
Oireachtas Committee rejects passenger records proposals

The Irish Times is reporting that the Joint Committee on European Scrutiny (a cross party committee which examines proposed EU legislation) has published a report which is highly critical of European proposals on passenger records.

The draft Framework Decision on the Use of Passenger Name Record (PNR) for Law Enforcement is an astonishing proposal which, if passed, would establish giant databases tracking the travel of every individual, logging details of every flight they make and keeping that information for 13 years. That information could then be accessed and shared with other countries without any individual suspicion, much less any form of warrant or prior permission. The proposal envisages using this information for “profiling” of all passengers. As originally proposed, the database would apply only to international flights (entering or leaving the EU) but some states are now pushing to extend this to include all flights within the EU while the UK is taking this further still and is seeking to create a database of all ferry and rail traffic within the EU.

This proposal has already been the subject of criticism across Europe from, for example, the European Data Protection Supervisor. In a presentation to the Joint Committee the Data Protection Commissioner clearly explained why the proposal is unacceptable:

We all support reasonable and proportionate measures to counter violence perpetrated against innocent people, but such measures should represent a proper balance between the need to combat such illegality and the rights of the innocent majority to go about their daily lives without undue interference by the State. In my opinion, and that of my EU colleagues, the Commission proposal fails this test. The proposal involves an obligation on air carriers to transmit to a state authority, called a “passenger information unit”, the PNR information that the passenger has provided to the air carrier in respect of any journey by air into or out of the European Union. The information typically includes contact details, such as address, phone number and e-mail, as well as payment information, such as credit card details. Under the proposal, the information has to be retained by the passenger information unit for a total of 13 years.

Such information is given by a passenger for the purpose of the provision of a service, namely air travel. The Commission proposal is that this information should be transmitted to state authorities for a totally different purpose, the combating of what is described as terrorism and organised crime. It is a basic data protection principle that information collected for one purpose should not be used for another purpose and should be deleted when no longer required for the purpose for which it was collected. The Commission proposal offends against this basic principle. Under the proposal, air carriers will have no choice but to hand over a complete record of an individual’s movements in and out of the European Union to a state entity that will retain it for 13 years, and not only a record of travel, but also of contact and payment information.

Many regular travellers would have difficulty recalling where they had travelled to, even in the past year. With this proposal, the state will have a detailed record of all such travel in and out of the European Union, and for a period going back 13 years. Therefore, whether it is a business trip to Singapore, a shopping trip to New York or a holiday in Morocco, the state will have full details. Can this invasion of individual privacy be considered a proportionate response to threats from the small number who may be tempted to engage in terrorism or organised crime?

One must also have concern for the ability of the state to protect the confidentiality of such information. Recent cases investigated by my office have, unfortunately, demonstrated that deliberate or inadvertent leaking or misuse of such information is a significant risk. Experience in other EU countries is no different…

There is little hard evidence of the actual usefulness of PNR passenger data in combating terrorism or organised crime. All we are presented with is general comments that such information is useful, with a small number of examples. There is even less evidence of the additional utility of PNR data over the more reliable API data that is already being collected. The result is that a key test under European law — that of proportionality — does not seem to be met. Even if one were to accept the case presented for this proposal — I do not — the protection provided for the innocent majority who have nothing to do with terrorism or organised crime is vague and inadequate. These deficiencies are spelled out in the written opinion my EU colleagues have already delivered and which has been provided to the committee.

If this proposal is implemented, we will have taken a further step to what has been called the surveillance society, where our day-to-day activities are constantly monitored and our private space is more and more restricted. We already have a situation, under data retention law, where the details of who we communicate with electronically is compulsorily stored, in case it would be useful for the investigation of crime. With this proposal, our international travel movements will be monitored by the State for the same reason. Can it only be a matter of time before this is extended to all of our movements? (Emphasis added)

The Joint Committee has now accepted these points (and also pointed out that - incredibly - neither Ryanair nor EasyJet were consulted in relation to the proposal).

