Who owns your data and who decides on access to it?

State agencies’ power to access your phone and internet data has long been dogged by controversy. It has been challenged by successive court rulings and, last month, a judge said there was an ‘urgency’ to clearing up the law. So what is going on in the spying game, asks Security Correspondent Cormac O’Keeffe.

Getting to grips with the law on communication data is like walking through a bog, with dusk setting in.

It is an area that has been forced to get its act together due to various rulings in European courts — in 2014 and 2016 — as well as the findings of the Murray report over a year ago.

Last month, the judge charged with reviewing the accessing of the private information by State agencies said there was an “urgency” in new legislation.

Draft Government legislation in the Communication (Retention of Data) Bill 2017 was published in October 2017, with promises the full bill would be out last spring or before the summer recess.

That bill, which will amend the Communication (Retention of Data) Act 2011, has still not materialised.

Its publication is said to be imminent.

TROUBLED HISTORY

The law governing the area has its foundation in the original ‘phone-tapping’ act (Postal and Telecommunications Services Act 1983) and a follow-up Act in 1993.

In 2002, the Data Protection Commissioner (DPC) formed the view that the retention of data for six years, as was the case then, was excessive and instructed telecoms operators to reduce the period to six months in line with EU law.

The government issued a ministerial direction to require retention for three years. When the DPC challenged this, the Government subsequently introduced the Criminal Justice (Terrorist Offences) Act 2005, which established a three-year retention period.

The DPC expressed warnings over civil liberties.

An EU directive in 2006 sought to harmonise the laws of member states regarding retention of communication data on telecommunication and internet networks to ensure it was available for the prevention, detection, and prosecution of serious crime and protection of national security.

The 2011 act implemented the directive and specifically included internet communications (excluding content, as with phones) and changed the retention period to one year for internet data and two years for landline and mobile phone data.

Unlike phone tapping (requiring ministerial approval) and surveillance devices (judicial approval), access to communication data (and placing of tracking devices) only required internal approval at a senior level in the organisation concerned.

Those organisations are the gardaí (by far the greatest user), the Defence Forces, Revenue, GSOC, and the Competition and Consumer Protection Commission (which has yet to use the power).

The legal authority of GSOC over its use of this power caused controversy in January 2016 when it emerged it had sought communication data of journalists as part of an investigation into a media leak. (This was subsequently examined by the Murray inquiry.)

There are provisions in the 2011 Act for statistical reports to the Minister for Justice, for a High Court judge to oversee the workings of the provisions and a Complaints Referee.

Under the 2011 Act, communication data can be sought for the prevention, detection or investigation of a serious offence (gardaí, Revenue, GSOC), safeguarding the security of the State (gardaí and Defence Forces) and the saving of human life (gardaí).

In March 2014, the DPC published some details on usage of the provision by the gardaí.

While it was satisfied with overall internal controls, it raised concerns that requests were being signed by a chief superintendent (as required by the 2011 Act) after requests had been sent by staff in the Garda Telecommunications Liaison Unit in Crime and Security. The practice had been adopted because of the scale of requests (some 40 a day). Afterwards, gardaí told the DPC that a chief superintendent signed all requests beforehand.

LANDMARKS

In April 2014 came the first of two landmark judgments by the European Court of Justice, involving a case taken by Digital Rights Ireland and referred by the Irish High Court.

It found that the EU Data Retention Directive 2006 was incompatible with the EU’s Charter of Fundamental Rights.

The court said the directive failed to make express provision for sufficient safeguards for the protection of fundamental rights.

It said while objectives to target organised crime and terrorism justified interference with rights to privacy, it had to be strictly limited and proportionate to the threat.

It found the directive’s requirement that service providers retain all communication data, even of persons not suspected of involvement in serious crime, was disproportionate. It said there were procedural failings, such as the lack of prior examination by a court.

In his report (published in October 2017), Mr Justice John Murray said while the ruling declared the directive invalid, it “left open, or undecided” whether EU law or the directive applied to implementing national legislation.

In 2015, the then government approved a heads of bill to take account of the Digital Rights Ireland case.

