Rights group urges law reform to protect privacy of emails
Interception of private communications ‘happening on greater scale’ than data reveals, says Digital Rights Ireland
Microsoft’s offices at Sandyford in Dublin. The company said it must produce data in response to what it called “valid legal requests” from US and Irish law enforcement bodies because it had headquarters in these jurisdictions or because it hosted data in them. Photograph: Alan Betson
Interception by the State of private communications such as emails is occurring on a greater scale than that revealed in a report published by software giant Microsoft, the chairman of a civil rights group has suggested.
Solicitor and lecturer TJ McIntyre, chairman of Digital Rights Ireland, called for clarity on the legal basis being relied upon by such companies to release information on users’ accounts on foot of requests from gardaí.
He has called for the law to be changed as soon as possible to ensure that emails enjoy the same protections as telephone calls currently do under 1983 and 1993 legislation.
Microsoft’s Transparency Report published earlier this week revealed gardaí made 72 requests last year seeking access to 222 accounts in 2012.
The report covers law enforcement requests and/or court orders related to the company’s online and cloud services – including, Hotmail/Outlook.com, SkyDrive, Xbox Live, Microsoft Account, Messenger and Office 365. Data on the voice service Skype is included, but is reported separately.
In five cases (6.9 per cent), the contents of emails were provided to gardaí. Information not relating to the content of the mails was handed over in 46 cases.
‘Valid legal requests’
Microsoft said it must produce data in response to what it called “valid legal requests” from US and Irish law enforcement bodies because it had headquarters in these jurisdictions or because it hosted data in them.
Existing Irish law on interception of communications covered a limited class of company, Mr McIntyre said.
“The only class of companies the existing framework applies to are people who have to have a certain type of licence or authorisation from Comreg,” he said.
This meant landline providers and mobile providers, but not firms such as Microsoft and Google in relation to their webmail services.
Interception of telephone calls, for example, may only be carried out on foot of the approval of the Minister for Justice and only in relation to certain types of serious offence, such as activities deemed a threat to the security of the State.
Such approval may only be given as a last resort, Mr McIntyre said.
He noted Ireland was one of only four countries other than the US where user content was disclosed – the others being Brazil, Canada and New Zealand.
But Mr McIntyre said Google and Microsoft had voluntarily provided much more information than had ever been provided by the State in relation to its own interception of communications.
‘No court approval’
“The State has never given out numbers for the number of actual interceptions – ie the number of cases where phone calls have been listened to or text messages have been read. They’ve never done that before. There’s no court approval before the fact for any of these.”
Asked about the number of instances in which a ministerial warrant had been issued for the retrieval of such personal data, the Department of Justice said information of this nature was not available “as per the provisions of the Interception of Telecommunications Act, 1993”.
Asked whether he believed gardaí were making requests for such information on a bigger scale than that disclosed by companies such as Google and Microsoft, Mr McIntyre said: “It’s certainly happening on a wider scale.
“Microsoft and Google would obviously be the most high-profile examples, and in terms of the numbers they’d also be the most significant, I’d suspect.”
During 2012, Microsoft, including Skype, received 75,378 law enforcement requests potentially affecting 137,424 accounts worldwide.
The company said that while it was not possible to directly compare the number of requests to the number of users affected, it was “likely that less than 0.02 per cent of active users were affected”.
Google received 34 requests for data on users in the first six months of 2012 and provided data in 6 per cent of cases.