What can you do about this? The responsible Irish official is the Minister for Justice. You might like to let him know that your privacy is important, and that the proposals (which Ireland has supported) are unacceptable. Ask him why he has ignored the concerns raised by the Data Protection Commissioner and proceeded with a measure based on “little evidence” with “vague and inadequate protections” for your personal information. Ask him whether he plans to ignore the concerns raised by our democratic representatives in the Joint Oireachtas Committee. Contact details? Email: minister@justice.ie, Phone: 01 602-8202 (ask for the Minister’s Office), Fax: 01 661-5461, Snail Mail: 94 St. Stephen’s Green, Dublin 2. And of course you should cc your local TDs (details here) and let them know that this issue is important to you in deciding how you will vote.

Add comment November 17th, 2008

English DPP warns against “relentless pressure of a security State”

The outgoing head of the Crown Prosecution Service and DPP for England and Wales, Sir Ken MacDonald QC, has used his retirement speech to warn against UK government proposals to expand data retention:

As I near my conclusion, let me, in my final public speech as DPP, repeat my call for level headedness and for legislative restraint in an age of dangerous movements.

We need to take very great care not to fall into a way of life in which freedom’s back is broken by the relentless pressure of a security State.

Over the last thirty years technology has given each of us, as individual citizens, enormous gifts of access to information and knowledge. Sometimes it seems as if everything is at our fingertips and this has made our lives immeasurably richer.

But technology also gives the State enormous powers of access to knowledge and information about each one of us. And the ability to collect and store it at will. Every second of every day, in everything we do.

Of course modern technology is of critical importance to the struggle against serious crime.

Used wisely, it can protect us.

But we need to understand that it is in the nature of State power that decisions taken in the next few months and years about how the State may use these powers, and to what extent, are likely to be irreversible. They will be with us forever. And they in turn will be built upon.

So we should take very great care to imagine the world we are creating before we build it. We might end up living with something we can’t bear.

2 comments October 21st, 2008

Data Retention - Advocate General recommends Irish Government challenge should be rejected

The Advocate General of the European Court of Justice has just given his Opinion (summary, PDF) on the Irish Government’s challenge and has recommended to the Court that the challenge should be rejected, holding that the Data Retention Directive was correctly dealt with as an internal market measure rather than a criminal justice measure (which would have required unanimity to pass). Opinions of the Advocate General aren’t binding but are generally followed by the Court, making it more likely that the Government’s challenge will now fail.

It’s important to point out, though, that this ruling only relates to the procedural way in which the Directive was passed. It doesn’t affect our case that the Directive breaches fundamental principles of human rights, and we still await a decision from the High Court referring these issues to the European Court of Justice.

Full text of the Advocate General’s opinion available here.

The German Working Group against Data Retention (Arbeitskreis Vorratsdatenspeicherung) is also bringing a legal challenge to data retention and has put out a press release on the Opinion.

Add comment October 14th, 2008

Data Retention - Advocate General will give opinion on Irish Challenge in two weeks

The agenda of the European Court of Justice has just listed Tuesday, October 14 for the Advocate General’s opinion on the State’s challenge to the Data Retention Directive. This won’t be a final decision - the Advocate General gives an opinion which is merely advisory and the court is not bound by it. In most cases, however, the court will follow the broad approach of the Advocate General.

What’s the significance of the State’s challenge? Here’s what we said about it before:

On the plus side, the challenge will certainly delay implementation of the Directive, and stands a very good chance of striking it down in its entirety. There is a very strong case that the passing of the Directive was flawed.

On the minus side, the challenge is purely procedural. The Government agrees with the principle of spying on every citizen - it merely alleges that the wrong legal mechanism was chosen. According to the Government, the measure should have been passed by unanimous agreement of all the member states - not by a majority voting procedure. We agree - the directive is clearly an attempt to deal with matters of criminal law that are reserved to the member states, and the fundamental rights of Irish citizens should not be set aside by the majority vote of other EU states. But we’re disappointed that the Government shows no interest in asserting the right to privacy of Irish citizens. The result is that the European Court of Justice, when it eventually deals with the case, will only be hearing about procedure - not privacy.

