Saturday, August 31, 2013

What would Turkey like to hide from its citizens?

Internet censorship in Turkey is a prime example of why democracies should not attempt to filter the internet. I've blogged before about the blocking of Richard Dawkins's website by the Turkish authorities so I was fascinated to learn that a full list of sites which have been blocked by Turkey is available. The information has been compiled by EngelliWeb.com which identifies 31,694 sites as having been blocked, roughly doubled from last year. You can also view all blocked sites as a single page.

Highlights of the blocking list? In addition to Kurdish news sites, it includes the entirety of:

Blogger
Blogspot
Dailymotion
Google Groups
Google Sites
Shoutcast
Ustream.tv
Vimeo
Wordpress
YouTube

One important caveat - not everything on the list is currently blocked. Turkey has flip-flopped on many of these sites with on again/off again bans at different times for different reasons. Some sites - such as YouTube - have also been unblocked after caving in to Turkish government pressure and agreeing to censor for Turkish users.

More on Turkish blocking from the excellent Reporters Without Borders site. The Guardian has a recent piece on how Turkish internet users are getting around this censorship.

Friday, June 07, 2013

Quote of the day

The way things are supposed to work is that we're supposed to know virtually everything about what they do: that's why they're called public servants. They're supposed to know virtually nothing about what we do: that's why we're called private individuals.
Glenn Greenwald nails it.
 

Saturday, May 25, 2013

Will Irish courts take phone hacking seriously?

There's a remarkable story in today's Irish Independent about a woman whose criminal charges were struck out - without even a conviction - despite having been found guilty of listening to her former supervisor's voicemails. From the article:
A CIVIL servant who was found guilty of spying on her former supervisor by hacking into her mobile phone's voicemail messages has escaped punishment.

Dublin City Council employee Severine Doyle (39) had pleaded not guilty to 11 charges under the Postal and Telecommunication Act. However, following a hearing last June, she was found guilty of intercepting voice messages on a phone used by Teresa Conlon, Dublin City Council's head of housing allocation.

Dublin District Court heard that Ms Conlon's voicemail messages had been intercepted over a five-week period, from January 8 until February 11, 2010.

Doyle's sentencing had been adjourned until yesterday. Judge Eamon O'Brien told defence solicitor Declan Fahy: "I will strike it out with liberty to re-enter. I am giving her a chance, the ball is in her court."

During the trial on June 28 last year, Ms Conlon told the judge she found out that some city councillors had said they had listened to tapes of messages left on her phone.
This is an unusual outcome. The offences established carry a possible sentence of 5 years if prosecuted on indictment or 12 months otherwise. There were multiple incidents of phone hacking over an extended period. There was no guilty plea. The offences were aggravated by dissemination of the recorded material to councillors. Despite all this, the case was struck out. This may not have been a case for a custodial sentence, but I see no reason why a conviction shouldn't have been registered to mark the gravity of the offence. While there may be more to the matter than emerges from the media coverage, on the face of it this is a case where the court has failed to give adequate weight to the right to privacy in communications.

Thursday, May 16, 2013

"Anyone who uses Facebook does so at his or her peril"

Lawyers: Angry that former clients are suing you over failed investments? Apparently the correct response is not to post on Facebook "They thought they knocked me down, now they will see the full scale of my reaction. F*** them, just f*** them. They will be left with nothing."

Turns out that Facebook posts are not automatically confidential, and will be admissible in evidence against you in proceedings to stop you dissipating the money you owe. Whodathunkit?

The key passage is at para. 4 of the judgment and neatly summarises why very few posts will attract a duty of confidence:
[A]nyone who uses Facebook  does so at his or her peril. There is no guarantee that any comments posted to be viewed by friends will only be seen by those friends. Furthermore it is difficult to see how information can remain confidential if a Facebook user shares it with all his friends and yet no control is placed on the further dissemination of that information by those friends. No evidence was adduced as to how many friends the defendant had and what his relationship was with each of them. It was certainly not suggested that those friends were in anyway restricted as to how they used any information given to them by the defendant. For the avoidance of doubt, I do not consider that any of the friends viewing that information would necessarily have concluded that the information was confidential and could not be disclosed. I have received no evidence as to why those friends were in any way restricted as to how they can use information received from the defendant and why they would have known this information was confidential or private

Defamatory material on Facebook and YouTube: McKeogh v. Doe and others

The High Court today gave a significant decision in McKeogh v. Doe and others concerning defamatory material posted through Facebook and YouTube. The background to the case is well summarised by the Daily Mail. As I have a professional involvement I'll refrain from any comment except to explain that this is an interlocutory judgment (i.e. pending a final hearing of the action) in which Peart J. held that a mandatory injunction should be granted against Facebook and the Google defendants requiring them to take down material defaming the plaintiff until the full trial can take place. The judgment did not itself grant an injunction - instead, the details of the injunction will be determined following a meeting to take place between experts for the plaintiff and the defendants. After this meeting the experts must report back to the court with either an agreed report or separate reports regarding the technical steps which can be taken to remove the defamatory material as far as reasonably possible.


