Gerard Cunningham interviews TJ McIntyre.
Justice minister Frances Fitzgerald’s proposal to expand Irish surveillance and interception laws to include social media and email accounts, coming only weeks after a row over interception of journalists’ communications by GSOC, is ill-advised and unlikely to achieve its stated aims, a leading privacy advocate has said.
The proposed changes would allow gardaí to “intercept the emails, social media and instant messages of suspected terrorists and organised criminals”, according to media reports.
But the changes would have little impact because most internet companies are subject to US law, and could serve to undermine trust in Ireland as a location for online businesses, according to Digital Rights Ireland (DRI) chairman TJ McIntyre, a lecturer in Law at the UCD Sutherland School.
“We don’t know what this is going to look like yet, but the key point to start with is that existing intercept law is based on the minister signing a warrant, which is then taken over to a telephone company like Eircom or Vodafone, who then put a tap on your call”, said McIntyre.
He considers what they’re talking about is extending the existing powers: “That would mean that they want to mirror the existing system, so that they get the minister’s signature and then go to Google or WhatsApp and demand messages. But none of the US firms are going to accept a politician’s signature to disclose content. And in many cases, US law is going to preclude them from doing that anyway”.
What is going to happen he believes is that, essentially, we will have no change from the current position, which is that “if gardaí want access to communications on a US-based service, even if that service has a local office in Ireland, then they will, in almost every case, still have to go down the Mutual Legal Assistance Treaty (MLAT) route, and send a request to Washington which is then processed there locally according to American standards”.
So if you want to get somebody’s message content on a US server, from a US-based provider, normally that would mean the MLAT request goes from Dublin to Washington. It is then processed locally, before going to a US judge and then an order would be made locally requiring disclosure.
McIntyre notes that: “Microsoft and Facebook are outliers: they have deliberately chosen to apply Irish law to the data that they host. So they have local hosting here, and their position is that Irish law governs what’s hosted locally”. But in a case like Google, you would probably find that the control of communications is based in California.
According to McIntyre: “The minimum European standards for oversight are that you need an independent judge making the decision, not a politician, you need adequate oversight, which we don’t currently have (in one case, the judge forgot about it and had to be prompted to do it), and you need to have special protections in place, at least for journalists, and preferably for lawyer-client communications, and communications with parliamentarians”.
He tells me it’s difficult to know in practice how this is intended to operate. “For firms headquartered in the US, it’s not going to change anything. You can get an Irish ministerial signature, you can get an Irish court order, but many firms won’t be in a position to comply even if they wanted to. The technical capacity to comply may not even be in Ireland”.
It may be that the department of justice thinks differently. He considers it “may be that they think all these companies are based in the Dublin docklands and therefore can be told what to do. But if that’s their reasoning, I suspect they’re in for something of a disappointment”.
The other risk is that tech firms may take fright at this. Even if it doesn’t apply to their business, it’s something that can undermine the reputation of Ireland for privacy, and undermine trust in companies based here.”If their clients don’t feel confident in companies with operations in Ireland, those companies may just move to reassure their customers. So I suspect you will see opposition to this proposal from the tech firms”.
McIntyre says this is an area that needs to be modernised, and claims it would be a good thing if this was the impetus to modernise surveillance laws with proper safeguards. For the moment he regrets that “it seems they’re drafting this as usual in secret with no public consultation”. He feels it is really “quite outrageous, particularly given they’re already lost one case on surveillance litigation in the European Court of Justice, and are on track to lose the second aspect of that case in the High Court in Dublin”.