Obviously we hope that the Government’s challenge will succeed in invalidating the Directive. Whatever the outcome of their case, however, our own challenge to data retention - where we raise these privacy issues about Irish law as well as the Directive - will continue.

(Thanks to Joris van Hoboken for pointing out that the Opinion had been timetabled.)

Add comment October 3rd, 2008

Mixed messages on data loss

There’s some good news and some not-so-good news in the Irish Times today on how the government is responding to its ongoing problems with losing personal data.

First, the not-so-good news. In response to a parliamentary question from Labour leader Ruairí Quinn, it emerged that the rate of loss of electronic devices is increasing to approximately one per week. (A figure which includes e.g. laptops, desktops, USB keys, Blackberries, etc.) Worse, only three government departments have fully encrypted their portable devices and although the majority are in the process of doing this, two departments (Communication and Education and Science) have not done so at all.

So what’s the good news? After these figures emerged, the Minister for Justice indicated that he was considering introducing mandatory reporting where personal data is lost, which, according to the Irish Times, would extend to “all state agencies, banks and other entities”. We’ve been calling for mandatory reporting of data loss for some time now, something which has been endorsed by amongst others the European Data Protection Supervisor and the Irish Times and it’s good to see the Minister (albeit belatedly) acknowledge the need for change.

The devil is, however, in the details and (while it’s dangerous to read too much into a relatively short piece) there are indications in the story that what the Minister is considering is too narrow.

First, the story talks about reporting “when an electronic device containing information on members of the public is lost or stolen”. This reflects a rather old fashioned view of data being embodied in a particular tangible form - a view which is no longer valid. It makes little sense to say that there should be notification when a USB key is lost but not when an online database is compromised.

Secondly, the focus seems to be on data which goes “missing”. This might fit the traditional example of the laptop left on the bus - but excludes situations where a corrupt insider deliberately misuses data. A good example is the recent scandal where mortgage brokers illegally passed on details of buyers’ finances to estate agents and auctioneers. Such abuses are often more serious than inadvertent loss of data, and any duty to report should also include deliberate and illegal disclosures of data.

Thirdly, the duty to report would be to the Data Protection Commissioner, with the public being informed “in major cases”. This must not mean, however, that the individuals whose data is lost would only be informed “in major cases”. The risk to your finances if your details are lost is just as great whether or not you are the only victim. It would be little consolation to learn that you were not informed and given a chance e.g. to cancel your credit cards because you were the victim of a “minor breach” only.

These concerns aside, we welcome the Minister’s decision and look forward to seeing detailed proposals soon.

3 comments October 2nd, 2008

Statewatch report - “The Shape of Things to Come”

European civil rights group Statewatch today launched a fascinating and worrying report - The Shape of Things to Come by Tony Bunyan - giving an overview of EU policy and the implications for civil liberties. Here’s what they had to say about it:

The EU is currently developing a new five year strategy for justice and home affairs and security policy for 2009-2014. The proposals set out by the shadowy “Future Group” set up by the Council of the European Union include a range of highly controversial measures including new technologies of surveillance, enhanced cooperation with the United States and harnessing the “digital tsunami”. In the words of the EU Council presidency:

“Every object the individual uses, every transaction they make and almost everywhere they go will create a detailed digital record. This will generate a wealth of information for public security organisations, and create huge opportunities for more effective and productive public security efforts.”

Seven years on from 11 September 2001 and the launch of the “war on terrorism” this major new report The Shape of Things to Come (60 pages) examines the proposals of the Future Group and their effect on civil liberties. It shows how European governments and EU policy-makers are pursuing unfettered powers to access and gather masses of personal data on the everyday life of everyone – on the grounds that we can all be safe and secure from perceived “threats”.

The Statewatch report calls for a “meaningful and wide-ranging debate” before it is “too late” for privacy and civil liberties.

