Last week the Cabinet approved the heads of a Surveillance Bill which, if enacted, will allow Gardaí to break into private property to place covert video cameras and audio bugs, and to use evidence gathered in that way in criminal prosecutions. The Bill – which was already on the legislative programme but was rushed forward after the murder in Limerick of Shane Geoghegan – is intended to place existing Garda practices on a statutory basis in line with Ireland’s obligations under the European Convention on Human Rights.
At the moment, due to the lack of statutory controls, material gathered in this way (such as transcripts of conversations) can be used for intelligence purposes but would not be admissible in criminal trials. The Bill aims to remedy this by providing that Gardaí will have to obtain authorisation from a District Court judge before this type of surveillance can be carried out (except in cases of exceptional urgency) and that a designated judge of the High Court will keep the overall operation of the system under review. In addition, these methods can only be used in respect of crimes carrying a possible sentence of at least five years imprisonment and where the surveillance is, in all the circumstances, proportionate.
The Bill promises to regularise the law in this area and to that extent must be welcomed. It is unfortunate, however, that it took a high profile and tragic murder before this was given priority. As far back as 1996 the Law Reform Commission in a Consultation Paper identified a need for reform and in a 1998 Report it recommended that there should be a legal basis for Garda surveillance of this type. Successive Ministers for Justice have, however, largely ignored this recommendation. The most remarkable example came in 2006, when the Privacy Bill introduced by then Minister for Justice Michael McDowell targeted surveillance by the media but entirely excluded Garda surveillance from its scope. In light of over a decade of government inactivity, the Bill is long overdue.
The timing of the Bill aside, its provisions generally represent a substantial step forward. It has clearly been influenced by the constitutional guarantee of the inviolability of the dwelling and the safeguards which it provides are more robust than those recommended by the Law Reform Commission. It introduces for the first time in Irish law the principle that judicial approval should be required before surveillance is carried out. Unlike other forms of surveillance such as data retention – which currently can be used in respect of even the most minor crimes – the Bill is limited to genuinely serious offences and also introduces a requirement that the surveillance must be proportionate having regard to the impact on the rights of innocent third parties.
There are of course some aspects of the Bill which could be improved. For example, the procedure to deal with cases of exceptional urgency is too lax. Under the Bill as it stands those cases would bypass the judicial process entirely, so that surveillance could take place for up to 14 days without any authorisation. There must be a question mark as to whether this provision would be constitutional if it were used to break into and bug a dwelling. Instead, it would be preferable to deal with cases of urgency by permitting Gardaí to commence surveillance without a judicial authorisation but then requiring that an application be made to the District Court within a short period for permission to continue the surveillance.
However, while the Bill is generally good as far as it goes, there is a strong argument to be made that it doesn’t go nearly far enough.
Despite its broad title, it addresses only one very narrow area – the covert surveillance of locations by devices which are physically planted in those locations. Many other forms of surveillance – such as the use of GPS devices to track the position of cars, the use of long range cameras and microphones to monitor locations from a distance and live monitoring of internet activity – will still be entirely unregulated. As a result there will continue to be doubt as to whether Gardaí have the power to use these types of surveillance and as to whether the resulting evidence can be used in criminal prosecutions.
Meanwhile, although there is some legislation regulating other forms of surveillance such as the interception of communications, data retention and Garda use of CCTV, that legislation has developed on an ad hoc and reactive basis with few consistent principles applying to its use or oversight. Much of it is also out of date, most notably the 1993 interception of communications legislation which due to technological changes no longer adequately protects email and other internet communications.
Considered as a whole, therefore, the wider Irish law is inadequate. Given that many of these issues were flagged by the Law Reform Commission in 1998, it is hard to see any justification for the failure to address them to date. Although this Bill does provide for some improvements, it is at best a piecemeal response which will not address similar problems with other forms of surveillance. It is clear that the time has come for comprehensive reform of the overall law relating to surveillance. This Bill is a good first step towards that reform. But it is only a first step, and it would be regrettable if the government were to continue to ignore this area until forced to act by another highly visible crime.
November 28th, 2008
The Irish Times is reporting that the Joint Committee on European Scrutiny (a cross party committee which examines proposed EU legislation) has published a report which is highly critical of European proposals on passenger records.