Thursday, March 21, 2013

Microsoft joins the transparency movement (with an important Irish dimension)

Kudos to Microsoft for today publishing their first annual Transparency Report setting out details of how often national police forces seek to read customer content (such as emails) or to access other information on customers. This is done as part of their commitment as a member of the Global Network Initiative and it's striking, but alas not surprising, that this makes Microsoft considerably more transparent than the Irish government which refuses to reveal even this basic statistical information.

On to the data. In 2012, in relation to Microsoft products generally (Hotmail, Outlook.com, Messenger, etc.) Gardaí sought information in 72 different requests, relating to 222 different accounts. Of these requests, 5 resulted in user content being revealed (such as the actual contents of emails), 46 resulted in non-content user information being revealed (such as the IP address last used), 19 resulted in no data being found and 2 were rejected for not meeting legal requirements.

Skype, which Microsoft now owns, was treated separately. In relation to Skype Gardaí made 4 requests relating to 7 different accounts and there was no data disclosed in relation to any of those requests. (This mostly seems to be due to no data being found but records aren't available for the entire year.) Also, in 2 cases the Skype support team provided general guidance to Gardaí regarding the procedures for accessing customer data.

There's an interesting comparison here with Google's Transparency Report. The overall numbers of requests by Gardaí to Microsoft and Google are very close (76 total for Microsoft for all of 2012; 34 for Google for the first six months of 2012). However the numbers of requests which result in information being provided are very different. In the case of Google data was provided in reply to just 2 of 34 requests (6%), while Microsoft provided data in response to 51 of 76 requests (67%). It's impossible to know without more information why that is and the low Google response rate might be just a blip for the particular six month period - nevertheless the difference is striking.

Significantly, Ireland was one of only four countries other than the US where user content was disclosed, the others being Brazil, Canada and New Zealand. The report doesn't make it clear why this is, but the FAQs imply that this may be due to Hotmail and Outlook.com accounts being hosted in Ireland and therefore being subject to local law.

The report also glosses over a question which has long interested me - what's the legal basis on which Microsoft will provide the contents of emails to Gardaí? Here's what the FAQs have to say:

What laws apply to Microsoft and Skype customer records and content? 

Irish law and European Union directives apply to the Hotmail and Outlook.com accounts hosted in Ireland...

How does Microsoft and Skype determine what law enforcement entities are able to request data? 

Microsoft must produce data in response to valid legal requests from U.S. and Irish law enforcement entities because we are headquartered in those jurisdictions or because we host data in those countries. Microsoft may disclose non-content data pursuant to a law enforcement request after it is validated locally and transmitted to our compliance teams in the U.S. and Ireland...
So - what exactly is a "valid legal request"? Irish law on interception doesn't seem to extend to webmail, suggesting that Microsoft are simply acting in response to non-statutory Garda requests rather than requiring a Ministerial warrant as would be required for telephone tapping. If so, the relevant law would be s.8 of the Data Protection Acts 1988 and 2003, which allows (but doesn't require) voluntary disclosures of user information in the context of criminal investigations. This would, however, be worrying if true as it would allow Garda access to email contents without any outside scrutiny (no Ministerial warrant or court order required) and without the other safeguards which would apply to telephone tapping - so no judicial oversight after the fact and no complaints mechanism available.

If this is the case then it would also put Ireland in breach of our obligations under Article 8 of the European Convention on Human Rights, which states that interferences with private communications must be "in accordance with the law", requiring that there should be a clear legal basis along with adequate mechanisms in place to oversee and guard against abuses of surveillance. (See in particular Klass v. Germany and Malone v. UK.)

More clarity on this point is required, and as soon as possible the law should be changed to ensure that emails enjoy the same protections as telephone calls.

Wednesday, March 20, 2013

Testifying before the Oireachtas Social Media Hearings

I appeared today along with my colleague Fergal Crehan on behalf of Digital Rights Ireland before the Oireachtas Joint Committee on Transport and Communications which is currently holding a series of hearings on "Social Media Ethics and Regulation". There's a good summary of the proceedings in the Irish Times but the masochistic amongst you can watch the whole thing here. Our slides and Fergal's very comprehensive written submissions are embedded below.

