Legislation strong on privacy for Internet users

The remarkably swift passage of the Electronic Commerce Act 2000 through the Oireachtas may reflect the hope that this legislation is a breakthrough in Ireland's efforts to become a hub for e-commerce. But the bulk of the Act - signed into law by the President yesterday - simply implements EU law and so offers little to distinguish us from our competitors.

However, the Act should ensure that those who use the Internet within Ireland enjoy extremely high levels of privacy protection, by making it an offence for anyone to attempt to access the contents of an encrypted communication or data without authorisation.

An e-mail is at best as private as a postcard: anyone who comes across one can read it with ease and without detection. The solution is to use encryption; this enables users to encrypt their communications to levels of security which even intelligence agencies such as the US's NSA apparently find impossible to decrypt. This protects the privacy of legitimate users but also the secrets of criminals and terrorists.

As the Director of the FBI stated: ". . .encryption. . .has catastrophic implications for our ability to combat every threat to national security. . .the widespread use of robust non-recovery encryption will ultimately devastate our ability to fight crime and terrorism." Therefore, some countries have sought to limit the use of encryption, but Ireland has taken a different approach and the Electronic Commerce Act 2000 appears to protect the privacy of communications far more than the laws of our neighbours.

Section 25 of the Act makes it an offence for any person or public body to access, possess or recreate ". . .the signature creation device of another person. . . without authorisation for the purpose of creating an unauthorised electronic signature. . ."; the section also makes it an offence to alter, disclose or use another person's signature creation device for that purpose.

A "signature creation device" is defined as a device such as configured software or hardware used to generate signature creation data, which is in turn defined as unique data such as codes, passwords, algorithms or private cryptographic keys. It should be noted that section 26 extends this protection to activities which take place partially outside Ireland.

Arguably these provisions make it an offence for any public body, such as the Garda, to attempt to recreate any individual's codes, passwords, algorithms or private cryptographic keys. So if the Garda were to legitimately intercept a communication which had been encrypted as part of the process of receiving an electronic signature, then it would commit an offence if it were to try to decrypt that communication.

It might be argued that this offence would only be committed by somebody who tried to recreate these codes or keys for the purpose of recreating an electronic signature, but in practice it may be impossible to distinguish between an electronic signature and the data to which it is attached. Even if that distinction can be made with current technology, it should be possible to write an encryption program where that distinction cannot be made.

This all boils down to a question of statutory interpretation, and the Irish Courts have always firmly protected the privacy of individuals in cases such as Kennedy & Arnold versus Ireland. As Charleton, McDermot & Bolger on Irish Criminal Law states: "In order not to infringe in any way on the constitutional right to. . .privacy. . .the Gardai. . .must be given a specific statutory or common law power to act." The Electronic Commerce Act 2000 contains extensive protections for the privacy of encrypted data and communications; it contains no power to decrypt those communications such as the power to intercept unencrypted communications under The Interception of Telecommunications Act 1993.

The Irish approach can be contrasted with that of the UK, where the Regulation of Investigatory Powers Bill is currently before the House of Lords. Once this Bill becomes law, disclosure notices may be served on any person who has access to a key or password, such as a service provider, to enable the UK police or intelligence services to decrypt intercepted data. If they do not hand over the key then they will be guilty of an offence.

One effect of this Bill may be that Irish service providers may be wary of connecting to the global Internet via the UK, since any Irish communications which travel through that jurisdiction will be subject to this law. But stringent privacy protections may come with a price; this legislation may be compared to Switzerland's banking secrecy laws, which for a very long time attracted a lot of money but then became discredited amid allegations of money laundering and unfair treatment of Holocaust victims.

Denis Kelleher is a practising barrister and co-author with Karen Murray BL of IT law in the European Union, Sweet & Maxwell (London), 1999 and Information Technology Law in Ireland, Butterworths (Dublin), 1999.