Licence to pry?

As the law tries to keep up with internet advances, the question of privacy remains in the fore.

The internet originally didn't come with a business plan - and certainly didn't come with business in mind at all - though that's not very obvious today. Nor was it created so that the average citizen could log on and shop, send e-mails, post opinions,profiles and pictures, and all the other activities that fill part of the week for most of the population in Ireland.

The fledgling net emerged, along with many other interesting and useful technologies, decades ago out of the US Defense Department's Advanced Research Projects Agency (DARPA). DARPA was established following the launch of the Soviet's Sputnik satellite, to help ensure the US didn't fall behind in the technology race.

According to common belief, the internet (or DARPAnet) was created to act as a communications network that could survive a nuclear war, with no central point of command or control. Others involved with its establishment have said that actually, it was created to fill the role it still has - to harness some of the power and capabilities of computers and act as a superb communications medium that could span long distances at little cost.

Eventually, the internet moved beyond DARPA and its affiliated academic, research and development centres and spread to universities and technology-oriented businesses.

Then along came the world wide web - a kind of overlay to the basic, command-line based internet that enabled people to see data in a visual representation (web pages). The rest is history.

Now, millions use the net and the web daily. And as they do, an unnoticed but significant side effect is that they leave digital footprints all over the place, because digital systems - the computers that are the architecture of the internet - generate detailed records as they operate. At one time, those records were gobbledygook to most and for the remaining minority of the computer savvy that could read them, copious and not easily searchable.

But that has changed. With increasingly sophisticated search tools able to mine data on the internet or computers generally, it has become far easier to find needles in data haystacks. Think how quickly you are served up an assortment of web pages after googling a term, and you can see how today's web and computing technologies make the hidden, visible.

Law enforcement was not slow to realise it could be most interesting to have access to large swathes of data. Since the advent of widely used information and communications technologies - especially the internet - there's been a continuous battle between those who would like to see electronic data reaped and potentially harvested, and those wishing to protect personal and business privacy. The former seek tools for fighting crime, the latter argue that just because technology offers the tools for ongoing widespread surveillance doesn't mean it should be used for such purposes.

Before 9/11 in the US and Europe, large businesses, conservative and libertarian politicians protective of enterprise and privacy advocates made odd bedfellows who more or less successfully kept at bay repeated government and law enforcement attempts to gain widespread access to digital data and filter or store it.

But post 9/11, "the fight against terrorism" has been used as an argument for pushing through legislation giving governments and law enforcement agents the right to require that electronic communications data be stored and made searchable upon request, for varying periods of time. Such legislation is known as "data retention".

The Irish Government brought in such legislation, initially in 2002 as a secret cabinet direction and, eventually, after several threats from the Data Protection Commissioner to take the Government to the High Court on Constutitutional grounds, as a last minute amendment to another bill in 2006. Irish data retention law, which requires the storage of traffic information (but not content) of phone and mobile calls and faxes, currently has one of the longest storage periods in Europe at three years.

In addition, the government has signalled its intent to introduce in the next month via statutory instrument, an EU-mandated directive requiring e-mail and some internet data to also be stored, probably for two years (the maximum allowed in the EU directive).

As in many other countries, the average citizen seems to remain sanguine about this. Many privacy advocates argue that this is because the topic is complex, abstract and technical.

For this reason, privacy advocacy group Digital Rights Ireland (DRI) have taken a High Court challenge to Irish data retention law, arguing that the average citizen would not understand the implications of what technology is able to reveal and needs an informed advocate.

"This is a complete reversal of the assumption that people are innocent until proven guilty. This legislation is the first time we have seen any state impose mass surveillance on its population on the basis that at some point in the future, someone might commit a crime," argues TJ McIntyre, University College Dublin law lecturer and chairman of DRI.

Businesses, especially in the technology sector, are perhaps more aware of the implication, not least in the wake of the long US Department of Justice v Microsoft case in which stored e-mails played a major role, and the introduction of stringent business operations legislation such as Sarbannes-Oxley and similar EU requirements. And businesses have always been sensitive about information leaks.

Hence Irish data retention legislation alarmed companies such as Microsoft, Iona Technologies and Oracle, worried by the scope of current legislation, as well as by the lack of independent oversight of such legislation.

When the data retention amendment was passed in 2006, Joe Macri, managing director of Microsoft Ireland, warned: "Irish legislation is going beyond what is required from an EU perspective and is going to put significant additional costs on businesses from an administrative and a capital investment perspective.

"While we respect and understand the needs and concerns of the law enforcement agencies, there is also a need to take personal privacy concerns and the broader needs of business into consideration.

"I feel that the legislation as it currently stands has not been considered in the context of the potential impact that it will have on business in general and the ICT industry specifically," says Macri.

Dr Chris Horn, co-founder and vice chairman of Iona Technologies, said that law enforcement had legitimate concerns about tackling crime and protecting citizens.

But he added: "Our society also has a right to protect itself from unwarranted personal intrusion by agencies of this State and those of other states.