In its submission to Mr Justice Murray in June 2016, the Irish Human Rights and Equality Commission said that despite the April 2014 European Court of Justice ruling, and in “stark contrast to other member states”, Ireland had not amended its legislation.

It said that oversight of the operation of the system appeared to be limited to a “regrettably post-facto review by a busy High Court judge in their spare time”.

It added: “It is clear that under the current system neither the complaints referee nor designated judge have adequate time nor recompense nor technical expertise to allow them to do their job effectively.”

A second judgment from the European Court of Justice came in December 2016, with the Tele2 case. It ruled that EU law did apply to domestic legislation in this area.

It said EU law prohibited general and indiscriminate retention of data.

It said prior approval by an expert body such as a court was essential for requests. But it did say EU law permitted the targeted retention of data.

While the Murray inquiry was nearing completion, the DPC published its 2016 annual report in April 2017.

In a little-publicised section, it gave a two-page summary of audits it had conducted of the five relevant agencies regarding their operation of the 2011 Act.

Overall, it concluded that strict assessment criteria were deployed by the centralised liaison units in each of the agencies for “every request” sent to communication service providers.

It said: “Of particular note was the attention given by these units when working with investigation units on the ground to ensure that the scope of disclosure requests are narrowed down and refined to the minimum at all times.

“The audit team found that the principles of proportionality, necessity, and relevance were applied in all disclosure requests examined and all requests were reviewed, signed, and approved at the required level on a case-by-case basis.”

In his report, Mr Justice Murray concluded that much of the data retention system in Ireland was “precluded by EU law”.

He said the Tele2 ruling “sweeps the ground” from under the mass surveillance system in Ireland and that it “may no longer be lawful” to compel service providers to retain indiscriminate communication data.

He further warned that the relevant agencies should consider to what extent, “if at all”, they should continue to use the powers under the Act, pending amendments.

Murray said a panel of district court judges or a specialist tribunal must authorise all requests for data, apart from for urgent cases.

He further said that a High Court judge should examine all requests involving journalists.

The judge said access to a journalist’s data — including to identify a source — should in principle be permitted only when the journalist themselves is suspected of committing a crime or threatening national security.

He said a monitoring body, such as the DPC, should be established.

On GSOC’s powers, Mr Justice Murray did not say the ombudsman was wrong in law in interpreting that it had the authority to access journalist data.

While acknowledging questions concerning the “validity” of GSOC’s interpretation of the law, the judge recommended the power be “explicitly stated” in legislation.

NEW LAWS

The Department of Justice published the General Scheme of the Communication (Retention of Data) Bill 2017 at the same time as the report.

It provided ministerial authorisation for data to be retained, judicial authorisation in order for data to be disclosed, and for all data to be held for 12 months.

Justice Minister Charlie Flanagan said gardaí and other agencies would continue “in certain circumstances” to seek communication data under the 2011 act.

In a statement to the Irish Examiner, GSOC said the 2011 Act “remains constitutional and operative”.

The Oireachtas justice committee held hearings to look at the draft bill that November. It was attended by the department, Digital Rights Ireland, the Irish Council of Civil Liberties, and the National Union of Journalists.

Digital Rights Ireland said a provision in the draft bill for ministerial orders to retain data was “too permissive” and that there was no requirement that the order be targeted. It said the standard for access to data for third parties — those not involved in any wrongdoing — was too wide.

Digital Rights Ireland said the definition of traffic and location data, involving the logging of website addresses, could reveal newspapers or even particular articles read by an individual, thereby effectively disclosing the content of communications.

It said the 12-month retention period should be no longer than three months. In relation to urgent requests, the draft bill did not provide judicial authorisation in cases involving journalists.

It said a judge did not have sufficient resources or competence to exercise comprehensive control over state surveillance.

It recommended an independent supervisory body, chaired by a judge and with sufficient technical expertise and financial resources.

In its submission, the Department of Justice said that making additional provisions for High Court authorisation for accessing journalists’ data “could give rise to complexities”.