I won't rehash here the substance of the discussion, but I should say that we got a very fair hearing from the Committee whose members - following four separate sessions on the topic - are now very familiar with the issues (previous sessions: 1|2|3). They were quite receptive to the argument that greater resources are needed for the Data Protection Commissioner and the Garda Computer Crime Investigation Unit, and I suspect that they were as shocked as I was to discover that there is currently a three year backlog for that unit to investigate child pornography cases.

The hearings as a whole were also useful in highlighting current practice in sites such as YouTube and shedding some light on the otherwise rather opaque Office for Internet Safety in the Department of Justice. I was disappointed though that there was no evidence from domestic social networking sites such as Boards.ie - the larger international players such as Facebook, Twitter and YouTube operate in a very different environment, not least in the resources they have, and it would be unfortunate if the Committee were given the impression that they were typical of social media sites generally. I don't know whether the domestic absence is because local sites didn't seek to be heard, or whether they weren't given time - but either way it seems to me that these sites would benefit from joining forces and possibly setting up a group to represent their views. In any event I look forward to seeing the Committee's report.


Tuesday, March 05, 2013

Irish court allows reporters into family law case (but bars tweeting)

The High Court gave a landmark judgment on surrogacy earlier today, holding that the biological mother of twins born to a surrogate (her sister) was entitled to be recorded as their mother on their birth certificates. I'll leave the family law side of this to the experts, but I was struck by how the court handled the issue of media coverage. In particular, in exercising its discretion to allow certain designated journalists to report on the proceedings the court did so subject to a number of conditions one of which was that: "no contemporaneous social media reporting e.g. by Twitter shall be carried out by the designated reporters."

This seems to be the first time that an Irish court has positively restricted the tweeting or live blogging of court proceedings, though that's not to say that the issue hasn't been considered.

In 2009 Abigail Rieley - then working as a court reporter - could still say that the issue hadn't yet reached the judicial consciousness. In 2011 it was reported that a judicial committee would consider the issues of jurors' use of the internet and might also consider the issue of courtroom reporting on social media. (I'm not aware that anything public ever emerged from this - if you know better please let me know.) Still again, in 2012 the media relations advisor to the Courts Service published an interesting article on social media and the courts (PDF) which amongst other things suggested that there was a need for judicial guidance along the lines of the current English rules regarding tweeting from court.

Meanwhile, despite these concerns the use of Twitter in court has simply become a part of day to day reality. Today's judgment is the first time it has butted up against judicial resistance - and that only in the particularly difficult and private context of a family law matter. I suspect, though, that it won't be the last.

Thursday, February 28, 2013

Illegally obtained digital evidence: Mind your Ps and Qs

"While the law provides for court orders to be made for the preservation and obtaining of evidence for the purpose of future legal proceedings, claimants, or potential claimants, sometimes resort to measures of self help, by copying, seizing, or attempting to access digital copies of documents" - Tugendhat J. in L v. L. (2007)

Those words from the English High Court are equally true in Ireland. Particularly in family law cases it can be very easy for a litigant to (illegally) access the laptop, webmail or other electronic information of the other side to collect ammunition for use at trial. This presents interesting legal issues as to when such evidence will be admissible, despite the way in which it was obtained.

The High Court gave a recent judgment in the family law case P v. Q [2012] IEHC 593 which offers some guidance. In this case the applicant (the husband) sought a judicial separation and attempted to introduce evidence relating to the respondent's (wife's) sexual activities since the breakup of their marriage, including details of material on her laptop and posted by her to certain websites. The respondent gave evidence that the passwords for her laptop and the access codes for the sites were kept in a locked safe which the applicant must have accessed illegally. Consequently she sought to ensure that the information obtained by the applicant was not used in the proceedings and in particular was not used as the basis to obtain an order for discovery against her.

On appeal from the Circuit Court, the High Court held that in the ordinary course of events this information would be inadmissible on the basis that it was obtained illegally and in breach of the constitutional right to privacy of the respondent. In this case, however, given that child welfare issues also arose the court took the view that the constitutional rights of the child took precedence over the manner in which the evidence was obtained so that the information could be admitted in relation to the child welfare issues only. The relevant parts of the judgment are at para. 33 onwards:
33. The issue for the court to determine is complicated by the allegation that the respondent’s privacy was breached illegally when the codes and passwords of her personal laptop were accessed, at a time subsequent to the commencement of family law proceedings. Although disputed by the applicant, the evidence before this court heard on affidavit would indicate that the passwords and access codes to these particular websites were retained by the respondent in a locked safe. There are many occasions and opportunities in family law proceedings, where parties to the proceedings access information which the other party regards as private, but which has not been obtained illegally. In this case the acquisition of the codes is tainted by illegality.

