. On subsequent appeal the High Court (Birmingham J.) agreed, ruling that:

I find myself in respectful agreement with Judge Linnane that the jurisdiction of the Circuit Court is to hear an appeal against a decision that has been arrived at after there has been an investigation. I share her view that absent investigation of the complaint and a decision in relation to the investigation, that the Circuit Court has no jurisdiction. The entitlement of an aggrieved party in the first place to submit an appeal and then of the Court to hear and determine an appeal arises only where there has been a decision of the Commissioner in relation to a complaint under section 10(1)(a). However, the Commissioner reaches a decision in relation to a complaint only if, not having decided that the matter is frivolous and vexatious, he proceeds to investigate the complaint and reaches a decision in relation thereto.

More importantly, however, Birmingham J. nevertheless went on to consider the substantive issue raised by the appellant and held that:
15. Had an appeal been possible, it would then have been necessary to consider how a court should approach the hearing of an appeal from a body such as the Data Protection Commissioner. How a court should approach an appeal from a statutory body was addressed by Finnegan P. in the case of Ulster Bank v. Financial Services Ombudsman [2006] IEHC 323 (Unreported, High Court, Finnegan P., 1st November, 2006). In the course of his judgment he commented:

"To succeed on this appeal the Plaintiff must establish as a matter of probability that, taking the adjudicative process as a whole, the decision reached was vitiated by a serious and significant error or a series of such errors. In applying the test the Court will have regard to the degree of expertise and specialist knowledge of the Defendant. The deferential standard is that applied by Keane C.J. in Orange v The Director of Telecommunications Regulation & Anor and not that in The State (Keegan) v Stardust Compensation Tribunal."...

17. I am satisfied that the approach identified by Finnegan P. is the one that would have been appropriate to apply had an appeal been available. In particular, it seems to me that it would have been appropriate for the court to have regard to what Finnegan P. referred to as the deferential standard, when deciding whether to substitute its own view for that of the Data Protection Commissioner on the issue of whether an examination script constituted personal data. The Data Protection Commissioner is concerned with issues involving data protection on a daily basis. He is required to be in regular contact with his colleagues in other EU member states and is likely to be fully au fait with developments internationally. Pointing to the expertise of the Data Protection Commissioner does not mean that a court will abdicate its responsibilities and there may be cases where decisions of the Commissioner will be set aside, but if that happens, the decision to set aside the decision of the Commissioner will have been taken by a court that is conscious of the experience and expertise of the Commissioner. [Emphasis added.]
Applying this standard, Birmingham J. went on to hold that examination scripts did not, per se, amount to personal data and that the DPC was entitled to find that the examination scripts in this case did not contain personal information. He also held that the DPC was entitled to find the complaint frivolous or vexatious on the basis that:
Th[e] section refers to complaints that are frivolous or vexatious. However, I do not understand these terms to be necessarily pejorative. Frivolous, in this context does not mean only foolish or silly, but rather a complaint that was futile, or misconceived or hopeless in the sense that it was incapable of achieving the desired outcome...
The decision of the Circuit Court was therefore affirmed.

While the points raised regarding examination scripts and frivolous and vexatious complaints are significant in their own right, for me the most important part of the decision is its clear statement that the courts should be slow to set aside decisions of the DPC. The standard applied - that of a serious and significant error - sets the bar quite high for any challenges.

Monday, November 12, 2012

Scenes from the history of the IEDR

The .ie Domain Registry (the IEDR) has been in the news lately following a compromise which left Google.ie and Yahoo.ie redirected to an Indonesian server controlled by hackers. This reminded me to scan and upload some documents from a 2003 Freedom of Information Act request to the Department of Communications about the IEDR - while of little contemporary relevance, they are very informative indeed for anyone with an interest in the history of the .ie space and hopefully will be a useful follow-on to the massive set of documents Michele Neylon obtained under FOI relating to the formation of the IEDR.

ENN has some background about the precarious state of the IEDR in 2003.

Apologies for the poor formatting - the documents are as received from the department: FOI re IEDR, 2003

Saturday, November 10, 2012

High Court orders Quinns to reveal passwords to receiver

Time to reset your password

In an interesting decision the High Court (Kelly J.) yesterday ordered that members of the Quinn family must provide passwords to personal email accounts and other information to a receiver appointed over their assets. The order was made in support of the injunctions already granted aimed at recovering assets following a "mesmerisingly complex" asset-stripping scheme in breach of court orders.

This is significant and may well be the first time an Irish court has made an order requiring a party to civil litigation to reveal their passwords to the other side - while there's extensive caselaw in the related area of electronic discovery, none of the reported cases seem to have required the production of passwords. [Update - the ever knowledgeable Andy Harbison tells me that this isn't in fact the first case where an Irish court has made an order requiring that passwords be disclosed - this has been done in at least one Anton Piller order, though unfortunately there's no reported judgment.]

Given the invasiveness of the procedure - especially the fact that personal emails would be involved - the court built protections into the order, so that:
[T]he information must only be seen by the receiver and a named solicitor.

The judge approved a protocol proposed by the receiver for obtaining and categorising information from the phones and computers. It involves material being downloaded in the presence of the Quinn defendants by a representative of a company hired by the receiver.
That material will then be categorised by the receiver into three categories -- relevant and not privileged, irrelevant, and apparently privileged. Disputes over privilege issues will be decided by the court.
More details in the Irish Times and the Irish Independent.

For the related issue as to whether password disclosure can be compelled in criminal matters see this post from 2010.

Friday, November 09, 2012

Irish newspapers have some curious views about search engines

The Irish newspaper industry seems to have chosen today for a bout of collective hyperbole about search engines. Here's what the Examiner had to say:
Work generated through effort, skill, imagination, professionalism, and usually considerable capital investment, is pirated by businesses with no connection to the creative process as a means to win revenue without risk or outlay. This process is hardly different to what we more commonly describe as theft. The scale of the piracy is astounding. In 2010, while every media company in the country shed jobs and cut costs to the bone, a single search engine operating in Ireland offered around 150,000 newspaper articles that cost publishers an estimated €46.5m to generate. Last year that site offered more than 350,000 articles at a cost equivalent to more than €110m. And all without paying one cent to those who created those articles.
There's more in the same vein from the Irish Times and the Independent.

Incredible, isn't it, that the newspapers are powerless to defend themselves against this "theft" and "piracy". Oh, wait - they're not. Instead, they've deliberately chosen to allow in search engines and to profit from the traffic which they generate.

Here's a non-technical explanation. You don't have to allow your site to be indexed by search engines. If you don't want your site to appear on Google you can use a simple file, known as robots.txt, which tells search engines what they can and can't do. The Examiner has one, as does the Irish Times and the Independent. So do they tell these "pirates" and "thieves" to keep out? Absolutely not. In fact, all three provide sitemaps for search engines which summarise their sites and make them easier to index, while both the Irish Times and the Independent provide specific instructions for the "Mediapartners-Google" searcher. Why do they do this? Because of a business decision that they benefit from the readership which added visibility in search engines generates.
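As an added illustration (not from the original post), here is a small Python audit built on the standard library's robotparser. It reads two constructed robots.txt files, one that genuinely keeps crawlers out and one in the pattern described above (open to crawlers, a Sitemap line, a separate Mediapartners-Google group), and reports what each file actually tells a given crawler. The file contents and the example-news.ie hostname are constructed for the example, not the newspapers' real files.

```python
"""Audit what a robots.txt really says to search engine crawlers."""
from urllib.robotparser import RobotFileParser

# Constructed example 1: a publisher that wants no indexing at all.
# Two lines are enough to tell every well-behaved crawler to keep out.
OPT_OUT_ROBOTS = """\
User-agent: *
Disallow: /
"""

# Constructed example 2: the pattern the post describes. The site advertises
# a sitemap (an invitation to index), keeps only housekeeping paths private,
# and gives Google's advertising crawler (Mediapartners-Google) its own group
# with an empty Disallow, i.e. unrestricted access.
OPT_IN_ROBOTS = """\
Sitemap: https://www.example-news.ie/sitemap.xml

User-agent: Mediapartners-Google
Disallow:

User-agent: *
Disallow: /search/
Disallow: /admin/
"""


def load_robots(text):
    """Parse robots.txt text offline (no fetch) into a RobotFileParser."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def can_fetch(text, agent, path):
    """True if `agent` may crawl `path` under this robots.txt.

    The parser picks the first User-agent group whose name matches the
    crawler; the `*` group applies only when no specific group matched.
    """
    return load_robots(text).can_fetch(agent, path)


def sitemaps(text):
    """Sitemap URLs advertised in the file (empty list if none)."""
    return load_robots(text).site_maps() or []


def indexing_stance(text, agent="Googlebot"):
    """Summarise the file from a crawler's point of view.

    A site that disallows the crawler from "/" has opted out; anything
    else is open to indexing, and a Sitemap line is an explicit invitation.
    """
    if not can_fetch(text, agent, "/"):
        return "opted out"
    if sitemaps(text):
        return "open, sitemap published"
    return "open"


def crawler_report(text, agents, paths):
    """{agent: {path: allowed}} table for a quick side-by-side audit."""
    rp = load_robots(text)
    return {a: {p: rp.can_fetch(a, p) for p in paths} for a in agents}


if __name__ == "__main__":
    agents = ["Googlebot", "Mediapartners-Google"]
    paths = ["/", "/news/story.html", "/search/?q=budget"]
    for name, text in [("opt-out", OPT_OUT_ROBOTS), ("opt-in", OPT_IN_ROBOTS)]:
        print(f"{name}: {indexing_stance(text)}")
        for agent, verdicts in crawler_report(text, agents, paths).items():
            print(f"  {agent}: {verdicts}")
```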

The tone of the piece in the Examiner is entirely deceptive: far from being the helpless victim of "theft" and "piracy", the newspaper has chosen, for its own commercial advantage, to allow its site to be indexed and to benefit from the resulting visitors. Should the newspaper object, it is free to opt-out at any point. But it is shoddy work to misrepresent the position to its readers in this way.

Thursday, October 25, 2012

Internet betting: Irish government seeks to introduce blocking on no evidence and against EU findings

Roulette, originally uploaded by discopalace
There's been surprisingly little coverage of Irish government plans to require blocking of foreign betting websites. The plans, contained in s.26 of the Betting (Amendment) Bill 2012, would allow the District Court to make orders as follows:
in the case of a remote bookmaker or remote bookmaking intermediary, an order that telecommunications service providers and internet service providers in the State shall not permit access to — (i) the internet address of any internet domain that the remote bookmaker or remote betting intermediary concerned uses for the purposes of conducting his business, (ii) a particular facility in such a domain, or (iii) any other order that that court considers appropriate for the purpose of ensuring that any such domain, or any remote bookmaking operation conducted by the remote bookmaker or remote betting intermediary concerned is not accessible to persons in the State.
Leaving aside the technological inexactitude of this provision (what, exactly, is a "facility" in a domain? A sub-domain? A particular directory or path?) this is a remarkably wide provision which should worry Irish internet companies.

The reference to internet "service" providers rather than internet "access" providers appears to be wide enough to cover any service provider which could be used to access a site - which would appear to include providers of VPNs, search engines, DNS providers and others. This wide power is then further supplemented by a power to make "any other order" that [the] court considers "appropriate" to ensure that the domain etc. "is not accessible". This seems to be drafted with a view to ordering that sites should be delisted from search engines but could, potentially, be used against any internet intermediary and could be used to, for example, block access to proxy sites and other tools which might be used to circumvent the blocking.

What justification has the Irish state provided for such a far reaching power? Essentially, none. Online gambling was first considered in detail by government in the 2008 report Regulating Gaming in Ireland which cautioned against blocking systems:
The Committee is of the view that censorship of the Internet in an effort to achieve such ends is frequently self-defeating, is unlikely to achieve the intended results, leads to the diversion of scarce law enforcement resources and frequently has unintended and undesirable consequences.
This conclusion was, essentially, reiterated in the 2010 report Options for Regulating Gambling which contained no independent analysis on this point. These are, to date, the only government documents which address the issue - there has been no regulatory impact assessment published - and it is striking that neither recommends blocking systems.

In much the same way, the European Commission Staff Working Paper on Online Gambling recently came out against blocking systems, stating that:
However, blocking access to websites does not work as an isolated enforcement tool and can be easily circumvented. Moreover, depending on the technology used, website blocking can impact on legitimate businesses. The efficiency of the blocking method furthermore depends on the validity of the list of blocked websites. Keeping the list up-to-date requires significant resources while internet addresses can be changed instantly. Lastly, ISPs are faced with the implementation of the provisions for blocking access to websites, not only implying costs and tying-up of resources but also creating potential liability issues.
Simply put, the case has not been made for this new type of blocking and it would set a worrying precedent if such a far reaching power were to be created. Once ISPs are forced to introduce blocking mechanisms for one purpose, it is only a matter of time before others seek to jump on the bandwagon.

Thursday, September 20, 2012

High Court: Bloggers can benefit from journalistic privilege


There's quite a lot to digest in the recent decision of Hogan J. in Cornec v. Morrice & Ors. Most of the judgment deals with wider issues in the protection of journalists' sources, and unsurprisingly the media coverage so far tends to focus on this aspect. But reading the judgment, I was struck by the way in which it considered whether non-traditional media could also benefit from similar protections. In particular, it appears to be the first Irish judgment to consider the position of bloggers.

In this case orders were sought to compel two individuals - Nicola Tallant and Mike Garde - to testify for the purposes of US civil proceedings. Both objected to the orders on various grounds, including the argument that requiring their testimony would reveal both their sources and the information provided by these sources, contrary to their journalistic privilege recognised by Irish law. ("Journalistic privilege" is used here as shorthand - para. 42 of the judgment makes it clear that strictly speaking there is no such thing. Nevertheless it is a useful phrase to capture the rights which journalists may have in certain situations.)

In the case of Nicola Tallant, an investigative reporter with the Sunday World, there was no difficulty in applying the concept of journalistic privilege. The position of Mike Garde was rather more ambiguous. As the court put it, he was "not a journalist in the strict sense of the term". Instead, he was a director of Dialogue Ireland - an independent organisation working with people who become caught up in cults or fringe religions - and regularly appeared in the media and blogged about issues surrounding cults. Despite this, however, Hogan J. had no hesitation in finding that he should also benefit from a similar protection, holding that:
While Mr. Garde is not a journalist in the strict sense of the term, it is clear from that his activities involve the chronicling of the activities of religious cults. Part of the problem here is that the traditional distinction between journalists and laypeople has broken down in recent decades, not least with the rise of social media. It is probably not necessary here to discuss questions such as whether the casual participant on an internet discussion site could invoke Goodwin-style privileges, although the issue may not be altogether far removed from the facts of this case.

Yet Mr. Garde’s activities fall squarely within the “education of public opinion” envisaged by Article 40.6.1. A person who blogs on an internet site can just as readily constitute an “organ of public opinion” as those which were more familiar in 1937 and which are mentioned (but only as examples) in Article 40.6.1, namely, the radio, the press and the cinema. Since Mr. Garde’s activities fall squarely within the education of public opinion, there is a high constitutional value in ensuring that his right to voice these views in relation to the actions of religious cults is protected. It does not require much imagination to accept that critical information in relation to the actions of those bodies would dry up if Mr. Garde could be compelled to reveal this information, whether in the course of litigation or otherwise. It is obvious from the very text of Article 40.6.1 that the right to educate (and influence) public opinion is at the very heart of the rightful liberty of expression. That rightful liberty would be compromised – perhaps even completely jeopardised – if disclosure of sources and discussions with sources could readily be compelled through litigation. [Emphasis added]
This strikes me as a very important ruling - by explicitly equating blogs and other new media forms with the traditional "organs of public opinion" protected by the Constitution it may well strengthen the position of internet authors not just in relation to the protection of sources but also in other areas such as defamation.

Thursday, September 13, 2012

Hillsborough: using police databases to smear the dead

Yesterday saw the publication of the Report of the Hillsborough Independent Panel which confirmed many of the criticisms made by the families of those killed in the disaster. One of the most shocking points in that report for me was the revelation that criminal record checks were carried out on some of the dead, with a view to smearing them and deflecting criticism of police handling of the event. This illustrates an important point that privacy campaigners have been making for a long time: centralised databases of this type can and will be abused, and the power to trawl databases for information on individuals - in effect, to manufacture a case against them - is a dangerous one. It's not hard to imagine how data retention records might be abused in a similar way in future. With that in mind, here's an excerpt from the Report setting out what was done:
Criminal record checks on the deceased

2.5.111 A solicitor involved in the Hillsborough inquests disclosed a document to the Panel showing that criminal record checks were conducted selectively on some of the deceased who had recorded blood alcohol levels. To protect the privacy of the deceased the Panel has decided not to make public the document but to describe the process through which an attempt was made to establish links between blood alcohol levels and previous criminal convictions.

2.5.112 The document indicates that a Police National Computer (PNC) check was conducted on all who died at Hillsborough for whom a blood alcohol reading above zero was recorded. It includes a handwritten list of the names, dates of birth, blood alcohol readings and home addresses of 51 of the deceased and provides screen-prints apparently drawn from the PNC. A summary of the results appears on the front page, establishing the number ‘with cons’ (convictions).

2.5.113 The document was not formally part of the West Midlands or South Yorkshire Police inquiries and there is no record in the documents provided by either force or by the Coroner. There is no record of who conducted the checks or precisely when the checks occurred. The National Policing Improvement Agency, the organisation responsible for the PNC, confirmed to the Panel that information has not been retained within the PNC.

2.5.114 It is the Panel’s view that criminal record checks were carried out on those of the deceased with recorded blood alcohol levels in an attempt to impugn personal reputations. There is, however, no evidence to suggest that this inappropriate – and possibly unlawful – exercise was used in the investigations, inquiries or inquests.

Monday, June 18, 2012

Internet freedom in Ireland: apathy is not a policy

The OSCE Dublin Conference on Internet Freedom is just starting (livestream) where numerous superb speakers will be discussing fundamental rights online. It prompted me to wonder - is Ireland a worthy host? How does the overall Irish track record on online freedoms stack up?

Taken as a whole, it strikes me that the internet is generally quite free in Ireland, but this is a result of apathy rather than policy. By that I mean that Ireland compares well on metrics such as the number of government censorship requests to Google, and looks good when compared against e.g. our astonishingly authoritarian neighbour. However, this is largely as a result of government failure to act. Where the Irish government has acted it has almost always done so in a way which threatens or at most is only neutral in relation to online rights.

The most obvious example is mass surveillance via data retention, where the Irish state was a leader in seeking to impose this throughout Europe. But there are numerous others. Draconian Irish defamation law continues to threaten freedom of expression, and the Defamation Act 2009 did very little indeed to protect online speech, ignoring recommendations from the Government's own expert report on defamation law. The recent copyright statutory instrument seems intended to permit internet blocking at the behest of the music industry, in a way which is likely to be without notice to blocked sites, to lack transparency, and to cause significant collateral damage. The role of the Data Protection Commissioner has been threatened by double digit percentage cuts in funding, leading to a situation where enforcement of privacy rights in Ireland is massively under-resourced. In the same way, there is no adequate discipline for Irish police who abuse communications records to spy for their own private purposes. The list of negatives could go on.

What about the positives? Only one comes to mind - the recent establishment of the Copyright Review Committee to examine fair use and wider reform. Even here, however, any impact on fundamental rights will be incidental: the aim of the Government in setting up the review group was primarily commercial - to promote "innovation" and employment.

The conference was just opened by Eamon Gilmore, who spoke in proud terms about James Joyce, censorship and freedom of expression. (I suspect he's not familiar with the way in which the Joyce estate has abused copyright law to silence critics.) It strikes me, though, that for all these fine words the Irish state has a long way to go in showing genuine respect for fundamental rights online. Irish rights online are largely the result of apathy, and apathy is not a policy.

Monday, April 30, 2012

Record numbers of complaints, data breaches and more (all on a shoestring budget)

The Data Protection Commissioner's 2011 Annual Report was published today. While the whole document is well worth reading, a few highlights struck me as worth particular attention.

Resources

Unsurprisingly - particularly in the light of the ongoing Facebook investigation - the report starts by saying that the financial and personnel position of the Office has become unsustainable in light of increased demands, with the warning that failing to remedy this will jeopardise investment in Ireland:
The scope of our responsibilities has changed significantly in the past 3 to 5 years. This arises in particular from the success of the Industrial Development Authority in attracting to Ireland companies conducting significant processing of personal data. We have worked with these companies to help them understand their obligations under EU data protection law towards all EU users of their services.

The legislative proposals presented by the European Commission in January of this year, if passed into law, will involve increased responsibilities for our Office under the so-called “one-stop-shop” arrangement for multinational companies providing services to EU users from an Irish base. While the exact division of labour between data protection authorities has yet to be finalised, it clearly will involve a greater degree of responsibility for our Office in relation to multinational companies which choose Ireland as an EU base. Failure to adequately discharge this responsibility will carry significant reputational risks for the country...

The implications of our increased European responsibilities were brought home to us forcefully in relation to our audit of the activities of Facebook-Ireland. Facebook-Ireland had unambiguously placed itself under our Office’s jurisdiction through changes in its contractual arrangements with its EU users and the establishment of clear responsibility for the processing of their data. We therefore included them in our programme of audits for 2011. This was the most complex audit ever undertaken by our Office, involving about a quarter of our staff resources for 3 months and external technical assistance from University College Dublin (UCD)...

We clearly cannot maintain a similar level of commitment in relation to other multinational companies without additional resources. I am confident that this message is understood by the Government and would hope to be allocated additional resources in the course of this year. [All emphasis added.]
Number of incidents

Complaints reached a record high last year with 1,161 complaints under the Data Protection Acts and 253 complaints under the ePrivacy Regulations (dealing with unsolicited text messages, etc.). Remarkably, data breach notifications outnumbered both types of complaints with 1,167 notifications during the year from 186 different organisations (up from 119 in 2009 and 410 in 2010). This seems to reflect greater awareness of the obligation to notify, rather than any increase in breaches, and presumably will plateau in coming years - but the sheer volume of notifications presents its own challenges.

Unsolicited marketing prosecutions

One area where the DPC has been particularly successful is in relation to unsolicited marketing text messages and telephone calls, where there now seems to be a well-oiled machine in place for prosecuting repeat offenders. In relation to communications providers alone, in 2011 successful prosecutions were brought against:

* Eircom: one unsolicited telephone marketing call, Probation Act applied, €2,000 donation made to charity;
* Vodafone: four unsolicited telephone marketing calls, one text message, total of €3,850 in fines imposed;
* o2: one unsolicited text message, Probation Act applied, €2,000 donation made to charity;
* UPC: eighteen charges relating to unsolicited telephone marketing calls, total of €7,100 in fines imposed.

Political spam now prohibited

Until recently there was an extensive exemption for political direct marketing - one which was arguably incompatible with the requirements of the ePrivacy Directive. This has now been amended, which will no doubt be a relief to Irish voters in the run up to the Fiscal Treaty referendum:
A second issue of concern which I commented on in 2009 was the direct marketing exemption which excluded from the scope of the Data Protection Acts any direct marketing carried out for political purposes by political parties or by candidates for election to political office. I expressed my dissatisfaction then that I was unable to launch investigations into complaints which I received from voters who received unsolicited SMS messages, emails or phone calls even when they had made it clear that they did not wish to be contacted in that way. Had such unsolicited marketing contact been made to members of the public by any other entity, such as a commercial business, there would be no restriction on my investigating the matter. I expressed doubts in my 2009 Annual Report about the consistency with EU Directives of the exemption in this country for such political activities.

I am pleased to report that the Minister for Communications, in framing S.I. 336 of 2011, removed the exemption relating to direct marketing for political activities in the context of marketing communications carried out by electronic means – such as SMS messages, faxes, email and telephone calls. As a result, I am no longer restricted from investigating complaints in this area. Accordingly, in my role as Data Protection Commissioner, I am obliged to investigate any such complaints in this area.

In this respect, arising out of the Presidential Election which took place following the commencement of SI 336 of 2011 on 1 July, I have already issued a warning to a political party about the sending of unsolicited marketing text messages in the course of the campaign. A second such incident is likely to lead to a prosecution. [Although not identified in the Annual Report, the Sunday Times has named Sinn Fein as the offending party.]
Department of Social Protection Audit

One of the greatest offenders against individual privacy has been the Department of Social Protection, formerly the Department of Social Welfare, which has a long and ignominious track record of staff abuse of personal information. (One recent example.) Worryingly, however, the Annual Report confirms earlier reports that Social Protection databases may be open to abuse externally as well as internally - by other state entities which have access to the departmental systems:
Also included in the list of the audits is an INFOSYS investigation. This refers to an in-depth examination of the use of INFOSYS – a database of social welfare data administered by the Department of Social Protection. The INFOSYS investigation focused on the authorised use of INFOSYS by a whole range of external third parties, including local authorities and state agencies. Initially INFOSYS was a ‘desk audit’ entailing extensive correspondence in the second and third quarter of 2011 between my Office and external users of INFOSYS. It was my intention to comment extensively on this investigation in this report but this has not proven possible, given the resources needed to complete it to a suitable level. However, the interim findings have caused my Office to engage with the Department of Social Protection and the large number of entities authorised to access the system to address the deficiencies identified so far.
Guthrie Cards / Heel Prick Samples

One of the most important issues dealt with by the report is the (long delayed) destruction of illegally-held blood samples taken from all newborns. The full discussion is too long to excerpt here, but one important point (which the media don't appear to have picked up) is that the Minister for Health and the HSE appear to have attempted to evade the Data Protection Commissioner in their efforts to create a national DNA database, by freezing out the DPC from a "review" of the decision to destroy the samples:
A final issue that emerged can essentially be summarised as that it would be useful to continue to hold the millions of samples involved to form the basis of a national database which could be used for health-related genetic (DNA) analysis. We were obliged to point out that the creation of such a database, without the consent of the persons involved (or their parents/guardians as appropriate) would be a clear breach of the Data Protection Acts. It would also run counter to the spirit (if not the letter) of the Disability Act 2005 – which requires individual consent for the carrying out of genetic tests – and of the Marper judgment of the European Court of Human Rights in relation to the retention of DNA samples in a criminal context. However, in light of concerns expressed around such issues, we understand that the Minister for Health asked for a full review of the decision taken by the HSE to destroy the samples on the terms agreed with this Office. We were not a party to this review but it is now completed and at the time of writing the Minister had approved the position previously agreed including the publicity campaign for people to seek earlier deletion or continued retention depending on their own particular preferences.
Security cluelessness

Finally, although it's not an issue of any great significance, I was amused by case study 7 in which insurance company Allianz chose to use three pieces of publicly available information for their "security questions":
Allianz informed us that it introduced three ID security questions consisting of date of birth, mother's maiden name and place of birth. It stated that these questions were introduced to ensure that it was keeping its customer's personal information safe and secure and to prevent any unauthorised disclosure. As previously outlined in my 2009 Annual Report it is our view that the use of questions such as date of birth and mother's maiden name for the purpose of ensuring security of data is not an adequate safeguard against disclosure to a third party. Such questions may in fact be a security vulnerability as this type of information is publicly available upon payment of a fee to the General Register Office and is therefore of limited value on its own as a security feature.

Sunday, April 08, 2012

Surveillance up, but bugs being discovered by targets

Smoke alarm claimed to have been bugged by gardaí
John Mooney and Mark Tighe have a detailed piece in today's Sunday Times arising out of the latest report of the designated judge under the Criminal Justice (Surveillance) Act 2009. Some highlights:
AN INCREASING number of requests by gardai for permission to spy on alleged criminals and terrorists are being rejected because the operations were premature, excessive or contained inadequate information. A report on the state's covert surveillance operations by Kevin Feeney, a High Court judge appointed to audit spying activities by gardai, Customs and the military, found a small increase in the number of cases where gardai were refused permission to plant eavesdropping devices and tiny cameras to spy on people suspected of involvement in paramilitary groups and organised crime.

In one case, a chief superintendent who asked to use an audio transmitter was refused permission because the surveillance was not proportionate to the identified objectives of the operation. Applications by garda officers for surveillance warrants were turned down on the basis that the premises where the device was to be located had not been confirmed as available or appropriate.

The 2009 Surveillance Act allows gardai, the Defence Forces and Revenue Commissioners to break into homes and cars to plant recording devices and tiny cameras to record private conversations. The "product" can be used as evidence in prosecutions. Permission for the surveillance, which can last up to three months, must be granted by a district court judge.

Feeney said the number of cases where gardai obtained district court authorisation to plant devices was "a small double-figure number". The number of authorisations that were declined was fewer than 10, but up on the previous year.

The report, obtained by The Sunday Times, also noted that surveillance and countersurveillance devices can be bought by the public. The judge said the availability of such equipment was brought to his attention when gardai found a device that had been installed by an unknown third party to monitor a person they were spying on. The report makes no reference to the discovery of such equipment by people being spied upon. Security sources say several devices have been detected recently...
I'll upload a copy of the latest report as soon as I have it. In the meantime, the 2009/2010 report is available here.

Fresh claims that Irish police have been hacked

It's been an embarrassing time recently for Irish police, following allegations that Lulzsec hackers were able to compromise the personal email accounts of senior gardaí, enabling them to record an FBI-hosted conference call involving international computer crime specialists. Interestingly, Monday's Daily Mail had a story (which doesn't seem to have been picked up by other Irish media) suggesting that there have been wider breaches of garda security. Excerpt:
A MAJOR Garda security alert into phone and email hacking of the country's highest ranking officers is under way.

The Mail can reveal that deputy commissioner Noirín O'Sullivan has ordered an investigation into apparently widespread phone and email hacking of senior gardaí.

It is understood the investigation has established that Pulse, the Garda intelligence system, has not been compromised.

However, senior security sources say that the emails and phones of senior gardaí have been hacked.

The investigation is attempting to establish the extent of the hacking and for what purpose confidential garda information is being targeted.

The probe has established that the head of police in another European country has had his email illegally accessed by an Irish-based hacker.

At least two other senior police officers in other European forces have had their email compromised.

The investigation is being taken 'extremely seriously' by Garda management and checks are under way on senior officers' phones and emails to see if they have been illegally accessed.

Some gardaí have had their phones and emails hacked, but because of the sensitive nature of the investigation, senior sources could not reveal what exactly has been accessed. A file is being prepared for the Director of Public Prosecutions. One key aspect of the probe is trying to establish for what purpose the hacking was initiated. It is understood that gardaí are checking to see if online Irish based hackers are sharing the confidential information that has been hacked with others internationally...

As one of the State's two deputy commissioners, Noirín O'Sullivan holds the second most senior rank in the force, with responsibility for operational policing and national security.

The fact she ordered the investigation indicates how seriously the matter is being taken by Garda management.

Monday, March 26, 2012

Eircom admits user disconnection is illegal; wants other Irish ISPs to do it anyway

You couldn't make it up. Eircom, not content with shooting itself in the foot by agreeing to introduce a "three strikes" system which wasn't required by the law, now wants its rivals to do the same. Presumably that would be the same three strikes system which Eircom's head of public policy has admitted is in breach of European law.

Friday, March 16, 2012

Coleman v. MGN - jurisdiction in internet defamation cases

The Supreme Court yesterday gave a decision on internet defamation in Coleman v. Mirror Group Newspapers, where it held that the Irish courts had no jurisdiction in relation to a photograph said to have been published on the Mirror website in 2003. The judgment turns for the most part on deficiencies in pleading rather than on the substantive law so is of little precedential value, but it does highlight the fact that the courts will not rely on "presumed" publication in this jurisdiction - there must be evidence that online material was actually read by a person within the jurisdiction in order for a defamation claim to be brought:
First, there is no pleading that the publication alleged of the relevant articles is by internet publication of the relevant newspaper. Nor could such a pleading be inferred from the words of the Statement of Claim. Secondly, there is a need for evidence of publication to establish the tort of defamation. There is no evidence before the Court that the Daily Mirror was published on line in 2003. There is no evidence that the daily edition of the Daily Mirror was on the world wide web in 2003. Thirdly, there is no evidence of any hits on any such site in this jurisdiction. These are fatal flaws in the plaintiff’s case.
Compare the similar decision in USA Rugby v. Calhoun.

Tuesday, March 13, 2012

User consent to privacy policies is a fiction - here's why

One simple answer to our privacy problems would be if everyone became maximally informed about how much data was being kept and sold about them. Logically, to do so, you'd have to read all the privacy policies on the websites you visit. A few years ago, two researchers, both then at Carnegie Mellon, decided to calculate how much time it would take to actually read every privacy policy you should.

First, Lorrie Faith Cranor and Aleecia McDonald needed a solid estimate for the average length of a privacy policy. The median length of a privacy policy from the top 75 websites turned out to be 2,514 words. A standard reading rate in the academic literature is about 250 words a minute, so each and every privacy policy costs each person 10 minutes to read.

Next, they had to figure out how many websites, each of which has a different privacy policy, the average American visits. Surprisingly, there was no really good estimate, but working from several sources including their own monthly tallies and other survey research, they came up with a range of between 1,354 and 1,518 with their best estimate sitting at 1,462.

So, each and every Internet user, were they to read every privacy policy on every website they visit would spend 25 days out of the year just reading privacy policies! If it was your job to read privacy policies for 8 hours per day, it would take you 76 work days to complete the task. Nationalized, that's 53.8 BILLION HOURS of time required to read privacy policies. [Emphasis added.]

From TheAtlantic.com. The full study (PDF) is well worth reading.

Wednesday, March 07, 2012

Witness comments on Facebook cause assault case to be dismissed

This may be the first time in Ireland that a case has been dismissed on the basis of Facebook comments. From the Mayo News:
A WOMAN who wrote comments on a Facebook page about an alleged assault was told her actions had ‘fatally compromised’ the assault case which was subsequently dismissed.

Judge Mary Devins told last week’s sitting of Ballina District Court that in her view writing messages on Facebook was akin to writing in newspapers.

She made her ruling after hearing evidence from Maureen O’Malley from Westport, who explained that she posted two messages on Facebook about an alleged assault by the CEO of a Ballina laboratory against an animal rights protester.

Leonard Moran of Carrentrila, Ballina, was accused of assaulting Laura Broxon from Dublin. He was accused of punching her in the face while wielding a hammer when she was staging a protest outside the Ovagen and Charles River Laboratories, which are adjacent to Mr Moran’s house.

Mr Moran, who is a Director of Ovagen and who used to own the lab until it was sold to US company, Charles River in 2002, denied he punched her. Ms Broxon, who is the founder of the National Animal Rights Association, claimed that testing of animals takes place in the lab and during the protest accused Mr Moran of having ‘blood on your hands’...

Detective Garda Pat Ruane explained that two comments had been posted by Maureen O’Malley, who admitted posting them.

She told the court last week that she arrived at the scene after the incident had taken place and had spoken to Ms Broxon, who explained what she claimed happened. She said she was shocked at what happened and posted the comments when she went home.

In the first comment, she posted that the CEO of Charles River had assaulted a protester, and in the second comment she asked why he would resort to physical violence and what he was capable of doing to ‘defenceless animals in his lab’.

Judge Devins said that even though she wrote the comments with good intentions, writing about something on Facebook can compromise a criminal prosecution. She said it was akin to a local or national newspaper giving their version of events and dismissed the case.
Based on this report, it's difficult to see precisely why the charge was dismissed. There was no jury and therefore no real risk of the comments improperly influencing the decision maker. The mere fact that a witness has previously written about what they saw - even publicly - is not in itself a basis for dismissal of charges. In addition, there was no suggestion that the comments could influence other witnesses in the case. Most importantly, the equation of Facebook comments with newspaper coverage is simply incorrect and seems to reflect a misguided analogy with the law regarding contempt of court and the sub judice rule. While social media does present genuine challenges for the law, it would be unfortunate if judicial unfamiliarity with the internet were to lead to unnecessary problems for the criminal justice system.

Saturday, March 03, 2012

Illegal blood sample database to be destroyed

Two years ago the Sunday Times broke the story that the Irish national children's hospital was illegally keeping blood samples from almost every Irish newborn since 1984, in what amounted to a de facto national DNA database. Two years later, the decision has finally been made to destroy these samples. From today's Irish Times:
MINISTER FOR Health Dr James Reilly has decided to have more than a million archived blood samples taken from newborns destroyed within the next four to six months.

Cardiologists have called on the Minister to reverse the decision, describing it as “appalling”. They say the samples could be particularly valuable in genetic tests for diagnosing sudden adult death syndrome.

Dr Reilly is to follow the recommendations of a Health Service Executive review group to destroy heel-prick screening cards that are more than 10 years old.

The department plans to give individuals and their families the chance to access the cards or have them returned. Most of those affected would now be aged between 10 and 28...

Until recently parents were not asked for consent to keep the samples. Parents have had the right to opt out of the test since a 2001 Supreme Court judgment.

Since July 2011 parents have been asked for consent to take the samples, with agreement to allow storage for 10 years with use only for tests to which they agree.

Action on the issue came about after the Data Protection Commissioner found in 2009 that the retention of the cards breached the law, following a complaint from a member of the public. The commissioner proposed that the retained samples be destroyed.

The HSE review group report seen by The Irish Times said that retaining samples without consent “clearly contravenes both EU and national data-protection legislation”. It is “extremely important” that the screening programme was “not undermined or compromised in any way”, it said.

Using the samples for research or another purpose “compounds only further that initial wrong”, it said.

The destruction of the old samples “serves to respect the autonomy of the individual”, the report concludes.

Wednesday, February 29, 2012

More Ryanair litigation against flight resellers - this time with a data protection twist

You might have noticed that Ryanair is busy with litigation against services which screenscrape flight details from its site or act as resellers of its flights. (Previously on this blog 1|2|3|4|5.) Usually those cases have centred on arguments that this activity amounts to a breach of either Ryanair's intellectual property rights in their site or their terms of use. However Ryanair has now added an interesting data protection dimension to its claims in a fresh action against Club Travel. From today's Irish Times:
RYANAIR HAS claimed before the High Court that details about people who book its flights through a package holiday website can be seen by other travellers.

The airline is seeking an injunction stopping Club Travel from selling its flights on the grounds that it amounts to wrongful interference with its copyright and database. Club Travel denies the claims. Because of the way Club sells the flights, customers who book through it have access to information about other travellers’ flights and know when they will be out of the country, Ryanair alleges.

Club customers, it claims, are told not to input their own email address but a specific address which belongs to Club. As a result, Club customers may access details of other passengers who booked flights the same way, Martin Hayden SC, for Ryanair, argued.

This gives access to information about when other people who booked the flight are abroad and when their homes are unoccupied, counsel said.

Ryanair said it was also concerned that, for the cost of changing a name on a flight, a person who has such access can change the name, address and passport details on another traveller’s flight and obtain that person’s boarding card, he said.

These were serious data protection issues which could expose Ryanair to penalties, he said.

Friday, February 24, 2012

Self-service search warrants after Damache v. DPP

A peculiar feature of Irish law for many outside observers is the fact that search warrants are treated as being an executive rather than judicial function (PDF, ch.4). As a result a number of statutes give police the power to themselves issue such warrants on a "self-service" basis. Yesterday's Supreme Court decision in Damache v. DPP, however, cuts back the scope of these powers somewhat.

In this case Damache was suspected of involvement in a conspiracy to murder Lars Vilks, one of a number of cartoonists said to have insulted Islam by drawing Muhammad. On foot of this suspicion, a senior garda issued a search warrant in relation to his home under s. 29(1) of the Offences Against the State Act 1939 (as inserted by s. 5 of the Criminal Law Act 1976). That section is exceptionally wide and in essence allows a senior garda to issue a search warrant in any terrorist related case in respect of any location without any special circumstances having to be shown:
Where a member of the Garda Síochána not below the rank of superintendent is satisfied that there is reasonable ground for believing that evidence of or relating to the commission or intended commission of an offence under this Act or the Criminal Law Act, 1976, or an offence which is for the time being a scheduled offence for the purposes of Part V of this Act, or evidence relating to the commission or intended commission of treason, is to be found in any building or part of a building or in any vehicle, vessel, aircraft or hovercraft or in any other place whatsoever, he may issue to a member of the Garda Síochána not below the rank of sergeant a search warrant under this section in relation to such place.
Crucially, the garda in question had been centrally involved in the investigation and there were no circumstances of urgency or time pressure in the case. Was the legislation valid insofar as it allowed a warrant to be issued in these circumstances?

Initially, the High Court held that it was. In a disappointing decision which relied on the fallacy that "modern terrorism is different", Kearns P. held that a search warrant was merely a step in the investigative process which did not have to be issued by an independent authority and that in any event the section would be justified on the basis that:
the security demands of countering international terrorism are of a quite different order to those which apply in what might be described as routine criminal offences. Serious injury and harm can be unleashed at any point in the globe by terrorists who can avail of modern technology to devastating effect. That fact was amply borne out by the attack on the World Trade Centre on 11th September, 2001, and many other terrorist acts before and since. The international terrorism of the modern age is a sophisticated, computerised and fast moving process where crucial evidence may be lost in minutes or seconds in the absence of speedy and effective action by police authorities.
On appeal, however, the Supreme Court took an entirely different approach. Building on earlier Irish authorities and applying the ECtHR decision in Camenzind v. Switzerland and the Canadian Supreme Court decision in Hunter v. Southam Inc, the court developed the principle that search warrants should generally only be issued by an independent person:
For the process in obtaining a search warrant to be meaningful, it is necessary for the person authorising the search to be able to assess the conflicting interests of the State and the individual in an impartial manner. Thus, the person should be independent of the issue and act judicially.
Applying this, the court found that the section was invalid insofar as it allowed for search warrants to be granted in respect of any location by a garda involved in the investigation without there being any special circumstances justifying a departure from this rule:
54. This case is decided on its own circumstances. These circumstances include the fact that the warrant was issued by a member of a Garda Síochána investigating team which was investigating the matters. A member of An Garda Síochána who is part of an investigating team is not independent on matters related to the investigation. In the process of obtaining a search warrant, the person authorising the search is required to be able to assess the conflicting interests of the State and the individual person, such as the appellant. In this case the person authorising the warrant was not independent. In the circumstances of this case a person issuing the search warrant should be independent of the Garda Síochána, to provide effective independence.

55. The circumstances of the appellant’s case also includes the fact that the place for which the search warrant was issued, and which was searched, was the appellant’s dwelling house. The Constitution in Article 40.5 expressly provides that the dwelling is inviolable and shall not be forcibly entered, save in accordance with law, which means without stooping to methods which ignore the fundamental norms of the legal order postulated by the Constitution. Entry into a home is at the core of potential State interference with the inviolability of the dwelling.

56. These two circumstances are at the kernel of the Court’s decision.

57. No issue of urgency arose in this case, and the Court has not considered or addressed situations of urgency.

58. The Court points out that it is best practice to keep a record of the basis upon which a search warrant is granted.

59. This Court would grant a declaration that s. 29(1) of the Offences against the State Act, 1939 (as inserted by s. 5 of the Criminal Law Act, 1976) and referred to as s. 29(1) of the Act of 1939, is repugnant to the Constitution as it permitted a search of the appellant’s home contrary to the Constitution, on foot of a warrant which was not issued by an independent person.
This is in some ways quite a narrow decision. The court placed great stress on the fact that the search related to a dwelling house - suggesting that powers of search relating to business premises might be treated differently. Similarly, the court noted that the decision didn't relate to cases of urgency, which would seem to leave intact a number of garda powers to issue search warrants in situations where "circumstances of urgency giving rise to the need for the immediate issue of the search warrant would render it impracticable to apply to a judge of the District Court or a Peace Commissioner".

Significantly, however, the court clearly flags a preference for search warrants to be issued judicially in future. Rather than simply requiring that a search warrant be issued by a garda who was not personally involved in the investigation, the court holds that "in the circumstances of this case a person issuing the search warrant should be independent of the Garda Síochána, to provide effective independence". This would seem to require that any power to issue search warrants in respect of the home should only be exercised by an outside authority (presumably a district court judge) except in cases of urgency.

At the very least this will force a reevaluation of garda practice in this area - and should also require reconsideration of the procedures in related areas such as GPS tracking or access to telephone and internet data where authorisations are granted internally within the Garda.

Thursday, February 23, 2012

Checking the PULSE

We've known for some time now that there's been significant abuse of the Garda PULSE database - whether this takes the form of gardaí checking up on daughters' boyfriends or more seriously information being sold to armed robbers. This abuse was one of the factors which led the Data Protection Commissioner in 2007 to adopt a Garda Code of Practice on Data Protection. While quite far-reaching, that document also dealt specifically with the PULSE database and provides:
The standard of security expected of all employees of An Garda Síochána includes the following:
* access to the information restricted to authorised staff on a "need-to-know" basis in accordance with a defined policy,
* computer systems password protected,
* information on computer screens and manual files kept hidden from callers to offices,
* back-up procedures in operation for computer held data, including off-site back-up,
* all waste papers, printouts, etc. disposed of carefully by shredding,
* all employees must log off from PULSE and other computers on each occasion when they leave the workstation,
* personal security passwords must not be disclosed to any other employee of An Garda Síochána,
* all Garda premises to be secure when unoccupied,
* a designated person will be responsible for all the above within An Garda Síochána with periodic reviews of the measures and practices in place.

Every contact on PULSE leaves a trace and every employee should be acutely aware that all activity under their registered number and password on PULSE is recorded. During an Audit or Investigation procedure they may be asked to account for the reasons they accessed a particular individual's data at any given time and what they did with it afterwards. An Garda Síochána will ensure that appropriate data protection and confidentiality clauses are in place with any processors of personal information on its behalf...

6. AUDITS OF DATA PROTECTION PROCEDURES WITHIN AN GARDA SÍOCHÁNA

To ensure the quality of data retained by An Garda Síochána, and that access to and usage of such data is appropriate within the terms of this Code, each District Officer will, as part of his/her quarterly inspection and audits in line with the Garda Commissioner's policy, examine data under the headings of Quality Control; Data Accuracy; Access to Data; and Usage of Data.

In addition to this, the Garda Professional Standards Unit will conduct examinations and reviews of Data Protection procedures as part of their ongoing examination and review process.
Unfortunately, it seems that the 2007 Code of Practice has been neglected. In particular, there has been a failure to implement the agreed monitoring of the use of the PULSE system and in his 2010 Annual Report the Data Protection Commissioner stated that:
It is disappointing to report that, despite our repeated engagements on this issue, the monitoring of access by members of An Garda Síochána to Pulse falls short of the standards we expect. We wish to see significant progress by the Gardaí in pro-actively monitoring Pulse access in 2011 and will be carrying out an audit to satisfy ourselves of this progress.
Today's Irish Times brings the story up to date, and reveals that a Garda system to monitor access to PULSE has now been put in place (four years after it was first promised) while the Data Protection Commissioner's audit will proceed in the next three months. I look forward with interest to the results - particularly if the audit goes beyond PULSE to also examine the weak controls over Garda surveillance powers which have led to at least one serious case of abuse.
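The pro-active monitoring the Code of Practice calls for (every access recorded under the member's registered number, and members asked to account for why they viewed a particular person's data) can be illustrated with a small audit-review script. This is an added example, not Garda or Data Protection Commissioner tooling: the log format, field names, thresholds and sample entries are all assumptions constructed for illustration.

```python
"""Pro-active review of an access audit trail for a PULSE-style records system.

Added illustration only; the log layout, field names and thresholds are
assumptions, and SAMPLE_LOG is constructed data, not a real audit trail.
"""
from collections import defaultdict
from statistics import median

# Constructed sample audit trail. Each access is recorded under the member's
# registered number; case_ref is the reason the member would later be asked
# to account for during an audit or investigation.
SAMPLE_LOG = [
    # (reg_no, timestamp, subject_id, case_ref)
    ("G1001", "2012-02-20T09:05", "S-220", "INC/2012/0041"),
    ("G1001", "2012-02-20T09:40", "S-221", "INC/2012/0041"),
    ("G1002", "2012-02-20T10:02", "S-300", "INC/2012/0057"),
    ("G1002", "2012-02-20T10:15", "S-301", ""),  # no reason recorded
    ("G1003", "2012-02-20T11:00", "S-400", "INC/2012/0060"),
    # G1004 looks up many unrelated people with no case reference at all
    ("G1004", "2012-02-20T12:01", "S-500", ""),
    ("G1004", "2012-02-20T12:02", "S-501", ""),
    ("G1004", "2012-02-20T12:03", "S-502", ""),
    ("G1004", "2012-02-20T12:04", "S-503", ""),
    ("G1004", "2012-02-20T12:05", "S-504", ""),
    ("G1004", "2012-02-20T12:06", "S-505", ""),
    ("G1004", "2012-02-20T12:07", "S-506", ""),
]


def review_access(log, volume_factor=3.0):
    """Return {reg_no: [finding, ...]} for members whose access needs explanation.

    Two checks, loosely following the 'Access to Data' and 'Usage of Data'
    headings of the quarterly audit: (1) any access with no case reference,
    and (2) a member viewing more distinct subjects than volume_factor times
    the median across all members in the period (a need-to-know volume check).
    """
    unexplained = defaultdict(list)   # reg_no -> [(timestamp, subject), ...]
    subjects = defaultdict(set)       # reg_no -> distinct subjects viewed
    for reg_no, ts, subject, case_ref in log:
        subjects[reg_no].add(subject)
        if not case_ref:
            unexplained[reg_no].append((ts, subject))
    peer_median = median(len(s) for s in subjects.values())
    findings = defaultdict(list)
    for reg_no, items in unexplained.items():
        findings[reg_no].append(f"{len(items)} access(es) with no case reference: "
                                + ", ".join(f"{s}@{t}" for t, s in items))
    for reg_no, s in subjects.items():
        if len(s) > volume_factor * peer_median:
            findings[reg_no].append(
                f"{len(s)} distinct subjects viewed vs peer median {peer_median:g}")
    return dict(findings)


if __name__ == "__main__":
    for reg_no, items in sorted(review_access(SAMPLE_LOG).items()):
        print(reg_no)
        for item in items:
            print("  -", item)
```

Each flagged member is a question for the District Officer's quarterly inspection, not a finding of misuse in itself; a legitimate reason may simply not have been recorded.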

Monday, February 20, 2012

Heads should roll. But, of course, they won't.

Justified outrage from Eamon Delaney in the Sunday Independent:
It is shocking but not surprising that not a single civil servant has been fired for an incredible bout of behaviour at the so-called Department of Social Protection.

It seems that almost 100 departmental employees accessed the personal files of the public and passed on highly sensitive information to insiders. They snooped on their friends, on colleagues and celebrities.

It is hardly of reassurance to know that this has not been going on for a few weeks but for more than seven years, and involved thousands of records being improperly interfered with. In short, it is a disgraceful breach of trust, which just shows the corrosion at the heart of our civil service, a once-pristine post-colonial inheritance.

And yet, not one member of staff has been sacked for their conduct. Not one. This is despite the offenders breaching both the Data Protection Act and the department's own internal rules. Instead, 87 staff members were 'sanctioned' for improperly accessing sensitive data...

And yet what is most amazing is how little outcry there has been about this, or comment from our otherwise vocal politicians, whose ambition is to actually be responsible for public servants. But then they are so immersed in the culture of the public service, and its indulgences and leniency, that they presumably don't see anything to get too alarmed about.

But you can be damn sure that if it was journalists doing this snooping, or bank officials leaking sensitive personal info, there would be an outcry and robust calls for enquiries and dismissals.

Wednesday, February 15, 2012

Is data misuse finally becoming a criminal matter?

There's a long and ignominious history in Ireland of personal data abuse by employees in the public sector and insurance industry. Sometimes it's a garda using phone records to spy on her ex, sometimes it's nosiness on the part of Revenue staff, and in still other cases it's systematic abuse of social welfare records by the insurance industry. Sadly, the full list is too long for this post. What these cases have in common is that historically no one has been prosecuted. In some cases staff have been dismissed - but more commonly an internal slap on the wrist was the most that could be feared.

Against this background, it's significant that two prosecutions have recently been taken over data misuse. The first, reported in December, involved a staff member in Revenue who leaked information on a number of individuals to contacts including a private investigator. That case was somewhat outside the data protection mainstream - it was detected to a large extent by accident and dealt with primarily by Gardaí rather than the Data Protection Commissioner - but still held out hope for the greater use of criminal sanctions in appropriate cases. That hope has now been realised by a second successful prosecution - this time of three large insurance companies found to be receiving information unlawfully accessed by private investigators from the Department of Social Protection. While the case against the companies is now concluded, a related investigation is continuing into the insider in the Department who was responsible for passing on the information.

What should we make of these cases? In one way the prosecutions still represent only small steps towards more effective enforcement. The penalties are still derisory - in each case the Probation Act was applied so that the defendants escaped conviction on the basis that they made charitable donations. The substantive offences are also lacking - in the Social Protection case the prosecution was based on processing of data other than in accordance with registration rather than any more serious offence. (Sections 19(2)(a) and 19(2)(b) of the 1988 Act.)

From a wider perspective, however, the prosecutions represent an important step forward. The Revenue case seems to have been the very first prosecution under sections 21 and 22 of the Data Protection Acts 1988 and 2003, and certainly the first such prosecution on indictment. Similarly the Social Protection case is important in its own right in that it came out of ongoing work by the Data Protection Commissioner - dating back to 2007 and including a 2008 Code of Practice - and represents the first time that the insurance industry has been effectively held to account for systematic wrongdoing. Combined with recent amendments which create specific offences of leaking Revenue information these cases may finally begin to dislodge the culture of snooping within much of the public sector.

Sunday, February 12, 2012

#SOPAIreland: where's the legal advice?

The main reason - effectively the only reason - given by Minister Sean Sherlock for pushing ahead with a deeply flawed statutory instrument is that he is acting on the advice of the Attorney General. However, he has not revealed the detail of that advice and we are being asked to take it on trust both that it is correct (a matter which is open to debate) and also that it compels this particular course of action.

Fortunately, I discovered during the week that the Labour Party has an explicit commitment as to what should be done in these circumstances. Here's an excerpt from their 2011 policy document "New Government, Better Government":
Attorney General’s Advice

50. In specific circumstances the Attorney General’s advice to government should be published. If the advice of the Attorney General is publicly relied upon as justifying or necessitating a particular course of action adopted by the Government or by a minister, privilege should not preclude the publication of a summary of the arguments as they relate to:
* the development of a legislative proposal by the government, a minister of the government or a minister of state, or by any other member of the Dáil or Seanad,
* the introduction of a Bill or resolution in either House of the Oireachtas or the passage, defeat or amendment of a Bill or resolution in either House,
* the making, revocation or amendment of a statutory instrument, or
* the development or amendment of a policy or programme of a public body, unless the advice is given in the course of litigation or in relation to pending or contemplated litigation.*
* Appropriate provision would be taken for the protection of commercially sensitive information and information to do with private individuals, national security, the detection and prosecution of crime, and so on.
I couldn't agree more, and look forward to this Labour policy being applied to the current statutory instrument.

---
* A question might be raised as to whether publishing advice might prejudice the pending music industry litigation. It could be argued that advice about Ireland's obligations under the Infosoc Directive should not be released, though the Minister has already rather let the cat out of the bag by stating to the Dáil that the advice is that "the State is at risk of actions against it, which would probably result in substantial damages". However, even granting this point there is no reason not to publish the advice about the distinct issue of how to implement the Directive. For example, why was a SI considered appropriate and not primary legislation? How was the vague wording chosen? Why did the Minister reject the suggestions in the Technical Group's alternative draft SI? There is no possible prejudice in providing more clarity on these points.

Monday, February 06, 2012

I thought I was writing a blog; turns out I'm a threat to humanity

We need to address the threat to humanity posed by the tsunami of unverifiable data, opinion, libel and vulgar abuse in new media. I know all the stuff about it being a tool of freedom and democracy, and I also know it has the capacity to destroy civil society and cause unimaginable suffering. Governments have a regulatory function in this regard, and they’re walking away from it because they’re afraid of appearing to be repressive.
Ironically today's speech by Alan Crosbie at a conference on media diversity is itself full of such unverifiable data and opinion. For a man who makes much of the credibility and reliability of newspapers, it is unfortunate that he repeats the long since debunked claim that:
Those English riots, for example, were a new media generated phenomenon, a product of information going from pillar to post without mediation without being edited, without a quality check.
Also worth noting is the cognitive dissonance between page 3 (complaining about political interference in RTE) and page 4 (seeking licence fee payments for newspapers also). Read the whole thing for an insight into the views of the man behind a substantial chunk of the Irish media industry.

Sunday, February 05, 2012

"The law should be predictable as to what is mandated and what is forbidden"

One of the strongest arguments against the proposed copyright statutory instrument is that it is so vague as to make it impossible to predict what it might require of internet intermediaries. The proposal is entirely silent in relation to the most basic issues where one might expect clarity. What type of injunction might be granted? Site blocking? Three strikes? Deep packet inspection? Hash value blocking? What types of intermediaries might be affected - ISPs, search engines, hosting providers, cloud computing providers? Who will have to pay the legal costs of applications for injunctions? Who will have to pay the ongoing cost of implementing any injunction?

Crucially, this vagueness is highlighted by comments of Charleton J., the very High Court judge whose ruling in EMI v. UPC has been relied upon by Sean Sherlock as justification for this statutory instrument. However, when examined closely neither his judgment in that case nor his later extrajudicial pronouncements support this claim. In particular, in a recent speech to the Fordham Intellectual Property Conference, he said:
Legislation such as the [UK Digital Economy] Act of 2010, has at least the predictability of express statement as to the objects to be achieved. In respect of each of the possible solutions of diversion, interruption, warning and cut-off, the British have OfCom looking at the appropriate technical machinery with which to achieve these ends. When this machinery is approved, then, in those circumstances, any court faced with these difficult cases will be in a position to fairly, if not precisely, predict what they can use as a technical solution with a view to granting or refusing to grant injunctions.

This strongly accords with the European law principle that the law should be predictable as to what is mandated and what is forbidden and enables a judge to also know what is expected in the judicial sphere in particular circumstances. As I said in another part of the judgment in EMI v. UPC, if any judge were merely to act on the basis of what the Court felt was right, without having a legislative basis, the Court would be putting itself back in the position of judges in the late 19th and 20th century who used the tort of conspiracy and the remedy of an injunction against the trade union movement and thereby caused public controversy, rendered uncertain the concept of the rule of law and undermined their own authority.

It may also be well for the judicial mind to observe that the separation of powers is a definite guiding principle against doing what might seem desirable, but which is not provided for in legislation.
"The law should be predictable as to what is mandated and what is forbidden and enables a judge to also know what is expected in the judicial sphere in particular circumstances". Can the DJEI honestly claim that their proposed statutory instrument meets these criteria?