The committee’s report, published in January 2018, recommended:

  • Particular provision for journalists and their sources: That requests for their data should be examined by a High Court judge or independent judicial body; that the journalist must be suspected of serious criminal activity or threat to national security; and that access to their data to identify sources should be permitted only where there is an “overriding public interest”;
  • An independent monitoring authority, replacing the designated High Court judge;
  • Ministerial orders to retain data should only be made where “strictly necessary” and for no more than three months — and must be targeted;
  • Access to third-party data (those not directly suspected of an actual crime or threatening security) only in cases where the person is in “some way implicated”;
  • Logging of data should not include web browsing or other information which might reveal the content of the data.

The report also commented on the Criminal Justice (Mutual Assistance) Act 2008. This allows a middle-ranking garda, on foot of a request from certain police forces or security agencies, to request a district court judge to authorise the disclosure of specified retained data.

Murray said the judge in these cases had no discretion to refuse an application made in the prescribed manner.

Murray said there was no way to ascertain the number of requests of this type, but estimated there were “approximately 250 per year” and said the review had been told the “annual number is steadily increasing”.

The Oireachtas report said this Act was not covered in the draft bill.

In replies to parliamentary questions, Mr Flanagan said the final bill should be ready in the spring/summer session of 2018. Last month, the designated judge, Ms Justice Marie Baker, said there was an “urgency” in bringing in the new legislation.

Ms Justice Baker said State agencies were applying the provisions correctly and that there had been no “overzealous” use of the Act.

“As regards data retention, whilst I want to note that the procedural and substantive guarantees provided for by the act are properly observed and the relevant powers are exercised by the relevant officers in a sensitive and prudent manner, I must note that there is an urgency in respect of the revision of the substantive provisions of the 2011 act, as already suggested in the Murray report,” said Ms Justice Baker.

She added that she was in a “somewhat difficult position in regard to the 2011 act as a result of these determinations [EU court rulings] regarding the substantive foundation of the legislation”.

In response to a query from the Irish Examiner on the status of the bill, the Department of Justice said: “Drafting of the bill is well advanced with a number of amendments to give effect to the recommendations of the Justice Committee pre-legislative scrutiny under consideration. The bill will be published once these have been settled.”

Publication is expected soon and should be before Christmas, it is understood.

There are indications the delay in producing the final bill has not been due to drawing up and revising amendments, but due to lack of resources and staffing within the department. There are also, albeit unconfirmed, indications that the final bill may not be hugely different to the draft one.

Scale of disclosures becoming apparent

Getting basic information on the scale of the State’s access of people’s private information is notoriously difficult in Ireland, with a deep culture of secrecy denying our right to know. But there are some slivers of light, from certain companies holding the data and, now, for the first time, from one of the State agencies involved. Today, we publish the information we have managed to gather, writes Cormac O’Keeffe.

There has been constant talk in recent years about the need to change the ‘culture’ of policing and the justice system.

We have been often reassured that this ‘sea change’ is happening.

But efforts by the Irish Examiner to get basic information on a powerful, and widely used, spying power have led us down various rabbit holes.

This snooping power relates to the accessing of people’s communication data, both on the phone and online.

This has been described as a “vast store of private information” regarding the use of your phones and digital devices, from your network of phone contacts to your activity online — everything other than the actual content.

The UN Special Rapporteur on Privacy Joseph Cannataci said the data includes “information of all websites you have looked at, each click you have made, every swipe on your smartphone, every telephone call you made or received, the times of the calls, who the calls were made to”.

He said State agencies gathering communication data have “a more intimate knowledge of you than access to some content data”.

There are clear, and sometimes life-saving, reasons why State bodies, such as the gardaí, need to access communication data, but that is a separate issue to the provision of information about its operation and scale of use.

The main State agencies using the power are the gardaí (by far the greatest user), the Defence Forces, and Revenue. They continue to refuse to disclose their usage of the spying power.

This is despite repeated findings in European courts and a recent judicial inquiry in Ireland (Murray inquiry) highlighting the deep flaws in relation to legislation governing the area, warnings about continuing to use the powers and the urgent need for corrective amendments.

But the default culture in Ireland has been to disclose as little information as possible, no more than is required — with a lack of clarity as to the basis for refusing the information.

The information sought by the Irish Examiner is general statistical information, not relating to specific cases and nothing that would jeopardise any investigations.

It is a complex picture, with internet companies — guided by international norms of transparency — willingly providing the data on the number of requests they receive and giving you the links to the necessary pages.