The draft Framework Decision on the Use of Passenger Name Record (PNR) for Law Enforcement is an astonishing proposal which, if passed, would establish giant databases tracking the travel of every individual, logging details of every flight they make and keeping that information for 13 years. That information could then be accessed and shared with other countries without any individual suspicion, much less any form of warrant or prior permission. The proposal envisages using this information for “profiling” of all passengers. As originally proposed, the database would apply only to international flights (entering or leaving the EU) but some states are now pushing to extend this to include all flights within the EU while the UK is taking this further still and is seeking to create a database of all ferry and rail traffic within the EU.
This proposal has already been the subject of criticism across Europe from, for example, the European Data Protection Supervisor. In a presentation to the Joint Committee the Data Protection Commissioner clearly explained why the proposal is unacceptable:
We all support reasonable and proportionate measures to counter violence perpetrated against innocent people, but such measures should represent a proper balance between the need to combat such illegality and the rights of the innocent majority to go about their daily lives without undue interference by the State. In my opinion, and that of my EU colleagues, the Commission proposal fails this test. The proposal involves an obligation on air carriers to transmit to a state authority, called a “passenger information unit”, the PNR information that the passenger has provided to the air carrier in respect of any journey by air into or out of the European Union. The information typically includes contact details, such as address, phone number and e-mail, as well as payment information, such as credit card details. Under the proposal, the information has to be retained by the passenger information unit for a total of 13 years.
Such information is given by a passenger for the purpose of the provision of a service, namely air travel. The Commission proposal is that this information should be transmitted to state authorities for a totally different purpose, the combating of what is described as terrorism and organised crime. It is a basic data protection principle that information collected for one purpose should not be used for another purpose and should be deleted when no longer required for the purpose for which it was collected. The Commission proposal offends against this basic principle. Under the proposal, air carriers will have no choice but to hand over a complete record of an individual’s movements in and out of the European Union to a state entity that will retain it for 13 years, and not only a record of travel, but also of contact and payment information.
Many regular travellers would have difficulty recalling where they had travelled to, even in the past year. With this proposal, the state will have a detailed record of all such travel in and out of the European Union, and for a period going back 13 years. Therefore, whether it is a business trip to Singapore, a shopping trip to New York or a holiday in Morocco, the state will have full details. Can this invasion of individual privacy be considered a proportionate response to threats from the small number who may be tempted to engage in terrorism or organised crime?
One must also have concern for the ability of the state to protect the confidentiality of such information. Recent cases investigated by my office have, unfortunately, demonstrated that deliberate or inadvertent leaking or misuse of such information is a significant risk. Experience in other EU countries is no different…
There is little hard evidence of the actual usefulness of PNR passenger data in combating terrorism or organised crime. All we are presented with is general comments that such information is useful, with a small number of examples. There is even less evidence of the additional utility of PNR data over the more reliable API data that is already being collected. The result is that a key test under European law — that of proportionality — does not seem to be met. Even if one were to accept the case presented for this proposal — I do not — the protection provided for the innocent majority who have nothing to do with terrorism or organised crime is vague and inadequate. These deficiencies are spelled out in the written opinion my EU colleagues have already delivered and which has been provided to the committee.
If this proposal is implemented, we will have taken a further step to what has been called the surveillance society, where our day-to-day activities are constantly monitored and our private space is more and more restricted. We already have a situation, under data retention law, where the details of who we communicate with electronically is compulsorily stored, in case it would be useful for the investigation of crime. With this proposal, our international travel movements will be monitored by the State for the same reason. Can it only be a matter of time before this is extended to all of our movements? (Emphasis added)
The Joint Committee has now accepted these points (and also pointed out that - incredibly - neither Ryanair nor EasyJet were consulted in relation to the proposal).
What can you do about this? The responsible Irish official is the Minister for Justice. You might like to let him know that your privacy is important, and that the proposals (which Ireland has supported) are unacceptable. Ask him why he has ignored the concerns raised by the Data Protection Commissioner and proceeded with a measure based on “little evidence” with “vague and inadequate protections” for your personal information. Ask him whether he plans to ignore the concerns raised by our democratic representatives in the Joint Oireachtas Committee. Contact details? Email: minister@justice.ie, Phone: 01 602-8202 (ask for the Minister’s Office), Fax: 01 661-5461, Snail Mail: 94 St. Stephen’s Green, Dublin 2. And of course you should cc your local TDs (details here) and let them know that this issue is important to you in deciding how you will vote.
