State surveillance: Proper oversight critical to citizens’ trust

Balancing people’s right to data privacy and State security is a sensitive challenge

In the wake of the disclosure in 2013 that the US National Security Agency (NSA) had intercepted German chancellor Angela Merkel's calls, Taoiseach Enda Kenny was mocked by some when he said he always operated on the basis that his calls were being intercepted.

In the years since, it has become clear that Kenny was closer to the mark than many appreciated – a reality that has been highlighted by this week's focus on the Garda Síochána Ombudsman Commission's use of journalists' telephone records.

The controversy caused by the use of legal powers by Gsoc, the Garda Síochána and to a lesser extent the Defence Forces and the Revenue to access private data has raised legitimate concerns about data protection and the limits of current laws.

However, a lack of understanding about the ability to intercept and what can be done with the fruits of such work confuses the discussion and diverts it from where public interest might be better focused in an era where the landscape surrounding privacy and surveillance is fast-changing.

READ MORE

In the wake of the slaughter in Paris in November, few would dispute the duty of any state to do all in its power to protect the nation and people from attack by domestic and foreign extremists.

Counter-terrorism

Most would readily concede that vigilant and vigorous intelligence gathering is essential in counter-terrorism, but also in criminal investigations and in protecting Ireland’s national interests. Most would acknowledge intelligence must be shared if terrorism is to be stopped.

Surveillance and interception can be the difference between success and failure, stopping attacks, preventing or solving crimes, even protecting life. However, they are powerful tools that can be used for malign as well as benign purposes and not just by the State’s own agencies.

However, the concern from the press this week – and, it must be said, to a far lesser extent from the public at large – about Gsoc’s legal use of metadata, and over issues of accountability, oversight and data protection are legitimate.

However, apart from a few experts who live in the security world, there is a general lack of knowledge about the capabilities of modern surveillance, let alone what the implications are in terms of data protection, privacy or even national security.

Sensitive challenge

Striking the correct balance between the State’s legitimate national and criminal intelligence needs and the citizen’s right to data privacy is a sensitive challenge for any government. Appropriate oversight is critical.

Trust in the professional judgment of the state’s security services is also critical.

Under existing legislation, oversight happens after the fact, not before. Sometimes, that is entirely justified, if time is critical and where there is a risk to life. Police or national intelligence authorities must be permitted to exercise professional judgment to approve immediate interception. However, this argument is less convincing where no risk to life exists.

No doubt, this issue will feature prominently during former chief justice John Murray’s three-month inquiry. Crucially, however, Murray can only consider Irish State entities, as only these are subject to current Irish law.

The broader question must also be asked: what about entities outside this jurisdiction where different national interests and legal conditions apply?

As a small, non-aligned state with an open economy, we might not perceive fellow states as adversaries. Ireland is hardly as a threat to anyone else. Our national interests do not require us to threaten, let alone gather intelligence on, neighbouring states. But other countries do, including some of our fellow EU member states.

The adage that “there are no friends in diplomacy” applies most particularly in the world of intelligence. Given the infinite array of technical means available, it is no surprise that states, including friends, do pursue their own national interest.

In the case of terrorism this is understandable. However, the pursuit of commercial or technological advantage is different. Irish businesses are increasingly conscious of the risks they face in the cyberworld.

Before the NSA whistleblower Edward Snowden’s revelations, few would have considered foreign national intelligence agencies might be active in the area as opposed to commercial rivals. For some countries, national interest is a broad concept.

For those of a certain generation, surveillance conjures images of Sean Doherty and manual recorders in dusty ministerial offices. For the internet generation, surveillance means Wikileaks, the French weekly Canard Enchaine or Snowden.

The reality lies somewhere in between – depending on the size, scope and resources of the nation concerned. The potential capability reaches far beyond anything fictionalised on Homeland or similar shows familiar to a younger audience.

Reality checks

It is good that criminals do not understand or appreciate both the limits and capabilities of surveillance. It is less good when the public does not – as it can lead to suspicion, mistrust and anger. So, a few reality checks are needed.

The US NSA can access communications – verbal or electronic – “in any room, any building, any city in the world”, to quote one expert. Conversations in copper-lined rooms in embassies – common practice since the 1920s to prevent snooping – are no longer secure from its reach.

Other states can do the same, and do. Vibrations in glass caused by speech, or the electronic signal produced when a keyboard is touched, can be captured. Sometimes, long-life listening devices that can “hibernate” for up to two years are secretly installed.

However, information can be gleaned in a myriad other, less-dramatic ways. Existing technologies allow a torrent of social media traffic to be gathered by a “fire-hose feed”. Once analysed, information can become intelligence.

Manipulated

The only limitation is the resources required to analyse the resultant data. Sometimes, the information can provide answers, but not quickly enough. Sometimes, data can be not just monitored; it can be manipulated, including users’ online histories.

Companies, or agencies carrying out trawls can anonymise or disguise their searches so that even if interference is suspected, it is extremely difficult to trace, let alone identify those responsible. The protections in law offered by the Irish Data Protection Act are largely futile in such cases.

In the context of the current controversy, however, are we missing that point? Protecting our right to personal security is valid but so is protecting our right to protect our national security. The current narrative perhaps overlooks the latter.

Flawed as the existing legislation might be, it must be borne in mind that non-State and non-Irish entities are not subject to the legal restrictions placed on the Garda, Revenue, Defence Forces or Gsoc.

Faced with the risk of interception, states and companies have taken actions across many fronts to protect themselves: more paper, less electronic traffic, or more guarded phone calls. Sometimes, an analogue Nokia 6210, minus internet has its uses.

Cathal O’Neill is chief executive of security risk firm RMI