Irish data from a major international mobile phone company is also available if you search for it online.

As a result of persistent inquiries by this newspaper, one State agency did eventually provide information — a significant development and one setting a precedent for the other agencies.

After encountering brick walls in our bid to get a comprehensive picture, this newspaper resorted to seeking information from the Department of Justice.

THE LITTLE WE KNOW

An audit of An Garda Síochána by the Data Protection Commissioner published in March 2014 revealed that there were 1,829 requests for disclosure in the month of January 2012.

This comprised 1,296 subscriber requests (name and address of subscriber), 494 call trace requests (calls to and from a device), and 39 IP requests (registered users of a specific device using the internet).

In January 2016, the Irish Times published statistics, based on sources, showing that almost 62,000 requests for communication data (phone and internet) were made in the five years between 2008 and 2012.

It said the figures went from a high of 14,928 requests in 2010 to a low of 8,829 in 2012.

In 2012, half of the requests related to mobile phone records, and roughly a quarter each related to landlines and internet data.

Almost 99% of 61,823 requests were granted, the newspaper said.

In its submission to the Murray review in June 2016, the Irish Human Rights and Equality Commission said the powers “appear to be in widespread use” and quoted the Irish Times figures.

Also in January 2016, the Irish Independent was given figures by the Department of Justice for the year 2014.

At that time, the newspaper said it had been met with a “wall of silence” from investigative bodies, who refused to disclose their records on requests.

The department’s figures showed there were 5,865 requests for mobile and telephone data (the department did not provide internet figures) in 2014.

This included 5,513 requests (94% of all requests) from the gardaí, 246 requests from the Defence Forces, 91 from GSOC, and 15 from the Revenue Commissioners.

But since 2014, very few, if any, statistics have been published about the use of this power — at a time when it has come increasingly under scrutiny at EU and domestic court level.

In April 2017, the Data Protection Commissioner published its 2016 annual report.

In a little-publicised section, it gave a two-page summary of audits it had conducted of the five relevant agencies regarding their operation of the 2011 Act — giving all the agencies a clean bill of health.

Though it didn’t reveal the actual figures of requests and disclosures (for reasons not stated), it did give a rare insight into their usage.

In relation to An Garda Síochána, it said the majority of disclosure requests they reviewed related to the investigation of serious crime, with other grounds involving State security and saving of human life.

It said the requests covered subscriber data requests (identity of user), call-trace data (numbers called, frequency and location, etc), and IP requests.

“Over the three years reviewed, the team determined that almost two thirds of the requests by AGS were for subscriber data,” the report said.

It said there was a significant number of requests relating to the “prevention of the loss of human life, some of which entailed ‘pinging’ – a type of call trace used in missing person cases”.

It said IP requests only comprised 3% of total disclosure requests between 2013 and 2015.

On the Revenue Commissioners, it said their requests related in all cases bar one to subscriber data and that call-trace data was sought in 60% of cases. It said a very small number referred to IP data.

In relation to the Defence Forces, it said all requests were confined to safeguarding the security of the State. It said the majority of requests between 2013 and 2015 concerned mobile communications data.

It said that 74% of requests by GSOC in the same period were for call-trace data.

The audit team said the last agency with the relevant powers was the Competition and Consumer Protection Commission but that the CCPC had informed them that they had not yet used the power.

NO COMMENT

In October 2017, both the Murray report and the General Scheme of the Communications (Retention of Data) Bill 2017 were published by the Department of Justice.

Days after, the Irish Examiner sent out requests seeking statistics on the use of this power. They went out to: Five State agencies with the power to request the data (An Garda Síochána, Defence Forces, GSOC, Revenue, and the Competition and Consumer Protection Commission [CCPC]); four main telecommunication companies (Vodafone, Eir, Three, and Virgin), and four main internet service providers (Facebook, Google, Microsoft, and Twitter).

As well as detailed questions on statistics, the Irish Examiner also sought responses to the Murray report and its implications for continued use by the agencies.

An Garda Síochána, Revenue, and the Defence Forces declined to give any statistical information.

