Extension of surveillance law ‘doomed to failure’
Experts say State must address issues with current legislation before introducing new Bill
Legislation approved by the Cabinet on Tuesday and due to be published in the autumn is expected to cover services such as WhatsApp, Viber and Facebook, as well as email service. Photograph: iStockphoto
Proposals to extend Garda powers to allow them intercept social media accounts, text messages and other private messages sent by criminal suspects are “doomed to failure” due to the failure to address problems with existing surveillance laws, legal experts have said.
Legislation approved by the Cabinet on Tuesday and due to be published in the autumn is expected to cover services such as WhatsApp, Viber and Facebook, as well as email services. Gardaí have expressed concern that instant messaging apps are being used by criminals.
In the case of services such as WhatsApp, however, the service providers claim the messages are encrypted and that it is impossible to decipher them.
Dr TJ McIntyre, chair of Digital Rights Ireland (DRI), said the Government’s proposal was “possibly premature” but there was a “broader picture”.
“This is something that should be done by means of a proper consultation. You can’t have it being done completely in secret within the Department of Justice,” he said.
DRI brought a case before the Court of Justice of the European Union in 2014 challenging the EU’s Data Retention Directive, arguing it involved mass surveillance of some 500 million EU citizens.
In the landmark judgment, the court struck down the directive and declared illegal this type of mass surveillance of the entire population. A challenge by DRI to Ireland’s domestic legislation of 2011 on the retention of the phone and internet records of all citizens for up to two years remains before the High Court.
Dr McIntyre said the surveillance question was also “overwhelmingly an international issue”.
“Other countries – the US and the UK in particular – have made some steps towards engaging with this properly and in a more public way internationally. Maybe the Irish State is already doing this internationally itself, but we don’t know.”
He said if the proposed legislation was seeking to extend the existing surveillance regime then it was “doomed to failure”.
“The existing scheme is flawed. We need to start remedying the problems we have before expanding it further.”
In a submission to the United Nations Human Rights Council last year, DRI expressed concern about the lack of prior judicial authorisation for state surveillance, as well as what it said was inadequate oversight of interception and data retention.
It also said existing systems whereby certain surveillance may be approved internally by An Garda Síochána or other bodies were open to abuse.
It noted one case where a Garda sergeant had used the data retention system to spy on her former partner.
Dr McIntyre noted the full details of the proposed legislation were not yet available but added: “We shouldn’t have to guess. This is an area where we should have had proper consultation a long time ago rather than waiting to see what might emerge from the Department of Justice, particularly when we know and we have demonstrated that there are problems with the existing regime.”
He said the practical effects of such legislation might also be “limited” to the extent that they were intended to apply to US-based service providers.
“They would have to comply with US law in any event. Even if we have the Minister’s interceptive powers extended to online services, practically speaking that’s irrelevant because to get that data you’d have to go through the MLAT [mutual legal assistance treaty] process to go to the US.”
There was also the question of whether the authorities were seeking access to content, or to subscriber information, which might require different processes.
Prof Fiona de Londras, Chair in Global Legal Studies at Birmingham Law School, University of Birmingham, said: “Experience from other jurisdictions, including the UK, shows that the only way to ensure fundamental rights are properly balanced with policing powers in terms of interception is to create robust safeguards in legislation.”
Prof de Londras said the law must outline the “clear bases upon which correspondence can be intercepted, require authorisation from an independent body (ideally a court), and strictly control the use that can be made of the fruits of this interception”.
“Mass or blanket surveillance, and intercept laws without clear and effective safeguards, are likely to contravene both the Constitution and the European Convention on Human Rights.
“If the Tánaiste satisfies the Oireachtas that these powers are necessary, she must then show that they are also proportionate and limited and comply with fundamental rights.”
He said he could not say the Tánaiste’s proposed legislation was “anti-encryption”, given that the full details had not yet been published.
“But assuming it is, this is reminiscent of the backlash against end-to-end cryptography in the wake of the Paris and Brussels attacks, the premise of which [that the attackers eluded intelligence services using cryptography] was completely false.”
“From my experience, criminals, like terrorists, are surprisingly unconcerned with their privacy,” he said.
Mr Fitzmaurice said that given the right resources, state actors could certainly access people’s data, but the level of difficulty and effort would vary.
A “gold standard” messaging app such as Signal used end-to-end encryption, but the authorities could still build up a social graph of people’s contacts using metadata over a period of time.
It was also possible for state and other actors to intercept phone traffic by using devices known as IMSI-catchers, which gave them a privileged position on the phone network.
“If any state adversary wants to get access to your stuff, with enough persistence they can do it. Even if you are really super-secure, probably they’re smart enough and have the resources to spend to get access to this kind of thing.”
DRI told the UN in its September 2015 submission there was an “urgent need” for legislation to criminalise the use of IMSI-catchers, which allowed attackers to indiscriminately gather data from thousands of mobile phones in a specific area and at public events such as political demonstrations.