Friday, May 03, 2024

Irish state spyware and the law

In 2022 the European Parliament PEGA committee adopted a damning report on the use of spyware across the EU, following growing evidence of countries such as Spain, Poland, Greece and Hungary abusing spyware to spy on opposition politicians, the media, and civil society.

Ireland featured in that report, but only incidentally as the home of several spyware businesses which had set up shop in Dublin for tax advantages. Consequently the report leaves unanswered the questions of whether the Irish state is using spyware and if so what legal justifications it is using to do so.

Let's have a quick look at those questions.

There's not a lot of direct evidence here - there is no Irish law specifically governing state spyware and the state refuses to comment on its use - but I obtained an interesting document under FOI which might shed some light on this.

This is the Department of Justice's response to a questionnaire from the European Commission looking for "information from all Member States about the use of spyware by national authorities and the legal framework governing such use". (Cianan Brennan had a good summary of the response in the Examiner.)

The letter to the Commission is careful not to confirm or deny that the Garda Síochána or other state agencies use spyware. In fact, it doesn't even mention the word. However, it does suggest that state agencies do. (Unsurprisingly: as far back as 2015 the Defence Forces were in discussion with Hacking Team about purchasing their products.)

Why? The key point is that the letter mentions two separate powers - interception of communications under the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 and use of surveillance devices under the Criminal Justice (Surveillance) Act 2009.

Neither of these individually allows state malware - the 1993 Act permits interception only, and does not give power to tamper with devices, while the 2009 Act authorises use of surveillance devices, including access to premises to plant the devices, but does not give any express power to interfere with computer systems and specifically excludes anything (such as monitoring of email traffic) that would constitute an interception under the 1993 Act. Consequently neither power on its own would permit the use of spyware.

However, by referring to both powers, the letter suggests that spyware is being authorised using both of them - possibly combining a warrant from the Minister for Justice under the 1993 Act with a District Court authorisation under the 2009 Act in some cases to provide a (shaky) legal foundation for spyware.

If so, this is a major scandal in itself. The 2009 Act was never put forward as authorising spyware and in fact it is drafted in terms which make it clear that it is intended to apply to physical surveillance tools. The key term "surveillance device" is defined as "an apparatus designed or adapted for use in surveillance" - i.e. a physical device rather than software. Judges may authorise "enter[ing] ... any place" for the purposes of surveillance, but aren't empowered to authorise hacking into a computer.

In March 2024 the Irish government signed up to the US-led Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware. That statement re-commits Ireland to the principle that "Governments should ensure transparency on the applicable general legal framework supporting the use of surveillance technologies. Governments should clearly define the legal basis for using surveillance technology with transparency on the safeguards in place to prevent abuse or discriminatory uses." It is the height of hypocrisy for the Irish government to lecture the world about transparency, when denying it at home.

Data retention in Ireland: When European law meets national recalcitrance


I've just finished writing a chapter on data retention law in Ireland for a forthcoming collection edited by Eleni Kosta and Irene Kamara. It examines how, from the judgment in Digital Rights Ireland onwards, the Irish state has fought a rearguard action against compliance with EU fundamental rights.

Abstract:

This chapter examines the development of data retention in Ireland following the CJEU judgments in Digital Rights Ireland and Tele2 Sverige. It describes how the Irish State continued to enforce national data retention law for six years after Tele2 Sverige confirmed its illegality, attempted to re-litigate the legality of indiscriminate data retention before the national courts, and reformed domestic law only when forced to act by the CJEU decision in GD v Commissioner of An Garda Síochána. It assesses how national oversight mechanisms largely failed to address this illegality and argues that the data retention saga has highlighted significant weaknesses in the criminal justice system, the ‘designated judge’ model of supervising surveillance, and the accountability of the executive to parliament.

Full text on SSRN