By Gerard Cunningham.
Late last year, the Irish Times reported exclusively on secret courts set up by justice minister Frances Fitzgerald to regulate requests for Irish data from the UK’s GCHQ. The courts were set up after files released by NSA whistleblower Edward Snowden revealed that GCHQ was illegally tapping data on the internet pipes leaving Ireland, which travel through the UK.
The new courts, established by statutory instrument, make it a crime to report that a company has been ordered to appear before the in camera courts.
Exclusive is a much abused word in journalism, but for once it is accurate. A month after the story was broken by Karlin Lillington, no other newspaper or broadcaster has covered it. Privacy, and in particular online privacy, remains a little understood concept in the Irish media. While Irish journalists reminisced about CJ Haughey as RTé showed its three part series ‘Charlie’, their memories colouring their judgment of the politically ambitious but dramatically flawed programme, another Charlie made headlines in France. In the wake of the Charlie Hebdo attacks leaders, who linked arms in Paris days later in the name of free speech, announced in lockstep the need for increased surveillance of their citizens.
Charlie Haughey accidentally invented Irish privacy rights in 1983. His justice minister didn’t object to the concept of tapping the phones of journalists – they were a security threat, the Boss said so – but after the affair became public as part of the year of GUBU, legal cases by Geraldine Kennedy and Bruce Arnold led the courts to outline a right to privacy. Technology has moved on from 1983, when many rural phones were still connected through manual exchanges and the Apple IIe and Commodore 64 were the height of computing sophistication. Not surprisingly, the law has struggled to keep up.
In principle, surveillance of Irish citizens is governed by two laws. Data interception (telephone tapping) is regulated by the 1993 Interception of postal Packets and Telecommunications Messages (Regulation) Act, while the law on data retention comes under the 2003 Data Protection Act, with an annual report prepared by an independently appointed designated judge. These reports can be laughably brief, often amounting to a single page.
In practice, a myriad other laws, governing everything from the coroners’ courts to the investigation of shipping accidents, give State agencies access to personal data.
“The headline stuff is the 1993 Act for interception and the 2003 Act for data retention, but there is a bit question mark over how other powers could be used”, says TJ McIntyre, law lecturer and chairman of the independent civil liberties group, Digital Rights Ireland.
“There’s tonnes of legislation that give powers to, not just the Gardaí but investigators in the department of agriculture, revenue commissioners and other state bodies, and the obvious concern is that these bodies may demand such documents as may be found, and obviously those powers can be used to get their hands on particular communications”.
“There’s also the concern that the Garda or other state agencies might also be getting voluntary disclosure of some information, for example going to social-network sites and asking to see direct (private) messages between people, and perhaps even if they don’t have the power to compel disclosure, that site might be disclosing them anyway”.
“US firms wouldn’t do that as, to the extent that their operations are based in the US, they would have to comply with US laws which are more stringent, and normally would insist on some sort of US process. But domestic firms: I would be a bit more worried about.”
“To put this into context. There is a wider European arena, under the European Convention on Human Rights (ECHR), which is quite clear that when you have state surveillance systems, you should have certain safeguards in place.
So if you don’t have a judge authorising access to information beforehand, you should have some sort of judicial oversight of the system as a whole, the systems have to be prescribed by law setting out when they can be used, what kind of crimes are being investigated and so on”.
Digital Rights Ireland last year pursued Ireland to the European Court of Justice (ECJ), securing a judgment striking down Irish data-retention laws as excessive. The government, perhaps anticipating a successful challenge to its 2006 regulations on data retention, passed the Communications (Retention of Data) Act in 2011.
McIntyre is unconvinced anything has changed as a result of the ECJ decision.
“It would be disappointing if the telecoms companies had not approached the state to amend the practice in Ireland after the DRI decision, and I would be fairly confident they hadn’t”, he says. “The State’s position is that the 2011 Act is still in force and, while that is the case, everything is hunky dory, nothing to see here, nothing to worry about. And our position is no, the 2011 Act is unconstitutional and by continuing to keep its head in the sand the State is only storing up problems for the future”.
“I think it is very likely you are going to see convictions quashed in the future because evidence was admitted when it shouldn’t have been admitted, when there was no statutory basis for it”.
The Morris tribunal revealed two instances where confidential telephone data was obtained outside the regulatory framework. In the first instance telephone records were obtained by an officer in Garda HQ who phoned the GPO, where the then publicly-owned Telecom Eireann (now Eircom) was based, and asked the person who answered the phone for the records. He produced no warrant or authorisation, and the records were sent to him within a few days. The officer said this was the only time he had done this, as the records were needed urgently and he didn’t have time to process the paperwork, and that he did not recall the name of the person he spoke to in Telecom Eireann.
In the second case, private investigator Billy Flynn was able to obtain the home telephone records of a Donegal Garda, something has superiors could not do. Flynn later claimed that he was able to do this because he serendipitously gave a lift to a hitch-hiker who worked for the phone company, who was able to provide him with exactly the printouts he needed in order to further his investigation.
Barrister Fergal Crehan notes that such instances of ‘informal’ Garda requests, and ‘blagging’ are not simply glitches that happened in Donegal decades ago, pointing to a recent prosecution of a private investigator by the Data Protection Commissioner.
“A Garda witness was treated as a hostile witness, and it emerged from that that the garda really had no reason to be accessing the PULSE data in question. We can only speculate on the extent of those activities.
The people who have access to this information often are not earning a lot of money, they’re not in the boardroom. If people aren’t earning a whole lot of money, if you throw them €50 they’d be far more likely to say Yes than somebody higher up the hierarchy.
You ask could GUBU happen again”, says Crehan. “The answer is it is already happening literally on an industrial scale”.
Crehan points out that what was said in the tapped phone calls of Geraldine Kennedy and Bruce Arnold wasn’t really what Charlie Haughey’s government cared about. Haughey already knew there were leaks in the cabinet. That was why the taps were set up in the first plase. What really mattered was the metadata. Who were the journalists talking to, and when? That kind of metadata is stored by Irish internet and telecoms companies for Garda authorities, and can be accessed – legally and illegaly by foreign agencies such as the NSA.
Metadata – data about data – are the kind of things that makes non-geek eyes glaze over, but such data, even anonymised, can be enough to identify unique patterns. As a recent public example, by comparing telephone data released under Freedom of Information with Oireachtas attendance records, the Sunday Times was able to identify Michelle Mulherin as the TD who made numerous mobile phone calls to Kenya.
GUBU was a lifetime ago. Then the Garda had to take specific steps to get information on an individual telephone. Today all that information is collected and stored as a matter of course. Small wonder then that several journalists to this writer’s knowledge carry several throwaway ‘burner’ mobile phones at any time. •