34. I accept the submissions on behalf of the respondent, that there is a broad principle of constitutional law, that evidence which is obtained by invasion of a constitutional personal right such as a right of privacy must be excluded unless the Court is satisfied that the breach was committed unintentionally or accidentally (which could not be the case here) or is satisfied that there were extraordinary excusing circumstances which justify the admission of the evidence in its discretion”. It is respectfully submitted that there are no extraordinary excusing circumstances in this appeal. I would accept that principle as applying to a criminal prosecution, in order to protect the absolute right to a fair trial.

35. Where different constitutional rights have to be balanced, different principles apply.

36. A court should always be reluctant to admit evidence or approve discovery, which is tainted with illegality, but that is not to say that on all occasions where illegality is suspected or found, that the evidence so obtained is not admissible. This is particularly so when dealing with the welfare of a child.

37. If the court were only dealing with issues between the parties and not the welfare of the child, the court would have taken into consideration the sexual history of the marriage, and on balance would not make the order for discovery sought..

39. The alleged sexual activity of the respondent has a direct bearing on the welfare of the child of the marriage...

41. While the proceedings touching on the welfare of the child are adversarial in nature, there is an inquisitorial aspect to that portion of the proceedings dealing with his custody. Balancing the different constitutional rights and responsibilities the welfare of the child would take precedence over illegally gathered information touching on the child’s welfare.

42. In addition the constitutional right to privacy of the respondent is protected in “in camera” proceedings, as the information disclosed is confined to the parties, their legal representatives and the court. The respondent’s rights can be further protected by the addition of further conditions.

43. The court affirms the order of the Circuit Court with the following additional conditions:-

(1) The material furnished can only be used for the purposes of determining the welfare of the child of the marriage and not for the purposes of s. 16(2)(i) of the Act in respect of the behaviour of the respondent.
(2) Any material discovered which does not impinge on the child’s welfare, should be furnished but returned to the respondent, and not relied on by the court.
(3) In the event of any dispute the presiding judge of the Circuit Court should consider the material and decide on relevance
While this decision allowed the use of this information on the particular facts of the case for a limited purpose, overall it adopts an approach which will mean that in most future cases such evidence will be inadmissible. The judgment isn't entirely clear on the distinction between illegally and unconstitutionally obtained evidence but appears to accept the proposition that wrongful access to a laptop or an online account will amount to an invasion of the constitutional right to privacy - not merely an illegality. In this, it extends the principle previously established in PMcG v. AF in relation to hardcopy (a diary in that case) to digital information also.

Monday, February 18, 2013

Impact of the Criminal Justice Act 2011 on cybercrime law

One of the most important recent developments in Irish criminal law has been the enactment of the Criminal Justice Act 2011 which makes substantial changes to both the substantive and procedural law surrounding offences of dishonesty and "white collar crime" (previously). While the 2011 Act is of very wide application, it has particular significance for computer crime where it creates both duties to report certain types of crime and new police powers to require the handing over of passwords and decryption of files.

Pearse Ryan and Claire O'Brien of Arthur Cox and Andy Harbison of Grant Thornton have produced a very good guide to the effect of the 2011 Act for the Society of Computers and Law (paywalled) and with their kind permission I'm glad to be able to host a copy here:

Cybercrime in Ireland – Recent Legislative Developments

The Criminal Justice Act 2011 (the “2011 Act”) came into effect on 9th August 2011 and was enacted with the aim of granting An Garda Síochána (the Irish national police service) more extensive powers to investigate “serious and complex offences”. (1) The main areas which the 2011 Act deals with are the supply of information at investigation, detention, questioning and the summoning of witnesses.  Much attention has focused on the 2011 Act as a tool in the fight against white collar crime, a topic of much interest since Ireland’s economic crisis.  In the press statement released by the Minister for Justice, Equality and Defence, Mr Alan Shatter, it was stated that the 2011 Act is “an important step in delivering on the Government’s strong commitment to tackle white collar crime as set out in the Programme for Government”.(2)

This article focuses on the 2011 Act as a tool in the fight against cybercrime, a specific sub-species of white collar crime.  While cybercrime may not pose the same threat to national economic well-being as some of the criminal acts, the investigation and accordingly the prosecution of which the 2011 Act was intended to assist, with particular reference to the financial services sector, cybercrime is a material and ever increasing area of criminal activity.  Also, it is an area in which the Gardaí were previously severely hampered in their ability to investigate, with a knock-on effect on prosecutions.

