All about data access - Refusal to give spy data ‘breaches’ law

The refusal of State agencies to publish statistics on their use of controversial surveillance powers is “in breach” of the State’s transparency duties under the law, a leading legal expert says.

TJ McIntyre, law lecturer at UCD and chairman of Digital Rights Ireland, congratulated the Garda Síochána Ombudsman Commission (GSOC) for breaking ranks with State agencies and voluntarily publishing figures.

Mr McIntyre was reacting to a special report in the Irish Examiner yesterday on the State’s use of secretive and controversial spying powers.

In the report, three key state agencies — An Garda Síochána, the Defence Forces, and the Revenue Commissioners — refused to provide figures on their use of powers which allows them to access people’s private communication data from phone companies and internet firms.

However, following repeated queries from the Irish Examiner, the Garda Ombudsman eventually agreed to publish limited data, which revealed it had secured information of people’s communication data almost 100 times between 2012 and 2017.

This newspaper also revealed that all state agencies had made 1,250 disclosure requests to four major internet firms (Microsoft, Google, Facebook, and Twitter) over the last five years. In addition, the country’s largest mobile phone operator, Vodafone, agreed to 16,500 disclosure requests from the agencies over a three-year period.

Under the Communications (Retention of Data) Act 2011, designated state agencies can access communication data for the prevention, detection or investigation of a serious offence (Garda Síochána, Revenue, GSOC), safeguarding the security of the State (gardaí, Defence Forces) and the saving of human life (gardaí).

The Competition and Consumer Protection Commission also has the power, but has not yet used it.

The Irish Examiner sought details almost three weeks ago of use of this legislation from the Department of Justice, which receives an annual report directly, or through other government departments from the relevant agencies.

No information has been provided to this newspaper, as of yet, by the department.

Commenting on the refusal by the gardaí, Defence Forces, and Revenue to provide statistics, Mr McIntyre said: “A failure to publish statistics on use of this surveillance power is in breach of the State’s transparency duty under section 9 of the 2011 Act.”

This section relates to the obligation of the State agencies to provide an annual report to the Department of Justice, either directly in the case of gardaí (and GSOC), and indirectly through the minister of defence by the Defence Forces and through the finance minister by Revenue.

The chairman of Digital Rights Ireland commended the Garda Ombudsman for its decision to publish figures on its usage of the provisions and said it highlighted the secretive culture of the other agencies.

“I’m happy to see GSOC displaying how it’s possible to have transparency in this area, which shows up the reflexive secrecy on the part of the other state agencies,” he said.

DGI took a High Court case here that led to a landmark decision in April 2014 by the European Court of Justice, which found that the 2006 EU Data Retention Directive was incompatible with the EU’s Charter of Fundamental Rights.

What’s involved in data access?

Is accessing my communication data the same as bugging?

No. Bugging of your phones (interception) involves eavesdropping on what you are saying. It’s a separate power (also covers online content) and requires authorisation by the Minister for Justice.

Bugs as in placing audio/visual surveillance devices in homes, cars, or other places is not the same either and that requires a court order.

So, what data are we talking about?

Communication data can be broken down into three areas.First, subscriber data. This will identify the number of a landline or mobile phone and the identity and address of the user/subscriber (unless it’s a pay-as-you-go phone).

Second, call data records. This includes details of the number calling and the number called, for outgoing and incoming calls (also revealing the frequency and intensity of calls).

It tells the type of communication, whether voice or text. It will give details of the handset used, the start and finish time of the call (giving the duration) and where the call entered the system (nearest mast), providing the information on the location of the communication.

Handsets can also be ‘pinged’ in a bid to locate the device, often used in missing person cases.

Third, internet data records. This includes the equivalent subscriber data and communication data.

It also includes the IP addresses of a digital device being used, email addresses, names and addresses of user, when they registered, web history, credit card,and other billing information.

For example, Facebook says the request relates to its various products, including Facebook itself, Facebook Messenger, WhatsApp, and Instagram.

Accessing this data is done internally in the agencies with the power (the Gardaí, the Defence Forces, Revenue, Gsoc, and the Competition and Consumer Protection Commission).

What’s the big deal with it?

One judge here described communication data as “a vast store of private information”.

It’s information that goes back years. It can provide a detailed insight into what you have swiped on your phone and your network of contacts.

Mr Justice John Murray examined the law and published his report just over a year ago. He said this stored data provides a “historical record” of all your communication over a lengthy period — two years for telephone communications and one year for internet communications.

