An edited version of this article appeared in Village magazine, July 2016 edition
Justice minister Frances Fitzgerald’s proposal to expand Irish surveillance and interception laws to include social media and email accounts, coming only weeks after a row over interception of journalists’ communications by GSOC, is ill-advised and unlikely to achieve its stated aims, a leading privacy advocate has said.
The proposed changes would allow gardaí to “intercept the emails, social media and instant messages of suspected terrorists and organised criminals”, according to media reports.
But the changes would have little impact due to most internet companies being subject to US law, and could serve to undermine trust in Ireland as a location for online businesses, according to Digital Rights Ireland (DRI) chairman TJ McIntyre, a lecturer in Law at the UCD Sutherland School
“We don’t know what this is going to look like yet, but the key point to start with is that existing intercept law is based on the minister signing a warrant, which is then taken over to a telephone company like Eircom of Vodafone, who then put a tap on your call,” said McIntyre.
“It appears what they’re talking about is extending the existing powers. That would mean that they want to mirror the existing system, so that they get the minister’s signature and then go to Google or WhatsApp and demand messages. But none of the US firms are going to accept a politician’s signature to disclose content. And in many cases, US law is going to preclude them from doing that anyway.”
“What is going to happen is that, essentially, we will have no change from the current position, which is that if Gardaí want access to communications on a US based service, even if that service has a local office in Ireland, then they will, in almost every case, still have to go down the Mutual Legal Assistance Treaty route, and send a request to Washington which is then processed there locally according to American standards.
“So if you want to get somebody’s message content on a US server, from a US based provider, normally that would mean the MLAT request goes from Dublin to Washington, it is then processed locally, it would go to a US judge and then an order would be made locally requiring disclosure.
“Microsoft and Facebook are outliers, they deliberately chosen to apply Irish law to the data that they host. So they have local hosting here, and their position is that Irish law governs what’s hosted locally. But in a case like Google, you would probably find that the control of communications is based in California.
“The minimum European standards for oversight are that you need an independent judge making the decision, not a politician, you need adequate oversight, which we don’t currently have (in one case, the judge forgot about it and had to be prompted to do it), and you need to have special protections in place, at least for journalists, and preferably for lawyer-client communications, and communications with parliamentarians.
“It’s hard to know practically how this is intended to operate. For firms headquartered in the US, its not going to change anything. You can get an Irish ministerial signature, you can get an Irish court order, but many firms won’t be in a position to comply even if they wanted to. The technical capacity to comply may not even be in Ireland.
“It may be that the department of justice thinks differently, it may be that they think all these companies are based in the Dublin docklands and therefore can be told what to do. But if that’s their reasoning, I suspect they’re in for something of a disappointment.
“The other risk is that tech firms may take fright at this. Even if it doesn’t apply to their business, it’s something that can undermine the reputation of Ireland for privacy, and undermine trust in companies based here. If their clients doesn’t feel confident in companies with operations in Ireland, those companies may just move to reassure their customers. So I suspect you will see opposition to this proposal from the tech firms.
“This is an area that needs to be modernised, and it would be a good thing if this was the impetus to modernise surveillance laws with proper safeguards, but as it seems they’re drafting this as usual in secret with no public consultation is really quite outrageous, particularly given they’re already lost one case on surveillance litigation in the European Court of Justice, and are on track to lose the second aspect of that case in the High Court in Dublin.