This article follows on from an earlier article entitled ‘Computer Fraud in Ireland’.(3)  

Purpose of 2011 Act


The problems which the 2011 Act attempts to tackle are problems which potentially both significantly delay and hamper the investigation and prosecution of white collar crime.  Cybercrime, in particular, is frequently orchestrated on a large if not massive scale and in an increasingly complex manner, as technology develops at a rapidly increasing pace.

The level of resources deployed by organisations to secure their IT systems has increased substantially in recent years.  Correspondingly, the level of technical sophistication necessary to establish a breach in most organisations’ IT networks, and particularly those in the financial services industry, has also had to increase.  Organisations’ cyber-defences now typically take a lot more effort and wherewithal to breach.  Now, more than ever, to become a success in cybercrime it is necessary to be intelligent, patient, innovative and well resourced, none of which are characteristics typical of most criminals.  Cybercrime, or at least those areas of it that are more than computerised petty theft, therefore falls increasingly within the domain of organised criminals.(4)

National authorities responsible for investigation of all forms of cybercrime are almost invariably at a technological disadvantage, as the criminals make the running.  The 2011 Act attempts to go some way towards lessening delays which hamper the investigative process.  

Scope of 2011 Act


Section 3(1) of the 2011 Act brings a number of relevant offences within its ambit, among them Section 9 of the Criminal Justice (Theft and Fraud Offences) Act 2001 (the “2001 Act”) and Sections 2, 3 and 4 of the Criminal Damage Act 1991 (the “1991 Act”).  These offences are summarised below, but are discussed in some detail in the previous article referenced above.

Additionally, Section 3(2) provides that the Minister may, by order, specify as a relevant offence, any arrestable offence relating to criminal acts involving the use of electronic communication networks and information systems or against such networks or systems or both, if the Minister is of the opinion that the nature of the offence is such that it would benefit from the powers conferred on the authorities in the 2011 Act, due to, for example, the complexity of transactions involved and the prolonged period of time usually required for investigation.  It remains to be seen whether any such offences will be specified pursuant to Section 3(2). 

Section 3(2) appears to be a recognition that the 1991 Act and 2001 Act were rendered effectively obsolete by technological innovations quickly after being passed.  Nevertheless, it does not solve the problem that an offence has to be rendered arrestable before it can also be designated as reportable, a problem when Irish authorities have historically had difficulty keeping up with the apparently boundless imaginations of cyber criminals when applied to developing new varieties of IT fraud and cybercrime.

Sections 2 and 3 of the 1991 Act respectively create the offences of damage to, and threat of damage to, property, including damage with an intention to defraud.  Section 4 of the 1991 Act created the offence of possessing anything with intent to damage property with a similar intention to defraud another.   Section 9 of the 2001 Act relates to the dishonest operation of a computer whether within or outside the State with the intention of making a gain, or of causing loss to another. 

It is notable that Section 5 of the 1991 Act remains outside of the remit of the 2011 Act.  Section 5 is a computer-specific offence and deals with persons who, without lawful excuse, operate a computer within the State with intent to access any data kept either within or outside the State, or outside the State with intent to access any data kept within the State, whether or not any data is actually accessed.  Given the specific acknowledgements in the 2011 Act of the role played by technology in serious and complex offences, it is surprising that Section 5, with its obvious focus on hacking and data security, has been excluded from its application.  It is possible that the drafters of the 2011 Act doubted the ability of citizens to reliably and accurately identify the kind of offences covered under Section 5 of the 2001 Act, which would render any legal obligation to report such offences excessively onerous.  Hacking offences can be difficult to identify where the perpetrator’s intention was to remain undetected, which is frequently the case and particularly with more sophisticated hacking.  It might also be noted that resource allocation to the Gardai’s Computer Crime Investigation Unit has failed to keep up with growth rates in IT usage over recent years.  An obligation to report computer offences would thus not necessarily be reflected in an increase in investigative activity.

Key Provisions of 2011 Act


Under Section 15 of the 2011 Act a member of the Garda Síochána may apply to a judge of the District Court for an order to make particular documents or described documents available or to give information for the purposes of the investigation of a relevant offence.  In the case of documents being handed over under this section which are illegible or inaccessible, the court order may also stipulate that any relevant access or passwords be given.  Failure to provide passwords can be punished by a fine or prison term of up to 12 months on summary conviction or 2 years on indictment.