Reading this report, it’s hard to disagree with the conclusion that:

In the immediate aftermath of 11 September 2001 the EU, and national governments, adopted measures said to be necessary as “exceptional” because of the “war on terrorism” and that they were not permanent but time limited. Seven years on the “exceptional” has become the norm.

Press release
Eight page summary
Full report

Add comment September 11th, 2008

Irish Times calls for data breach disclosure law

The editorial in today’s Irish Times has joined the calls (by ourselves and others) for laws which will ensure that Irish citizens are warned when their personal information has been compromised.

IF ANY doubts remained about the urgent need for a national data disclosure law, they will have been banished by the revelation that the Comptroller and Auditor General’s office failed to disclose - for 16 months - the theft of a laptop which included personal details of 380,000 social welfare recipients.

The comptroller’s office also revealed that 106,000 of the records included highly sensitive bank account data. None of the data were encrypted, an appalling disregard for this most basic of digital security provisions. And while it was said there was no indication the information had been used in a compromising way, such assurances will provide little comfort to the 380,000 individuals whose information is exactly the kind of material that quickly makes its way on to criminal websites, where it is sold in cheap bundles to hackers and identity thieves.

Such incidents are becoming more, rather than less, common. In April, Bank of Ireland finally told Data Protection Commissioner Billy Hawkes that three laptops with details of 31,500 customers had gone missing up to 10 months earlier. Those data weren’t encrypted either. A month later the bank said it was investigating another allegation that a laptop had been stolen in 2001.

The Government must recognise that the public is well past the point of believing such occurrences are rare events. Nor will people accept that long-delayed disclosures of such losses by the organisations involved is just a trivial oversight. It is time to force organisations to immediately reveal such losses. The Government should introduce the type of legislation pioneered in California five years ago (and now copied in 40 more states).

California’s laws require organisations to immediately inform affected individuals when personal financial or medical information is lost. Initially seen as an oddity, it forced the disclosure of some of the biggest national data breaches and hacking incidents in the US, because Californian customers had to be told about them if their names were associated with any of the records. Once this happened, organisations quickly found they had to reveal the full extent of data breaches.

Thanks to the law’s name-and-shame effect, it has helped compel organisations to adopt better data protection standards. And such a law allows people to close accounts immediately and otherwise protect themselves from the sloppy stewardship of their private details, rather than wait months, even years, to find their account details might have been sold on. Irish citizens deserve such protection of their personal information.

4 comments August 13th, 2008

Laptop loss - where’s the accountability?

From the Irish Independent:

STAFF at the State spending watchdog who failed to inform authorities that laptops stolen from them contained sensitive information about up to 400,000 people are to escape disciplinary action.

The Office of the Comptroller and Auditor General (OCAG) last night confirmed the staff will not face any sanction despite not displaying the “common sense” to report the nature of the material contained on three laptops stolen over the past three years.

OCAG admitted the unencrypted laptops — among 16 stolen from their officials since 1999 — contained highly sensitive information, including PPS numbers, bank account details and social welfare payment details.

While the staff involved reported the theft of the laptops to their superiors and the gardai, the extent of the information contained in them was not reported and only became apparent in recent weeks when OCAG conducted a review.

An OCAG spokesman described the massive oversight as “a procedural flaw” and said no disciplinary action would be taken as there had been no procedures in place at the time for the reporting of the theft of sensitive information.

The OCAG appears to be suggesting that the only mistakes made were those of the individual staff who failed to report the nature of the information which had been stolen. But those mistakes - serious as they were - are just the tip of the iceberg. Who was responsible for the failure to encrypt these laptops? Who was responsible for the decision to transfer entire databases to vulnerable devices? And who was responsible for deciding to copy entire databases without first anonymising the identities and bank details of the social welfare recipients? Those individuals should also be held to account.

