IT Law in Ireland

Internet censorship in Turkey is a prime example of why democracies should not attempt to filter the internet. I've blogged before about the blocking of Richard Dawkin's website by the Turkish authorities so I was fascinated to learn that a full list of sites which have been blocked by Turkey is available. The information has been compiled by EngelliWeb.com which identifies 31,694 sites as having been blocked, roughly doubled from last year. You can also view all blocked sites as a single page.

Highlights of the blocking list? In addition to Kurdish news sites, it includes the entirety of:

Blogger
Blogspot
Dailymotion
Google Groups
Google Sites
Shoutcast
Ustream.tv
Vimeo
Wordpress
YouTube

One important caveat - not everything on the list is currently blocked. Turkey has flipflopped on many of these sites with on again/off again bans at different times for different reasons. Some sites - such as YouTube - have also been unblocked after caving in to Turkish government pressure and agreeing to censor for Turkish users.

More on Turkish blocking from the excellent Reporters Without Borders site. The Guardian has a recent piece on how Turkish internet users are getting around this censorship.

The way things are supposed to work is that we're supposed to know virtually everything about what they do: that's why they're called public servants. They're supposed to know virtually nothing about what we do: that's why we're called private individuals.

Glenn Greenwald nails it.
 

There's a remarkable story in today's Irish Independent about a woman whose criminal charges were struck out - without even a conviction - despite having been found guilty of listening to her former supervisor's voicemails. From the article:

A CIVIL servant who was found guilty of spying on her former supervisor by hacking into her mobile phone's voicemail messages has escaped punishment.

Dublin City Council employee Severine Doyle (39) had pleaded not guilty to 11 charges under the Postal and Telecommunication Act. However, following a hearing last June, she was found guilty of intercepting voice messages on a phone used by Teresa Conlon, Dublin City Council's head of housing allocation.

Dublin District Court heard that Ms Conlon's voicemail messages had been intercepted over a five-week period, from January 8 until February 11, 2010.

Doyle's sentencing had been adjourned until yesterday. Judge Eamon O'Brien told defence solicitor Declan Fahy: "I will strike it out with liberty to re-enter. I am giving her a chance, the ball is in her court."

During the trial on June 28 last year, Ms Conlon told the judge she found out that some city councillors had said they had listened to tapes of messages left on her phone.

This is an unusual outcome. The offences established carry a possible sentence of 5 years if prosecuted on indictment or 12 months otherwise. There were multiple incidents of phone hacking over an extended period. There was no guilty plea. The offences were aggravated by dissemination of the recorded material to councillors. Despite all this, the case was struck out. This may not have been a case for a custodial sentence, but I see no reason why a conviction shouldn't have been registered to mark the gravity of the offence. While there may be more to the matter than emerges from the media coverage, on the face of it this is a case where the court has failed to give adequate weight to the right to privacy in communications.

Lawyers: Angry that former clients are suing you over failed investments? Apparently the correct response is not to post on Facebook "They thought they knocked me down, now they will see the full scale of my reaction. F*** them, just f*** them. They will be left with nothing."

Turns out that Facebook posts are not automatically confidential, and will be admissible in evidence against you in proceedings to stop you dissipating the money you owe. Whodathunkit?

The key passage is at para. 4 of the judgment and neatly summarises why very few posts will attract a duty of confidence:

[A]nyone who uses Facebook  does so at his or her peril. There is no guarantee that any comments posted to be viewed by friends will only be seen by those friends. Furthermore it is difficult to see how information can remain confidential if a Facebook user shares it with all his friends and yet no control is placed on the further dissemination of that information by those friends. No evidence was adduced as to how many friends the defendant had and what his relationship was with each of them. It was certainly not suggested that those friends were in anyway restricted as to how they used any information given to them by the defendant. For the avoidance of doubt, I do not consider that any of the friends viewing that information would necessarily have concluded that the information was confidential and could not be disclosed. I have received no evidence as to why those friends were in any way restricted as to how they can use information received from the defendant and why they would have known this information was confidential or private

The High Court today gave a significant decision in McKeogh v. Doe and others concerning defamatory material posted through Facebook and YouTube. The background to the case is well summarised by the Daily Mail. As I have a professional involvement I'll refrain from any comment except to explain that this is an interlocutory judgment (i.e. pending a final hearing of the action) in which Peart J. held that a mandatory injunction should be granted against Facebook and the Google defendants requiring them to take down material defaming the plaintiff until the full trial can take place. The judgment did not itself grant an injunction - instead, the details of the injunction will be determined following a meeting to take place between experts for the plaintiff and the defendants. After this meeting the experts must report back to the court with either an agreed report or separate reports regarding the technical steps which can be taken to remove the defamatory material as far as reasonably possible.