Requiring passwords is a significant power, given that without the key the lock remains unopened.  Investigation of cybercrime offences can clearly be substantially frustrated by the lack of access to encrypted documents, as demonstrated, for example, in recent Garda investigations at Anglo Irish Bank.(5)  This section provides the Gardai with considerable additional leverage.  The 2001 Act only allowed for a penalty of IR£500 or 6 months for failure to disclose passwords and as far as we are aware these penalties were never imposed.

The Superior Courts in Ireland have on occasion in recent years issued Anton Piller Orders and other civil warrants which required individuals to disclose passwords to representatives of civil plaintiffs, under threat of being held in contempt and summarily jailed.  In practice this has meant that private persons have potentially had more scope to force other parties to disclose their password than have the police, a fact of necessary concern to Gardai.

Section 16 deals with the assertion of privilege over documents which fall subject to an application under Section 15 and allows for the Garda Síochána to apply for a determination as to whether privilege can be claimed, which application may be made in camera.  This provision will be of benefit in the context of the speed at which cybercrime offences can become opaque and tackles a significant area of delay in criminal prosecution. 

Section 18 of the 2011 Act allows for certain reasonable presumptions to be made in the context of the Criminal Evidence Act 1992 in relation to the authorship or exchange of documents by virtue of the circumstances in which the document is found or purports to be exchanged.  In IT forensics, it is typically relatively straightforward for expert investigators to establish that actions were carried out on a computer by persons using a particular user account or other privileges.  It has historically been far more difficult to link specific individuals with user accounts – to place their hands on the keyboard.  The new provision allows the Courts to assume that the individual in possession of a certain set of user credentials was the same person who carried out any acts on the computer using those credentials.  It is up to the defence to demonstrate that others might have been able to use the same credentials to carry out a crime.  These provisions will be of particular relevance to the use of electronic documents in the course of investigation and the use of evidence in criminal trials. 

Under Section 19(1) of the 2011 Act a person commits an offence if they have information which they believe might be of material assistance in preventing the commission by another person of a relevant offence, or in securing the apprehension, prosecution or conviction of any person for a relevant offence, and they fail without reasonable excuse to disclose that information to the Gardaí.  This offence attracts a penalty of a class A fine (maximum €5,000) and/or 12 months imprisonment on summary conviction and an unlimited fine and/or imprisonment not exceeding a period of five years on conviction on indictment.  The Gardaí may arrest and detain, for up to 24 hours, an individual without a warrant if they are suspected of withholding information.(6)

It is our understanding that this obligation may apply retrospectively so that, in theory, matters that individuals and organisations might have thought long closed should be reported to the Gardaí regardless.  This is an area of concern amongst those likely to be obliged to report offences, although not an area that has attracted much public comment.

Section 19 is the provision of the 2011 Act which has attracted most attention within the public and private sectors.  This provision represents a clarification in the law, creating for the first time a specific obligation to report relevant information to the authorities.  While this provides obvious advantages for the Garda Síochána in investigation of serious crime, it has caused a degree of concern to public and private sector organisations, who may now be guilty of an offence if they fail to report information covered by the provision.  This could potentially apply in circumstances of omission by default, where the organisation may not be actively aware that relevant information is in their possession.  While it is assumed that the normal rules in relation to knowledge and possession of evidence, together with normal Garda operational practice and procedure, will apply in the application of this Section, there is an element of doubt here which is a cause for concern amongst public and private sector organisations who may have suffered cybercrime, together with third parties, such as IT security or forensics consultants brought in to investigate technical aspects of an incident, which may take some time to be identified as a crime.  This Section was introduced to solve a perceived problem, but the tariffs applicable to the new offence in particular have caused disquiet amongst those under an obligation to report.

It should be noted that Section 19 has essentially reinstated the offence of Misprision, which had been removed from Irish law by the Criminal Law Act 1997(7), for all but terrorist offences.(8)  Misprision was formerly a common law misdemeanour committed by a person who knew that a felony had been committed but did not give information which could lead to the felon’s arrest.(9)  Minister Shatter stated at the Second Stage reading of the 2011 Act, in relation to Section 19, that “this particular offence is of major importance, as its creation in the Bill will ensure that those who become aware of persons engaging in white collar crime are under an obligation to bring what they know to the attention of the Garda Síochána”.(10)

One provision the 2011 Act does not include is any allowance to provide additional resources to the Gardaí to investigate the offences which it is intended be reported to them under its provisions.  Nor has the Government allocated any additional resources to the Garda Bureau of Fraud Investigation or to the Garda Computer Crime Unit in response to this new legislation.  As a consequence it appears the main effect of the Act may be to deluge the law enforcement authorities with reports of possible offences without providing them any means to investigate them.  It is therefore very much an open question whether in this regard the 2011 Act is anything more than a ‘paper tiger’.

