Law to allow snooping on social media defies European court ruling

The Cabinet’s new legislation allowing for the interception of social media communications has me marvelling that snooping WhatsApp preoccupies this Government more than changing our overall surveillance and data-retention legislation, effectively thrown out by the European Court of Justice (ECJ) over two years ago.

Excuse me if I am missing some hidden hierarchy of importance on the Cabinet to-do list, but surely an ECJ decision on a case primarily based on the Irish implementation of the EU's data- retention directive trumps amending said invalidated legislation in order to add even more surveillance powers under the same discredited oversight regime?

But maybe this is a minor quibble and I should really strive to understand the need for the Garda to have the increased powers to surveil WhatsApp, Viber and Facebook, as well as texts and emails.

I’ve tried, and all I can say is, oh dear.

Perhaps the Cabinet and law enforcement in Ireland are not aware that both WhatsApp and Viber are automatically encrypted. Just popping over and reading the web-page FAQs for these services would have made this clear.

End-to-end encryption

Here’s WhatsApp: “WhatsApp is now end-to-end encrypted at all times. This will ensure that users’ messages, videos, photos sent over WhatsApp can’t be read by anyone else – not WhatsApp, not cybercriminals, not law-enforcement agencies. Even calls and group chats will be encrypted.”

And Viber: “End-to-end security means that data (messages, photos, videos, voice and video calls) is encrypted the moment it is sent from one device until the moment it is received by the intended recipient. No middle man – not even Viber.”

Facebook Messenger might be marginally more useful as a target, as encryption there is opt-in.

A Government spokesperson said: “What we are simply talking about is modernising the regime that has applied here for a long time now in relation to phones and post to ensure that it reflects the developments in technology.”

Where to start with that? I guess some critical developments, like the in-built encryption in texting and messaging apps widely introduced by companies in the wake of Edward Snowden’s headline-making revelations about mass surveillance failed to be noticed by lawmakers here.

The excuse for introducing this legislation right now is, yes, worries about terrorism, paramilitary groups and increased gang violence. Historically, law enforcement and governments always try to introduce measures when a recent incident or two scares the general public.

But there’s lots in this legislation that should scare the public far more. For example, the proposal that the legislation should allow the retention of “superfluous data” gathered in the course of an investigation, which is a direct contravention of the ECJ’s demand that surveillance must be targeted and data held must be specifically relevant, not a trawl to be stored for later perusal “just in case”.

Or the claim that interception and retention of data, and access to it, will only be in cases of the most serious crime or terrorism threats. Oh, please. This was, and remains, the supposed basis for our existing, ECJ-invalidated legislation. Yet, as last year’s Gsoc investigation into Garda leaks revealed, it turns out a number of interconnected pieces of national legislation allow at least 10 different agencies access to retained data, including Gsoc, the Competition Authority, local authorities and the Irish Medicines Board.

Oversight mechanism 

Then, astonishingly, no change at all is proposed to the current oversight mechanism for surveillance and retention of any data gathered under these new powers. Oh no. We are sticking with the solitary serving High Court judge reporting directly to the Taoiseach and an existing judicial complaints system supposedly available to citizens and businesses surveilled.

That would be the same skimpy, weakly documented (in a one-page annual report) system that helped lead the ECJ to damn the pathetically poor supervision and oversight of data retention across the EU – another key reason the court invalidated the EU directive.

And the idea of a functionally useful judicial complaints system? Maybe the Cabinet doesn't remember that in 2014 Minister for Justice Frances Fitzgerald enacted by statutory instrument a dormant section of the Criminal Justice (Mutual Assistance) Act 2008 which allowed, for the first time in Ireland, the establishment of secret courts to prosecute firms that might object to the grounds or legality of an interception order, or refuse to comply.

Oh, yes. We have secret courts with corporate gag orders. That makes it hard to use a judicial process if you don’t know you were targeted falsely in the first place.

But the screamingly obvious issue here is that the State is increasing the surveillance provisions of legislation that is clearly invalid, in defiance of a sweeping ECJ decision discarding an entire EU directive on surveillance and data retention. The Government should be addressing the urgent (you’d think) task of creating a new and valid piece of legislation that conforms with that landmark 2014 ECJ decision, instead of grafting a new limb on to a legislative corpse.