Will Ireland Be Britain’s Sister Surveillance State?
The recent announcement by the Minister for Justice that serious and organised crime will receive legislative attention from the Government and the Oireachtas is most welcome. However, the stated means of achieving this are deeply concerning for the Irish public and larger digital economy. The statements indicate that the Government intends to follow the British model of surveillance where Irish companies can be compelled to betray their users. Why would any user engage with a service that could deliberately jeopardise their online safety and security, or that of their family?
Whether it is an established company looking to set up in Ireland or a startup looking to compete on the world stage, it is vital that those companies do not have both hands tied behind their backs when it comes to security.
Communications and data should be end-to-end safe. This means that a message can only been read by its intended recipient, and remains private when someone attempts to intercept the message.
The statements today mask a subtlety of surveillance; namely that the Irish Government doesn’t just want to intercept and collect the communications; they want to be able to read and understand them. And to achieve this, they are aiming to enlist companies. We have seen governments block access to services such as WhatsApp and even ordering the jailing of officials from the company because the company’s system has been built to be secure from snooping attacks by governments, criminals, or hackers.
Some hints of the narrative are emerging from the Department that echo the statements in the British Government in the run up to the Investigatory Powers Bill. Firstly, the department has stated:
It is proposed to make changes in the law to provide simply that the power which already exists to intercept post and telephone communications - and which has played a vital role in fighting crime and counteracting threats to the security of the State - will be extended to other, more modern, forms of communication and all companies providing these services.
The word *simply* masks the complexity of extending powers of post and telephone to the internet which operates very differently. This statement shows either an attempt to distract the public’s attention, or ignorance of how the internet operates and the enormous technical changes that will be required to deliver this.
The Department have also hinted that they will provide the power to discover unknown devices:
The Garda Authorities have also sought provision in law to make use of technology that can enable them to identify unknown communications devices that may be in use by criminals or terrorists.
Once again, this masks the enormous technical, legal, and ethical challenges in identifying devices, especially where the user has taken steps to prevent their identity becoming known. This software is vital across the globe and it is unclear whether the Government intends to ban the use of this software in Ireland, compel developers to install backdoors, or purchase malware off the black market to exploit vulnerabilities in our devices and systems.
As the plans of the Minister unfold, it will be vital to scrutinise any proposals for the following mistakes made by the British Government in the recent Investigatory Powers Bill:
1. Are any members of the oversight regime subjected to the surveillance they themselves are meant to oversee? For oversight to be truly independent, the staff of these bodies must not have to worry about their communications, or that of their families, being read by the agencies they are supposed to hold to account. The recent scandal around the potential bugging of the Garda oversight body GSOC by members of the force they oversee demonstrates why this is so vital.
2. Will there be additional safeguards around the collection and interception of communications of sections of society fundamental to democracy and rule of law, including: judges, journalists and sources, TDs and their constituents, doctors and patients, and lawyers and clients?
3. Will the Government seek powers to hack either through the development of their own malware or the purchase of products by companies such as FinFisher or Hacking Team? A member of the Irish Defence Forces was revealed to have been in contact with Hacking Team about the potential purchase of their malware.
4. Will the Irish Government continue to leave the mobile phone networks relied upon by the Irish public vulnerable to a device that can be bought online for €5,000 according to the former Minister for Justice, Alan Shatter? Will they prioritise the safety of the Irish public over their desire to be able to listen in to any mobile communication?
5. The British Government claim that their laws have extra territorial effect, including in Ireland. Meaning that a UK minister can issue a warrant for an Irish company to hack its users or intercept their communications. Will the Irish Government claim that its laws apply worldwide or will they limit them to the constitutionally defined limits? Will they clarify whether Irish companies will be subject to UK law?
6. Will the Government seek powers to remove so-called “protective countermeasures” including end-to-end encryption or anti-virus as the British Government has recently sought.
7. Will the Government seek targeted, thematic, and/or bulk powers? Targeted surveillance is particularised to an appropriate level of specificity including a name and address. Thematic and bulk powers allow for snooping on large groups of semi-defined people, such as “all people living in Dublin”. Mass surveillance is unacceptable in a modern democracy and only those who are suspected of wrong doing should be in danger of a necessary and proportionate incursion of their right to privacy, security, and safety.
8. Will the Irish Government involve the courts in a meaningful way or limit their role to merely a rubber stamp as in the British surveillance model? Independent authorisation and oversight are vital if the public is to have any confidence in the Minister’s claims that privacy will be respected in the new legislation.