2011 Act Overview and Summary

The 2011 Act introduces a wide arsenal of powers aimed at aiding the investigation of serious offences which in the context of cybercrime are generally long overdue and are to be welcomed.  The quite serious tariffs applicable under Section 19 have been less welcomed by those likely to suffer cybercrime as well as the IT forensics sector, who may be the ones who discover the crime.

While the 2011 Act incorporates approximately 130 offences into its remit, one significant omission is reference to Section 5 of the 1991 Act, which relates to unauthorised use of a computer with intent to access data, which was intended to deal with hacking.  The reason for this omission is assumed to be attributable to the same logic which associates the offence under the 1991 Act with damage to property and applies comparatively small tariffs.  Under the 1991 Act a general offence relating to damage to property is stated, with property defined to include data.  This is thus a fairly basic cybercrime related offence.  Notwithstanding the relative merits of Section 5 of the 1991 Act, by omitting reference to it the 2011 Act has disregarded one of the main types of cybercrime offence, namely hacking (albeit a particular type of hacking), that the new broad powers of investigation would seem to have been intended to tackle.

Significant steps have been taken by the 2011 Act to make inroads on issues which hamper the effective investigation of complex and technical crimes.  This is welcome.  However, overall the law applicable to substantive cybercrime offences, as set out in the 1991 Act and 2001 Act, requires significant revision, to update what are by now elderly offences.  Without a more focused and sophisticated legislative framework cybercrime will remain an area where the law lags behind the crime. 

Pearse Ryan is a partner in the Technology & Life Sciences Group at Arthur Cox, Dublin, specialising in IT, outsourcing, cloud computing and IT security issues.  Claire O’Brien is a trainee solicitor in the Technology & Life Sciences Group at Arthur Cox, Dublin.

Andy Harbison is a Director – IT Forensic Lead, Forensic & Investigation Services, at Grant Thornton, Dublin, specialising in computer forensics and electronic discovery.

Pearse and Andrew wish to express their thanks to Claire for her valuable contribution to this article.

Footnotes:


  1.   Criminal Justice Bill 2011 Second Stage Speech (Dáil) on Wednesday, 18 May 2011, Minister for Justice, Equality and Defence, Mr Alan Shatter, T.D.
  2.   Press release of the Minister for Justice, Equality and Defence, Mr Alan Shatter, T.D., available at: http://www.justice.ie/en/JELR/Pages/CrimJustBill2011_PR
  3.   Article published by the Society for Computers & Law, available at: http://www.scl.org/site.aspx?i=ed16653.  Also available at:  http://www.arthurcox.com/who-we-are/our-people/pearse-ryan.html
  4.   For example, 21/12/12 story entitled ‘Facebook helps FBI take down $850m cyber-gang’, available at: http://www.finextra.com/News/FullStory.aspx?newsitemid=24372
  5.   See: http://www.independent.ie/national-news/anglo-chiefs-facing-quiz-on-missing-passwords-2413749.html
  6.   For a general discussion of S19 see:  http://www.arthurcox.com/uploadedFiles/Publications/Publication_List/Arthur%20Cox%20-%20The%20Criminal%20Justice%20Act%202011,%20September%202011.pdf
  7.   In this Act, Section 3 abolishes the distinction between felony and misdemeanour, thereby abolishing the felony of misprision.
  8.   Section 9 of the Offences Against the State Act, 1998 creates an offence similar to misprision.  In this section it is an offence to withhold information which a person knows or believes might be of material assistance in preventing the commission of a serious offence or securing the apprehension, prosecution or conviction of any other person for a serious offence.
  9.   See for example Sykes v. DPP [1961] 3 All ER.
  10.   http://debates.oireachtas.ie/dail/2011/05/18/00025.asp

Monday, January 14, 2013

Government locked itself in Dáil and won't come out until Internet stops laughing at them, says spokesperson

Best commentary so far on the Irish social media debate. Here's an excerpt:
TDs are said to be currently staging a sit-in, making this the first time in 20 years all 166 members have been in the building at the one time.
In a statement issued earlier, Justice Minister Alan Shatter said the government has had enough of ‘Internet bullies’ poking fun at politicians.
‘It's not fair that everyone is laughing at us all the time and posting funny pictures,’ read a spokesperson. ‘The government has decided to put a stop to this and stage a sit-in from 9am – 11am, before breaking for a three hour lunch break. The sit-in will commence shortly after 2pm and finish for the day at 3.’