He said:

Although routinely referred to in anodyne terms as ‘data’ or ‘retained data’, this vast store of private information touches every aspect of an individual’s private and professional communications profile over a lengthy period.

He said this data has “special importance” when considering the principle of protection of journalistic sources.

Speaking in Dublin, UN Special Rapporteur on Privacy Joseph Cannataci said communication data is“not less any less sensitive than content data” and it canactually “reveal a lot more about you”.

He said this includes “information of all websites you have looked at, each click you have made, every swipe on your smartphone, every telephone call you made or received, the times of the calls, who the calls were made to”.

He added: “They will have a more intimate knowledge of you than access to some content data”.

In its report in January 2018, the Oireachtas Justice Committee said: “Access to communications data can allow an observer to create a detailed outline of a person’s personal, social, and professional activities and networks, and even of that person’s interests and opinions.”

How are the gardaí using these powers and are they abused?

Firstly, it’s not just the gardaí, though they are by far the greatest users of the power. The Defence Forces can seek access to this information for reasons of protecting the security of the State. Revenue can do so when investigating tax and customs offences (such as tobacco and oil smuggling).

And GSOC can use it when investigating suspected criminal offences involving guards, which can include and has included accessing the records of journalists.

Gardaí seek this information when investigating serious crime, prevention of the loss of life (e.g. in child kidnap cases), missing persons investigations, and national security.

The recent case of Graham Dwyer is an example of the type of cases where such information can be crucial in both investigating a crime and securing evidence for a prosecution.

The Irish Human Rights and Equality Commission (IHREC) has said that the State has a “positive obligation” established by European courts and conventions to investigate crimes.

It noted that communication data was heavily relied upon in the Dwyer prosecution and added:

Such examples show the clear public interest in communications data being available, and defensible on appeal.

There isn’t much publicly accessible analysis of the type of cases where the power is used.

Under Section 12 of the 2011 Act, a ‘designated judge’ reviews the operation of the provisions to ensure compliance. The High Court judge is also required to submit a report to the Taoiseach.

But these reports traditionally give little information and this has been the source of concern and criticism by various bodies, including the IHREC, Digital Rights Ireland (DRI), and the Irish Council of Civil Liberties (ICCL).

In the most recent four-page review of both communication data and phone interception powers, the designated judge, Ms Justice Marie Baker, said a “critical filtering” was conducted in each of the State agencies regarding use of the powers and that people’s privacy was respected.

She said the usage was a “proportionate response”to the legislation and that the powers were exercised “reasonably” and there was no “overzealous” use.

The Data Protection Commissioner, in its 2016 annual report, said that “strict assessment” was conducted in central units in all of the agencies. It said the principle of “proportionality, necessity, and relevance” was applied in all disclosure requests examined.

Do I have any rights in any of this?

Apart from the function of the designated judge,Section 10 of the 2011 Act outlines a complaints procedure and there is provision for a ‘complaints referee’ who shall investigate complaints made under the act.

Mr Justice Murray said the procedure can only be triggered by someone who believes their data has been improperly disclosed.

If the referee finds the provisions of the act have been contravened, the referee must tell the applicant and make areport to the Taoiseach. The referee has powers to order the destruction of the retained data and the payment of compensation.

The IHREC said the current complaints mechanism “does not appear to provide an effective remedy” and is not open to appeal.

The ICCL and DRI want the referee to collate statistics on complaints, those upheld, and compensation paid, a view shared by the Oireachtas Justice Committee. The Murray report said the State agencies “should be required” to notify people affected by the communication disclosures as soon as such notification is no longer liable to jeopardise theinvestigation.

It also recommended a judicial remedy for those whose rights have been infringed, a view backed by the justice committee.

What’s next?

Publication of the Communications (Data Retention) Bill 2017, said to be “imminent”.


More in this Section

State’s reaction is to deny, delay, and to buy silence

Cork University Hospital copes when disaster calls

A cut above the rest: Cork salon offers helping hand to the homeless

CUH marking 40 years of community service


Lifestyle

Making Cents: Prepare financially now for mortgage hunting in 2019

Girls of tomorrow: iWish conference inspires young women to pursue STEM careers

Theatre review: Aladdin panto - Cork Opera House

Irish sci-fi blasts off: Tramp Press launches anthology of science fiction stories

More From The Irish Examiner