November 17th, 2008
The outgoing head of the Crown Prosecution Service and DPP for England and Wales, Sir Ken MacDonald QC, has used his retirement speech to warn against UK government proposals to expand data retention:
As I near my conclusion, let me, in my final public speech as DPP, repeat my call for level headedness and for legislative restraint in an age of dangerous movements.
We need to take very great care not to fall into a way of life in which freedom’s back is broken by the relentless pressure of a security State.
Over the last thirty years technology has given each of us, as individual citizens, enormous gifts of access to information and knowledge. Sometimes it seems as if everything is at our fingertips and this has made our lives immeasurably richer.
But technology also gives the State enormous powers of access to knowledge and information about each one of us. And the ability to collect and store it at will. Every second of every day, in everything we do.
Of course modern technology is of critical importance to the struggle against serious crime.
Used wisely, it can protect us.
But we need to understand that it is in the nature of State power that decisions taken in the next few months and years about how the State may use these powers, and to what extent, are likely to be irreversible. They will be with us forever. And they in turn will be built upon.
So we should take very great care to imagine the world we are creating before we build it. We might end up living with something we can’t bear.
October 21st, 2008
The Advocate General of the European Court of Justice has just given his Opinion (summary, PDF) on the Irish Government’s challenge and has recommended to the Court that the challenge should be rejected, holding that the Data Retention Directive was correctly dealt with as an internal market measure rather than a criminal justice measure (which would have required unanimity to pass). Opinions of the Advocate General aren’t binding but are generally followed by the Court, making it more likely that the Government’s challenge will now fail.
It’s important to point out, though, that this ruling only relates to the procedural way in which the Directive was passed. It doesn’t affect our case that the Directive breaches fundamental principles of human rights, and we still await a decision from the High Court referring these issues to the European Court of Justice.
Full text of the Advocate General’s opinion available here.
The German Working Group against Data Retention (Arbeitskreis Vorratsdatenspeicherung) is also bringing a legal challenge to data retention and has put out a press release on the Opinion.
October 14th, 2008
The agenda of the European Court of Justice has just listed Tuesday, October 14 for the Advocate General’s opinion on the State’s challenge to the Data Retention Directive. This won’t be a final decision - the Advocate General gives an opinion which is merely advisory and the court is not bound by it. In most cases, however, the court will follow the broad approach of the Advocate General.
What’s the significance of the State’s challenge? Here’s what we said about it before:
On the plus side, the challenge will certainly delay implementation of the Directive, and stands a very good chance of striking it down in its entirety. There is a very strong case that the passing of the Directive was flawed.
On the minus side, the challenge is purely procedural. The Government agrees with the principle of spying on every citizen - it merely alleges that the wrong legal mechanism was chosen. According to the Government, the measure should have been passed by unanimous agreement of all the member states - not by a majority voting procedure. We agree - the directive is clearly an attempt to deal with matters of criminal law that are reserved to the member states, and the fundamental rights of Irish citizens should not be set aside by the majority vote of other EU states. But we’re disappointed that the Government shows no interest in asserting the right to privacy of Irish citizens. The result is that the European Court of Justice, when it eventually deals with the case, will only be hearing about procedure - not privacy.
Obviously we hope that the Government’s challenge will succeed in invalidating the Directive. Whatever the outcome of their case, however, our own challenge to data retention - where we raise these privacy issues about Irish law as well as the Directive - will continue.
(Thanks to Joris van Hoboken for pointing out that the Opinion had been timetabled.)
October 3rd, 2008
There’s some good news and some not-so-good news in the Irish Times today on how the government is responding to its ongoing problems with losing personal data.
First, the not-so-good news. In response to a parliamentary question from Labour leader Ruairí Quinn, it emerged that the rate of loss of electronic devices is increasing to approximately one per week. (A figure which includes e.g. laptops, desktops, USB keys, Blackberries, etc.) Worse, only three government departments have fully encrypted their portable devices and although the majority are in the process of doing this, two departments (Communications, and Education and Science) have not done so at all.