"In addition, businesses have a right to protect themselves against accidental disclosure of commercially sensitive information and industrial espionage. Given the context of poorly managed IT projects by the State, what confidence can the Irish public and businesses have that agencies of this State, and companies by law acting on their behalf, can adequately gather and in particular protect highly sensitive information?"

Internet service providers are worried about how they are supposed to implement the incoming EU legislation on e-mail and web usage, and have stated that extra costs associated with storage and making data accessible to law enforcement are costs that will be passed on to customers.

Paul Durrant, director of the Internet Service Providers Association of Ireland (ISPAI), says ISPs would need to retain massive amounts of information because, unlike the far more clear-cut situation with mobile or landline calls, it is impossible to differentiate between various types of information in many cases (whether it needs, under law, to be retained or not).

"We will see companies leaving the Republic and the EU because they're concerned about the confidentiality of their business information," he told a conference on data retention.

The full impact of these new data retention laws remains to be seen - or more realistically, may never be 'seen' because citizens and businesses may not be aware when their own data records have been accessed or by whom, for what purpose.

On the other hand, a net-reared generation may not care - after all, many demonstrate regularly that they will trade private information in exchange for a perceived benefit, even if the benefit is just "having fun".

This can be seen in the rise of social networking sites such as Bebo, Facebook and MySpace. On these sites, under-30s in particular seem happy to post information that, at best, might be seen as embarrassing and, at worst, might cost them admission to university (a Cambridge admissions officer admitted to checking applicant profiles), a job (those party pictures don't exactly make someone look professional) or their identity (TMI - too much information about addresses, birthdays, place of birth, family and work details - makes identity theft a growing risk).

Yes, communicating has never been so easy. But there is a privacy cost that is all the greater because it isn't clearly understood by the majority.

As a result, we all risk communicating far more information than intended, to recipients we never imagined.

SOMEONE COULD BE LISTENING

For years, it was the stuff of rumour, speculative chat at hacker gatherings, fodder for conspiracy theorists and laughed off by others as the creation of overactive minds fed too many Ian Fleming novels.

Then, in early 2000, its existence was confirmed. Echelon - a massive global eavesdropping system that could supposedly listen in on millions of phone conversations and read e-mails, text messages and faxes, filtering for suspicious keywords - was real.

Or at least, a set of reports from a perturbed European Parliament said so, after extensive investigations. Various media interviews since with intelligence sources, some of whom worked in some of the numerous Echelon interception bases, have confirmed its reality.

Even though some articles and books in the 1980s pinpointed the existence of a vast surveillance network of global "intercept stations" that could pluck signals from the air and networks and analyse them, the fact that an institution like the European Parliament had verified that Echelon truly existed caused a sensation.

Details about it remain hazy, but the first 1998 report laid out a set of general facts. Echelon - its name perfectly redolent of spy v. spy antics - was apparently a five-country network co-ordinated and overseen by the NSA.

A network of spy stations maintained by the US, England, Canada, Australia and New Zealand, working together through a secret agreement called UKUSA, intercept electronic signals of almost every telephone call, fax transmission and email message transmitted around the world daily, it was claimed. These signals are crunched through NSA supercomputers to look for keywords called the Echelon "dictionaries". Most of the stations are supposed to be in the US and UK.

Duncan Campbell, a journalist who has spent years researching and writing about Echelon, and authored one of the EU reports, said this was probably an overstatement and it was more likely the system in the 1980s and 1990s analysed mainly satellite communications. However, experts now say technology developments in the past decade would make it feasible to scan and search a much wider variety of communications transmissions.

While one would have supposed that the EU was most jittery about the privacy and surveillance aspects of the network, the more practical, post Cold War, pre 9/11 raison d'etre for the first preliminary report released in 1998 was actually concerns about business. The EU feared Echelon was being used not just for spying, but for industrial espionage that had affected European member countries.

"Concern was aroused in particular by the assertion in the [initial EU] report that Echelon had moved away from its original purpose of defence against the Eastern Bloc and was currently being used for purposes of industrial espionage. Examples of alleged industrial espionage were given in support of the claim: in particular, it was stated that Airbus and Thomson CFS had been damaged as a result," stated the 2001 EU report.

Campbell has said Airbus lost a $6 billion (€4.12 billion) contract with Saudi Arabia when Echelon intercepted messages that indicated Airbus was offering payments to a Saudi official, according to a story in the Baltimore Sun newspaper in 1995.

He also alleged that because of Echelon intercepts, US firm Raytheon was able to win a $1.4 billion (€960 million) contract to supply a radar system to Brazil, over French company Thomson-CSF.

The US has always strongly denied these accusations, and then British prime minister Tony Blair dismissed the stories when they surfaced in 2000.

Nonetheless the EU concluded that European companies and citizens should encrypt their communications in order to prevent them being accessed by Echelon, and also promoted the setting up of EU-run internet networks that are not easily accessed by US networks.