Full text of the judgment:

Kudos to Microsoft for today publishing their first annual Transparency Report setting out details of how often national police forces seek to read customer content (such as emails) or to access other information on customers. This is done as part of their commitment as a member of the Global Network Initiative and it's striking, but alas not surprising, that this makes Microsoft considerably more transparent than the Irish government which refuses to reveal even this basic statistical information.

On to the data. In 2012, in relation to Microsoft products generally (Hotmail, Outlook.com, Messenger, etc.) Gardaí sought information in 72 different requests, relating to 222 different accounts. Of these requests, 5 resulted in user content being revealed (such as the actual contents of emails), 46 resulted in non-content user information being revealed (such as the IP address last used), 19 resulted in no data being found and 2 were rejected for not meeting legal requirements.

Skype, which Microsoft now owns, was treated separately. In relation to Skype Gardaí made 4 requests relating to 7 different accounts and there was no data disclosed in relation to any of those requests. (This mostly seems to be due to no data being found but records aren't available for the entire year.). Also, in 2 cases the Skype support team provided general guidance to Gardaí regarding the procedures for accessing customer data.

There's an interesting comparison here with Google's Transparency Report. The overall numbers of requests by Gardaí to Microsoft and Google are very close (76 total for Microsoft for all of 2012; 34 for Google for the first six months of 2012). However the numbers of requests which result in information being provided are very different. In the case of Google data was provided in reply to just 2 of 34 requests (6%), while Microsoft provided data in response to 51 of 76 requests (67%). It's impossible to know without more information why that is and the low Google response rate might be just a blip for the particular six month period - nevertheless the difference is striking.

Significantly, Ireland was one of only four countries other than the US where user content was disclosed, the others being Brazil, Canada and New Zealand. The report doesn't make it clear why this is, but the FAQs imply that this may be due to Hotmail and Outlook.com accounts being hosted in Ireland and therefore being subject to local law.

The report also glosses over a question which has long interested me - what's the legal basis on which Microsoft will provide the contents of emails to Gardaí? Here's what the FAQs have to say:

What laws apply to Microsoft and Skype customer records and content? 

Irish law and European Union directives apply to the Hotmail and Outlook.com accounts hosted in Ireland...

How does Microsoft and Skype determine what law enforcement entities are able to request data? 

Microsoft must produce data in response to valid legal requests from U.S. and Irish law enforcement entities because we are headquartered in those jurisdictions or because we host data in those countries. Microsoft may disclose non-content data pursuant to a law enforcement request after it is validated locally and transmitted to our compliance teams in the U.S. and Ireland...

So - what exactly is a "valid legal request"? Irish law on interception doesn't seem to extend to webmail, suggesting that Microsoft are simply acting in response to non-statutory Garda requests rather than requiring a Ministerial warrant as would be required for telephone tapping. If so, the relevant law would be s.8 of the Data Protection Acts 1988 and 2003, which allows (but doesn't require) voluntary disclosures of user information in the context of criminal investigations. This would, however, be worrying if true as it would allow Garda access to email contents without any outside scrutiny (no Ministerial warrant or court order required) and without the other safeguards which would apply to telephone tapping - so no judicial oversight after the fact and no complaints mechanism available.

If this is the case then it would also put Ireland in breach of our obligations under Article 8 of the European Convention on Human Rights, which states that interferences with private communications must be "in accordance with the law", requiring that there should be a clear legal basis along with adequate mechanisms in place to oversee and guard against abuses of surveillance. (See in particular Klass v. Germany and Malone v. UK.)

More clarity on this point is required, and as soon as possible the law should be changed to ensure that emails enjoy the same protections as telephone calls.

The High Court gave a landmark judgment on surrogacy earlier today, holding that the biological mother of twins born to a surrogate (her sister) was entitled to be recorded as their mother on their birth certificates. I'll leave the family law side of this to the experts, but I was struck by how the court handled the issue of media coverage. In particular, in exercising its discretion to allow certain designated journalists to report on the proceedings the court did so subject to a number of conditions one of which was that: "no contemporaneous social media reporting e.g. by Twitter shall be carried out by the designated reporters."

This seems to be the first time that an Irish court has positively restricted the tweeting or live blogging of court proceedings, though that's not to say that the issue hasn't been considered.

In 2009 Abigail Rieley - then working as a court reporter - could still say that the issue hadn't yet reached the judicial consciousness. In 2011 it was reported that a judicial committee would consider the issues of jurors' use of the internet and might also consider the issue of courtroom reporting on social media. (I'm not aware that anything public ever emerged from this - if you know better please let me know.) Still again, in 2012 the media relations advisor to the Courts Service published an interesting article on social media and the courts (PDF) which amongst other things suggested that there was a need for judicial guidance along the lines of the current English rules regarding tweeting from court.

Meanwhile, despite these concerns the use of Twitter in court has simply become a part of day to day reality. Today's judgment is the first time it has butted up against judicial resistance - and that only in the particularly difficult and private context of a family law matter. I suspect, though, that it won't be the last.