So what’s the good news? After these figures emerged, the Minister for Justice indicated that he was considering introducing mandatory reporting where personal data is lost, which, according to the Irish Times, would extend to “all state agencies, banks and other entities”. We’ve been calling for mandatory reporting of data loss for some time now, something which has been endorsed by amongst others the European Data Protection Supervisor and the Irish Times and it’s good to see the Minister (albeit belatedly) acknowledge the need for change.
The devil is, however, in the details and (while it’s dangerous to read too much into a relatively short piece) there are indications in the story that what the Minister is considering is too narrow.
First, the story talks about reporting “when an electronic device containing information on members of the public is lost or stolen”. This reflects a rather old fashioned view of data being embodied in a particular tangible form - a view which is no longer valid. It makes little sense to say that there should be notification when a USB key is lost but not when an online database is compromised.
Secondly, the focus seems to be on data which goes “missing”. This might fit the traditional example of the laptop left on the bus - but excludes situations where a corrupt insider deliberately misuses data. A good example is the recent scandal where mortgage brokers illegally passed on details of buyers’ finances to estate agents and auctioneers. Such abuses are often more serious than inadvertent loss of data, and any duty to report should also include deliberate and illegal disclosures of data.
Thirdly, the duty to report would be to the Data Protection Commissioner, with the public being informed “in major cases”. This must not mean, however, that the individuals whose data is lost would only be informed “in major cases”. The risk to your finances if your details are lost is just as great whether or not you are the only victim. It would be little consolation to learn that you were not informed and given a chance e.g. to cancel your credit cards because you were the victim of a “minor breach” only.
These concerns aside, we welcome the Minister’s decision and look forward to seeing detailed proposals soon.
October 2nd, 2008
European civil rights group Statewatch today launched a fascinating and worrying report - The Shape of Things to Come by Tony Bunyan - giving an overview of EU policy and the implications for civil liberties. Here’s what they had to say about it:
The EU is currently developing a new five year strategy for justice and home affairs and security policy for 2009-2014. The proposals set out by the shadowy “Future Group” set up by the Council of the European Union include a range of highly controversial measures including new technologies of surveillance, enhanced cooperation with the United States and harnessing the “digital tsunami”. In the words of the EU Council presidency:
“Every object the individual uses, every transaction they make and almost everywhere they go will create a detailed digital record. This will generate a wealth of information for public security organisations, and create huge opportunities for more effective and productive public security efforts.”
Seven years on from 11 September 2001 and the launch of the “war on terrorism” this major new report The Shape of Things to Come (60 pages) examines the proposals of the Future Group and their effect on civil liberties. It shows how European governments and EU policy-makers are pursuing unfettered powers to access and gather masses of personal data on the everyday life of everyone – on the grounds that we can all be safe and secure from perceived “threats”.
The Statewatch report calls for a “meaningful and wide-ranging debate” before it is “too late” for privacy and civil liberties.
Reading this report, it’s hard to disagree with the conclusion that:
In the immediate aftermath of 11 September 2001 the EU, and national governments, adopted measures said to be necessary as “exceptional” because of the “war on terrorism” and that they were not permanent but time limited. Seven years on the “exceptional” has become the norm.
Press release
Eight page summary
Full report
September 11th, 2008
The editorial in today’s Irish Times has joined the calls (by ourselves and others) for laws which will ensure that Irish citizens are warned when their personal information has been compromised.
If any doubts remained about the urgent need for a national data disclosure law, they will have been banished by the revelation that the Comptroller and Auditor General’s office failed to disclose - for 16 months - the theft of a laptop which included personal details of 380,000 social welfare recipients.
The comptroller’s office also revealed that 106,000 of the records included highly sensitive bank account data. None of the data were encrypted, an appalling disregard for this most basic of digital security provisions. And while it was said there was no indication the information had been used in a compromising way, such assurances will provide little comfort to the 380,000 individuals whose information is exactly the kind of material that quickly makes its way on to criminal websites, where it is sold in cheap bundles to hackers and identity thieves.
Such incidents are becoming more, rather than less, common. In April, Bank of Ireland finally told Data Protection Commissioner Billy Hawkes that three laptops with details of 31,500 customers had gone missing up to 10 months earlier. Those data weren’t encrypted either. A month later the bank said it was investigating another allegation that a laptop had been stolen in 2001.
