Data law lays foundation for surveillance state

Net Results: Though the Government would like you to believe that its data retention policy is all about protecting you from…

Net Results: Though the Government would like you to believe that its data retention policy is all about protecting you from crime, a range of speakers at a legal seminar held last week by the Irish Centre for European Law consistently argued the opposite.

The policy, passed as a surreptitious, 11th-hour amendment to a crime bill last year (instead of being introduced in its own right as had been long promised by the Government and Minister for Justice Michael McDowell), requires telecoms operators to retain call data for three years.

Soon, information on internet use is likely to be added to this information stockpile held on every citizen - just in case you commit a crime at some future point.

I spoke on the topic at the event and offered my opinion: that in barely a decade, the Republic has gone from being one of the nations most protective of digital privacy, to one of the most oppressive western democracies, using shockingly opaque and underhanded methods to secretly impose data retention in the first place as a Cabinet direction, then place it on the books through a last-minute amendment proposed in a nearly empty Dáil.

READ SOME MORE

I believe this switch has profound implications for how the State views its citizens, for facilitating abuse of the law by the Garda and placing citizen information at risk from hacking, and for damaging the Republic's attractiveness as an investment location for the technology sector, which is still unaware of the scope of this legislation.

These points were raised by speakers representing a range of perspectives on the issue. As data protection commissioner Billy Hawkes said in his presentation, it is unprecedented for data to be held on citizens "in case" it is needed by police; for individuals to have no idea if their records have been accessed by police; for police to access data for any crime, including the most petty misdemeanour, because Mr McDowell's amendment contained none of the promised limitations on its use and the Republic's retention period is up to five times longer than required under the EU's own data retention directive.

Paul Durrant, from the Internet Service Providers' Association of Ireland, noted that even if none of the other concerns about the requirements of new data retention legislation existed, it will be impossible for most internet service providers (ISPs)to comply with the scope of the requirements that ISPs retain net use and e-mail records for three years.

First, the privacy and integrity of customer data is critical to ISPs and the very basis of the services they provide. If Irish ISPs and hosting providers, many of which operate global services and have enormous contracts with multinationals here, are required to retain their business and personal records for three years, who believes those companies will remain here or offer business to Irish providers?

"We have concerns that this law unbalances the demand for internet services," he says.

"We will see companies leaving the Republic and the EU because they're concerned about the confidentiality of their business information."

In addition, he says the provisions are technically unworkable. ISPs would need to retain massive amounts of information because, unlike the far more clear-cut situation with mobile or landline calls, it is impossible to differentiate between various types of information in many cases (eg, whether it needs, under law, to be retained or not). This means vast swathes of data they shouldn't be retaining will be retained, in this legal and technical quagmire.

The cost of storage and making such data properly searchable and safeguarding it is also a huge issue for the industry, as the Government shows no indication it will manage or underwrite such costs. And as voice calls within businesses increasingly move to VoIP over the internet, how will this additional data be managed?

"This is very very badly and hastily drafted legislation," Durrant says of the EU's data retention directive, which adds e-mail and internet dimensions to our hastily drafted data retention amendment.

Barrister and senior law lecturer at NUI Galway Thomas O'Malley noted that the existing Irish and incoming EU data retention legislation alters the very nature of information used for combating crime, from focusing on 'narrative' to 'data'.

In other words, crime is usually solved by gathering information about the crime, and then about people suspected of committing a crime, and forming a narrative flow that connects that person, with motivation, past history, and evidence, to the crime.

Data retention amasses independent chunks of data, with the serious risk - regularly seen in police misuse of databases - of taking random facts and assuming they should fit together in an incriminating way.

O'Malley describes this as actuarial justice versus individual criminal justice. "We are enabling the State to collect that disembodied data that doesn't tell us anything about the person," he says. "Purely from a criminal justice perspective, what is happening is very dangerous. It's reducing people to numbers."

It also builds the foundations for a surveillance state in which we are all guilty until proven innocent, as TJ McIntyre, UCD law lecturer and chairman of Digital Rights Ireland, argued.

Worried yet? You should be.

Karlin Lillington

Karlin Lillington

Karlin Lillington, a contributor to The Irish Times, writes about technology