Friday, January 04, 2013

Legislation is not the answer to abuse on social media

I had an opinion piece in last week's Sunday Business Post in response to the latest Irish panic about the internet. As it's behind a paywall the full text (with added links) is below:
 
Legislation is not the answer to abuse on social media

Earlier this week the Chinese government passed a measure requiring all internet users to register their real names. The official line has been that the law is to "safeguard the lawful rights and interests of citizens" and "social and public interests", but Chinese bloggers have been in no doubt that it is a response to growing use of the internet to expose official abuses. It's disappointing, therefore, that some within the Irish government seem to be considering a similar approach.

The background is the suicide of TD Shane McEntee. Some members of his family and politicians have said that "abuse" directed towards him on social media over cuts to the respite care grant had caused him great stress. Social media abuse has also been linked to other recent suicides, though politicians need to be careful not to over-simplify the complex causes behind someone deciding to take their own life.

A number of politicians have now called for regulation of social media and the Oireachtas Committee on Transport and Communications has scheduled a special meeting for January to look into the issue with its chairman, Tom Hayes, saying that "people have to be made accountable for what they are saying".

Kneejerk calls for "regulation" ignore the reality that social media is already regulated in the sense that the law applies online as it does offline. Where defamatory comments are made online then a defamation action can be brought in the same way as though those comments were made in a telephone call or letter.

The criminal law applies in the same way --- in particular, the offence of harassment contrary to the Non-Fatal Offences Against the Person Act 1997 has already been used to prosecute online activity. In each case, whether civil or criminal, there are already mechanisms to permit the identification of internet users accused of serious wrongdoing.

Given these existing laws, when politicians call for people to be made "accountable" then either they are unaware of the current mechanisms to deal with breaches of the law or they have something else in mind, some new form of regulation which would restrict speech online to a greater extent than offline.

There are, so far, no concrete proposals on the table, but there is already hostility among Irish politicians to the ability which the internet gives users to speak freely. Ruairi Quinn earlier this year, for example, described the internet as "a playground for anonymous back-stabbers". Consequently, one particular issue that is likely to be floated is that of requiring some form of real name registration for internet users.

The proponents of real name laws invariably make the same point --- that online discussions would be more civil if individuals spoke under their own names. There is a superficial appeal to this argument even if politicians themselves show that the contrary is often the case. Our politicians are never slow to attack each other in the most abusive of ways, but this does not attract the same political condemnation as similar remarks made on social media by ordinary citizens.

There are, however, very fundamental problems with real name laws. Fortunately there is international experience to show why this is. In 2007, South Korea adopted a real name verification law under which websites with more than 100,000 visitors a day were required to record the full identity of visitors posting comments using their resident registration number --- the equivalent to the Irish PPS number. Though users could still use pseudonyms on these sites, the theory was that their true identities could be revealed in the case of wrongdoing.

In a striking parallel with the current Irish situation, this law was partly prompted by suicides of celebrities said to have been the victims of cyber-bullying.

How did this experiment fare? In short, it was a disaster. It was trivially easy to evade --- users could simply move to overseas websites, making it harder rather than easier to enforce the law, while also harming the local internet industry.

It created multiple poorly-secured databases of user identities, which led to South Korea becoming one of the countries most affected by privacy breaches and identity theft.

Most importantly, it led to a chilling effect whereby citizens were deterred from speaking out online for fear of retribution. In 2011, the government announced plans to abandon the law and in August of this year the Constitutional Court unanimously ruled it to be unconstitutional, holding that it disproportionately restricted freedom of expression and did not achieve any public benefit.

In particular, the court found that "there is no evidence that the real name system has significantly reduced the defamatory or otherwise wrongful posting of messages".

The journalist HL Mencken is credited with the expression: "For every complex problem, there is an answer that is clear, simple --- and wrong." In the case of social media, real name legislation is precisely that. True, there are wider issues with civility in social media --- just as there are with civility in public discourse generally.

It also doesn't help that Irish politicians have yet to come to terms with how social media amplifies public opinion, debate and interaction, so that they can sometimes experience the active citizenry which it enables as a relentless flow of criticism.

These, however, are overwhelmingly issues of manners and social norms --- not matters for legislation. The few cases which are genuinely defamatory or criminal can be referred to the legal process, but the remainder are best dealt with by continued conversation, education and self-moderation by online communities.