The Government must recognise that the public is well past the point of believing such occurrences are rare events. Nor will people accept that long-delayed disclosure of such losses by the organisations involved is just a trivial oversight. It is time to force organisations to immediately reveal such losses. The Government should introduce the type of legislation pioneered in California five years ago (and now copied in 40 more states).
California’s laws require organisations to immediately inform affected individuals when personal financial or medical information is lost. Initially seen as an oddity, it forced the disclosure of some of the biggest national data breaches and hacking incidents in the US, because Californian customers had to be told about them if their names were associated with any of the records. Once this happened, organisations quickly found they had to reveal the full extent of data breaches.
Thanks to the law’s name-and-shame effect, it has helped compel organisations to adopt better data protection standards. And such a law allows people to close accounts immediately and otherwise protect themselves from the sloppy stewardship of their private details, rather than wait months, even years, to find their account details might have been sold on. Irish citizens deserve such protection of their personal information.
August 13th, 2008
From the Irish Independent:
Staff at the State spending watchdog who failed to inform authorities that laptops stolen from them contained sensitive information about up to 400,000 people are to escape disciplinary action.
The Office of the Comptroller and Auditor General (OCAG) last night confirmed the staff will not face any sanction despite not displaying the “common sense” to report the nature of the material contained on three laptops stolen over the past three years.
OCAG admitted the unencrypted laptops — among 16 stolen from their officials since 1999 — contained highly sensitive information, including PPS numbers, bank account details and social welfare payment details.
While the staff involved reported the theft of the laptops to their superiors and the gardai, the extent of the information contained in them was not reported and only became apparent in recent weeks when OCAG conducted a review.
An OCAG spokesman described the massive oversight as “a procedural flaw” and said no disciplinary action would be taken as there had been no procedures in place at the time for the reporting of the theft of sensitive information.
The OCAG appears to be suggesting that the only mistakes made were those of the individual staff who failed to report the nature of the information which had been stolen. But those mistakes - serious as they were - are just the tip of the iceberg. Who was responsible for the failure to encrypt these laptops? Who was responsible for the decision to transfer entire databases to vulnerable devices? And who was responsible for deciding to copy entire databases without first anonymising the identities and bank details of the social welfare recipients? Those individuals should also be held to account.
August 12th, 2008
We’ve written before about laptops going missing containing confidential personal information. Then it was 31,000 Bank of Ireland customers who had to worry whether they could be the victims of fraud. This time it’s 380,000 social welfare recipients whose details might be compromised - with 106,000 of those also having had their bank account details lost. As before, and in breach of the most elementary principles of data security, it seems that this data was not encrypted.
The most worrying thing about this episode? Despite the laptop being lost in April 2007, it is only now that the victims are being told that their information has been compromised. In the 16 months between then and now they have been deprived of the right to protect themselves - for example, by taking steps to monitor their bank accounts or credit ratings. As we’ve said a few times now, it’s about time that Irish law recognised a right to be notified when your personal data is lost. Here’s how the law currently stands and what you can do about it:
At the moment, there is no general legal obligation on a body which loses your personal information to notify you. This means that individuals may be unaware that sensitive information such as medical histories or financial records has been lost. It may be, for example, that the first you learn about it is when you go to the ATM and find that your account has been emptied. We’ve said before that it’s time that this was changed. In the US, for example, many states have laws requiring that you be warned if your information is compromised. This has been successful in helping individuals to protect themselves and also in providing an incentive for companies to invest in security, knowing that they will no longer be able to sweep their failings under the carpet. In fact, the European Data Protection Supervisor has now recommended that it is time for such a law at a European level, and has suggested amendments to the forthcoming e-Privacy Directive.
If you agree that you should have a right to be warned when your data is compromised, you should start by writing to the Minister for Justice (minister@justice.ie) and to your MEPs. (Contact details for MEPs.) Ask them to support the proposals of the European Data Protection Supervisor on security breach notification.
You can also write to your local TD. Most now use email, with the address: firstname.surname@oireachtas.ie. You can find full contact details for your local TDs here. Let them know that privacy is an important issue for you. And let them know that unless data retention is stopped, it is only a matter of time until telephone, internet and email records are similarly leaked.
If you think you may have been affected, you can contact the Department of Social and Family Affairs on a helpline at 1800 690 590 (9am – 6pm) or via e-mail at helpline@welfare.ie.
August 11th, 2008