Add comment August 12th, 2008

Even more lessons from laptop loss

We’ve written before about laptops going missing containing confidential personal information. Then it was 31,000 Bank of Ireland customers who had to worry whether they could be the victims of fraud. This time it’s 380,000 social welfare recipients whose details might be compromised - with 106,000 of those also having had their bank account details lost. As before, and in breach of the most elementary principles of data security, it seems that this data was not encrypted.

The most worrying thing about this episode? Despite the laptop being lost in April 2007, it is only now that the victims are being told that their information has been compromised. In the 16 months between then and now they have been deprived of the right to protect themselves - for example, by taking steps to monitor their bank accounts or credit ratings. As we’ve said a few times now, it’s about time that Irish law recognised a right to be notified when your personal data is lost. Here’s how the law currently stands and what you can do about it:

At the moment, there is no general legal obligation on a body which loses your personal information to notify you. This means that individuals may be unaware that sensitive information such as medical histories or financial records has been lost. It may be, for example, that the first you learn about it is when you go to the ATM and find that your account has been emptied. We’ve said before that it’s time that this was changed. In the US, for example, many states have laws requiring that you be warned if your information is compromised. This has been successful in helping individuals to protect themselves and also in providing an incentive for companies to invest in security, knowing that they will no longer be able to sweep their failings under the carpet. In fact, the European Data Protection Supervisor has now recommended that it is time for such a law at a European level, and has suggested amendments to the forthcoming e-Privacy Directive.

If you agree that you should have a right to be warned when your data is compromised, you should start by writing to the Minister for Justice (minister@justice.ie) and to your MEPs. (Contact details for MEPs.) Ask them to support the proposals of the European Data Protection Supervisor on security breach notification.

You can also write to your local TD. Most now use email, with the address: firstname.surname@oireachtas.ie. You can find full contact details for your local TDs here. Let them know that privacy is an important issue for you. And let them know that unless data retention is stopped, it is only a matter of time until telephone, internet and email records are similarly leaked.

If you think you may have been affected, you can contact the Department of Social and Family Affairs on a helpline at 1800 690 590 (9am – 6pm) or via e-mail at helpline@welfare.ie.

4 comments August 11th, 2008

“Do you know where you were this time last week? You may not, but the State certainly does.”

Fergal Crehan wrote a short and very clear piece for the Irish Daily Mail last month on data retention. It’s not available online, so here’s the full text:

Do you know where you were this time last week? You may not, but the State certainly does.
Fergal Crehan
Irish Daily Mail, Friday, June 6, 2008

IT’S THE stuff of paranoid, futuristic movie plots - the all-seeing, all-knowing state which tracks your every move irrespective of how law-abiding you are.

But, increasingly, such a vision is less the paranoid fantasy of the conspiracy theorist, and more a sober assessment of our privacy under the policies of the Government, whose duties include protection of our rights, including our right to privacy.

Eyebrows were raised in Britain last month when the Home Office proposed a national database of the emails and phone calls of every citizen. Phrases like ‘surveillance state’ and ‘Big Brother’ were bandied about, but it’s worth noting that the current position in Ireland is not very different.

At present, telecommunications providers are required to retain records regarding usage of phones. The Government is proposing to include internet data in this regime, which would include details of every email you send or receive and every web-site you visit.

This system, known as Data Retention, is soon to be challenged in the High Court by civil rights group Digital Rights Ireland. Under Data Retention, service providers are obliged to hand over information whenever a garda ranked chief superintendent or higher asks them.

Snooping

So, the only real difference between our system and the database proposed in the UK is that over there, at least their government will cover the costs of snooping on its own citizens, while here the cost is borne by the service providers. It is a neat trick, to invade the privacy of your citizens while simultaneously putting a brake on development of the internet sector, one of Ireland’s most vital industries.

Defenders of Data Retention say we needn’t worry, as nobody’s actually listening in to the calls, merely recording who they’re to and from, how long they last, and when they happen. It’s worth noting that when journalists Bruce Arnold’s and Geraldine Kennedy’s phones were tapped in the early Eighties, it was only the origin of the calls and not the content that was tapped.

If we were outraged then, when it happened to only two people, we should be appalled now that it’s happening every day, to every citizen with a phone.