The Garda responses did not even refer to it and cited various legislative provisions, reports to the Justice Minister, the monitoring of the system by a High Court judge, the Complaints Referee, and the Murray review.

Revenue cited the Communications (Retention of Data) Act 2011 and referred to the work of the Designated Judge and the Murray review.

It added: “In the interests of protecting the systems and procedures in place for the administration of the law, and to avoid prejudicing Revenue’s work in the investigation and prosecution of criminal offences, no further information is available.”

The Defence Forces said it was empowered to use the act solely for the purpose of safeguarding the security of the State.

“Given that this data is accessed for national security reasons it would be inappropriate to give detail on such requests,” it said, but added the requests were targeted and justified “in accordance with the principles of proportionality and necessity”.

It said the Defence Forces’ use of the 2011 Act “continues as threats to the security of the State persist”.

It cited the work of the High Court judge and an audit of its controls in this area by the DPC.

The CCPC said that the provisions of the 2011 Act came into effect for the CCPC when it was enacted in October 2014.

It said: “To date, the CCPC has not made an application to any service provider for communication data under the 2011 Act.” It said it would welcome any legislative proposals that would provide “enhanced legal clarity” in this area.

GSOC SETS PRECEDENT

There were indications from GSOC by the end of 2017 that it was considering our request for statistics.

The four telecommunication companies did not provide any statistics on total requests or disclosures or more detailed breakdown of data.

Three cited the “sensitive nature of the requests”, while Eir said it was its “position” not to share details of the volume or source of requests. Virgin said it had “no comment” to make.

Vodafone did not provide any statistics and said it was “not in a position” to give specific details.

Searches online by the Irish Examiner uncovered Global Vodafone reports, which did contain statistics by individual countries, including Ireland, on the number of disclosures by the company.

Vodafone published its first report on this area, including detailed information about the law, in 2014.

Its data for Ireland cover three time periods: April 2013-April 2014 (4,124); April 2014-April 2015 (7,973), and April 2015-April 2016 (4,393) — a total of 16,490 disclosures over three years.

The Irish Examiner was unable to find data for the year to April 2017.

The position of the other telecoms contrasts with the internet firms, all of which publish data on a six-monthly basis, in two cases (Microsoft and Google) up to June 2018 and in the remaining two cases (Facebook and Twitter) to the end of 2017.

The information is provided on their websites and each of the companies here, when contacted by this newspaper, provided the appropriate link.

The statistics have been gathered, assessed and presented by the Irish Examiner today.

They show a total of 1,259 disclosure requests to these four companies by State agencies between 2013 and June 2018.

In the cases of Facebook, Microsoft, and Google, the requests have increased significantly in recent years.

In 768 (61%) of the 1,259 requests, data was disclosed, with no data available or the request refused in the remaining cases.

The Microsoft data also reveals (unlike any other company contacted) cases where content of the service (such as an email) was requested – in 58 cases in total, with the number increasing significantly in the last 18 months.

During 2018, GSOC was still considering whether or not to provide statistics on its use of the area.

It was only last August that partial information was provided to this newspaper.

It did not give the number of communication requests that the body had made, rather the number of disclosures to it by telecommunication and internet companies.

The figures showed there were 95 approved requests to GSOC for communication data between 2012 and 2017 (13 in 2012, 49 in 2013, 18 in 2014, none in 2015, seven in 2016, and eight in 2017).

GSOC said this was out of 2,577 criminal investigations. GSOC declined to break down the figures in terms of the target, including whether any of them were journalists.

But the decision represents what is thought to be the first time one of the State agencies concerned has voluntarily and publicly disclosed its use of the 2011 Act.

After receipt of the GSOC figures, the Irish Examiner again emailed the other State agencies and the telecommunication firms to see if their position had changed.

There was no change in the responses, apart from Three, which said that while it was not in a position to disclose the information sought, they “will be publishing such information in the coming months”.

Due to the persistent difficulty in getting basic data in order to assemble a comprehensive picture of use of the powers, the Irish Examiner turned to the Department of Justice for statistics on the area.

The department is provided with annual reports on usage by the various agencies.

Almost three weeks after seeking the data, no information has been forthcoming, yet.

This newspaper will publish any data, if, and when, it does materialise.