Then there’s internet data. If, as Irish people increasingly are, you are a daily user of the internet, records of what you search for and what you look at can build up over time to a remarkably detailed picture of who you are. Your health concerns, eating habits, sexual preferences, political views and financial situation can be determined with reference to what you look at online.

Perhaps most shocking of all, Data Retention covers what’s known as locator information. The location of a mobile phone can be geographically pinpointed to a quite specific degree. Since we tend to carry our mobiles with us wherever we go, they effectively operate as tracking devices for our whereabouts.

The retention of three years’ worth of this locator data, when added to the proposed retention of internet records means that the State now has access to information about your life that you wouldn’t dream of giving to your employers, friends or sometimes even to family members.

Do you know where you were at precisely this time last week? Last month? Last year? You may not, but the State does.

When Data Retention was first publicly discussed, the Government had, by their own admission, been doing it secretly for some time. The then Minister for Justice, Mr McDowell, assured us that the retained data would be accessed very rarely, in order to prevent and investigate serious crime and terrorism.

Indeed, phone record retention was finally given its current legal basis in the Criminal Justice Terrorist Offences Act.

Terrorist

Yet nowhere is the system limited to terrorist offences. Records can be accessed in investigation of the most trivial offences.

The Data Retention Commissioner estimates that there have been 300,000 requests for access to data, which works out at more than 300 per week - the gardai are not investigating terrorist plots at a rate of 300 per week.

In any case, just to be on the safe side, the Government are proposing to redefine a ‘serious offence’ as one carrying a sentence of six months and over, a significant change from the five-year yardstick previously employed by the law.

There can be no objection to use of telecommunications data where it is required to prevent or investigate truly serious crime. Why not then have a system where records are stored only where there is a suspicion of a serious crime, and where safeguards are put in place? One might call such a system ‘data preservation’ because it is not automatic in its effect. It would store only the records of those under legitimate suspicion, not those of the entire country.

The great irony of Data Retention is that it doesn’t even work against those it is supposedly targeted at. There are plenty of ways around it. Phone calls can be made, websites browsed and emails sent without it showing up on a person’s Data Retention record. The means of doing this are easily obtained - some were developed to get around the surveillance regimes of such repressive states as China and Burma.

The terrorists and serious criminals who use telecommunications as a key part of their activities are surely aware of this technology.

Consequently, they can continue their activities having suffered only a minor inconvenience, while the law-abiding citizen has his privacy breached, and is treated like a potential criminal by his own government.

Whenever large amounts of personal data are stored, there is the potential for something to go wrong. Sometimes that can be a result of misbehaviour - the Data Protection Commissioner says that Social Welfare records have been inappropriately leaked and sold to journalists and investigators.

But even in circumstances of utmost good behaviour, accidents can happen. Last year the UK Treasury lost the records of millions of British subjects. More recently, Bank of Ireland lost details of thousands of their customers.

Even where nothing goes wrong, there is a principle to be considered. Just because technology gives us the ability to do something doesn’t mean we should do it.

Other considerations need to be brought to bear, like the appropriate boundary between the State and the person. Retention of telecommunications data achieves what previously could only be done by setting a phone-tap and assigning a Garda to follow an individual around at all times. The reason the State previously refrained from doing this was not simply that they couldn’t afford the man-power.

Scrutiny

If someone asks you a personal question, and you say that it’s none of their business, you’ll hardly be persuaded when they reply that you have nothing to fear if you have nothing to hide. That’s not the point - the point is that they have no right to know personal details about you.

The Government proposes to extend Data Retention to internet records not by way of primary legislation, which would be debated in the Oireachtas, but by ministerial order, which requires only the stroke of a pen to become the law of the land. In other words, the Government refuses to allow public scrutiny of its actions, even as it gives itself the right to poke its nose into ours.

Fergal Crehan is a barrister specialising in internet law and is part of Digital Rights Ireland’s legal team.

4 comments July 16th, 2008
